Merge pull request #5769 from markmckinnon/6231-Add-TSK_COMMENT-attributes-to-TSK_RECENT_OBJECT-artifacts

6231-Add-TSK_COMMENT-attributes-to-TSK_RECENT_OBJECT-artifacts
Richard Cordovano 2020-04-02 19:24:18 -04:00 committed by GitHub
commit 5e54b8fafc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 62 additions and 35 deletions


@ -1,22 +1,16 @@
cannotBuildXmlParser=Unable to build XML parser:
cannotLoadSEUQA=Unable to load Search Engine URL Query Analyzer settings file, SEUQAMappings.xml:
cannotParseXml=Unable to parse XML file:
Chrome.getBookmark.errMsg.errAnalyzeFile={0}: Error while trying to analyze file: {1}
ChromeCacheExtract_adding_artifacts_msg=Chrome Cache: Adding %d artifacts for analysis.
ChromeCacheExtract_adding_extracted_files_msg=Chrome Cache: Adding %d extracted files for analysis.
ChromeCacheExtract_loading_files_msg=Chrome Cache: Loading files from %s.
ChromeCacheExtractor.moduleName=ChromeCacheExtractor
# {0} - module name
# {1} - row number
# {2} - table length
# {3} - cache path
ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3}
DataSourceUsage_AndroidMedia=Android Media Card
DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card
DataSourceUsage_FlashDrive=Flash Drive
DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
DataSourceUsageAnalyzer.parentModuleName=Recent Activity
Extract.dbConn.errMsg.failedToQueryDb={0}: Failed to query database.
Extract.indexError.message=Failed to index artifact for keyword search.
Extract.noOpenCase.errMsg=No open case available.
ExtractEdge_getHistory_containerFileNotFound=Error while trying to analyze Edge history
@ -25,11 +19,6 @@ ExtractEdge_process_errMsg_errGettingWebCacheFiles=Error trying to retrieving Ed
ExtractEdge_process_errMsg_spartanFail=Failure processing Microsoft Edge spartan.edb file
ExtractEdge_process_errMsg_unableFindESEViewer=Unable to find ESEDatabaseViewer
ExtractEdge_process_errMsg_webcacheFail=Failure processing Microsoft Edge WebCacheV01.dat file
ExtractIE.getBookmark.ere.noSpace=RecentActivity
ExtractIE.getBookmark.errMsg.errPostingBookmarks=Error posting Internet Explorer Bookmark artifacts.
ExtractIE.getCookie.errMsg.errPostingCookies=Error posting Internet Explorer Cookie artifacts.
ExtractIE.getHistory.errMsg.errPostingHistory=Error posting Internet Explorer History artifacts.
Extractor.errPostingArtifacts=Error posting {0} artifacts to the blackboard.
ExtractOs.androidOs.label=Android
ExtractOs.androidVolume.label=OS Drive (Android)
ExtractOs.debianLinuxOs.label=Linux (Debian)
@ -96,7 +85,7 @@ Chrome.getLogin.errMsg.errAnalyzingFiles={0}: Error while trying to analyze file
Chrome.getAutofill.errMsg.errGettingFiles=Error when trying to get Chrome Web Data files.
Chrome.getAutofill.errMsg.errAnalyzingFiles={0}: Error while trying to analyze file:{1}
ExtractIE.moduleName.text=Internet Explorer
ExtractIE.getBookmark.errMsg.errGettingBookmarks=Error getting Internet Explorer Bookmarks.
ExtractIE.getBookmark.errMsg.errGettingBookmarks={0}: Error getting Internet Explorer Bookmarks.
ExtractIE.parentModuleName.noSpace=RecentActivity
ExtractIE.parentModuleName=Recent Activity
ExtractIE.getURLFromIEBmkFile.errMsg={0}: Error parsing IE bookmark File {1}
@ -196,6 +185,14 @@ RecentDocumentsByLnk.getRecDoc.errMsg.errGetLnkFiles={0}: Error getting lnk File
RecentDocumentsByLnk.getRecDoc.errParsingFile={0}: Error parsing Recent File {1}
RecentDocumentsByLnk.parentModuleName.noSpace=RecentActivity
RecentDocumentsByLnk.parentModuleName=Recent Activity
Recently_Used_Artifacts_Adobe=Recently opened according to Adobe MRU
Recently_Used_Artifacts_Applets=Recently opened according to Applets registry key
Recently_Used_Artifacts_ArcHistory=Recently opened by 7Zip
Recently_Used_Artifacts_Mediaplayer=Recently opened according to Media Player MRU
Recently_Used_Artifacts_Mmc=Recently opened according to Windows Management Console MRU
Recently_Used_Artifacts_Office_Trustrecords=Stored in TrustRecords because Office security exception was granted
Recently_Used_Artifacts_Officedocs=Recently opened according to Office MRU
Recently_Used_Artifacts_Winrar=Recently opened according to WinRAR MRU
RegRipperFullNotFound=Full version RegRipper executable not found.
RegRipperNotFound=Autopsy RegRipper executable not found.
SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}.


@ -81,6 +81,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT;
import org.sleuthkit.datamodel.BlackboardAttribute;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED;
@ -103,7 +104,15 @@ import org.sleuthkit.datamodel.TskDataException;
"Progress_Message_Analyze_Registry=Analyzing Registry Files",
"Shellbag_Artifact_Display_Name=Shell Bags",
"Shellbag_Key_Attribute_Display_Name=Key",
"Shellbag_Last_Write_Attribute_Display_Name=Last Write"
"Shellbag_Last_Write_Attribute_Display_Name=Last Write",
"Recently_Used_Artifacts_Office_Trustrecords=Stored in TrustRecords because Office security exception was granted",
"Recently_Used_Artifacts_ArcHistory=Recently opened by 7Zip",
"Recently_Used_Artifacts_Applets=Recently opened according to Applets registry key",
"Recently_Used_Artifacts_Mmc=Recently opened according to Windows Management Console MRU",
"Recently_Used_Artifacts_Winrar=Recently opened according to WinRAR MRU",
"Recently_Used_Artifacts_Officedocs=Recently opened according to Office MRU",
"Recently_Used_Artifacts_Adobe=Recently opened according to Adobe MRU",
"Recently_Used_Artifacts_Mediaplayer=Recently opened according to Media Player MRU"
})
class ExtractRegistry extends Extract {
@ -1197,21 +1206,21 @@ class ExtractRegistry extends Extract {
line = line.trim();
if (line.matches("^adoberdr v.*")) {
parseAdobeMRUList(regFile, reader);
parseAdobeMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Adobe());
} else if (line.matches("^mpmru v.*")) {
parseMediaPlayerMRUList(regFile, reader);
parseMediaPlayerMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Mediaplayer());
} else if (line.matches("^trustrecords v.*")) {
parseTrustrecordsMRUList(regFile, reader);
parseOfficeTrustRecords(regFile, reader, Bundle.Recently_Used_Artifacts_Office_Trustrecords());
} else if (line.matches("^ArcHistory:")) {
parseArchHistoryMRUList(regFile, reader);
parse7ZipMRU(regFile, reader, Bundle.Recently_Used_Artifacts_ArcHistory());
} else if (line.matches("^applets v.*")) {
parseGenericMRUList(regFile, reader);
parseGenericMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Applets());
} else if (line.matches("^mmc v.*")) {
parseGenericMRUList(regFile, reader);
parseGenericMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Mmc());
} else if (line.matches("^winrar v.*")) {
parseWinRARMRUList(regFile, reader);
parseWinRARMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Winrar());
} else if (line.matches("^officedocs2010 v.*")) {
parseOfficeDocs2010MRUList(regFile, reader);
parseOfficeDocs2010MRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Officedocs());
}
line = reader.readLine();
}
@ -1219,15 +1228,17 @@ class ExtractRegistry extends Extract {
}
/**
* Create recently used artifacts from adobemru records
* Create recently used artifacts from adobemru Regripper Plugin records
*
* @param regFile registry file the artifact is associated with
*
* @param reader buffered reader to parse adobemru records
*
* @param comment string that will populate attribute TSK_COMMENT
*
* @throws FileNotFound and IOException
*/
private void parseAdobeMRUList(AbstractFile regFile, BufferedReader reader) throws FileNotFoundException, IOException {
private void parseAdobeMRUList(AbstractFile regFile, BufferedReader reader, String comment) throws FileNotFoundException, IOException {
List<BlackboardArtifact> bbartifacts = new ArrayList<>();
String line = reader.readLine();
SimpleDateFormat adobePluginDateFormat = new SimpleDateFormat("yyyyMMddHHmmssZ", US);
@ -1265,6 +1276,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, getName(), adobeUsedTime));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));
BlackboardArtifact bba = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_RECENT_OBJECT, regFile, attributes);
if(bba != null) {
bbartifacts.add(bba);
@ -1285,15 +1297,17 @@ class ExtractRegistry extends Extract {
}
/**
* Create recently used artifacts to parse the mpmru records
* Create recently used artifacts to parse the Media Player MRU regripper (mpmru) records
*
* @param regFile registry file the artifact is associated with
*
* @param reader buffered reader to parse adobemru records
*
* @param comment string that will populate attribute TSK_COMMENT
*
* @throws FileNotFound and IOException
*/
private void parseMediaPlayerMRUList(AbstractFile regFile, BufferedReader reader) throws FileNotFoundException, IOException {
private void parseMediaPlayerMRUList(AbstractFile regFile, BufferedReader reader, String comment) throws FileNotFoundException, IOException {
List<BlackboardArtifact> bbartifacts = new ArrayList<>();
String line = reader.readLine();
while (!line.contains(SECTION_DIVIDER)) {
@ -1309,6 +1323,7 @@ class ExtractRegistry extends Extract {
String fileName = tokens[1];
Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));
BlackboardArtifact bba = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_RECENT_OBJECT, regFile, attributes);
if(bba != null) {
bbartifacts.add(bba);
@ -1332,15 +1347,17 @@ class ExtractRegistry extends Extract {
}
/**
* Create recently used artifacts to parse the regripper output
* Create recently used artifacts to parse the regripper plugin output, this format is used in several diffent plugins
*
* @param regFile registry file the artifact is associated with
*
* @param reader buffered reader to parse adobemru records
*
* @param comment string that will populate attribute TSK_COMMENT
*
* @throws FileNotFound and IOException
*/
private void parseGenericMRUList(AbstractFile regFile, BufferedReader reader) throws FileNotFoundException, IOException {
private void parseGenericMRUList(AbstractFile regFile, BufferedReader reader, String comment) throws FileNotFoundException, IOException {
List<BlackboardArtifact> bbartifacts = new ArrayList<>();
String line = reader.readLine();
while (!line.contains(SECTION_DIVIDER)) {
@ -1356,6 +1373,7 @@ class ExtractRegistry extends Extract {
String fileName = tokens[1];
Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));
BlackboardArtifact bba = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_RECENT_OBJECT, regFile, attributes);
if(bba != null) {
bbartifacts.add(bba);
@ -1375,15 +1393,17 @@ class ExtractRegistry extends Extract {
}
/**
* Create recently used artifacts to parse the WinRAR output
* Create recently used artifacts to parse the WinRAR Regripper plugin output
*
* @param regFile registry file the artifact is associated with
*
* @param reader buffered reader to parse adobemru records
*
* @param comment string that will populate attribute TSK_COMMENT
*
* @throws FileNotFound and IOException
*/
private void parseWinRARMRUList(AbstractFile regFile, BufferedReader reader) throws FileNotFoundException, IOException {
private void parseWinRARMRUList(AbstractFile regFile, BufferedReader reader, String comment) throws FileNotFoundException, IOException {
List<BlackboardArtifact> bbartifacts = new ArrayList<>();
String line = reader.readLine();
while (!line.contains(SECTION_DIVIDER)) {
@ -1400,6 +1420,7 @@ class ExtractRegistry extends Extract {
String fileName = tokens[1];
Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));
BlackboardArtifact bba = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_RECENT_OBJECT, regFile, attributes);
if(bba != null) {
bbartifacts.add(bba);
@ -1420,15 +1441,17 @@ class ExtractRegistry extends Extract {
}
/**
* Create recently used artifacts to parse the runmru ArcHistory records
* Create recently used artifacts to parse the runmru ArcHistory (7Zip) regripper plugin records
*
* @param regFile registry file the artifact is associated with
*
* @param reader buffered reader to parse adobemru records
*
* @param comment string that will populate attribute TSK_COMMENT
*
* @throws FileNotFound and IOException
*/
private void parseArchHistoryMRUList(AbstractFile regFile, BufferedReader reader) throws FileNotFoundException, IOException {
private void parse7ZipMRU(AbstractFile regFile, BufferedReader reader, String comment) throws FileNotFoundException, IOException {
List<BlackboardArtifact> bbartifacts = new ArrayList<>();
String line = reader.readLine();
line = line.trim();
@ -1439,6 +1462,7 @@ class ExtractRegistry extends Extract {
String fileName = line;
Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getName(), fileName));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));
BlackboardArtifact bba = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_RECENT_OBJECT, regFile, attributes);
if (bba != null) {
bbartifacts.add(bba);
@ -1457,15 +1481,17 @@ class ExtractRegistry extends Extract {
}
/**
* Create recently used artifacts to parse the Office Documents 2010 records
* Create recently used artifacts to parse the Office Documents 2010 records Regripper Plugin output
*
* @param regFile registry file the artifact is associated with
*
* @param reader buffered reader to parse adobemru records
*
* @param comment string that will populate attribute TSK_COMMENT
*
* @throws FileNotFound and IOException
*/
private void parseOfficeDocs2010MRUList(AbstractFile regFile, BufferedReader reader) throws FileNotFoundException, IOException {
private void parseOfficeDocs2010MRUList(AbstractFile regFile, BufferedReader reader, String comment) throws FileNotFoundException, IOException {
List<BlackboardArtifact> bbartifacts = new ArrayList<>();
String line = reader.readLine();
line = line.trim();
@ -1485,6 +1511,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, getName(), docDate));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));
BlackboardArtifact bba = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_RECENT_OBJECT, regFile, attributes);
if(bba != null) {
bbartifacts.add(bba);
@ -1502,15 +1529,17 @@ class ExtractRegistry extends Extract {
}
/**
* Create recently used artifacts to parse the trustrecords records
* Create recently used artifacts to parse the Office trust records (trustrecords) Regipper plugin records
*
* @param regFile registry file the artifact is associated with
*
* @param reader buffered reader to parse adobemru records
*
* @param comment string that will populate attribute TSK_COMMENT
*
* @throws FileNotFound and IOException
*/
private void parseTrustrecordsMRUList(AbstractFile regFile, BufferedReader reader) throws FileNotFoundException, IOException {
private void parseOfficeTrustRecords(AbstractFile regFile, BufferedReader reader, String comment) throws FileNotFoundException, IOException {
String userProfile = regFile.getParentPath();
userProfile = userProfile.substring(0, userProfile.length() - 1);
List<BlackboardArtifact> bbartifacts = new ArrayList<>();
@ -1543,6 +1572,7 @@ class ExtractRegistry extends Extract {
Collection<BlackboardAttribute> attributes = new ArrayList<>();
attributes.add(new BlackboardAttribute(TSK_PATH, getName(), fileName));
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, getName(), usedTime));
attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));
BlackboardArtifact bba = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_RECENT_OBJECT, regFile, attributes);
if(bba != null) {
bbartifacts.add(bba);
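Review bot: The value persisted into TSK_COMMENT by the `attributes.add(new BlackboardAttribute(TSK_COMMENT, getName(), comment));` line added to each helper (last seen in the parseOfficeTrustRecords hunk) comes from `Bundle.Recently_Used_Artifacts_*()`, which presumably resolves through the localized @Messages bundle, so the text written to the case database will vary with the ingest machine's locale and change whenever the wording is edited — any later report filter, keyword query or cross-case correlation on that comment (e.g. matching "TrustRecords") becomes fragile, even though the comment reads like provenance. Consider passing the RegRipper plugin name the dispatch already matches on (`"trustrecords"`, `"adoberdr"`, …) as a stable, locale-independent token, or at least stating in each helper's Javadoc `@param comment human-readable, locale-dependent text; display only, do not match on it`. None of the seven helpers guards the new parameter; a `Objects.requireNonNull(comment, "comment");` at the top of each, or skipping the attribute when `comment.isEmpty()`, avoids persisting a null or empty attribute if a future caller omits it (I have not checked how BlackboardAttribute treats a null string). The Office_Trustrecords wording "because Office security exception was granted" would serve analysts better if it named the action — as I understand it TrustRecords lists documents the user explicitly trusted by enabling editing/content out of Protected View — so something like `"Listed in Office TrustRecords (user enabled editing/content, leaving Protected View)"`, to be confirmed against the plugin's output. parseOfficeTrustRecords' body continues past the end of this hunk.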