Merge pull request #7913 from markmckinnon/Prefetch-SRU-Update

Prefetch sru update
2025-07-06 21:00:22 +00:00 · 2024-08-12 14:37:09 -04:00 · 2024-08-12 14:37:09 -04:00 · 5e3464c452
commit 5e3464c452
parent 4df939d448 aa4b5edb11
11 changed files with 19 additions and 30 deletions
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
@ -69,9 +69,7 @@ final class ExtractPrefetch extends Extract {
    private static final String PREFETCH_TSK_COMMENT = "Prefetch File";
    private static final String PREFETCH_FILE_LOCATION = "/windows/prefetch";
    private static final String PREFETCH_TOOL_FOLDER = "markmckinnon"; //NON-NLS
-    private static final String PREFETCH_TOOL_NAME_WINDOWS_64 = "parse_prefetch_x64.exe"; //NON-NLS
-    private static final String PREFETCH_TOOL_NAME_WINDOWS_32 = "parse_prefetch_x32.exe"; //NON-NLS
-    private static final String PREFETCH_TOOL_NAME_MACOS = "parse_prefetch_macos"; //NON-NLS
+    private static final String PREFETCH_TOOL_NAME_WINDOWS = "parse_prefetch.exe"; //NON-NLS
    private static final String PREFETCH_TOOL_NAME_LINUX = "parse_prefetch_linux"; //NON-NLS
    private static final String PREFETCH_OUTPUT_FILE_NAME = "Output.txt"; //NON-NLS
    private static final String PREFETCH_ERROR_FILE_NAME = "Error.txt"; //NON-NLS
@ -178,7 +176,6 @@ final class ExtractPrefetch extends Extract {
                }
            }
        }
-
    }

    /**
@ -219,16 +216,10 @@ final class ExtractPrefetch extends Extract {
    private String getPathForPrefetchDumper() {
        Path path = null;
        if (PlatformUtil.isWindowsOS()) {
-            if (PlatformUtil.is64BitOS()) {
-                path = Paths.get(PREFETCH_TOOL_FOLDER, PREFETCH_TOOL_NAME_WINDOWS_64);
-            } else {
-                path = Paths.get(PREFETCH_TOOL_FOLDER, PREFETCH_TOOL_NAME_WINDOWS_32);
-            }
+            path = Paths.get(PREFETCH_TOOL_FOLDER, PREFETCH_TOOL_NAME_WINDOWS);
        } else {
            if ("Linux".equals(PlatformUtil.getOSName())) {
                path = Paths.get(PREFETCH_TOOL_FOLDER, PREFETCH_TOOL_NAME_LINUX);
-            } else {
-                path = Paths.get(PREFETCH_TOOL_FOLDER, PREFETCH_TOOL_NAME_MACOS);
            }
        }
        File prefetchToolFile = InstalledFileLocator.getDefault().locate(path.toString(),
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSru.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSru.java
@ -62,10 +62,8 @@ final class ExtractSru extends Extract {
    private static final String APPLICATION_USAGE_SOURCE_NAME = "System Resource Usage - Application Usage"; //NON-NLS
    private static final String NETWORK_USAGE_SOURCE_NAME = "System Resource Usage - Network Usage";
    private static final String SRU_TOOL_FOLDER = "markmckinnon"; //NON-NLS
-    private static final String SRU_TOOL_NAME_WINDOWS_32 = "Export_Srudb_32.exe"; //NON-NLS
-    private static final String SRU_TOOL_NAME_WINDOWS_64 = "Export_Srudb_64.exe"; //NON-NLS
+    private static final String SRU_TOOL_NAME_WINDOWS = "Export_Srudb.exe"; //NON-NLS
    private static final String SRU_TOOL_NAME_LINUX = "Export_Srudb_Linux.exe"; //NON-NLS
-    private static final String SRU_TOOL_NAME_MAC = "Export_srudb_macos"; //NON-NLS
    private static final String SRU_OUTPUT_FILE_NAME = "Output.txt"; //NON-NLS
    private static final String SRU_ERROR_FILE_NAME = "Error.txt"; //NON-NLS

@ -239,8 +237,11 @@ final class ExtractSru extends Extract {

        List<String> commandLine = new ArrayList<>();
        commandLine.add(sruExePath);
+        commandLine.add("-sr");
        commandLine.add(sruFile);  //NON-NLS
+        commandLine.add("-s");
        commandLine.add(softwareHiveFile);
+        commandLine.add("-db");
        commandLine.add(tempOutFile);

        ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
@ -253,16 +254,10 @@ final class ExtractSru extends Extract {
    private String getPathForSruDumper() {
        Path path = null;
        if (PlatformUtil.isWindowsOS()) {
-            if (PlatformUtil.is64BitOS()) {
-                path = Paths.get(SRU_TOOL_FOLDER, SRU_TOOL_NAME_WINDOWS_64);
-            } else {
-                path = Paths.get(SRU_TOOL_FOLDER, SRU_TOOL_NAME_WINDOWS_32);
-            }
+            path = Paths.get(SRU_TOOL_FOLDER, SRU_TOOL_NAME_WINDOWS);
        } else {
            if ("Linux".equals(PlatformUtil.getOSName())) {
                path = Paths.get(SRU_TOOL_FOLDER, SRU_TOOL_NAME_LINUX);
-            } else {
-                path = Paths.get(SRU_TOOL_FOLDER, SRU_TOOL_NAME_MAC);
            }
        }
        File sruToolFile = InstalledFileLocator.getDefault().locate(path.toString(),
@ -320,11 +315,13 @@ final class ExtractSru extends Extract {
    }

    private void createNetUsageArtifacts(String sruDb, AbstractFile sruAbstractFile) {
-        List<BlackboardArtifact> bba = new ArrayList<>();
+         List<BlackboardArtifact> bba = new ArrayList<>();

