From 59d177ece730484500aa47c91b95ef2fd801aaa2 Mon Sep 17 00:00:00 2001
From: Alex Ebadirad
Date: Wed, 2 May 2012 09:21:43 -0700
Subject: [PATCH] Critical fixes to last update.

Signed-off-by: Alex Ebadirad
---
 .../recentactivity/ExtractRegistry.java | 57 +++++++++++++------
 .../autopsy/recentactivity/Firefox.java | 7 ++-
 .../recentactivity/RAImageIngestService.java | 30 +++++-----
 .../autopsy/recentactivity/Util.java | 18 ++++++
 .../autopsy/report/ReportConfiguration.java | 25 +++++++-
 .../autopsy/report/reportFilter.java | 10 +++-
 6 files changed, 108 insertions(+), 39 deletions(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 251c1f68fa..5ad3a1f5b5 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -43,16 +43,16 @@ public class ExtractRegistry {
 } else {
 rrFound = true;
 }
- try {
- Case currentCase = Case.getCurrentCase(); // get the most updated case
- SleuthkitCase tempDb = currentCase.getSleuthkitCase();
- ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
-
- while (artset.next()) {
- sysid = artset.getInt("artifact_type_id");
- }
- } catch (Exception e) {
- }
+// try {
+// Case currentCase = Case.getCurrentCase(); // get the most updated case
+// SleuthkitCase tempDb = currentCase.getSleuthkitCase();
+// ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
+//
+// while (artset.next()) {
+// sysid = artset.getInt("artifact_type_id");
+// }
+// } catch (Exception e) {
+// }
 final String rrHome = rrRoot.getAbsolutePath();
 logger.log(Level.INFO, "RegRipper home: " + rrHome);
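Review bot: The `sysid` lookup is left as a block of `//` comments instead of being deleted, and that also removes the only statement in this constructor that assigned `sysid`; if the field still exists with its default value, any remaining `newArtifact(sysid)` call in this file would now create artifacts of a type it never resolved. Prefer deleting the block outright (git keeps the history) and removing the now-unassigned field, or at least annotating it, e.g. `// sysid is no longer populated: TSK_SYS_INFO extraction is disabled until the artifact type is registered`. The original block also swallowed every exception in an empty catch, which should not come back in that form if the lookup is restored. The constructor continues outside this hunk.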
@@ -191,10 +191,10 @@ public class ExtractRegistry {
 etime = timenode.getTextTrim();
 Long time = null;
 try {
- Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(etime).getTime();
+ Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime();
 time = epochtime.longValue();
 } catch (ParseException e) {
- logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
+ logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e.getMessage());
 }
 Element artroot = tempnode.getChild("artifacts");
 List artlist = artroot.getChildren();
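Review bot: The SEVERE log on the new catch line passes `e.getMessage()` as a parameter of a message that has no `{0}` placeholder, so neither the parser's reason nor the offending `etime` value ever reaches the log; write it as `logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime failed for " + etime, e)` so the value and the stack trace are both kept. The new pattern `EEE MMM d HH:mm:ss yyyy` also parses day and month names in the JVM default locale and interprets the wall-clock time in the default time zone, so the same RegRipper output gives different epoch values on examiner machines in different zones and fails outright on non-English locales; construct it as `new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy", Locale.US)` and call `setTimeZone(TimeZone.getTimeZone("UTC"))` on it, assuming RegRipper prints UTC (confirm against its output). `getTime()` yields milliseconds, so if `time` is later stored as a TSK_DATETIME expected in seconds like other TSK timestamps, it needs dividing by 1000. The enclosing parse loop starts before this hunk.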
@@ -216,16 +216,32 @@ public class ExtractRegistry {
 // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
 // bbart.addAttributes(bbattributes);
 } else if ("usb".equals(context)) {
+
+ Long utime = null;
+ try {
+
+ utime = Long.parseLong(name);
+ } catch (Exception e) {
+ logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e.getMessage());
+ }
+
 BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
- bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, utime));
 String dev = artnode.getAttributeValue("dev");
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
 bbart.addAttributes(bbattributes);
 } else if ("uninstall".equals(context)) {
+ Long ftime = null;
+ try {
+ Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(name).getTime();
+ ftime = epochtime.longValue();
+ } catch (ParseException e) {
+ logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e.getMessage());
+ }
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
- bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, ftime));
 BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
 bbart.addAttributes(bbattributes);
 } else if ("WinVersion".equals(context)) {
@@ -238,15 +254,22 @@ public class ExtractRegistry {
 }
 if (name.contains("InstallDate")) {
 installdate = value;
+ Long installtime = null;
+ try {
+ Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime();
+ installtime = epochtime.longValue();
+ } catch (ParseException e) {
+ logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e.getMessage());
+ }
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver));
- bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installtime));
 BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
 bbart.addAttributes(bbattributes);
 }
 } else {
- BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
- bbart.addAttributes(bbattributes);
+// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
+// bbart.addAttributes(bbattributes);
 }
 }
 }
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
index 3b4b2c9110..2a9aab42ac 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
@@ -108,8 +108,8 @@ public class Firefox {
 dbFile.delete();
 break;
 }
-
- ResultSet temprs = Util.runQuery(ffquery, connectionString);
+ dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
+ ResultSet temprs = tempdbconnect.executeQry(ffquery);
 while (temprs.next()) {
 try {
 BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
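Review bot: Both new parse blocks leave `utime` / `ftime` null when conversion fails and then still pass that null into `new BlackboardAttribute(..., context, utime)`; I cannot see the constructor overloads from here, but if the `Long` resolves to a `long` parameter the null unboxes into a NullPointerException that neither `catch` covers, so a single malformed registry value in the evidence image aborts extraction for the rest of the hive, and if it resolves to an object parameter the artifact is written with a null timestamp. Guard the add, `if (utime != null) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, utime)); }`, and do the same for `ftime` and for `time`, which the previous hunk also leaves null on a parse failure. The `catch (Exception e)` around `Long.parseLong(name)` is wider than the `NumberFormatException` it is there for, its message says "DateTime" for a plain number, and `e.getMessage()` is passed to a message with no `{0}` placeholder and so is discarded; log the raw value instead, `logger.log(Level.WARNING, "RegRipper: unparseable USB timestamp {0}", name)`. The enclosing loop and the `tempDb` / `orgId` used by the `usb` branch are defined before this hunk.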
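Review bot: With the TSK_SYS_INFO artifact commented out, the final `else` branch now drops every `bbattributes` list built for a context this method does not recognise, silently and without a log line, so registry data RegRipper already extracted vanishes from the case; a forensic module should at least record the drop, e.g. `logger.log(Level.INFO, "RegRipper: no artifact mapping for context {0}, {1} attribute(s) discarded", new Object[]{context, bbattributes.size()});`, and the two dead lines should be deleted rather than commented. The `InstallDate` branch repeats the pattern from the hunk above: `installtime` stays null when `EEE MMM d HH:mm:ss yyyy` does not match `value`, the TSK_DATETIME attribute is added anyway, and the log call discards `e.getMessage()` because the message has no `{0}` placeholder; skip the attribute when `installtime == null`, build the formatter with `Locale.US`, and log `value` itself. `installdate = value;` looks like a dead assignment now unless the field is read elsewhere, which I cannot see. The WinVersion branch and the enclosing loop start before this hunk.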
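Review bot: `tempdbconnect` is opened on the new line but nothing on this path guarantees it is closed: the per-row `try` only wraps the loop body, so an SQLException from `executeQry` or `temprs.next()` propagates with the SQLite connection still open, and the `closeConnection()` that the next hunk adds after the loop is never reached. The `dbFile.delete()` / `break` lines above suggest the profile database is a temporary copy that is meant to be cleaned up, and a leaked connection keeps that file locked on Windows, so the leak is also a cleanup problem. Wrap the query and loop in try/finally so the connection is released on every path; the enclosing loop over `FFSqlitedb` starts before this hunk.
```java
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
try {
    ResultSet temprs = tempdbconnect.executeQry(ffquery);
    // … unchanged: while (temprs.next()) { … } row loop and temprs.close() …
} finally {
    tempdbconnect.closeConnection();
}
```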
@@ -126,6 +126,7 @@ public class Firefox {
 }
 }
 temprs.close();
+ tempdbconnect.closeConnection();
@@ -225,7 +226,7 @@ public class Firefox {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
- bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", temprs.getString("host")));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.getBaseDomain(temprs.getString("host"))));
 bbart.addAttributes(bbattributes);
 } catch (Exception ex) {
 logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java
index c2c0c773bd..354fc82514 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java
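Review bot: `Util.getBaseDomain(temprs.getString("host"))` now dereferences the cookie host unconditionally (the helper calls `host.indexOf('.')` on it), so a row whose `host` column is NULL throws a NullPointerException that the surrounding `catch (Exception ex)` turns into a WARNING and a dropped cookie artifact, whereas the line above already guards `name` against null. Mirror that guard: read `String host = temprs.getString("host");` once and pass `(host != null) ? Util.getBaseDomain(host) : ""`. Leading-dot hosts such as `.example.com` are reduced correctly by the helper, but multi-label public suffixes are not — `news.bbc.co.uk` becomes `co.uk` — so TSK_DOMAIN values for such sites will collide in reports and filters. The enclosing row loop starts before this hunk.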
@@ -79,21 +79,21 @@ public final class RAImageIngestService implements IngestServiceImage {
 try {
 //do the work
 for(FileSystem img : imageFS )
- try {
- ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
- int artcount = 0;
- while (artset.next()) {
- artcount++;
- }
-
- // artset.beforeFirst();
- if (artcount > 0) {
- } else {
- int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
- }
-
- } catch (Exception e) {
- }
+// try {
+// ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
+// int artcount = 0;
+// while (artset.next()) {
+// artcount++;
+// }
+//
+// // artset.beforeFirst();
+// if (artcount > 0) {
+// } else {
+// int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
+// }
+//
+// } catch (Exception e) {
+// }
 ext.extractToBlackboard(controller, fsIds);
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
index 0d9bc2b17b..28c27199ef 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
@@ -105,6 +105,24 @@ public class Util {
 return rt;
 }
+ public static String getBaseDomain(String url) {
+ String host = url;
+
+ int startIndex = 0;
+ int nextIndex = host.indexOf('.');
+ int lastIndex = host.lastIndexOf('.');
+ while (nextIndex < lastIndex) {
+ startIndex = nextIndex + 1;
+ nextIndex = host.indexOf('.', startIndex);
+ }
+ if (startIndex > 0) {
+ return host.substring(startIndex);
+ } else {
+ return host;
+ }
+}
+
+
 public static String extractDomain(String value) {
 if (value == null) {
 throw new java.lang.NullPointerException("domains to extract");
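Review bot: The `for(FileSystem img : imageFS )` loop has no braces and its body used to be the `try` block that is now commented out, so its body is now the next statement, `ext.extractToBlackboard(controller, fsIds);`, which therefore runs once per file system with the same `fsIds` argument instead of once after the loop — on a multi-partition image every recent-activity artifact is extracted and posted several times (assuming `fsIds` already spans all file systems, which I cannot see from here). Since `img` is unused in both the old and the new code, delete the loop together with the commented block and leave just `ext.extractToBlackboard(controller, fsIds);`; if per-file-system extraction was intended, brace the loop and pass the current file system instead. Commented-out code should be removed rather than kept. The enclosing `try` opens in this hunk but its catch is outside it.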
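Review bot: `getBaseDomain` dereferences `url` without a null check (`host.indexOf('.')`), unlike `extractDomain` directly below it which rejects null explicitly, and its new caller in Firefox.java passes an SQLite column value that can be NULL; add `if (url == null || url.isEmpty()) { return url; }` at the top. The algorithm keeps only the last two labels, so `news.bbc.co.uk` yields `co.uk`, `mail.google.com` yields `google.com`, and an IPv4 literal such as `192.168.1.10` yields `1.10`; without a public-suffix list the first is a known limitation, but the IP case is avoidable with `if (host.matches("[0-9.]+")) { return host; }`. The parameter is named `url` but receives a host name, and the method has no Javadoc: state that it returns the last two dot-separated labels of a host name, returns the input unchanged when it has fewer than two dots, and that country-code second-level domains are collapsed. The closing brace sits at column 0 and two blank lines follow it, unlike the rest of the file.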
diff --git a/Report/src/org/sleuthkit/autopsy/report/ReportConfiguration.java b/Report/src/org/sleuthkit/autopsy/report/ReportConfiguration.java
index 6ca6a47df7..c705b8753f 100644
--- a/Report/src/org/sleuthkit/autopsy/report/ReportConfiguration.java
+++ b/Report/src/org/sleuthkit/autopsy/report/ReportConfiguration.java
@@ -60,8 +60,29 @@ class ReportConfiguration {
 }
 ;
- //setters for generally supported report parts
- public void setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE type, Boolean value) throws ReportModuleException {
+
+ //regets everything that occurs in the constructor normally
+ public void getAllTypes() throws ReportModuleException {
+ config.clear();
+ //now lets get the list from the tsk and current case
+ Case currentCase = Case.getCurrentCase(); // get the most updated case
+ SleuthkitCase skCase = currentCase.getSleuthkitCase();
+ try {
+ ArrayList arttypes = skCase.getBlackboardArtifactTypes();
+ for (BlackboardArtifact.ARTIFACT_TYPE type : arttypes) {
+ config.put(type, Boolean.FALSE);
+ }
+
+ } catch (Exception ex) {
+ logger.log(Level.WARNING, "Error while trying to retrieve list of artifact types from the TSK case .", ex);
+ }
+
+ }
+
+ ;
+
+//setters for generally supported report parts
+public void setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE type, Boolean value) throws ReportModuleException {
 if (config.containsKey(type)) {
 config.put(type, value);
 } else {
diff --git a/Report/src/org/sleuthkit/autopsy/report/reportFilter.java b/Report/src/org/sleuthkit/autopsy/report/reportFilter.java
index e369a4caab..6b5d308baf 100644
--- a/Report/src/org/sleuthkit/autopsy/report/reportFilter.java
+++ b/Report/src/org/sleuthkit/autopsy/report/reportFilter.java
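Review bot: `getAllTypes()` declares `throws ReportModuleException` but its body catches every `Exception` and only logs a WARNING, so the declared exception can never be thrown, the caller's handler is dead code, and on failure `config` has already been cleared and stays empty — the report would silently offer no artifact types. Either drop the `throws` clause or rethrow from the catch (`throw new ReportModuleException("Could not load artifact types", ex);`, if such a constructor exists), and move `Case.getCurrentCase()` / `getSleuthkitCase()` inside the `try`, since they run before it and can fail when no case is open. The name `getAllTypes` for a void method that clears and repopulates state reads as a getter; `reloadArtifactTypes()` says what it does, and its Javadoc should state that every type is reset to `Boolean.FALSE`. The stray `;` after the method body and the `//setters` comment and `setGenArtifactType` signature now at column 0 look like accidental indentation loss, and `ArrayList arttypes` appears raw here, which may be a generic parameter lost in rendering.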
@@ -37,7 +37,7 @@ import org.sleuthkit.datamodel.SleuthkitCase;
 public class reportFilter extends javax.swing.JPanel {
 public static ArrayList filters = new ArrayList();
- public static ReportConfiguration config = new ReportConfiguration();
+ public static ReportConfiguration config = new ReportConfiguration();
 private final Logger logger = Logger.getLogger(this.getClass().getName());
 public final reportFilter panel = this;
 reportPanelAction rpa = new reportPanelAction();
@@ -51,7 +51,13 @@ public class reportFilter extends javax.swing.JPanel {
 public reportFilter() {
 initComponents();
 cancel = false;
-
+ try{
+ config.getAllTypes();
+ }
+ catch(ReportModuleException ex)
+ {
+ Logger.getLogger(report.class.getName()).log(Level.SEVERE, "Exception occurred", ex);
+ }
 }
 /**
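Review bot: Calling `config.getAllTypes()` from the constructor resets a `public static` `ReportConfiguration` shared by every `reportFilter` instance, so constructing a second panel (or re-opening the dialog) wipes to `Boolean.FALSE` whatever artifact selections were made through the first; if a fresh configuration per panel is the intent, make `config` an instance field, otherwise reload it from the code that opens the dialog rather than from the constructor. The catch logs through `Logger.getLogger(report.class.getName())` although this class has its own `logger` field, which is initialised before the constructor body runs; use `logger.log(Level.SEVERE, "Could not load artifact types for the report filter", ex);` so the entry is attributed to the right class and says what failed. The `try{` / `catch(...)` / `{` layout also departs from the brace style of the surrounding lines.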