mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

merge from develop

Browse Source
This commit is contained in:
Greg DiCristofaro 2023-07-12 16:17:54 -04:00
commit 6473d2c3fa
66 changed files with 907 additions and 1195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
.travis.yml
View File

@ -15,27 +15,50 @@ addons:
apt:
update: true
packages:
- openjdk-17-jdk
- openjdk-17-jre
- build-essential
- autoconf
- libtool
- automake
- git
- zip
- wget
- ant
- libde265-dev
- libheif-dev
- libpq-dev
- testdisk
- libafflib-dev
- libewf-dev
- libpq-dev
- autopoint
- libsqlite3-dev
- ant
- ant-optional
- libcppunit-dev
- wget
- libvhdi-dev
- libvmdk-dev
- libgstreamer1.0-0
- gstreamer1.0-plugins-base
- gstreamer1.0-plugins-good
- gstreamer1.0-plugins-bad
- gstreamer1.0-plugins-ugly
- gstreamer1.0-libav
- gstreamer1.0-tools
- gstreamer1.0-x
- gstreamer1.0-alsa
- gstreamer1.0-gl
- gstreamer1.0-gtk3
- gstreamer1.0-qt5
- gstreamer1.0-pulseaudio
homebrew:
update: true
packages:
- ant
- wget
- libpq
- libewf
- gettext
- cppunit
- openjdk@17
- ant
- automake
- libtool
- afflib
- libewf
- postgresql@15
- testdisk
- libheif
- gstreamer
python:
- 2.7
@ -49,19 +72,11 @@ install:
before_script:
- if [ $TRAVIS_OS_NAME = linux ]; then
wget -q -O - https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo apt-key add -;
echo "deb [arch=amd64] https://apt.bell-sw.com/ stable main" | sudo tee /etc/apt/sources.list.d/bellsoft.list;
sudo apt-get update;
sudo apt-get install bellsoft-java17-full;
export PATH=/usr/bin:$PATH;
export JAVA_HOME=/usr/lib/jvm/bellsoft-java17-full-amd64;
export JAVA_HOME=/usr/lib/jvm/java-1.17.0-openjdk-amd64;
fi
- if [ $TRAVIS_OS_NAME = osx ]; then
brew uninstall java --force --ignore-dependencies;
brew cask uninstall java --force;
brew tap bell-sw/liberica;
brew install --cask liberica-jdk17-full;
export JAVA_HOME=/Library/Java/JavaVirtualMachines/liberica-jdk-17-full.jdk/Contents/Home;
export JAVA_HOME=$(/usr/libexec/java_home -v 17);
fi
- java -version

4
BUILDING.txt
View File

@ -11,9 +11,9 @@ correct C libraries.
STEPS:
1) Get Java Setup
1a) Download and install 64-bit JDK version 17 with JavaFX.
1a) Download and install 64-bit JDK version 17.
Autopsy has been used and tested with liberica java which can be downloaded from here: https://bell-sw.com/pages/downloads/.
Autopsy has been used and tested with java 17 which can be downloaded from here: https://www.oracle.com/java/technologies/downloads/#java17.
1b) Ensure that JDK_HOME is set to the root JDK directory.

47
Core/src/org/sleuthkit/autopsy/casemodule/AutopsyContentProvider.java Normal file
View File

@ -0,0 +1,47 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2023 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.casemodule;
import org.sleuthkit.datamodel.ContentStreamProvider;
/**
* Interface that modules can implement to provide their own The Sleuth Kit
* ContentProvider implementations
*/
public interface AutopsyContentProvider {
/**
* Attempts to create a ContentProvider given the specified args. Returns
* null if arguments are invalid for this custom content provider.
*
* @param args The key value pair of arguments loaded from the .aut xml
* file.
* @return The created content provider or null if arguments are invalid.
*/
ContentStreamProvider load();
/**
* Returns the uniquely identifying name of this FileContentProvider. This
* name will be stored in the .AUT file and used for lookup when the case is
* opened.
*
* @return The unique name.
*/
String getName();
}

53
Core/src/org/sleuthkit/autopsy/casemodule/Case.java
View File

@ -41,7 +41,6 @@ import java.sql.SQLException;
import java.sql.Statement;
import java.text.SimpleDateFormat;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
@ -133,8 +132,6 @@ import org.sleuthkit.autopsy.events.AutopsyEventPublisher;
import org.sleuthkit.autopsy.discovery.ui.OpenDiscoveryAction;
import org.sleuthkit.autopsy.ingest.IngestJob;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService;
import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchServiceException;
import org.sleuthkit.autopsy.machinesettings.UserMachinePreferences;
@ -143,18 +140,14 @@ import org.sleuthkit.autopsy.progress.ModalDialogProgressIndicator;
import org.sleuthkit.autopsy.progress.ProgressIndicator;
import org.sleuthkit.autopsy.timeline.OpenTimelineAction;
import org.sleuthkit.autopsy.timeline.events.TimelineEventAddedEvent;
import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifactTag;
import org.sleuthkit.datamodel.CaseDbConnectionInfo;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentStreamProvider;
import org.sleuthkit.datamodel.ContentTag;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.Host;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.Person;
import org.sleuthkit.datamodel.Report;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TimelineManager;
@ -2078,7 +2071,7 @@ public class Case {
metadata = caseMetaData;
sleuthkitEventListener = new SleuthkitEventListener();
}
/**
* Performs a case action that involves creating or opening a case. If the
* case is a multi-user case, the action is done after acquiring a
@ -2742,10 +2735,18 @@ public class Case {
progressIndicator.progress(Bundle.Case_progressMessage_openingCaseDatabase());
try {
String databaseName = metadata.getCaseDatabaseName();
ContentStreamProvider contentProvider = loadContentProvider(metadata.getContentProviderName());
if (CaseType.SINGLE_USER_CASE == metadata.getCaseType()) {
caseDb = SleuthkitCase.openCase(Paths.get(metadata.getCaseDirectory(), databaseName).toString());
// only prefix with metadata directory if databaseName is a relative path
String fullDatabasePath = (new File(databaseName).isAbsolute())
? databaseName
: Paths.get(metadata.getCaseDirectory(), databaseName).toString();
caseDb = SleuthkitCase.openCase(fullDatabasePath, contentProvider);
} else if (UserPreferences.getIsMultiUserModeEnabled()) {
caseDb = SleuthkitCase.openCase(databaseName, UserPreferences.getDatabaseConnectionInfo(), metadata.getCaseDirectory());
caseDb = SleuthkitCase.openCase(databaseName, UserPreferences.getDatabaseConnectionInfo(), metadata.getCaseDirectory(), contentProvider);
} else {
throw new CaseActionException(Bundle.Case_open_exception_multiUserCaseNotEnabled());
}
@ -2758,6 +2759,36 @@ public class Case {
throw new CaseActionException(Bundle.Case_exceptionMessage_couldNotOpenCaseDatabase(ex.getLocalizedMessage()), ex);
}
}
/**
* Attempts to load a content provider for the provided arguments. Returns
* null if no content provider for the arguments can be identified.
*
* @param providerName The name of the content provider.
* @param args The arguments.
* @return The content provider or null if no content provider can be
* provisioned for the arguments
*/
private static ContentStreamProvider loadContentProvider(String providerName) {
Collection<? extends AutopsyContentProvider> customContentProviders = Lookup.getDefault().lookupAll(AutopsyContentProvider.class);
if (customContentProviders != null) {
for (AutopsyContentProvider customProvider : customContentProviders) {
// ensure the provider matches the name
if (customProvider == null || !StringUtils.equalsIgnoreCase(providerName, customProvider.getName())) {
continue;
}
ContentStreamProvider contentProvider = customProvider.load();
if (contentProvider != null) {
return contentProvider;
}
}
}
return null;
}
/**
* Opens the case-level services: the files manager, tags manager and

62
Core/src/org/sleuthkit/autopsy/casemodule/CaseMetadata.java
View File

@ -29,8 +29,16 @@ import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Map.Entry;
import java.util.stream.Collectors;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@ -42,10 +50,14 @@ import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.openide.util.Lookup;
import org.sleuthkit.autopsy.coreutils.Version;
import org.sleuthkit.autopsy.coreutils.XMLUtil;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
@ -103,13 +115,21 @@ public final class CaseMetadata {
private static final String SCHEMA_VERSION_FIVE = "5.0";
private final static String ORIGINAL_CASE_ELEMENT_NAME = "OriginalCase"; //NON-NLS
/*
* Fields from schema version 6
*/
private static final String SCHEMA_VERSION_SIX = "6.0";
private final static String CONTENT_PROVIDER_ELEMENT_NAME = "ContentProvider";
private final static String CONTENT_PROVIDER_NAME_ELEMENT_NAME = "Name";
private final static String CONTENT_PROVIDER_ARG_DEFAULT_KEY = "DEFAULT";
/*
* Unread fields, regenerated on save.
*/
private final static String MODIFIED_DATE_ELEMENT_NAME = "ModifiedDate"; //NON-NLS
private final static String AUTOPSY_SAVED_BY_ELEMENT_NAME = "SavedByAutopsyVersion"; //NON-NLS
private final static String CURRENT_SCHEMA_VERSION = SCHEMA_VERSION_FIVE;
private final static String CURRENT_SCHEMA_VERSION = SCHEMA_VERSION_SIX;
private final Path metadataFilePath;
private Case.CaseType caseType;
@ -121,6 +141,7 @@ public final class CaseMetadata {
private String createdDate;
private String createdByVersion;
private CaseMetadata originalMetadata = null; // For portable cases
private String contentProviderName;
/**
* Gets the file extension used for case metadata files.
@ -176,6 +197,7 @@ public final class CaseMetadata {
createdByVersion = Version.getVersion();
createdDate = CaseMetadata.DATE_FORMAT.format(new Date());
this.originalMetadata = originalMetadata;
this.contentProviderName = originalMetadata == null ? null : originalMetadata.contentProviderName;
}
/**
@ -213,6 +235,14 @@ public final class CaseMetadata {
return null;
}
/**
* @return The custom provider name for content byte data or null if no
* custom provider.
*/
public String getContentProviderName() {
return this.contentProviderName;
}
/**
* Gets the full path to the case metadata file.
*
@ -458,6 +488,15 @@ public final class CaseMetadata {
Element caseElement = doc.createElement(CASE_ELEMENT_NAME);
rootElement.appendChild(caseElement);
Element contentProviderEl = doc.createElement(CONTENT_PROVIDER_ELEMENT_NAME);
rootElement.appendChild(contentProviderEl);
Element contentProviderNameEl = doc.createElement(CONTENT_PROVIDER_NAME_ELEMENT_NAME);
if (this.contentProviderName != null) {
contentProviderNameEl.setTextContent(this.contentProviderName);
}
contentProviderEl.appendChild(contentProviderNameEl);
/*
* Create the children of the case element.
*/
@ -543,7 +582,15 @@ public final class CaseMetadata {
} else {
this.createdByVersion = getElementTextContent(rootElement, AUTOPSY_CREATED_BY_ELEMENT_NAME, true);
}
Element contentProviderEl = getChildElOrNull(rootElement, CONTENT_PROVIDER_ELEMENT_NAME);
if (contentProviderEl != null) {
Element contentProviderNameEl = getChildElOrNull(contentProviderEl, CONTENT_PROVIDER_NAME_ELEMENT_NAME);
this.contentProviderName = contentProviderNameEl != null ? contentProviderNameEl.getTextContent() : null;
} else {
this.contentProviderName = null;
}
/*
* Get the content of the children of the case element.
*/
@ -614,7 +661,16 @@ public final class CaseMetadata {
throw new CaseMetadataException(String.format("Error reading from case metadata file %s", metadataFilePath), ex);
}
}
private Element getChildElOrNull(Element parent, String childTag) {
NodeList nl = parent.getElementsByTagName(childTag);
if (nl != null && nl.getLength() > 0 && nl.item(0) instanceof Element) {
return (Element) nl.item(0);
} else {
return null;
}
}
/**
* Gets the text content of an XML element.
*

49
Core/src/org/sleuthkit/autopsy/contentviewers/artifactviewers/DefaultTableArtifactContentViewer.java
View File

@ -348,9 +348,8 @@ public class DefaultTableArtifactContentViewer extends AbstractArtifactDetailsPa
case JSON:
// Get the attribute's JSON value and convert to indented multiline display string
String jsonVal = attr.getValueString();
JsonObject json = JsonParser.parseString(jsonVal).getAsJsonObject();
value = toJsonDisplayString(json, "");
JsonElement jsonEl = JsonParser.parseString(jsonVal);
value = toJsonDisplayString(jsonEl, "");
break;
case STRING:
@ -411,19 +410,43 @@ public class DefaultTableArtifactContentViewer extends AbstractArtifactDetailsPa
* @return A multi-line display string.
*/
private String toJsonDisplayString(JsonElement element, String startIndent) {
if (element == null || element.isJsonNull()) {
return "";
} else if (element.isJsonPrimitive()) {
return element.getAsString();
} else if (element.isJsonObject()) {
StringBuilder sb = new StringBuilder("");
JsonObject obj = element.getAsJsonObject();
StringBuilder sb = new StringBuilder("");
JsonObject obj = element.getAsJsonObject();
for (Map.Entry<String, JsonElement> entry : obj.entrySet()) {
appendJsonElementToString(entry.getKey(), entry.getValue(), startIndent, sb);
}
for (Map.Entry<String, JsonElement> entry : obj.entrySet()) {
appendJsonElementToString(entry.getKey(), entry.getValue(), startIndent, sb);
String returnString = sb.toString();
if (startIndent.length() == 0 && returnString.startsWith(NEW_LINE)) {
returnString = returnString.substring(NEW_LINE.length());
}
return returnString;
} else if (element.isJsonArray()) {
StringBuilder sb = new StringBuilder("");
JsonArray jsonArray = element.getAsJsonArray();
if (jsonArray.size() > 0) {
int count = 1;
for (JsonElement arrayMember : jsonArray) {
sb.append(NEW_LINE).append(String.format("%s%d", startIndent, count));
sb.append(toJsonDisplayString(arrayMember, startIndent.concat(INDENT_RIGHT)));
count++;
}
}
String returnString = sb.toString();
if (startIndent.length() == 0 && returnString.startsWith(NEW_LINE)) {
returnString = returnString.substring(NEW_LINE.length());
}
return returnString;
} else {
return "";
}
String returnString = sb.toString();
if (startIndent.length() == 0 && returnString.startsWith(NEW_LINE)) {
returnString = returnString.substring(NEW_LINE.length());
}
return returnString;
}
/**