-        String sqlStatement = "SELECT STRFTIME('%s', timestamp) ExecutionTime, a.application_name, b.Application_Name formatted_application_name, User_Name, "
-                + " bytesSent, BytesRecvd FROM network_Usage a, SruDbIdMapTable, exe_to_app b "
-                + " where appId = IdIndex and IdType = 0 and a.application_name = b.source_name order by ExecutionTime;"; //NON-NLS
+        String sqlStatement = "SELECT STRFTIME('%s', timestamp) ExecutionTime, b.application_name, b.Application_Name formatted_application_name, username User_Name, \n" +
+                              "       bytesSent, BytesRecvd \n" +
+                              "  FROM network_Usage a, SruDbIdMapTable s, exe_to_app b, userNames u\n" +
+                              " WHERE s.idType = 0 and s.idIndex = appId and idblob = b.source_name and u.idindex = userid \n" +
+                              " order by ExecutionTime;"; //NON-NLS

        try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", "jdbc:sqlite:" + sruDb); //NON-NLS
                ResultSet resultSet = tempdbconnect.executeQry(sqlStatement)) {
@ -384,9 +381,11 @@ final class ExtractSru extends Extract {
    private void createAppUsageArtifacts(String sruDb, AbstractFile sruAbstractFile) {
        List<BlackboardArtifact> bba = new ArrayList<>();

-        String sqlStatement = "SELECT STRFTIME('%s', timestamp) ExecutionTime, a.application_name, b.Application_Name formatted_application_name, User_Name "
-                + " FROM Application_Resource_Usage a, SruDbIdMapTable, exe_to_app b WHERE "
-                + " idType = 0 and idIndex = appId and a.application_name = b.source_name order by ExecutionTime;"; //NON-NLS
+        String sqlStatement = "SELECT STRFTIME('%s', timestamp) ExecutionTime, b.Application_Name \n" +
+                              "       formatted_application_name, username User_Name \n" +
+                              "  FROM Application_Resource_Usage a, SruDbIdMapTable s, exe_to_app b, userNames u \n" +
+                              " WHERE s.idType = 0 and s.idIndex = appId and idblob = b.source_name and u.idindex = userid \n" +
+                              " order by ExecutionTime;"; //NON-NLS

        try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", "jdbc:sqlite:" + sruDb); //NON-NLS
                ResultSet resultSet = tempdbconnect.executeQry(sqlStatement)) {
@ -398,7 +397,6 @@ final class ExtractSru extends Extract {
                    return;
                }

-                String applicationName = resultSet.getString("Application_Name"); //NON-NLS
                String formattedApplicationName = resultSet.getString("formatted_application_name");
                Long executionTime = Long.valueOf(resultSet.getInt("ExecutionTime")); //NON-NLS
                String userName = resultSet.getString("User_Name");
@ -419,7 +417,7 @@ final class ExtractSru extends Extract {
                try {
                    BlackboardArtifact bbart = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_PROG_RUN, sruAbstractFile, bbattributes);
                    bba.add(bbart);
-                    BlackboardArtifact associateBbArtifact = createAssociatedArtifact(applicationName.toLowerCase(), bbart);
+                    BlackboardArtifact associateBbArtifact = createAssociatedArtifact(formattedApplicationName.toLowerCase(), bbart);
                    if (associateBbArtifact != null) {
                        bba.add(associateBbArtifact);
                    }
--- a/thirdparty/markmckinnon/Export_Srudb_Linux
+++ b/thirdparty/markmckinnon/Export_Srudb_Linux
--- a/thirdparty/markmckinnon/Export_srudb_macos
+++ b/thirdparty/markmckinnon/Export_srudb_macos
--- a/thirdparty/markmckinnon/parse_prefetch_x64.exe
+++ b/thirdparty/markmckinnon/parse_prefetch_x64.exe
--- a/thirdparty/markmckinnon/export_srudb_32.exe
+++ b/thirdparty/markmckinnon/export_srudb_32.exe
--- a/thirdparty/markmckinnon/export_srudb_64.exe
+++ b/thirdparty/markmckinnon/export_srudb_64.exe
--- a/thirdparty/markmckinnon/parse_prefetch.exe
+++ b/thirdparty/markmckinnon/parse_prefetch.exe
--- a/thirdparty/markmckinnon/parse_prefetch_linux
+++ b/thirdparty/markmckinnon/parse_prefetch_linux
--- a/thirdparty/markmckinnon/parse_prefetch_macos
+++ b/thirdparty/markmckinnon/parse_prefetch_macos
--- a/thirdparty/markmckinnon/parse_prefetch_x86.exe
+++ b/thirdparty/markmckinnon/parse_prefetch_x86.exe