Fixed downloads for newest chrome and firefox versions

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java

@@ -62,6 +62,7 @@ public class Chrome extends Extract {
     private static final String cookieQuery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies";
     private static final String bookmarkQuery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id";
     private static final String downloadQuery = "select full_path, url, start_time, received_bytes from downloads";
+    private static final String downloadQueryVersion30 = "SELECT current_path as full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id";
     private static final String loginQuery = "select origin_url, username_value, signon_realm from logins";
     private final Logger logger = Logger.getLogger(this.getClass().getName());
     public int ChromeCount = 0;
@@ -380,6 +381,11 @@ public class Chrome extends Extract {
             }
 
             List<HashMap<String, Object>> tempList = this.dbConnect(temps, downloadQuery);
+            
+            if (tempList.isEmpty()) {
+                tempList = this.dbConnect(temps, downloadQueryVersion30);
+            }
+            
             logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified.");
             for (HashMap<String, Object> result : tempList) {
                 Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java

@@ -57,6 +57,7 @@ public class Firefox extends Extract {
     private static final String cookieQueryV3 = "SELECT name,value,host,expiry,(lastAccessed/1000000) as lastAccessed FROM moz_cookies";
     private static final String bookmarkQuery = "SELECT fk, moz_bookmarks.title, url, (moz_bookmarks.dateAdded/1000000) as dateAdded FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id";
     private static final String downloadQuery = "SELECT target, source,(startTime/1000000) as startTime, maxBytes  FROM moz_downloads";
+    private static final String downloadQueryVersion24 = "SELECT url, content as target, (lastModified/1000000) as lastModified FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND moz_annos.anno_attribute_id = 3";
     
     public int FireFoxCount = 0;
     final public static String MODULE_VERSION = "1.0";
@@ -283,6 +284,11 @@ public class Firefox extends Extract {
             return;
         }
         
+        if (downloadsFiles.isEmpty()) {
+            getDownloadVersion24(dataSource, controller);
+            return;
+        }
+
         int j = 0;
         for (AbstractFile downloadsFile : downloadsFiles) {
             if (downloadsFile.getSize() == 0) {
@@ -305,6 +311,10 @@ public class Firefox extends Extract {
             }
 
             List<HashMap<String, Object>> tempList = this.dbConnect(temps, downloadQuery);
+            if (tempList.isEmpty()) {
+                getDownloadVersion24(dataSource, controller);
+                return;
+            }
             logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified.");
             for (HashMap<String, Object> result : tempList) {
                 
@@ -363,4 +373,65 @@ public class Firefox extends Extract {
     public boolean hasBackgroundJobsRunning() {
         return false;
     }
+
+    private void getDownloadVersion24(Content dataSource, IngestDataSourceWorkerController controller) {
+        FileManager fileManager = currentCase.getServices().getFileManager();
+        List<AbstractFile> downloadsFiles = null;
+        try {
+            downloadsFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox");
+        } catch (TskCoreException ex) {
+            String msg = "Error fetching 'places' files for Firefox.";
+            logger.log(Level.WARNING, msg);
+            this.addErrorMessage(this.getName() + ": " + msg);
+            return;
+        }
+
+        int j = 0;
+        for (AbstractFile downloadsFile : downloadsFiles) {
+            if (downloadsFile.getSize() == 0) {
+                continue;
+            }
+            String fileName = downloadsFile.getName();
+            String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + "-downloads" + j + ".db";
+            int errors = 0;
+            try {
+                ContentUtils.writeToFile(downloadsFile, new File(temps));
+            } catch (IOException ex) {
+                logger.log(Level.SEVERE, "Error writing the sqlite db for firefox download artifacts.{0}", ex);
+                this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
+                continue;
+            }
+            File dbFile = new File(temps);
+            if (controller.isCancelled()) {
+                dbFile.delete();
+                break;
+            }
+
+            List<HashMap<String, Object>> tempList = this.dbConnect(temps, downloadQueryVersion24);
+            logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified.");
+            for (HashMap<String, Object> result : tempList) {
+                
+                Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
+
+                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : "")));
+                //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? EscapeUtil.decodeURL(result.get("source").toString()) : "")));
+                //TODO Revisit usage of deprecated constructor as per TSK-583
+                //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString()))));
+                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", Long.valueOf(result.get("lastModified").toString())));
+                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", ((result.get("target").toString() != null) ? result.get("target").toString().replaceAll("file:///", "") : "")));
+                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
+                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""))));
+                this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
+                
+            }
+            if (errors > 0) {
+                this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web download artifacts.");
+            }
+            j++;
+            dbFile.delete();
+            break;
+        }
+        
+        services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
+    }
 }