4
Core/src/org/sleuthkit/autopsy/coreutils/ImageUtils.java
View File

@ -126,9 +126,9 @@ public class ImageUtils {
if (OpenCvLoader.openCvIsLoaded()) {
try {
if (System.getProperty("os.arch").equals("amd64") || System.getProperty("os.arch").equals("x86_64")) { //NON-NLS
System.loadLibrary("opencv_ffmpeg248_64"); //NON-NLS
System.loadLibrary("opencv_ffmpeg2413_64"); //NON-NLS
} else {
System.loadLibrary("opencv_ffmpeg248"); //NON-NLS
System.loadLibrary("opencv_ffmpeg2413"); //NON-NLS
}
tempFfmpegLoaded = true;
} catch (UnsatisfiedLinkError e) {

6
Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java
View File

@ -143,14 +143,16 @@ public final class AutopsyTreeChildFactory extends ChildFactory.Detachable<Objec
// either way, add in reports node
nodes.add(new Reports());
} else {
SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase();
// data source by type view
nodes = Arrays.asList(
new DataSourcesByType(),
new Views(Case.getCurrentCaseThrows().getSleuthkitCase()),
new Views(skCase),
new DataArtifacts(),
new AnalysisResults(),
new OsAccounts(Case.getCurrentCaseThrows().getSleuthkitCase()),
new OsAccounts(skCase),
new Tags(),
new ScoreContent(skCase),
new Reports()
);
}

9
Core/src/org/sleuthkit/autopsy/datamodel/DataSourceGroupingNode.java
View File

@ -29,6 +29,7 @@ import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LocalFilesDataSource;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
* Data source grouping node - an optional grouping node in the data tree view
@ -74,13 +75,15 @@ class DataSourceGroupingNode extends DisplayableItemNode {
long dsObjId = dataSource.getId();
try {
SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase();
return new RootContentChildren(Arrays.asList(
new DataSources(dsObjId),
new Views(Case.getCurrentCaseThrows().getSleuthkitCase(), dsObjId),
new Views(skCase, dsObjId),
new DataArtifacts(dsObjId),
new AnalysisResults(dsObjId),
new OsAccounts(Case.getCurrentCaseThrows().getSleuthkitCase(), dsObjId),
new Tags(dsObjId)
new OsAccounts(skCase, dsObjId),
new Tags(dsObjId),
new ScoreContent(skCase, dsObjId)
));
} catch (NoCurrentCaseException ex) {

308
Core/src/org/sleuthkit/autopsy/datamodel/ScoreContent.java
View File

@ -20,33 +20,46 @@ package org.sleuthkit.autopsy.datamodel;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.sql.SQLException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.atomic.AtomicReference;
import java.util.logging.Level;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.openide.nodes.AbstractNode;
import org.openide.nodes.ChildFactory;
import org.openide.nodes.Children;
import org.openide.nodes.Node;
import org.openide.nodes.Sheet;
import org.openide.util.NbBundle;
import org.openide.util.NbBundle.Messages;
import org.openide.util.WeakListeners;
import org.openide.util.lookup.Lookups;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.TimeZoneUtils;
import static org.sleuthkit.autopsy.datamodel.AbstractContentNode.NO_DESCR;
import org.sleuthkit.autopsy.guiutils.RefreshThrottler;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent;
import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.Category;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentVisitor;
import org.sleuthkit.datamodel.DerivedFile;
@ -110,6 +123,7 @@ public class ScoreContent implements AutopsyVisitableItem {
/**
* Constructor assuming no data source filtering.
*
* @param skCase The sleuthkit case.
*/
public ScoreContent(SleuthkitCase skCase) {
@ -118,6 +132,7 @@ public class ScoreContent implements AutopsyVisitableItem {
/**
* Constructor.
*
* @param skCase The sleuthkit case.
* @param dsObjId The data source object id to filter on if > 0.
*/
@ -153,11 +168,17 @@ public class ScoreContent implements AutopsyVisitableItem {
Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED,
Case.Events.BLACKBOARD_ARTIFACT_TAG_DELETED
);
private static final Set<String> CASE_EVENTS_OF_INTEREST_STRS = CASE_EVENTS_OF_INTEREST.stream()
.map(evt -> evt.name())
.collect(Collectors.toSet());
private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);
private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestModuleEvent.CONTENT_CHANGED);
/**
* Returns a property change listener listening for possible updates to aggregate score updates for files.
* Returns a property change listener listening for possible updates to
* aggregate score updates for files.
*
* @param onRefresh Action on refresh.
* @param onRemove Action to remove listener (i.e. case close).
* @return The property change listener.
@ -182,7 +203,7 @@ public class ScoreContent implements AutopsyVisitableItem {
if (evt.getNewValue() == null && onRemove != null) {
onRemove.run();
}
} else if (CASE_EVENTS_OF_INTEREST.contains(eventType)) {
} else if (CASE_EVENTS_OF_INTEREST_STRS.contains(eventType)) {
// only refresh if there is a current case.
try {
Case.getCurrentCaseThrows();
@ -199,34 +220,61 @@ public class ScoreContent implements AutopsyVisitableItem {
}
/**
* The sql where statement for the files.
* The sql where statement for the content.
*
* @param filter The filter type.
* @param objIdAlias The alias for the object id of the content. Must be sql
* safe.
* @param dsIdAlias The alias for the data source id. Must be sql safe.
* @param filteringDSObjId The data source object id to filter on if > 0.
* @return The sql where statement.
* @throws IllegalArgumentException
*/
private static String getFilter(ScoreContent.ScoreContentFilter filter, String objIdAlias, String dsIdAlias, long filteringDSObjId) throws IllegalArgumentException {
String aggregateScoreFilter = getScoreFilter(filter);
String query = " " + objIdAlias + " IN (SELECT tsk_aggregate_score.obj_id FROM tsk_aggregate_score WHERE " + aggregateScoreFilter + ") ";
if (filteringDSObjId > 0) {
query += " AND " + dsIdAlias + " = " + filteringDSObjId;
}
return query;
}
private static String getScoreFilter(ScoreContentFilter filter) throws IllegalArgumentException {
switch (filter) {
case SUS_ITEM_FILTER:
return " tsk_aggregate_score.significance = " + Significance.LIKELY_NOTABLE.getId()
+ " AND (tsk_aggregate_score.priority = " + Priority.NORMAL.getId() + " OR tsk_aggregate_score.priority = " + Priority.OVERRIDE.getId() + " )";
case BAD_ITEM_FILTER:
return " tsk_aggregate_score.significance = " + Significance.NOTABLE.getId()
+ " AND (tsk_aggregate_score.priority = " + Priority.NORMAL.getId() + " OR tsk_aggregate_score.priority = " + Priority.OVERRIDE.getId() + " )";
default:
throw new IllegalArgumentException(MessageFormat.format("Unsupported filter type to get suspect content: {0}", filter));
}
}
/**
* Returns a sql where statement for files.
*
* @param filter The filter type.
* @param filteringDSObjId The data source object id to filter on if > 0.
* @return The sql where statement.
* @throws IllegalArgumentException
* @throws IllegalArgumentException
*/
static private String getFileFilter(ScoreContent.ScoreContentFilter filter, long filteringDSObjId) throws IllegalArgumentException {
String aggregateScoreFilter = "";
switch (filter) {
case SUS_ITEM_FILTER:
aggregateScoreFilter = " tsk_aggregate_score.significance = " + Significance.LIKELY_NOTABLE.getId() + " AND (tsk_aggregate_score.priority = " + Priority.NORMAL.getId() + " OR tsk_aggregate_score.priority = " + Priority.OVERRIDE.getId() + " )";
private static String getFileFilter(ScoreContent.ScoreContentFilter filter, long filteringDsObjId) throws IllegalArgumentException {
return getFilter(filter, "obj_id", "data_source_obj_id", filteringDsObjId);
}
break;
case BAD_ITEM_FILTER:
aggregateScoreFilter = " tsk_aggregate_score.significance = " + Significance.NOTABLE.getId() + " AND (tsk_aggregate_score.priority = " + Priority.NORMAL.getId() + " OR tsk_aggregate_score.priority = " + Priority.OVERRIDE.getId() + " )";
break;
default:
throw new IllegalArgumentException(MessageFormat.format("Unsupported filter type to get suspect content: {0}", filter));
}
String query = " obj_id IN (SELECT tsk_aggregate_score.obj_id FROM tsk_aggregate_score WHERE " + aggregateScoreFilter + ") ";
if (filteringDSObjId > 0) {
query += " AND data_source_obj_id = " + filteringDSObjId;
}
return query;
/**
* Returns a sql where statement for files.
*
* @param filter The filter type.
* @param filteringDSObjId The data source object id to filter on if > 0.
* @return The sql where statement.
* @throws IllegalArgumentException
*/
private static String getDataArtifactFilter(ScoreContent.ScoreContentFilter filter, long filteringDsObjId) throws IllegalArgumentException {
return getFilter(filter, "artifacts.artifact_obj_id", "artifacts.data_source_obj_id", filteringDsObjId);
}
/**
@ -424,7 +472,34 @@ public class ScoreContent implements AutopsyVisitableItem {
* @return
*/
private static long calculateItems(SleuthkitCase sleuthkitCase, ScoreContent.ScoreContentFilter filter, long datasourceObjId) throws TskCoreException {
return sleuthkitCase.countFilesWhere(getFileFilter(filter, datasourceObjId));
AtomicLong retVal = new AtomicLong(0L);
AtomicReference<SQLException> exRef = new AtomicReference(null);
String query = " COUNT(tsk_aggregate_score.obj_id) AS count FROM tsk_aggregate_score WHERE\n"
+ getScoreFilter(filter) + "\n"
+ ((datasourceObjId > 0) ? "AND tsk_aggregate_score.data_source_obj_id = \n" + datasourceObjId : "")
+ " AND tsk_aggregate_score.obj_id IN\n"
+ " (SELECT tsk_files.obj_id AS obj_id FROM tsk_files UNION\n"
+ " SELECT blackboard_artifacts.artifact_obj_id AS obj_id FROM blackboard_artifacts WHERE blackboard_artifacts.artifact_type_id IN\n"
+ " (SELECT artifact_type_id FROM blackboard_artifact_types WHERE category_type = " + Category.DATA_ARTIFACT.getID() + ")) ";
sleuthkitCase.getCaseDbAccessManager().select(query, (rs) -> {
try {
if (rs.next()) {
retVal.set(rs.getLong("count"));
}
} catch (SQLException ex) {
exRef.set(ex);
}
});
SQLException sqlEx = exRef.get();
if (sqlEx != null) {
throw new TskCoreException(
MessageFormat.format("A sql exception occurred fetching results with query: SELECT {0}", query),
sqlEx);
} else {
return retVal.get();
}
}
@Override
@ -466,7 +541,7 @@ public class ScoreContent implements AutopsyVisitableItem {
/**
* Children showing files for a score filter.
*/
static class ScoreContentChildren extends BaseChildFactory<AbstractFile> implements RefreshThrottler.Refresher {
static class ScoreContentChildren extends BaseChildFactory<Content> implements RefreshThrottler.Refresher {
private final RefreshThrottler refreshThrottler = new RefreshThrottler(this);
@ -515,15 +590,21 @@ public class ScoreContent implements AutopsyVisitableItem {
return ScoreContent.isRefreshRequired(evt);
}
private List<AbstractFile> runFsQuery() {
List<AbstractFile> ret = new ArrayList<>();
private List<Content> runFsQuery() {
List<Content> ret = new ArrayList<>();
String query = null;
String fileFilter = null;
String dataArtifactFilter = null;
try {
query = getFileFilter(filter, datasourceObjId);
ret = skCase.findAllFilesWhere(query);
fileFilter = getFileFilter(filter, datasourceObjId);
dataArtifactFilter = getDataArtifactFilter(filter, datasourceObjId);
ret.addAll(skCase.findAllFilesWhere(fileFilter));
ret.addAll(skCase.getBlackboard().getDataArtifactsWhere(dataArtifactFilter));
} catch (TskCoreException | IllegalArgumentException e) {
logger.log(Level.SEVERE, "Error getting files for the deleted content view using: " + StringUtils.defaultString(query, "<null>"), e); //NON-NLS
logger.log(Level.SEVERE, MessageFormat.format(
"Error getting files for the deleted content view using file filter: {0} data artifact filter: {1}",
StringUtils.defaultString(fileFilter, "<null>"),
StringUtils.defaultString(dataArtifactFilter, "<null>")), e); //NON-NLS
}
return ret;
@ -531,66 +612,201 @@ public class ScoreContent implements AutopsyVisitableItem {
}
@Override
protected List<AbstractFile> makeKeys() {
protected List<Content> makeKeys() {
return runFsQuery();
}
@Override
protected Node createNodeForKey(AbstractFile key) {
protected Node createNodeForKey(Content key) {
return key.accept(new ContentVisitor.Default<AbstractNode>() {
public FileNode visit(AbstractFile f) {
return new FileNode(f, false);
return new ScoreFileNode(f, false);
}
public FileNode visit(FsContent f) {
return new FileNode(f, false);
return new ScoreFileNode(f, false);
}
@Override
public FileNode visit(LayoutFile f) {
return new FileNode(f, false);
return new ScoreFileNode(f, false);
}
@Override
public FileNode visit(File f) {
return new FileNode(f, false);
return new ScoreFileNode(f, false);
}
@Override
public FileNode visit(Directory f) {
return new FileNode(f, false);
return new ScoreFileNode(f, false);
}
@Override
public FileNode visit(VirtualDirectory f) {
return new FileNode(f, false);
return new ScoreFileNode(f, false);
}
@Override
public AbstractNode visit(SlackFile sf) {
return new FileNode(sf, false);
return new ScoreFileNode(sf, false);
}
@Override
public AbstractNode visit(LocalFile lf) {
return new FileNode(lf, false);
return new ScoreFileNode(lf, false);
}
@Override
public AbstractNode visit(DerivedFile df) {
return new FileNode(df, false);
return new ScoreFileNode(df, false);
}
@Override
public AbstractNode visit(BlackboardArtifact ba) {
return new ScoreArtifactNode(ba);
}
@Override
protected AbstractNode defaultVisit(Content di) {
if (di instanceof AbstractFile) {
return visit((AbstractFile) di);
} else {
throw new UnsupportedOperationException("Not supported for this type of Displayable Item: " + di.toString());
throw new UnsupportedOperationException("Not supported for this type of Displayable Item: " + di.toString());
}
}
});
}
}
}
private static final String SOURCE_PROP = "Source";
private static final String TYPE_PROP = "Type";
private static final String PATH_PROP = "Path";
private static final String DATE_PROP = "Created Date";
private static Sheet createScoreSheet(String type, String path, Long time) {
Sheet sheet = new Sheet();
Sheet.Set sheetSet = Sheet.createPropertiesSet();
sheet.put(sheetSet);
List<NodeProperty<?>> properties = new ArrayList<>();
properties.add(new NodeProperty<>(
SOURCE_PROP,
SOURCE_PROP,
NO_DESCR,
StringUtils.defaultString(path)));
properties.add(new NodeProperty<>(
TYPE_PROP,
TYPE_PROP,
NO_DESCR,
type));
if (StringUtils.isNotBlank(path)) {
properties.add(new NodeProperty<>(
PATH_PROP,
PATH_PROP,
NO_DESCR,
path));
}
if (time != null && time > 0) {
properties.add(new NodeProperty<>(
DATE_PROP,
DATE_PROP,
NO_DESCR,
TimeZoneUtils.getFormattedTime(time)));
}
properties.forEach((property) -> {
sheetSet.put(property);
});
return sheet;
}
public static class ScoreArtifactNode extends BlackboardArtifactNode {
private static final Logger logger = Logger.getLogger(ScoreArtifactNode.class.getName());
private static final List<BlackboardAttribute.Type> TIME_ATTRS = Arrays.asList(
BlackboardAttribute.Type.TSK_DATETIME,
BlackboardAttribute.Type.TSK_DATETIME_ACCESSED,
BlackboardAttribute.Type.TSK_DATETIME_RCVD,
BlackboardAttribute.Type.TSK_DATETIME_SENT,
BlackboardAttribute.Type.TSK_DATETIME_CREATED,
BlackboardAttribute.Type.TSK_DATETIME_MODIFIED,
BlackboardAttribute.Type.TSK_DATETIME_START,
BlackboardAttribute.Type.TSK_DATETIME_END,
BlackboardAttribute.Type.TSK_DATETIME_DELETED,
BlackboardAttribute.Type.TSK_DATETIME_PASSWORD_RESET,
BlackboardAttribute.Type.TSK_DATETIME_PASSWORD_FAIL
);
private static final Map<Integer, Integer> TIME_ATTR_IMPORTANCE = IntStream.range(0, TIME_ATTRS.size())
.mapToObj(idx -> Pair.of(TIME_ATTRS.get(idx).getTypeID(), idx))
.collect(Collectors.toMap(Entry::getKey, Entry::getValue, (v1, v2) -> v1));
public ScoreArtifactNode(BlackboardArtifact artifact) {
super(artifact);
}
private Long getTime(BlackboardArtifact artifact) {
try {
BlackboardAttribute timeAttr = artifact.getAttributes().stream()
.filter((attr) -> TIME_ATTR_IMPORTANCE.keySet().contains(attr.getAttributeType().getTypeID()))
.sorted(Comparator.comparing(attr -> TIME_ATTR_IMPORTANCE.get(attr.getAttributeType().getTypeID())))
.findFirst()
.orElse(null);
if (timeAttr != null) {
return timeAttr.getValueLong();
} else {
return (artifact.getParent() instanceof AbstractFile) ? ((AbstractFile) artifact.getParent()).getCtime() : null;
}
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "An exception occurred while fetching time for artifact", ex);
return null;
}
}
@Override
protected synchronized Sheet createSheet() {
try {
return createScoreSheet(
this.content.getType().getDisplayName(),
this.content.getUniquePath(),
getTime(this.content)
);
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "An error occurred while fetching sheet data for score artifact.", ex);
return new Sheet();
}
}
}
@Messages("ScoreContent_ScoreFileNode_type=File")
public static class ScoreFileNode extends FileNode {
private static final Logger logger = Logger.getLogger(ScoreFileNode.class.getName());
public ScoreFileNode(AbstractFile af, boolean directoryBrowseMode) {
super(af, directoryBrowseMode);
}
@Override
protected synchronized Sheet createSheet() {
try {
return createScoreSheet(
Bundle.ScoreContent_ScoreFileNode_type(),
this.content.getUniquePath(),
this.content.getCtime()
);
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "An error occurred while fetching sheet data for score file.", ex);
return new Sheet();
}
}
}
}

3
Core/src/org/sleuthkit/autopsy/datamodel/ViewsNode.java
View File

@ -46,8 +46,7 @@ public class ViewsNode extends DisplayableItemNode {
// add it back in if we can filter the results to a more managable size.
// new RecentFiles(sleuthkitCase),
new DeletedContent(sleuthkitCase, dsObjId),
new FileSize(sleuthkitCase, dsObjId),
new ScoreContent(sleuthkitCase, dsObjId))
new FileSize(sleuthkitCase, dsObjId))
),
Lookups.singleton(NAME)
);

7
Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ALeappAnalyzerIngestModule.java
View File

@ -289,12 +289,13 @@ public class ALeappAnalyzerIngestModule implements DataSourceIngestModule {
private ProcessBuilder buildaLeappCommand(Path moduleOutputPath, String sourceFilePath, String aLeappFileSystemType) {
ProcessBuilder processBuilder = buildProcessWithRunAsInvoker(
"\"" + aLeappExecutable + "\"", //NON-NLS
aLeappExecutable.getAbsolutePath(), //NON-NLS
"-t", aLeappFileSystemType, //NON-NLS
"-i", sourceFilePath, //NON-NLS
"-o", moduleOutputPath.toString(),
"-w"
);
processBuilder.directory(moduleOutputPath.toFile());
processBuilder.redirectError(moduleOutputPath.resolve("aLeapp_err.txt").toFile()); //NON-NLS
processBuilder.redirectOutput(moduleOutputPath.resolve("aLeapp_out.txt").toFile()); //NON-NLS
return processBuilder;
@ -303,9 +304,11 @@ public class ALeappAnalyzerIngestModule implements DataSourceIngestModule {
private ProcessBuilder buildaLeappListCommand(Path moduleOutputPath) {
ProcessBuilder processBuilder = buildProcessWithRunAsInvoker(
"\"" + aLeappExecutable + "\"", //NON-NLS
aLeappExecutable.getAbsolutePath(), //NON-NLS
"-p"
);
// leapp process creates a text file in addition to outputting to stdout.
processBuilder.directory(moduleOutputPath.toFile());
processBuilder.redirectError(moduleOutputPath.resolve("aLeapp_paths_error.txt").toFile()); //NON-NLS
processBuilder.redirectOutput(moduleOutputPath.resolve("aLeapp_paths.txt").toFile()); //NON-NLS
return processBuilder;

7
Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ILeappAnalyzerIngestModule.java
View File

@ -289,11 +289,12 @@ public class ILeappAnalyzerIngestModule implements DataSourceIngestModule {
private ProcessBuilder buildiLeappCommand(Path moduleOutputPath, String sourceFilePath, String iLeappFileSystemType) {
ProcessBuilder processBuilder = buildProcessWithRunAsInvoker(
"\"" + iLeappExecutable + "\"", //NON-NLS
iLeappExecutable.getAbsolutePath(), //NON-NLS
"-t", iLeappFileSystemType, //NON-NLS
"-i", sourceFilePath, //NON-NLS
"-o", moduleOutputPath.toString()
);
processBuilder.directory(moduleOutputPath.toFile());
processBuilder.redirectError(moduleOutputPath.resolve("iLeapp_err.txt").toFile()); //NON-NLS
processBuilder.redirectOutput(moduleOutputPath.resolve("iLeapp_out.txt").toFile()); //NON-NLS
return processBuilder;
@ -309,9 +310,11 @@ public class ILeappAnalyzerIngestModule implements DataSourceIngestModule {
private ProcessBuilder buildiLeappListCommand(Path moduleOutputPath) {
ProcessBuilder processBuilder = buildProcessWithRunAsInvoker(
"\"" + iLeappExecutable + "\"", //NON-NLS
iLeappExecutable.getAbsolutePath(), //NON-NLS
"-p"
);
// leapp process also outputs a file to the working directory in addition to stdout.
processBuilder.directory(moduleOutputPath.toFile());
processBuilder.redirectError(moduleOutputPath.resolve("iLeapp_paths_error.txt").toFile()); //NON-NLS
processBuilder.redirectOutput(moduleOutputPath.resolve("iLeapp_paths.txt").toFile()); //NON-NLS
return processBuilder;

51
CoreLibs/ivy.xml
View File

@ -1,11 +1,58 @@
<ivy-module version="2.0">
<!DOCTYPE ivy-module [
<!ENTITY javafx.version "17.0.7">
]>
<ivy-module version="2.0" xmlns:e="http://ant.apache.org/ivy/extra">
<info organisation="org.sleuthkit.autopsy" module="corelibs"/>
<configurations >
<!-- module dependencies -->
<conf name="autopsy_core"/>
</configurations>
<dependencies>
<dependencies>
<dependency conf="autopsy_core->default" org="org.openjfx" name="javafx-fxml" rev="&javafx.version;">
<artifact name="javafx-fxml" type="jar" />
<artifact name="javafx-fxml" type="jar" e:classifier="win"/>
<artifact name="javafx-fxml" type="jar" e:classifier="mac"/>
<artifact name="javafx-fxml" type="jar" e:classifier="linux"/>
</dependency>
<dependency conf="autopsy_core->default" org="org.openjfx" name="javafx-graphics" rev="&javafx.version;">
<artifact name="javafx-graphics" type="jar" />
<artifact name="javafx-graphics" type="jar" e:classifier="win"/>
<artifact name="javafx-graphics" type="jar" e:classifier="mac"/>
<artifact name="javafx-graphics" type="jar" e:classifier="linux"/>
</dependency>
<dependency conf="autopsy_core->default" org="org.openjfx" name="javafx-controls" rev="&javafx.version;">
<artifact name="javafx-controls" type="jar" />
<artifact name="javafx-controls" type="jar" e:classifier="win"/>
<artifact name="javafx-controls" type="jar" e:classifier="mac"/>
<artifact name="javafx-controls" type="jar" e:classifier="linux"/>
</dependency>
<dependency conf="autopsy_core->default" org="org.openjfx" name="javafx-base" rev="&javafx.version;">
<artifact name="javafx-base" type="jar" />
<artifact name="javafx-base" type="jar" e:classifier="win"/>
<artifact name="javafx-base" type="jar" e:classifier="mac"/>
<artifact name="javafx-base" type="jar" e:classifier="linux"/>
</dependency>
<dependency conf="autopsy_core->default" org="org.openjfx" name="javafx-swing" rev="&javafx.version;" >
<artifact name="javafx-swing" type="jar" />
<artifact name="javafx-swing" type="jar" e:classifier="win"/>
<artifact name="javafx-swing" type="jar" e:classifier="mac"/>
<artifact name="javafx-swing" type="jar" e:classifier="linux"/>
</dependency>
<dependency conf="autopsy_core->default" org="org.openjfx" name="javafx-web" rev="&javafx.version;" >
<artifact name="javafx-web" type="jar" />
<artifact name="javafx-web" type="jar" e:classifier="win"/>
<artifact name="javafx-web" type="jar" e:classifier="mac"/>
<artifact name="javafx-web" type="jar" e:classifier="linux"/>
</dependency>
<dependency conf="autopsy_core->default" org="org.openjfx" name="javafx-media" rev="&javafx.version;">
<artifact name="javafx-media" type="jar" />
<artifact name="javafx-media" type="jar" e:classifier="win"/>
<artifact name="javafx-media" type="jar" e:classifier="mac"/>
<artifact name="javafx-media" type="jar" e:classifier="linux"/>
</dependency>
<dependency conf="autopsy_core->default" org="org.apache.ant" name="ant-launcher" rev="1.10.12"/>
<dependency conf="autopsy_core->default" org="org.apache.ant" name="ant" rev="1.10.12"/>

31
CoreLibs/nbproject/project.properties
View File

@ -26,6 +26,7 @@ file.reference.commons-text-1.10.0.jar=release/modules/ext/commons-text-1.10.0.j
file.reference.commons-validator-1.7.jar=release/modules/ext/commons-validator-1.7.jar
file.reference.compiler-0.9.10.jar=release/modules/ext/compiler-0.9.10.jar
file.reference.conscrypt-openjdk-uber-2.5.1.jar=release/modules/ext/conscrypt-openjdk-uber-2.5.1.jar
file.reference.controlsfx-11.1.2-sources.jar=release/modules/ext/controlsfx-11.1.2-sources.jar
file.reference.controlsfx-11.1.2.jar=release/modules/ext/controlsfx-11.1.2.jar
file.reference.dd-plist-1.23.jar=release/modules/ext/dd-plist-1.23.jar
file.reference.error_prone_annotations-2.11.0.jar=release/modules/ext/error_prone_annotations-2.11.0.jar
@ -83,6 +84,34 @@ file.reference.jackson-annotations-2.15.2.jar=release/modules/ext/jackson-annota
file.reference.jackson-core-2.15.2.jar=release/modules/ext/jackson-core-2.15.2.jar
file.reference.jackson-databind-2.15.2.jar=release/modules/ext/jackson-databind-2.15.2.jar
file.reference.jackson-dataformat-csv-2.15.2.jar=release/modules/ext/jackson-dataformat-csv-2.15.2.jar
file.reference.javafx-base-17.0.7-linux.jar=release/modules/ext/javafx-base-17.0.7-linux.jar
file.reference.javafx-base-17.0.7-mac.jar=release/modules/ext/javafx-base-17.0.7-mac.jar
file.reference.javafx-base-17.0.7-win.jar=release/modules/ext/javafx-base-17.0.7-win.jar
file.reference.javafx-base-17.0.7.jar=release/modules/ext/javafx-base-17.0.7.jar
file.reference.javafx-controls-17.0.7-linux.jar=release/modules/ext/javafx-controls-17.0.7-linux.jar
file.reference.javafx-controls-17.0.7-mac.jar=release/modules/ext/javafx-controls-17.0.7-mac.jar
file.reference.javafx-controls-17.0.7-win.jar=release/modules/ext/javafx-controls-17.0.7-win.jar
file.reference.javafx-controls-17.0.7.jar=release/modules/ext/javafx-controls-17.0.7.jar
file.reference.javafx-fxml-17.0.7-linux.jar=release/modules/ext/javafx-fxml-17.0.7-linux.jar
file.reference.javafx-fxml-17.0.7-mac.jar=release/modules/ext/javafx-fxml-17.0.7-mac.jar
file.reference.javafx-fxml-17.0.7-win.jar=release/modules/ext/javafx-fxml-17.0.7-win.jar
file.reference.javafx-fxml-17.0.7.jar=release/modules/ext/javafx-fxml-17.0.7.jar
file.reference.javafx-graphics-17.0.7-linux.jar=release/modules/ext/javafx-graphics-17.0.7-linux.jar
file.reference.javafx-graphics-17.0.7-mac.jar=release/modules/ext/javafx-graphics-17.0.7-mac.jar
file.reference.javafx-graphics-17.0.7-win.jar=release/modules/ext/javafx-graphics-17.0.7-win.jar
file.reference.javafx-graphics-17.0.7.jar=release/modules/ext/javafx-graphics-17.0.7.jar
file.reference.javafx-media-17.0.7-linux.jar=release/modules/ext/javafx-media-17.0.7-linux.jar
file.reference.javafx-media-17.0.7-mac.jar=release/modules/ext/javafx-media-17.0.7-mac.jar
file.reference.javafx-media-17.0.7-win.jar=release/modules/ext/javafx-media-17.0.7-win.jar
file.reference.javafx-media-17.0.7.jar=release/modules/ext/javafx-media-17.0.7.jar
file.reference.javafx-swing-17.0.7-linux.jar=release/modules/ext/javafx-swing-17.0.7-linux.jar
file.reference.javafx-swing-17.0.7-mac.jar=release/modules/ext/javafx-swing-17.0.7-mac.jar
file.reference.javafx-swing-17.0.7-win.jar=release/modules/ext/javafx-swing-17.0.7-win.jar
file.reference.javafx-swing-17.0.7.jar=release/modules/ext/javafx-swing-17.0.7.jar
file.reference.javafx-web-17.0.7-linux.jar=release/modules/ext/javafx-web-17.0.7-linux.jar
file.reference.javafx-web-17.0.7-mac.jar=release/modules/ext/javafx-web-17.0.7-mac.jar
file.reference.javafx-web-17.0.7-win.jar=release/modules/ext/javafx-web-17.0.7-win.jar
file.reference.javafx-web-17.0.7.jar=release/modules/ext/javafx-web-17.0.7.jar
file.reference.javax.annotation-api-1.3.2.jar=release/modules/ext/javax.annotation-api-1.3.2.jar
file.reference.jericho-html-3.4.jar=release/modules/ext/jericho-html-3.4.jar
file.reference.jfxtras-common-17-r1.jar=release/modules/ext/jfxtras-common-17-r1.jar
@ -99,7 +128,7 @@ file.reference.log4j-core-2.17.2.jar=release/modules/ext/log4j-core-2.17.2.jar
file.reference.opencensus-api-0.31.0.jar=release/modules/ext/opencensus-api-0.31.0.jar
file.reference.opencensus-contrib-http-util-0.31.0.jar=release/modules/ext/opencensus-contrib-http-util-0.31.0.jar
file.reference.opencensus-proto-0.2.0.jar=release/modules/ext/opencensus-proto-0.2.0.jar
file.reference.opencv-248.jar=release/modules/ext/opencv-248.jar
file.reference.opencv-2413.jar=release/modules/ext/opencv-2413.jar
file.reference.perfmark-api-0.23.0.jar=release/modules/ext/perfmark-api-0.23.0.jar
file.reference.proto-google-cloud-translate-v3-2.1.11.jar=release/modules/ext/proto-google-cloud-translate-v3-2.1.11.jar
file.reference.proto-google-cloud-translate-v3beta1-0.83.11.jar=release/modules/ext/proto-google-cloud-translate-v3beta1-0.83.11.jar

236
CoreLibs/nbproject/project.xml
View File

@ -199,6 +199,83 @@
<package>com.google.type</package>
<package>com.microsoft.schemas.vml</package>
<package>com.microsoft.schemas.vml.impl</package>
<package>com.sun.javafx</package>
<package>com.sun.javafx.animation</package>
<package>com.sun.javafx.application</package>
<package>com.sun.javafx.beans</package>
<package>com.sun.javafx.beans.event</package>
<package>com.sun.javafx.binding</package>
<package>com.sun.javafx.charts</package>
<package>com.sun.javafx.collections</package>
<package>com.sun.javafx.css</package>
<package>com.sun.javafx.css.parser</package>
<package>com.sun.javafx.cursor</package>
<package>com.sun.javafx.effect</package>
<package>com.sun.javafx.embed</package>
<package>com.sun.javafx.embed.swing</package>
<package>com.sun.javafx.embed.swing.newimpl</package>
<package>com.sun.javafx.event</package>
<package>com.sun.javafx.font</package>
<package>com.sun.javafx.font.coretext</package>
<package>com.sun.javafx.font.directwrite</package>
<package>com.sun.javafx.font.freetype</package>
<package>com.sun.javafx.fxml</package>
<package>com.sun.javafx.fxml.builder</package>
<package>com.sun.javafx.fxml.builder.web</package>
<package>com.sun.javafx.fxml.expression</package>
<package>com.sun.javafx.geom</package>
<package>com.sun.javafx.geom.transform</package>
<package>com.sun.javafx.geometry</package>
<package>com.sun.javafx.iio</package>
<package>com.sun.javafx.iio.bmp</package>
<package>com.sun.javafx.iio.common</package>
<package>com.sun.javafx.iio.gif</package>
<package>com.sun.javafx.iio.ios</package>
<package>com.sun.javafx.iio.jpeg</package>
<package>com.sun.javafx.iio.png</package>
<package>com.sun.javafx.image</package>
<package>com.sun.javafx.image.impl</package>
<package>com.sun.javafx.logging</package>
<package>com.sun.javafx.logging.jfr</package>
<package>com.sun.javafx.media</package>
<package>com.sun.javafx.menu</package>
<package>com.sun.javafx.perf</package>
<package>com.sun.javafx.print</package>
<package>com.sun.javafx.property</package>
<package>com.sun.javafx.property.adapter</package>
<package>com.sun.javafx.reflect</package>
<package>com.sun.javafx.runtime</package>
<package>com.sun.javafx.runtime.async</package>
<package>com.sun.javafx.runtime.eula</package>
<package>com.sun.javafx.scene</package>
<package>com.sun.javafx.scene.canvas</package>
<package>com.sun.javafx.scene.control</package>
<package>com.sun.javafx.scene.control.behavior</package>
<package>com.sun.javafx.scene.control.inputmap</package>
<package>com.sun.javafx.scene.control.skin</package>
<package>com.sun.javafx.scene.control.skin.resources</package>
<package>com.sun.javafx.scene.input</package>
<package>com.sun.javafx.scene.layout</package>
<package>com.sun.javafx.scene.layout.region</package>
<package>com.sun.javafx.scene.media</package>
<package>com.sun.javafx.scene.paint</package>
<package>com.sun.javafx.scene.shape</package>
<package>com.sun.javafx.scene.text</package>
<package>com.sun.javafx.scene.transform</package>
<package>com.sun.javafx.scene.traversal</package>
<package>com.sun.javafx.scene.web</package>
<package>com.sun.javafx.scene.web.behavior</package>
<package>com.sun.javafx.sg.prism</package>
<package>com.sun.javafx.sg.prism.web</package>
<package>com.sun.javafx.stage</package>
<package>com.sun.javafx.text</package>
<package>com.sun.javafx.tk</package>
<package>com.sun.javafx.tk.quantum</package>
<package>com.sun.javafx.util</package>
<package>com.sun.javafx.webkit</package>
<package>com.sun.javafx.webkit.prism</package>
<package>com.sun.javafx.webkit.prism.theme</package>
<package>com.sun.javafx.webkit.theme</package>
<package>com.sun.jna</package>
<package>com.sun.jna.platform</package>
<package>com.sun.jna.platform.dnd</package>
@ -208,6 +285,7 @@
<package>com.sun.jna.platform.wince</package>
<package>com.sun.jna.ptr</package>
<package>com.sun.jna.win32</package>
<package>com.sun.scenario.animation</package>
<package>com.twelvemonkeys.image</package>
<package>com.twelvemonkeys.imageio</package>
<package>com.twelvemonkeys.imageio.color</package>
@ -246,6 +324,44 @@
<package>javax.annotation</package>
<package>javax.annotation.concurrent</package>
<package>javax.annotation.meta</package>
<package>javafx.animation</package>
<package>javafx.application</package>
<package>javafx.beans</package>
<package>javafx.beans.binding</package>
<package>javafx.beans.property</package>
<package>javafx.beans.property.adapter</package>
<package>javafx.beans.value</package>
<package>javafx.collections</package>
<package>javafx.collections.transformation</package>
<package>javafx.concurrent</package>
<package>javafx.css</package>
<package>javafx.css.converter</package>
<package>javafx.embed.swing</package>
<package>javafx.event</package>
<package>javafx.fxml</package>
<package>javafx.geometry</package>
<package>javafx.graphics</package>
<package>javafx.print</package>
<package>javafx.scene</package>
<package>javafx.scene.canvas</package>
<package>javafx.scene.chart</package>
<package>javafx.scene.control</package>
<package>javafx.scene.control.cell</package>
<package>javafx.scene.control.skin</package>
<package>javafx.scene.effect</package>
<package>javafx.scene.image</package>
<package>javafx.scene.input</package>
<package>javafx.scene.layout</package>
<package>javafx.scene.media</package>
<package>javafx.scene.paint</package>
<package>javafx.scene.robot</package>
<package>javafx.scene.shape</package>
<package>javafx.scene.text</package>
<package>javafx.scene.transform</package>
<package>javafx.scene.web</package>
<package>javafx.stage</package>
<package>javafx.util</package>
<package>javafx.util.converter</package>
<package>javax.jms</package>
<package>javax.mail</package>
<package>javax.mail.event</package>
@ -583,6 +699,10 @@
<runtime-relative-path>ext/conscrypt-openjdk-uber-2.5.1.jar</runtime-relative-path>
<binary-origin>release/modules/ext/conscrypt-openjdk-uber-2.5.1.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/controlsfx-11.1.2-sources.jar</runtime-relative-path>
<binary-origin>release/modules/ext/controlsfx-11.1.2-sources.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/controlsfx-11.1.2.jar</runtime-relative-path>
<binary-origin>release/modules/ext/controlsfx-11.1.2.jar</binary-origin>
@ -811,6 +931,118 @@
<runtime-relative-path>ext/jackson-dataformat-csv-2.15.2.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jackson-dataformat-csv-2.15.2.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-base-17.0.7-linux.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-base-17.0.7-linux.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-base-17.0.7-mac.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-base-17.0.7-mac.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-base-17.0.7-win.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-base-17.0.7-win.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-base-17.0.7.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-base-17.0.7.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-controls-17.0.7-linux.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-controls-17.0.7-linux.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-controls-17.0.7-mac.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-controls-17.0.7-mac.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-controls-17.0.7-win.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-controls-17.0.7-win.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-controls-17.0.7.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-controls-17.0.7.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-fxml-17.0.7-linux.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-fxml-17.0.7-linux.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-fxml-17.0.7-mac.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-fxml-17.0.7-mac.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-fxml-17.0.7-win.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-fxml-17.0.7-win.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-fxml-17.0.7.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-fxml-17.0.7.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-graphics-17.0.7-linux.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-graphics-17.0.7-linux.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-graphics-17.0.7-mac.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-graphics-17.0.7-mac.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-graphics-17.0.7-win.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-graphics-17.0.7-win.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-graphics-17.0.7.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-graphics-17.0.7.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-media-17.0.7-linux.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-media-17.0.7-linux.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-media-17.0.7-mac.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-media-17.0.7-mac.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-media-17.0.7-win.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-media-17.0.7-win.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-media-17.0.7.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-media-17.0.7.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-swing-17.0.7-linux.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-swing-17.0.7-linux.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-swing-17.0.7-mac.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-swing-17.0.7-mac.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-swing-17.0.7-win.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-swing-17.0.7-win.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-swing-17.0.7.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-swing-17.0.7.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-web-17.0.7-linux.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-web-17.0.7-linux.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-web-17.0.7-mac.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-web-17.0.7-mac.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-web-17.0.7-win.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-web-17.0.7-win.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javafx-web-17.0.7.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javafx-web-17.0.7.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/javax.annotation-api-1.3.2.jar</runtime-relative-path>
<binary-origin>release/modules/ext/javax.annotation-api-1.3.2.jar</binary-origin>
@ -876,8 +1108,8 @@
<binary-origin>release/modules/ext/opencensus-proto-0.2.0.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/opencv-248.jar</runtime-relative-path>
<binary-origin>release/modules/ext/opencv-248.jar</binary-origin>
<runtime-relative-path>ext/opencv-2413.jar</runtime-relative-path>
<binary-origin>release/modules/ext/opencv-2413.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/perfmark-api-0.23.0.jar</runtime-relative-path>

2
KeywordSearch/solr/bin/autopsy-solr.cmd
View File

@ -1,4 +1,4 @@
@REM set JAVA_HOME=C:\Program Files\BellSoft\LibericaJDK-17-Full
@REM set JAVA_HOME=C:\Program Files\Java\jdk-17
@REM set SOLR_SERVER_DIR=C:\Bitnami\solr-8.2.0-2/apache-solr/server
set SOLR_PORT=8983
set STOP_PORT=8079

2
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties
View File

@ -85,6 +85,8 @@ KeywordSearchFilterNode.getFileActions.searchSameMd5=Search for files with the s
KeywordSearchFilterNode.getFileActions.viewInNewWinActionLbl=View in New Window
KeywordSearchIngestModule.init.noKwInLstMsg=No keywords in keyword list.
KeywordSearchIngestModule.init.onlyIdxKwSkipMsg=Only indexing will be done and keyword search will be skipped (you can still add keyword lists using the Keyword Lists - Add to Ingest).
KeywordSearchIngestModule.init.SolrIndexingDisabled=Solr indexing is disabled.
KeywordSearchIngestModule.init.indexingDisabled=Text indexing is disabled. See user manual section "Limitations of Ad Hoc Keyword Search" for details.
KeywordSearchIngestModule.doInBackGround.displayName=Periodic Keyword Search
KeywordSearchIngestModule.doInBackGround.finalizeMsg=Finalizing
KeywordSearchIngestModule.doInBackGround.pendingMsg=(Pending)

2
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED
View File

@ -137,6 +137,8 @@ KeywordSearchFilterNode.getFileActions.searchSameMd5=Search for files with the s
KeywordSearchFilterNode.getFileActions.viewInNewWinActionLbl=View in New Window
KeywordSearchIngestModule.init.noKwInLstMsg=No keywords in keyword list.
KeywordSearchIngestModule.init.onlyIdxKwSkipMsg=Only indexing will be done and keyword search will be skipped (you can still add keyword lists using the Keyword Lists - Add to Ingest).
KeywordSearchIngestModule.init.SolrIndexingDisabled=Solr indexing is disabled.
KeywordSearchIngestModule.init.indexingDisabled=Text indexing is disabled. See user manual section "Limitations of Ad Hoc Keyword Search" for details.
KeywordSearchIngestModule.doInBackGround.displayName=Periodic Keyword Search
KeywordSearchIngestModule.doInBackGround.finalizeMsg=Finalizing
KeywordSearchIngestModule.doInBackGround.pendingMsg=(Pending)

12
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java
View File

@ -318,9 +318,15 @@ public final class KeywordSearchIngestModule implements FileIngestModule {
break;
}
}
if (!hasKeywordsForSearch) {
services.postMessage(IngestMessage.createWarningMessage(KeywordSearchModuleFactory.getModuleName(), NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.init.noKwInLstMsg"),
NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.init.onlyIdxKwSkipMsg")));
if (!settings.isIndexToSolrEnabled()) {
services.postMessage(IngestMessage.createWarningMessage(KeywordSearchModuleFactory.getModuleName(), NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.init.SolrIndexingDisabled"),
NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.init.indexingDisabled")));
} else {
if (!hasKeywordsForSearch) {
services.postMessage(IngestMessage.createWarningMessage(KeywordSearchModuleFactory.getModuleName(), NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.init.noKwInLstMsg"),
NbBundle.getMessage(this.getClass(), "KeywordSearchIngestModule.init.onlyIdxKwSkipMsg")));
}
}
}
}

4
README.txt
View File

@ -43,8 +43,8 @@ This section lists the software components and libraries that are used by
Autopsy. These tools are bundled with the Windows installer, unless specified otherwise.
JRE (Java Runtime Environment) 17
- Web page: https://bell-sw.com/pages/downloads/
- License: https://bell-sw.com/liberica_eula/
- Web page: https://www.oracle.com/java/technologies/downloads/#java17
- License: https://www.oracle.com/a/tech/docs/jdk17-lium.pdf
Netbeans 15 RCP platform and .jar files bundled with the platform
- Web page: https://netbeans.apache.org/

10
Running_Linux_OSX.md
View File

@ -9,11 +9,11 @@ When installing on Debian-based Linux or macOS systems, there are three general
# Installing The Sleuth Kit
- **Linux**: Download the .deb file for the release you want to install from the [release section](https://github.com/sleuthkit/sleuthkit/releases). Install The Sleuth Kit package from the repositories with the following command: `sudo apt update && sudo apt install /path/to/sleuthkit-version.deb`.
- **macOS**: Ensure that for this session, your `JAVA_HOME` variable is set to the java 17 installation by running `export JAVA_HOME=$(/usr/libexec/java_home -v 17)/bin/java`. Then, install The Sleuth Kit from source by running [`linux_macos_install_scripts/install_tsk_from_src.sh`](./linux_macos_install_scripts/install_tsk_from_src.sh), which will download, build, and install The Sleuth Kit. It can be run as follows: `install_tsk_from_src.sh -p ~/src/sleuthkit -b sleuthkit-4.11.1`. Make sure that your path to download source ends with "sleuthkit" as the last directory, and the release is the corresponding tag in the [repository](https://github.com/sleuthkit/sleuthkit).
- **macOS**: Ensure that for this session, your `JAVA_HOME` variable is set to the java 17 installation by running `export JAVA_HOME=$(/usr/libexec/java_home -v 17)`. Then, install The Sleuth Kit from source by running [`linux_macos_install_scripts/install_tsk_from_src.sh`](./linux_macos_install_scripts/install_tsk_from_src.sh), which will download, build, and install The Sleuth Kit. It can be run as follows: `install_tsk_from_src.sh -p ~/src/sleuthkit -b sleuthkit-4.11.1`. Make sure that your path to download source ends with "sleuthkit" as the last directory, and the release is the corresponding tag in the [repository](https://github.com/sleuthkit/sleuthkit).
# Installing Autopsy
- Download the Autopsy zip file from [repository releases](https://github.com/sleuthkit/autopsy/releases). The file will be marked as "autopsy-&lt;release&gt;.zip" (i.e. "autopsy-4.19.2.zip").
- Run [`install_application.sh`](./linux_macos_install_scripts/install_application.sh) with the following parameters: `install_application.sh [-z zip_path] [-i install_directory] [-j java_home]`. An example would be `install_application.sh -z ~/Downloads/autopsy-4.19.2.zip -i ~/autopsy -j /usr/lib/jvm/bellsoft-java17-full-amd64`. The path to the Java 17 home is the last output from the [prequisites installation scripts](#installing-prerequisites), but typically, the path will be `/usr/lib/jvm/bellsoft-java17-full-amd64` on Debian-based Linux or the output of running `/usr/libexec/java_home -v 17` on macOS.
- Run [`install_application.sh`](./linux_macos_install_scripts/install_application.sh) with the following parameters: `install_application.sh [-z zip_path] [-i install_directory] [-j java_home]`. An example would be `install_application.sh -z ~/Downloads/autopsy-4.19.2.zip -i ~/autopsy -j /usr/lib/jvm/java-1.17.0-openjdk-amd64`. The path to the Java 17 home is the last output from the [prequisites installation scripts](#installing-prerequisites), but typically, the path will be in the result of running `update-java-alternatives -l | grep java-1.17` on Debian-based Linux or the output of running `/usr/libexec/java_home -v 17` on macOS.
# Setup macOS JNA paths
If you are on macOS, run [linux_macos_install_scripts/add_macos_jna.sh](./linux_macos_install_scripts/add_macos_jna.sh) to properly setup the jna path to get things like gstreamer working. An example would be `add_macos_jna.sh -i ~/autopsy`.
@ -26,9 +26,9 @@ If you are on macOS, run [linux_macos_install_scripts/add_macos_jna.sh](./linux_
the wrong version of Java is being used to run Autopsy.
Check the version of Java reported in the `messages.log` file in the log directory. The log directory can be found by opening Autopsy, and, with no cases open, go to 'Help' > 'Open Log Folder'. `messages.log` should contain lines that looks like:
```
Java; VM; Vendor = 17.0.7; OpenJDK 64-Bit Server VM 17.0.7+7-LTS; BellSoft
Runtime = OpenJDK Runtime Environment 17.0.7+7-LTS
Java Home = /usr/lib/jvm/bellsoft-java17-full-amd64
Java; VM; Vendor = 17.0.7; OpenJDK 64-Bit Server VM 17.0.7+7-Ubuntu-0ubuntu122.04.2; Private Build
Runtime = OpenJDK Runtime Environment 17.0.7+7-Ubuntu-0ubuntu122.04.2
Java Home = /usr/lib/jvm/java-17-openjdk-amd64
```
If your `messages.log` file indicates that Java 17 is not being used:

5
appveyor.yml
View File

@ -11,14 +11,13 @@ platform: x64
environment:
global:
TSK_HOME: "C:\\sleuthkit"
JDK_HOME: C:\Program Files\BellSoft\LibericaJDK-17-Full
JAVA_HOME: C:\Program Files\BellSoft\LibericaJDK-17-Full
JDK_HOME: C:\Program Files\Java\jdk17
JAVA_HOME: C:\Program Files\Java\jdk17
PYTHON: "C:\\Python36-x64"
install:
- ps: choco install nuget.commandline
- ps: choco install ant --ignore-dependencies
- ps: choco install liberica17jdkfull --force
- git clone https://github.com/sleuthkit/sleuthkit
- ps: $env:Path="$($env:JAVA_HOME)\bin;$($env:Path);C:\ProgramData\chocolatey\lib\ant"
- set PATH=C:\Python36-x64\';%PATH%

46
build-windows-installer.xml
View File

@ -27,19 +27,6 @@
<echo message="32-bit JRE not found. No 32-bit installer will be built. Set the JRE_HOME_32 environment variable to generate a 32-bit installer."/>
</else>
</if> -->
<condition property="jre.home.64">
<isset property="env.JRE_HOME_64"/>
</condition>
<if>
<isset property="jre.home.64" />
<then>
<echo message="64-bit JRE found, 64-bit installer will be built."/>
</then>
<else>
<echo message="64-bit JRE not found. No 64-bit installer will be built. Set the JRE_HOME_64 environment variable to generate a 64-bit installer."/>
</else>
</if>
<property name="lib-rel-path" value="${app.name}\modules\lib" />
<!-- where libs are in build folder; forward slashes because not used directly by advanced installer -->
@ -100,14 +87,27 @@
<target name="copyJRE" description="Copy a given JRE to the installation folder">
<var name="new-jre-path" value="${inst-path}\jre"/>
<delete failonerror="false" dir="${new-jre-path}"/>
<mkdir dir="${new-jre-path}"/>
<copy todir="${new-jre-path}" overwrite="true">
<fileset dir="${jre-path}">
<include name="**/*"/>
</fileset>
</copy>
<property environment="env"/>
<if>
<isset property="env.JDK_HOME" />
<then>
<echo message="JDK found at: ${env.JDK_HOME}."/>
</then>
<else>
<fail message="Environment variable, JDK_HOME, not set. Cannot build installer."/>
</else>
</if>
<exec executable="${env.JDK_HOME}/bin/jlink" dir="${inst-path}">
<arg value="--add-modules"/>
<arg value="ALL-MODULE-PATH"/>
<arg value="--output"/>
<arg value="jre"/>
<arg value="--no-man-pages"/>
<arg value="--no-header-files"/>
<arg value="--compress=2"/>
</exec>
</target>
@ -140,7 +140,7 @@
<target name="build64" if="jre.home.64" description="Builds the 64 bit installer IF JRE_HOME_64 is set.">
<target name="build64" description="Builds the 64 bit installer IF JRE_HOME_64 is set.">
<property environment="env"/>
<var name="aip-path" value="${aip-path-64}"/>
@ -178,7 +178,7 @@
<target name="update-config" description="Updates configuration file with correct JVM args.">
<property name="inst.property.file" value="${inst-path}/etc/${app.name}.conf" />
<!-- Sets Java 17 JVM parameters -->
<var name="jvm.args" value="&quot;--branding ${app.name} -J-Xms24m -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED&quot;" />
<var name="jvm.args" value="&quot;--branding ${app.name} -J-Xms24m -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.lang=ALL-UNNAMED -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED&quot;" />
<propertyfile file="${inst.property.file}">
<entry key="default_options" value="@JVM_OPTIONS" />
<!-- Update configuration file to include runtime -->

2
build.xml
View File

@ -148,7 +148,7 @@
</copy>
<property name="app.property.file" value="${zip-tmp}/${app.name}/etc/${app.name}.conf" />
<var name="jvm-value" value="--branding ${app.name} -J-Xms24m -J-Xmx4G -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED"/>
<var name="jvm-value" value="--branding ${app.name} -J-Xms24m -J-Xmx4G -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.lang=ALL-UNNAMED -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED"/>
<!-- for Japanese localized version add option: -Duser.language=ja -->

2
developers/envvarsetup.py
View File

@ -34,7 +34,7 @@ open_jdk_64_home is the 64 bit jdk and is the assumed default
source_base_path is the directory containing all necessary repos (i.e. autopsy, sleuthkit, etc.)
open_jdk_32_home and postgres_32_home are only necessary if building binaries
'''
open_jdk_64_home = "C:\\Program Files\\BellSoft\\LibericaJDK-17-Full"
open_jdk_64_home = "C:\\Program Files\\Java\\jdk-17"
postgres_home = "C:\\Program Files\\PostgreSQL\\9.5"
ant_home = "C:\\Program Files\\NetBeans-17\\netbeans\\extide\\ant"
open_jdk_home = open_jdk_64_home

4
docs/doxygen-dev/Doxyfile
View File

@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy Developer Documentation"
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = 4.19.3
PROJECT_NUMBER = 4.20.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@ -1025,7 +1025,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_OUTPUT = 4.19.3
HTML_OUTPUT = 4.20.0
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).

4
docs/doxygen-user/Doxyfile
View File

@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy User Documentation"
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = 4.19.3
PROJECT_NUMBER = 4.20.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@ -1025,7 +1025,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_OUTPUT = 4.19.3
HTML_OUTPUT = 4.20.0
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).

5
docs/doxygen-user/data_sources.dox
View File

@ -103,7 +103,8 @@ To add a local drive:
You can add files or folders that are on your local computer (or on a shared drive) without putting them into a disk image. This is useful if you have only a collection of files that you want to analyze.
Some things to note when doing this:
- Autopsy ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device.
- Autopsy by default ignores the time stamps on files that it adds this way because they could be the timestamps when they were copied onto your examination device.
- You do have the option to have time stamps added on files by checking the timestamps you want, these time stamps are taken from the examination device. Directories will not have time stamps.
- If you have a USB-attached device that you are analyzing and you choose to add the device's contents using this method, then note that it will not look at unallocated space or deleted files. Autopsy will only be able to see the allocated files. You should add the device as a "Logical Drive" to analyze the unallocated space.
- You can modify the name of the Logical File Set from the default LogicalFileSet# by clicking the "Change" button as shown in the screenshot below:
@ -114,6 +115,8 @@ To add logical files:
-# Leave the top combo box on "Local files and folders"
-# Press the "Add" button and navigate to a folder or file to add. Choosing a folder will cause all of its contents (including sub-folders) to be added.
-# Continue to press "Add" until all files and folders have been selected.
-# If you want any of the files to be added with time stamps from the file system then check the box associated with the timestamp you would like associaed with the file.
-# If a file or directory was mistakenly added then highlight it and press the "Delete" button to remove the item from the list of files/folders
All of the files that you added in the panel will be grouped together into a single data source, called "LogicalFileSet" in the main UI.

BIN
docs/doxygen-user/images/change_logical_file_set_display_name.PNG
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 30 KiB

After

Width:  |  Height:  |  Size: 58 KiB

2
docs/doxygen-user/multi-user/installSolr.dox
View File

@ -52,7 +52,7 @@ Follow these steps to configure Solr:
Required Solr Configuration Parameters:
<ul>
<li><b>JAVA_HOME</b> path to 64-bit JRE installation. For example \c "JAVA_HOME= C:\Program Files\BellSoft\LibericaJDK-17-Full" or \c "JAVA_HOME=C:\Program Files\BellSoft\LibericaJDK-17-Full"
<li><b>JAVA_HOME</b> path to 64-bit JRE installation. For example \c "JAVA_HOME=C:\Program Files\Java\jdk-17"
<li><b>DEFAULT_CONFDIR</b> path to Autopsy configuration directory. If the Solr archive was extracted into \c "C:\solr-8.6.3" directory, then this path will be \c "C:\ solr-8.6.3\server\solr\configsets\AutopsyConfig\conf". Do not include quotes around the path.
<li><b>SOLR_JAVA_MEM</b> - Solr JVM heap size should be as large as the Solr machines resources allow, at least half of the total RAM available on the machine. A rule of thumb would be use "set SOLR_JAVA_MEM=-Xms2G -Xmx40G" for a machine with 64GB of RAM, "set SOLR_JAVA_MEM=-Xms2G -Xmx20G" for a machine with 32GB of RAM, and "set SOLR_JAVA_MEM=-Xms2G -Xmx8G" for a machine with 16GB of RAM. Please see the \ref install_solr_heap_usage "troubleshooting section" for more info regarding Solr heap usage and troubleshooting information.
<li><b>SOLR_DATA_HOME</b> location where Solr indexes will be stored. If this is not configured, the indexes will be stored in the \c "C:\solr-8.6.3\server\solr" directory. NOTE: for Autopsy cases consisting of large number of data sources, Solr indexes can get very large (hundreds of GBs, or TBs) so they should probably be stored on a larger network share.

4
docs/doxygen-user_fr/Doxyfile
View File

@ -38,7 +38,7 @@ PROJECT_NAME = "Documentation utilisateur Autopsy"
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = 4.19.1
PROJECT_NUMBER = 4.20.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears at the top of each page and should give viewer a
@ -1025,7 +1025,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_OUTPUT = 4.19.1
HTML_OUTPUT = 4.20.0
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).

2
docs/doxygen-user_fr/multi-user/installSolr.dox
View File

@ -52,7 +52,7 @@ Suivez ces étapes pour configurer Solr:
Paramètres de configuration requis pour Solr:
<ul>
<li><b>JAVA_HOME</b> chemin d'accès à l'installation du JRE 64 bits. Par exemple \c "JAVA_HOME=C:\Program Files\Java\jre1.8.0_151" ou \c "JAVA_HOME=C:\Program Files\BellSoft\LibericaJDK-17-Full"
<li><b>JAVA_HOME</b> chemin d'accès à l'installation du JRE 64 bits. Par exemple \c "JAVA_HOME=C:\Program Files\Java\jdk-17"
<li><b>DEFAULT_CONFDIR</b> chemin vers le répertoire de configuration d'Autopsy. Si l'archive Solr a été extraite dans le répertoire \c "C:\solr-8.6.3", alors ce chemin sera \c "C:\ solr-8.6.3\server\solr\configsets\AutopsyConfig\conf". N'incluez pas de guillemets autour du chemin.
<li><b>SOLR_JAVA_MEM</b> - La taille du tas JVM Solr doit être aussi grande que les ressources de la machine Solr le permettent, au moins la moitié de la RAM totale disponible sur la machine. Une règle empirique serait d'utiliser "set SOLR_JAVA_MEM=-Xms2G -Xmx40G" pour une machine avec 64 Go de RAM, "set SOLR_JAVA_MEM=-Xms2G -Xmx20G" pour une machine avec 32 Go de RAM, et "set SOLR_JAVA_MEM=-Xms2G -Xmx8G" pour une machine avec 16 Go de RAM. Veuillez consulter la \ref install_solr_heap_usage "rubrique dépannage" pour plus d'informations sur l'utilisation du tas Solr et sur les informations de dépannage.
<li><b>SOLR_DATA_HOME</b> emplacement où les index Solr seront stockés. Si ce n'est pas configuré, les index seront stockés dans le répertoire \c "C:\solr-8.6.3\server\solr". REMARQUE: pour les cas d'Autopsy composés d'un grand nombre de sources de données, les index Solr peuvent devenir très volumineux (des centaines de Go ou de To), ils devront donc probablement être stockés sur un partage réseau plus important.

4
docs/doxygen/Doxyfile
View File

@ -38,7 +38,7 @@ PROJECT_NAME = "Autopsy"
# could be handy for archiving the generated documentation or if some version
# control system is used.
PROJECT_NUMBER = 4.19.3
PROJECT_NUMBER = 4.20.0
# Using the PROJECT_BRIEF tag one can provide an optional one line description
# for a project that appears a the top of each page and should give viewer a
@ -1066,7 +1066,7 @@ GENERATE_HTML = YES
# The default directory is: html.
# This tag requires that the tag GENERATE_HTML is set to YES.
HTML_OUTPUT = api-docs/4.19.3/
HTML_OUTPUT = api-docs/4.20.0/
# The HTML_FILE_EXTENSION tag can be used to specify the file extension for each
# generated HTML page (for example: .htm, .php, .asp).

2
installer_autopsy/etc/autopsy.conf
View File

@ -59,7 +59,7 @@ default_cachedir="${DEFAULT_CACHEDIR_ROOT}/dev"
# options used by the launcher by default, can be overridden by explicit
# command line switches
default_options="--branding autopsy -J-Xms24m -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED"
default_options="--branding autopsy -J-Xms24m -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.lang=ALL-UNNAMED -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED"
# for development purposes you may wish to append: -J-Dnetbeans.logger.console=true -J-ea
# default location of JDK/JRE, can be overridden by using --jdkhome <dir> switch

23
linux_macos_install_scripts/install_prereqs_macos.sh
View File

@ -1,15 +1,6 @@
#!/bin/bash
echo "Installing liberica java 17..."
brew tap bell-sw/liberica && \
brew install --cask liberica-jdk17-full
if [[ $? -ne 0 ]]
then
echo "Unable to install liberica java" >> /dev/stderr
exit 1
fi
echo "Installing remaining dependencies..."
brew install ant automake libtool afflib libewf postgresql@15 testdisk libheif gstreamer
echo "Installing dependencies..."
brew install openjdk@17 ant automake libtool afflib libewf postgresql@15 testdisk libheif gstreamer
if [[ $? -ne 0 ]]
then
@ -17,5 +8,15 @@ then
exit 1
fi
sudo ln -sfn $HOMEBREW_PREFIX/opt/openjdk@17/libexec/openjdk.jdk /Library/Java/JavaVirtualMachines/openjdk-17.jdk && \
echo "export PATH=\"$HOMEBREW_PREFIX/opt/openjdk@17/bin:$PATH\"" >> ~/.zshrc && \
source ~/.zshrc
if [[ $? -ne 0 ]]
then
echo "Unable to properly set up java env" >> /dev/stderr
exit 1
fi
java_path=$(/usr/libexec/java_home -v 17)
echo "Java 17 path: $java_path"

20
linux_macos_install_scripts/install_prereqs_ubuntu.sh
View File

@ -11,7 +11,9 @@ fi
echo "Installing all apt dependencies..."
sudo apt update && \
sudo apt -y install build-essential autoconf libtool automake git zip wget ant \
sudo apt -y install \
openjdk-17-jdk openjdk-17-jre \
build-essential autoconf libtool automake git zip wget ant \
libde265-dev libheif-dev \
libpq-dev \
testdisk libafflib-dev libewf-dev libvhdi-dev libvmdk-dev \
@ -24,18 +26,6 @@ if [[ $? -ne 0 ]]; then
exit 1
fi
echo "Installing bellsoft Java 17..."
pushd /usr/src/ &&
wget -q -O - https://download.bell-sw.com/pki/GPG-KEY-bellsoft | sudo apt-key add - &&
echo "deb [arch=amd64] https://apt.bell-sw.com/ stable main" | sudo tee /etc/apt/sources.list.d/bellsoft.list &&
sudo apt update &&
sudo apt -y install bellsoft-java17-full &&
popd
if [[ $? -ne 0 ]]; then
echo "Failed to install bellsoft java 17" >>/dev/stderr
exit 1
fi
echo "Autopsy prerequisites installed."
echo "Java path at /usr/lib/jvm/bellsoft-java17-full-amd64: "
ls /usr/lib/jvm/bellsoft-java17-full-amd64
echo "Java 17 instllation: "
update-java-alternatives -l | grep java-1.17

2
nbproject/project.properties
View File

@ -19,7 +19,7 @@ update_versions=false
#Note: can be higher on 64 bit systems, should be in sync with build.xml
# for Japanese version add: -J-Duser.language=ja
# NOTE: Modules need to be exported to other components for visibility (and use). See https://stackoverflow.com/questions/53695304/autocompletionbinding-cannot-access-class-com-sun-javafx-event-eventhandlermanag
run.args.extra=-J-Xms24m -J-Xmx4G -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED
run.args.extra=-J-Xms24m -J-Xmx4G -J-XX:+UseStringDeduplication -J-Dprism.order=sw -J--add-opens=java.base/java.lang=ALL-UNNAMED -J--add-opens=java.base/java.net=ALL-UNNAMED -J--add-opens=java.desktop/javax.swing=ALL-UNNAMED -J--add-opens=javafx.controls/javafx.scene.control.skin=ALL-UNNAMED -J--add-exports=java.desktop/sun.awt=ALL-UNNAMED -J--add-exports=javafx.controls/com.sun.javafx.scene.control.inputmap=ALL-UNNAMED -J--add-exports=javafx.base/com.sun.javafx.event=ALL-UNNAMED
auxiliary.org-netbeans-modules-apisupport-installer.license-type=apache.v2
auxiliary.org-netbeans-modules-apisupport-installer.os-linux=false
auxiliary.org-netbeans-modules-apisupport-installer.os-macosx=false

42
thirdparty/Volatility/AUTHORS-2.5.txt vendored
View File

@ -1,42 +0,0 @@
===============================================
This file identifies core Volatility authors.
All lists are alphabetical.
===============================================
Volatility 2.4, 2.5:
------------
Mike Auty
Andrew Case
Michael Hale Ligh
Jamie Levy
AAron Walters
Volatility 2.0, 2.1, 2.2, 2.3:
------------
Mike Auty
Andrew Case
Michael Cohen
Brendan Dolan-Gavitt
Michael Hale Ligh
Jamie Levy
AAron Walters
Volatility 1.3:
------------
AAron Walters <awalters@4tphi.net>
Volatile Systems LLC
Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu>
Volatools Basic authors:
------------
AAron Walters
Komoku, Inc.
Nick L. Petroni, Jr.
Komoku, Inc.

105
thirdparty/Volatility/CREDITS-2.5.txt vendored
View File

@ -1,105 +0,0 @@
===============================================
We would like to acknowledge individuals that
have made significant contributions, code, or
ideas toward the respective volatility releases.
All lists are alphabetical.
These lists exclude the core Volatility authors,
who are identified in AUTHORS.txt.
If you believe you've been left off, it is not
intentional. Please bring it to our attention!
===============================================
Volatility 2.5:
Adam Bridge for adding a --count option (humanly readable byte stats) to imagecopy/raw2dmp
Sebastien Bourdon-Richard for various patches and bug fixes
Bruno Constanzo for various patches to enhance performance/optimization
Glenn P. Edwards, Jr for adding combined user/kernel scans, --case, and ascii/unicode options to yarascan
@f-s-p for converting some plugins to unfied output format
Cem Gurkok for submitting the mac_threads plugin
Takahiro Haruyama for noticing and fixing a bug in impscan
@masdif for contributing a fix for kernel 3.7+ in linux/module.c
Wyatt Roersma for converting a large number of plugins to the unified output format
Karl Vogel for pointing out an issue with IPv4 addresses on big endian systems
Volatility 2.4:
Steven Adair for assistance identifying a large memory PAE bug
Sebastien Bourdon-Richard for his work on the VMware vmem/vmss split (with meta) AS
Justin Capella and Espen Olsen for their work on the Qemu ELF core dumps
Cem Gurkok for help updating Mac OS X support for 10.9
Matt McCormack for supplying a patch to rebase dumped PE files
Stewart McIntyre for extending apihooks for detecting JMP FAR instructions
Kevin Marker for contributing over 160 standard build Linux profiles
synack33 for creating various Mac OS X profiles, including initial ones for 10.10
Raphaël Vinot for his patch to fix IPython within volshell
Volatility 2.3:
Cem Gurkok for his work on the privileges plugin for Windows
Nir Izraeli for his work on the VMware snapshot address space (see also the vmsnparser project)
@osxmem of the volafox project (Mac OS X & BSD Memory Analysis Toolkit)
@osxreverser of reverse.put.as for his help with OSX memory analysis
Carl Pulley for numerous bug reports, example patches, and plugin testing
Andreas Schuster for his work on poison ivy plugins for Windows
Joe Sylve for his work on the ARM address space and significant contributions to linux and mac capabilities
Philippe Teuwen for his work on the virtual box address space
Santiago Vicente for his work on the citadel plugins for Windows
Volatility 2.2:
------------
Joe Sylve
Volatility 2.1:
------------
---
Volatility 2.0:
------------
Frank Boldewin
Carl Pulley
Andreas Schuster
Bradley Schatz
Volatility 1.3:
------------
Harlan Carvey
Michael Cohen
David Collett
Brendan Dolan-Gavitt
Andreas Schuster
Matthieu Suiche
We would also like to acknowledge those who have provided valuable
feedback, bug reports, and testing:
Jide Abu
Joseph Ayo Akinyele
Tommaso Assandri
Richard Austin
Cameron C Caffee
Eoghan Casey
Angelo Cavallini
Andre' DiMino
Jon Evans
Robert Guess
Christian Herndler
jeremie0
Eugene Libster
Erik Ligda
Robert Lowe
Tony Martin
Timothy Morgan
Bryan D. Payne
Golden G. Richard III
Wyatt Roersma
RB
Sam F. Stover
Marko Thure

20
thirdparty/Volatility/LEGAL-2.5.txt vendored
View File

@ -1,20 +0,0 @@
Volatility
===============
License
-------
Copyright (C) 2007-2013 Volatility Foundation
Volatility is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
Volatility is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Volatility. If not, see <http://www.gnu.org/licenses/>.

281
thirdparty/Volatility/LICENSE-2.5.txt vendored
View File

@ -1,281 +0,0 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS

553
thirdparty/Volatility/README-2.5.txt vendored
View File

@ -1,553 +0,0 @@
============================================================================
Volatility Framework - Volatile memory extraction utility framework
============================================================================
The Volatility Framework is a completely open collection of tools,
implemented in Python under the GNU General Public License, for the
extraction of digital artifacts from volatile memory (RAM) samples.
The extraction techniques are performed completely independent of the
system being investigated but offer visibilty into the runtime state
of the system. The framework is intended to introduce people to the
techniques and complexities associated with extracting digital artifacts
from volatile memory samples and provide a platform for further work into
this exciting area of research.
The Volatility distribution is available from:
http://www.volatilityfoundation.org/#!releases/component_71401
Volatility should run on any platform that supports
Python (http://www.python.org)
Volatility supports investigations of the following memory images:
Windows:
* 32-bit Windows XP Service Pack 2 and 3
* 32-bit Windows 2003 Server Service Pack 0, 1, 2
* 32-bit Windows Vista Service Pack 0, 1, 2
* 32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
* 32-bit Windows 7 Service Pack 0, 1
* 32-bit Windows 8, 8.1, and 8.1 Update 1
* 32-bit Windows 10 (initial support)
* 64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows Vista Service Pack 0, 1, 2
* 64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
* 64-bit Windows 2008 R2 Server Service Pack 0 and 1
* 64-bit Windows 7 Service Pack 0 and 1
* 64-bit Windows 8, 8.1, and 8.1 Update 1
* 64-bit Windows Server 2012 and 2012 R2
* 64-bit Windows 10 (initial support)
Linux:
* 32-bit Linux kernels 2.6.11 to 4.2.3
* 64-bit Linux kernels 2.6.11 to 4.2.3
* OpenSuSE, Ubuntu, Debian, CentOS, Fedora, Mandriva, etc
Mac OSX:
* 32-bit 10.5.x Leopard (the only 64-bit 10.5 is Server, which isn't supported)
* 32-bit 10.6.x Snow Leopard
* 64-bit 10.6.x Snow Leopard
* 32-bit 10.7.x Lion
* 64-bit 10.7.x Lion
* 64-bit 10.8.x Mountain Lion (there is no 32-bit version)
* 64-bit 10.9.x Mavericks (there is no 32-bit version)
* 64-bit 10.10.x Yosemite (there is no 32-bit version)
* 64-bit 10.11.x El Capitan (there is no 32-bit version)
Volatility does not provide memory sample acquisition
capabilities. For acquisition, there are both free and commercial
solutions available. If you would like suggestions about suitable
acquisition solutions, please contact us at:
volatility (at) volatilityfoundation (dot) org
Volatility supports a variety of sample file formats and the
ability to convert between these formats:
- Raw linear sample (dd)
- Hibernation file
- Crash dump file
- VirtualBox ELF64 core dump
- VMware saved state and snapshot files
- EWF format (E01)
- LiME (Linux Memory Extractor) format
- Mach-o file format
- QEMU virtual machine dumps
- Firewire
- HPAK (FDPro)
For a more detailed list of capabilities, see the following:
https://github.com/volatilityfoundation/volatility/wiki
Also see the community plugins repository:
https://github.com/volatilityfoundation/community
Example Data
============
If you want to give Volatility a try, you can download exemplar
memory images from the following url:
https://github.com/volatilityfoundation/volatility/wiki/Memory-Samples
Mailing Lists
=============
Mailing lists to support the users and developers of Volatility
can be found at the following address:
http://lists.volatilesystems.com/mailman/listinfo
Contact
=======
For information or requests, contact:
Volatility Foundation
Web: http://www.volatilityfoundation.org
http://volatility-labs.blogspot.com
http://volatility.tumblr.com
Email: volatility (at) volatilityfoundation (dot) org
IRC: #volatility on freenode
Twitter: @volatility
Requirements
============
- Python 2.6 or later, but not 3.0. http://www.python.org
Some plugins may have other requirements which can be found at:
https://github.com/volatilityfoundation/volatility/wiki/Installation
Quick Start
===========
1. Unpack the latest version of Volatility from
volatilityfoundation.org
2. To see available options, run "python vol.py -h" or "python vol.py --info"
Example:
$ python vol.py --info
Volatility Foundation Volatility Framework 2.5
Profiles
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win10x64 - A Profile for Windows 10 x64
Win10x86 - A Profile for Windows 10 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012x64 - A Profile for Windows Server 2012 x64
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
Win81U1x64 - A Profile for Windows 8.1 Update 1 x64
Win81U1x86 - A Profile for Windows 8.1 Update 1 x86
Win8SP0x64 - A Profile for Windows 8 x64
Win8SP0x86 - A Profile for Windows 8 x86
Win8SP1x64 - A Profile for Windows 8.1 x64
Win8SP1x86 - A Profile for Windows 8.1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
Address Spaces
--------------
AMD64PagedMemory - Standard AMD 64-bit address space.
ArmAddressSpace - Address space for ARM processors
FileAddressSpace - This is a direct file AS.
HPAKAddressSpace - This AS supports the HPAK format
IA32PagedMemory - Standard IA-32 paging address space.
IA32PagedMemoryPae - This class implements the IA-32 PAE paging address space. It is responsible
LimeAddressSpace - Address space for Lime
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
OSXPmemELF - This AS supports VirtualBox ELF64 coredump format
QemuCoreDumpElf - This AS supports Qemu ELF32 and ELF64 coredump format
VMWareAddressSpace - This AS supports VMware snapshot (VMSS) and saved state (VMSS) files
VMWareMetaAddressSpace - This AS supports the VMEM format with VMSN/VMSS metadata
VirtualBoxCoreDumpElf64 - This AS supports VirtualBox ELF64 coredump format
WindowsCrashDumpSpace32 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64 - This AS supports windows Crash Dump format
WindowsCrashDumpSpace64BitMap - This AS supports Windows BitMap Crash Dump format
WindowsHiberFileSpace32 - This is a hibernate address space for windows hibernation files.
Plugins
-------
amcache - Print AmCache information
apihooks - Detect API hooks in process and kernel memory
atoms - Print session and window station atom tables
atomscan - Pool scanner for atom tables
auditpol - Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bigpools - Dump the big page pools using BigPagePoolScanner
bioskbd - Reads the keyboard buffer from Real Mode memory
cachedump - Dumps cached domain hashes from memory
callbacks - Print system-wide notification routines
clipboard - Extract the contents of the windows clipboard
cmdline - Display process command-line arguments
cmdscan - Extract command history by scanning for _COMMAND_HISTORY
connections - Print list of open connections [Windows XP and 2003 Only]
connscan - Pool scanner for tcp connections
consoles - Extract command history by scanning for _CONSOLE_INFORMATION
crashinfo - Dump crash-dump information
deskscan - Poolscaner for tagDESKTOP (desktops)
devicetree - Show device tree
dlldump - Dump DLLs from a process address space
dlllist - Print list of loaded dlls for each process
driverirp - Driver IRP hook detection
drivermodule - Associate driver objects to kernel modules
driverscan - Pool scanner for driver objects
dumpcerts - Dump RSA private and public SSL keys
dumpfiles - Extract memory mapped and cached files
dumpregistry - Dumps registry files out to disk
envars - Display process environment variables
eventhooks - Print details on windows event hooks
evtlogs - Extract Windows Event Logs (XP/2003 only)
filescan - Pool scanner for file objects
gahti - Dump the USER handle type information
gditimers - Print installed GDI timers and callbacks
gdt - Display Global Descriptor Table
getservicesids - Get the names of services in the Registry and return Calculated SID
getsids - Print the SIDs owning each process
handles - Print list of open handles for each process
hashdump - Dumps passwords hashes (LM/NTLM) from memory
hibinfo - Dump hibernation file information
hivedump - Prints out a hive
hivelist - Print list of registry hives.
hivescan - Pool scanner for registry hives
hpakextract - Extract physical memory from an HPAK file
hpakinfo - Info on an HPAK file
idt - Display Interrupt Descriptor Table
iehistory - Reconstruct Internet Explorer cache / history
imagecopy - Copies a physical address space out as a raw DD image
imageinfo - Identify information for the image
impscan - Scan for calls to imported functions
joblinks - Print process job link information
kdbgscan - Search for and dump potential KDBG values
kpcrscan - Search for and dump potential KPCR values
ldrmodules - Detect unlinked DLLs
limeinfo - Dump Lime file format information
linux_apihooks - Checks for userland apihooks
linux_arp - Print the ARP table
linux_banner - Prints the Linux banner information
linux_bash - Recover bash history from bash process memory
linux_bash_env - Recover a process' dynamic environment variables
linux_bash_hash - Recover bash hash table from bash process memory
linux_check_afinfo - Verifies the operation function pointers of network protocols
linux_check_creds - Checks if any processes are sharing credential structures
linux_check_evt_arm - Checks the Exception Vector Table to look for syscall table hooking
linux_check_fop - Check file operation structures for rootkit modifications
linux_check_idt - Checks if the IDT has been altered
linux_check_inline_kernel - Check for inline kernel hooks
linux_check_modules - Compares module list to sysfs info, if available
linux_check_syscall - Checks if the system call table has been altered
linux_check_syscall_arm - Checks if the system call table has been altered
linux_check_tty - Checks tty devices for hooks
linux_cpuinfo - Prints info about each active processor
linux_dentry_cache - Gather files from the dentry cache
linux_dmesg - Gather dmesg buffer
linux_dump_map - Writes selected memory mappings to disk
linux_dynamic_env - Recover a process' dynamic environment variables
linux_elfs - Find ELF binaries in process mappings
linux_enumerate_files - Lists files referenced by the filesystem cache
linux_find_file - Lists and recovers files from memory
linux_getcwd - Lists current working directory of each process
linux_hidden_modules - Carves memory to find hidden kernel modules
linux_ifconfig - Gathers active interfaces
linux_info_regs - It's like 'info registers' in GDB. It prints out all the
linux_iomem - Provides output similar to /proc/iomem
linux_kernel_opened_files - Lists files that are opened from within the kernel
linux_keyboard_notifiers - Parses the keyboard notifier call chain
linux_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
linux_library_list - Lists libraries loaded into a process
linux_librarydump - Dumps shared libraries in process memory to disk
linux_list_raw - List applications with promiscuous sockets
linux_lsmod - Gather loaded kernel modules
linux_lsof - Lists file descriptors and their path
linux_malfind - Looks for suspicious process mappings
linux_memmap - Dumps the memory map for linux tasks
linux_moddump - Extract loaded kernel modules
linux_mount - Gather mounted fs/devices
linux_mount_cache - Gather mounted fs/devices from kmem_cache
linux_netfilter - Lists Netfilter hooks
linux_netscan - Carves for network connection structures
linux_netstat - Lists open sockets
linux_pidhashtable - Enumerates processes through the PID hash table
linux_pkt_queues - Writes per-process packet queues out to disk
linux_plthook - Scan ELF binaries' PLT for hooks to non-NEEDED images
linux_proc_maps - Gathers process memory maps
linux_proc_maps_rb - Gathers process maps for linux through the mappings red-black tree
linux_procdump - Dumps a process's executable image to disk
linux_process_hollow - Checks for signs of process hollowing
linux_psaux - Gathers processes along with full command line and start time
linux_psenv - Gathers processes along with their static environment variables
linux_pslist - Gather active tasks by walking the task_struct->task list
linux_pslist_cache - Gather tasks from the kmem_cache
linux_pstree - Shows the parent/child relationship between processes
linux_psxview - Find hidden processes with various process listings
linux_recover_filesystem - Recovers the entire cached file system from memory
linux_route_cache - Recovers the routing cache from memory
linux_sk_buff_cache - Recovers packets from the sk_buff kmem_cache
linux_slabinfo - Mimics /proc/slabinfo on a running machine
linux_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
linux_threads - Prints threads of processes
linux_tmpfs - Recovers tmpfs filesystems from memory
linux_truecrypt_passphrase - Recovers cached Truecrypt passphrases
linux_vma_cache - Gather VMAs from the vm_area_struct cache
linux_volshell - Shell in the memory image
linux_yarascan - A shell in the Linux memory image
lsadump - Dump (decrypted) LSA secrets from the registry
mac_adium - Lists Adium messages
mac_apihooks - Checks for API hooks in processes
mac_apihooks_kernel - Checks to see if system call and kernel functions are hooked
mac_arp - Prints the arp table
mac_bash - Recover bash history from bash process memory
mac_bash_env - Recover bash's environment variables
mac_bash_hash - Recover bash hash table from bash process memory
mac_calendar - Gets calendar events from Calendar.app
mac_check_mig_table - Lists entires in the kernel's MIG table
mac_check_syscall_shadow - Looks for shadow system call tables
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if mach trap table entries are hooked
mac_compressed_swap - Prints Mac OS X VM compressor stats and dumps all compressed pages
mac_contacts - Gets contact names from Contacts.app
mac_dead_procs - Prints terminated/de-allocated processes
mac_dead_sockets - Prints terminated/de-allocated network sockets
mac_dead_vnodes - Lists freed vnode structures
mac_dmesg - Prints the kernel debug buffer
mac_dump_file - Dumps a specified file
mac_dump_maps - Dumps memory ranges of process(es), optionally including pages in compressed swap
mac_dyld_maps - Gets memory maps of processes from dyld data structures
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_get_profile - Automatically detect Mac profiles
mac_ifconfig - Lists network interface information for all devices
mac_ip_filters - Reports any hooked IP filters
mac_keychaindump - Recovers possbile keychain keys. Use chainbreaker to open related keychain files
mac_ldrmodules - Compares the output of proc maps with the list of libraries from libdl
mac_librarydump - Dumps the executable of a process
mac_list_files - Lists files in the file cache
mac_list_kauth_listeners - Lists Kauth Scope listeners
mac_list_kauth_scopes - Lists Kauth Scopes and their status
mac_list_raw - List applications with promiscuous sockets
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_lsmod - Lists loaded kernel modules
mac_lsmod_iokit - Lists loaded kernel modules through IOkit
mac_lsmod_kext_map - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_malfind - Looks for suspicious process mappings
mac_memdump - Dump addressable memory pages to a file
mac_moddump - Writes the specified kernel extension to disk
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_network_conns - Lists network connections from kernel network structures
mac_notesapp - Finds contents of Notes messages
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_orphan_threads - Lists threads that don't map back to known modules/processes
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_procdump - Dumps the executable of a process
mac_psaux - Prints processes with arguments in user land (**argv)
mac_psenv - Prints processes with environment in user land (**envp)
mac_pslist - List Running Processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_recover_filesystem - Recover the cached filesystem
mac_route - Prints the routing table
mac_socket_filters - Reports socket filters
mac_strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
mac_tasks - List Active Tasks
mac_threads - List Process Threads
mac_threads_simple - Lists threads along with their start time and priority
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_volshell - Shell in the memory image
mac_yarascan - Scan memory for yara signatures
machoinfo - Dump Mach-O file format information
malfind - Find hidden and injected code
mbrparser - Scans for and parses potential Master Boot Records (MBRs)
memdump - Dump the addressable memory for a process
memmap - Print the memory map
messagehooks - List desktop and thread window message hooks
mftparser - Scans for and parses potential MFT entries
moddump - Dump a kernel driver to an executable file sample
modscan - Pool scanner for kernel modules
modules - Print list of loaded modules
multiscan - Scan for various objects at once
mutantscan - Pool scanner for mutex objects
netscan - Scan a Vista (or later) image for connections and sockets
notepad - List currently displayed notepad text
objtypescan - Scan for Windows object type objects
patcher - Patches memory based on page scans
poolpeek - Configurable pool scanner plugin
pooltracker - Show a summary of pool tag usage
printkey - Print a registry key, and its subkeys and values
privs - Display process privileges
procdump - Dump a process to an executable file sample
pslist - Print all running processes by following the EPROCESS lists
psscan - Pool scanner for process objects
pstree - Print process list as a tree
psxview - Find hidden processes with various process listings
qemuinfo - Dump Qemu information
raw2dmp - Converts a physical memory sample to a windbg crash dump
screenshot - Save a pseudo-screenshot based on GDI windows
servicediff - List Windows services (ala Plugx)
sessions - List details on _MM_SESSION_SPACE (user logon sessions)
shellbags - Prints ShellBags info
shimcache - Parses the Application Compatibility Shim Cache registry key
shutdowntime - Print ShutdownTime of machine from registry
sockets - Print list of open sockets
sockscan - Pool scanner for tcp socket objects
ssdt - Display SSDT entries
strings - Match physical offsets to virtual addresses (may take a while, VERY verbose)
svcscan - Scan for Windows services
symlinkscan - Pool scanner for symlink objects
thrdscan - Pool scanner for thread objects
threads - Investigate _ETHREAD and _KTHREADs
timeliner - Creates a timeline from various artifacts in memory
timers - Print kernel timers and associated module DPCs
truecryptmaster - Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase - TrueCrypt Cached Passphrase Finder
truecryptsummary - TrueCrypt Summary
unloadedmodules - Print list of unloaded modules
userassist - Print userassist registry keys and information
userhandles - Dump the USER handle tables
vaddump - Dumps out the vad sections to a file
vadinfo - Dump the VAD info
vadtree - Walk the VAD tree and display in tree format
vadwalk - Walk the VAD tree
vboxinfo - Dump virtualbox information
verinfo - Prints out the version information from PE images
vmwareinfo - Dump VMware VMSS/VMSN information
volshell - Shell in the memory image
win10cookie - Find the ObHeaderCookie value for Windows 10
windows - Print Desktop Windows (verbose details)
wintree - Print Z-Order Desktop Windows Tree
wndscan - Pool scanner for window stations
yarascan - Scan process or kernel memory with Yara signatures
3. To get more information on a Windows memory sample and to make sure Volatility
supports that sample type, run 'python vol.py imageinfo -f <imagename>' or 'python vol.py kdbgscan -f <imagename>'
Example:
$ python vol.py imageinfo -f WIN-II7VOJTUNGL-20120324-193051.raw
Volatility Foundation Volatility Framework 2.5
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Path/to/WIN-II7VOJTUNGL-20120324-193051.raw)
PAE type : PAE
DTB : 0x187000L
KDBG : 0xf800016460a0
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xfffff80001647d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2012-03-24 19:30:53 UTC+0000
Image local date and time : 2012-03-25 03:30:53 +0800
4. Run some other plugins. -f is a required option for all plugins. Some
also require/accept other options. Run "python vol.py <plugin> -h" for
more information on a particular command. A Command Reference wiki
is also available on the Google Code site:
https://github.com/volatilityfoundation/volatility/wiki
as well as Basic Usage:
https://github.com/volatilityfoundation/volatility/wiki/Volatility-Usage
Licensing and Copyright
=======================
Copyright (C) 2007-2015 Volatility Foundation
All Rights Reserved
Volatility is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
Volatility is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Volatility. If not, see <http://www.gnu.org/licenses/>.
Bugs and Support
================
There is no support provided with Volatility. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
If you think you've found a bug, please report it at:
https://github.com/volatilityfoundation/volatility/issues
In order to help us solve your issues as quickly as possible,
please include the following information when filing a bug:
* The version of volatility you're using
* The operating system used to run volatility
* The version of python used to run volatility
* The suspected operating system of the memory image
* The complete command line you used to run volatility
Depending on the operating system of the memory image, you may need to provide
additional information, such as:
For Windows:
* The suspected Service Pack of the memory image
For Linux:
* The suspected kernel version of the memory image
Other options for communicaton can be found at:
https://github.com/volatilityfoundation/volatility/wiki
Missing or Truncated Information
================================
Volatility Foundation makes no claims about the validity or correctness of the
output of Volatility. Many factors may contribute to the
incorrectness of output from Volatility including, but not
limited to, malicious modifications to the operating system,
incomplete information due to swapping, and information corruption on
image acquisition.
Command Reference
====================
The following url contains a reference of all commands supported by
Volatility.
https://github.com/volatilityfoundation/volatility/wiki

BIN
thirdparty/Volatility/volatility-2.5.standalone.exe vendored
View File

Binary file not shown.

4
thirdparty/opencv/README.txt vendored Normal file
View File

@ -0,0 +1,4 @@
README:
This is OpenCV jar and binaries from version 2.4.13.6 from opencv downloads:
https://opencv.org/releases

BIN
thirdparty/opencv/ext/opencv-248.jar vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/amd64/opencv_ffmpeg248_64.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/amd64/opencv_java248.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i386/opencv_ffmpeg2413.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i386/opencv_ffmpeg248.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i386/opencv_java2413.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i386/opencv_java248.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i586/opencv_ffmpeg2413_64.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i586/opencv_ffmpeg248_64.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i586/opencv_java2413.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i586/opencv_java248.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i686/opencv_ffmpeg2413_64.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i686/opencv_ffmpeg248_64.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i686/opencv_java2413.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/i686/opencv_java248.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/x86/opencv_ffmpeg2413.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/x86/opencv_ffmpeg248.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/x86/opencv_java2413.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/x86/opencv_java248.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/x86_64/opencv_ffmpeg248_64.dll vendored
View File

Binary file not shown.

BIN
thirdparty/opencv/lib/x86_64/opencv_java248.dll vendored
View File

Binary file not shown.