Merge pull request #6627 from markmckinnon/7213-fixes-in-xml-for-aleapp

7213-fixes-in-xml-for-aleapp
Richard Cordovano 2021-01-14 11:02:40 -05:00 committed by GitHub
commit 651a872aba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 138 additions and 62 deletions


@ -162,7 +162,7 @@ public final class LeappFileProcessor {
* Process the Leapp files that were found that match the xml mapping file
*
* @param LeappFilesToProcess List of files to process
* @param LeappImageFile Abstract file to create artifact for
* @param LeappImageFile Abstract file to create artifact for
*
* @throws FileNotFoundException
* @throws IOException
@ -197,7 +197,7 @@ public final class LeappFileProcessor {
* Process the Leapp files that were found that match the xml mapping file
*
* @param LeappFilesToProcess List of files to process
* @param dataSource The data source.
* @param dataSource The data source.
*
* @throws FileNotFoundException
* @throws IOException
@ -258,20 +258,22 @@ public final class LeappFileProcessor {
/**
* Process the line read and create the necessary attributes for it
*
* @param line a tsv line to process that was read
* @param line a tsv line to process that was read
* @param columnNumberToProcess Which columns to process in the tsv line
* @param fileName name of file begin processed
* @param fileName name of file begin processed
*
* @return
*/
private Collection<BlackboardAttribute> processReadLine(String line, Map<Integer, String> columnNumberToProcess, String fileName) throws IngestModuleException {
String[] columnValues;
// Check to see if the 2 values are equal, they may not be equal if there is no corresponding data in the line.
// Check to see if the 2 values are equal, they may not be equal if there is no corresponding data in the line
// or if the size of the line to split is not equal to the column numbers we are looking to process. This
// can happen when the last value of the tsv line has no data in it.
// If this happens then adding an empty value(s) for each columnValue where data does not exist
Integer maxColumnNumber = Collections.max(columnNumberToProcess.keySet());
if (maxColumnNumber > line.split("\\t").length) {
if ((maxColumnNumber > line.split("\\t").length) || (columnNumberToProcess.size() > line.split("\\t").length)) {
columnValues = Arrays.copyOf(line.split("\\t"), maxColumnNumber + 1);
} else {
columnValues = line.split("\\t");
@ -283,15 +285,17 @@ public final class LeappFileProcessor {
Integer columnNumber = columnToProcess.getKey();
String attributeName = columnToProcess.getValue();
try {
BlackboardAttribute.Type attributeType = Case.getCurrentCase().getSleuthkitCase().getAttributeType(attributeName.toUpperCase());
if (attributeType == null) {
break;
if (columnValues[columnNumber] != null) {
try {
BlackboardAttribute.Type attributeType = Case.getCurrentCase().getSleuthkitCase().getAttributeType(attributeName.toUpperCase());
if (attributeType == null) {
break;
}
String attrType = attributeType.getValueType().getLabel().toUpperCase();
checkAttributeType(bbattributes, attrType, columnValues, columnNumber, attributeType, fileName);
} catch (TskCoreException ex) {
throw new IngestModuleException(String.format("Error getting Attribute type for Attribute Name %s", attributeName), ex); //NON-NLS
}
String attrType = attributeType.getValueType().getLabel().toUpperCase();
checkAttributeType(bbattributes, attrType, columnValues, columnNumber, attributeType, fileName);
} catch (TskCoreException ex) {
throw new IngestModuleException(String.format("Error getting Attribute type for Attribute Name %s", attributeName), ex); //NON-NLS
}
}
@ -343,11 +347,11 @@ public final class LeappFileProcessor {
* headings to the columns in the XML mapping file so we know which columns
* to process.
*
* @param line a tsv heading line of the columns in the file
* @param line a tsv heading line of the columns in the file
* @param attrList the list of headings we want to process
*
* @return the numbered column(s) and attribute(s) we want to use for the
* column(s)
* column(s)
*/
private Map<Integer, String> findColumnsToProcess(String line, List<List<String>> attrList) {
String[] columnNames = line.split("\\t");
@ -466,13 +470,12 @@ public final class LeappFileProcessor {
/**
* Generic method for creating a blackboard artifact with attributes
*
* @param type is a blackboard.artifact_type enum to determine which
* type the artifact should be
* @param type is a blackboard.artifact_type enum to determine which type
* the artifact should be
* @param abstractFile is the AbstractFile object that needs to have the
* artifact added for it
* artifact added for it
* @param bbattributes is the collection of blackboard attributes that need
* to be added to the artifact after the artifact has
* been created
* to be added to the artifact after the artifact has been created
*
* @return The newly-created artifact, or null on error
*/
@ -490,13 +493,12 @@ public final class LeappFileProcessor {
/**
* Generic method for creating a blackboard artifact with attributes
*
* @param type is a blackboard.artifact_type enum to determine which
* type the artifact should be
* @param dataSource is the Content object that needs to have the artifact
* added for it
* @param type is a blackboard.artifact_type enum to determine which type
* the artifact should be
* @param dataSource is the Content object that needs to have the artifact
* added for it
* @param bbattributes is the collection of blackboard attributes that need
* to be added to the artifact after the artifact has
* been created
* to be added to the artifact after the artifact has been created
*
* @return The newly-created artifact, or null on error
*/
@ -515,7 +517,7 @@ public final class LeappFileProcessor {
* Method to post a list of BlackboardArtifacts to the blackboard.
*
* @param artifacts A list of artifacts. IF list is empty or null, the
* function will return.
* function will return.
*/
void postArtifacts(Collection<BlackboardArtifact> artifacts) {
if (artifacts == null || artifacts.isEmpty()) {
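Review bot: The padding guard in processReadLine compares the highest column index with the split length using `>`, so a row whose field count equals that index is not padded and the later `columnValues[columnNumber]` read would throw ArrayIndexOutOfBoundsException; this assumes the map keys are zero-based indexes, which the `maxColumnNumber + 1` copy length suggests. Because String.split drops trailing empty fields, a row that ends in empty columns can reach this case, and since these rows appear to be derived from the examined device's data, one short row should not be able to stop the rest of the file from being processed. Splitting once and padding on `<=` covers it and removes the three repeated splits: `String[] columnValues = line.split("\\t");` followed by `if (columnValues.length <= maxColumnNumber) { columnValues = Arrays.copyOf(columnValues, maxColumnNumber + 1); }`. The body of processReadLine continues outside these hunks, so how such an exception is handled by the caller is not visible here.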


@ -31,8 +31,8 @@
<FileName filename="accounts ce 0.tsv" description="Accounts_ce">
<ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="accounts ce 0">
<AttributeName attributename="TSK_USER_ID" columnName="Name" required="yes" />
<AttributeName attributename="TSK_PROG_NAME" columnName=" Type" required="yes" />
<AttributeName attributename="TSK_PASSWORD" columnName=" Password" required="yes" />
<AttributeName attributename="TSK_PROG_NAME" columnName="Type" required="yes" />
<AttributeName attributename="TSK_PASSWORD" columnName="Password" required="yes" />
</ArtifactName>
</FileName>
@ -40,9 +40,9 @@
<ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="Authtokens">
<AttributeName attributename="null" columnName="ID" required="no" />
<AttributeName attributename="TSK_USER_ID" columnName=" Name" required="yes" />
<AttributeName attributename="TSK_PROG_NAME" columnName=" Account Type" required="yes" />
<AttributeName attributename="TSK_PROG_NAME" columnName="Account Type" required="yes" />
<AttributeName attributename="null" columnName="Authtoken Type" required="no" />
<AttributeName attributename="TSK_PASSWORD" columnName=" Authtoken" required="yes" />
<AttributeName attributename="TSK_PASSWORD" columnName="Authtoken" required="yes" />
</ArtifactName>
</FileName>
@ -56,17 +56,17 @@
<FileName filename="Browser Bookmarks.tsv" description="Browser Bookmarks">
<ArtifactName artifactname="TSK_WEB_BOOKMARK" comment="Browser Bookmarks">
<AttributeName attributename="TSK_DATETIME_CREATED " columnName="Added Date" required="yes" />
<AttributeName attributename="TSK_URL" columnName=" URL" required="yes" />
<AttributeName attributename="TSK_TITLE" columnName=" Name" required="yes" />
<AttributeName attributename="null" columnName=" Parent" required="no" />
<AttributeName attributename="null" columnName=" Type" required="no" />
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Added Date" required="yes" />
<AttributeName attributename="TSK_URL" columnName="URL" required="yes" />
<AttributeName attributename="TSK_TITLE" columnName="Name" required="yes" />
<AttributeName attributename="null" columnName="Parent" required="no" />
<AttributeName attributename="null" columnName="Type" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Browser cookies.tsv" description="Browser Cookies">
<ArtifactName artifactname="TSK_WEB_COOKIE" comment="Browser Cookies">
<AttributeName attributename="TSK_DATETIME_ACCESS" columnName="Last Access Date" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Date" required="yes" />
<AttributeName attributename="TSK_DOMAIN" columnName="Host" required="yes" />
<AttributeName attributename="TSK_NAME" columnName="Name" required="yes" />
<AttributeName attributename="TSK_VALUE" columnName="Value" required="yes" />
@ -108,11 +108,11 @@
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="Browser Offline Pages">
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Creation Time" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Time" required="yes" />
<AttributeName attributename="TSK_URL" columnName=" Online URL" required="yes" />
<AttributeName attributename="null" columnName=" File Path" required="no" />
<AttributeName attributename="TSK_TITLE" columnName=" Title" required="no" />
<AttributeName attributename="null" columnName=" Access Count" required="no" />
<AttributeName attributename="null" columnName=" File Size" required="no" />
<AttributeName attributename="TSK_URL" columnName="Online URL" required="yes" />
<AttributeName attributename="null" columnName="File Path" required="no" />
<AttributeName attributename="TSK_TITLE" columnName="Title" required="no" />
<AttributeName attributename="null" columnName="Access Count" required="no" />
<AttributeName attributename="null" columnName="File Size" required="no" />
</ArtifactName>
</FileName>
@ -153,17 +153,17 @@
<FileName filename="Chrome Bookmarks.tsv" description="Chrome Bookmarks">
<ArtifactName artifactname="TSK_WEB_BOOKMARK" comment="Chrome Bookmarks">
<AttributeName attributename="TSK_DATETIME_CREATED " columnName="Added Date" required="yes" />
<AttributeName attributename="TSK_URL" columnName=" URL" required="yes" />
<AttributeName attributename="TSK_TITLE" columnName=" Name" required="yes" />
<AttributeName attributename="null" columnName=" Parent" required="no" />
<AttributeName attributename="null" columnName=" Type" required="no" />
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Added Date" required="yes" />
<AttributeName attributename="TSK_URL" columnName="URL" required="yes" />
<AttributeName attributename="TSK_TITLE" columnName="Name" required="yes" />
<AttributeName attributename="null" columnName="Parent" required="no" />
<AttributeName attributename="null" columnName="Type" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Chrome cookies.tsv" description="Chrome Cookies">
<ArtifactName artifactname="TSK_WEB_COOKIE" comment="Chrome Cookies">
<AttributeName attributename="TSK_DATETIME_ACCESS" columnName="Last Access Date" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Date" required="yes" />
<AttributeName attributename="TSK_DOMAIN" columnName="Host" required="yes" />
<AttributeName attributename="TSK_NAME" columnName="Name" required="yes" />
<AttributeName attributename="TSK_VALUE" columnName="Value" required="yes" />
@ -197,11 +197,11 @@
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="Chrome Offline Pages">
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Creation Time" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Time" required="yes" />
<AttributeName attributename="TSK_URL" columnName=" Online URL" required="yes" />
<AttributeName attributename="null" columnName=" File Path" required="no" />
<AttributeName attributename="TSK_TITLE" columnName=" Title" required="no" />
<AttributeName attributename="null" columnName=" Access Count" required="no" />
<AttributeName attributename="null" columnName=" File Size" required="no" />
<AttributeName attributename="TSK_URL" columnName="Online URL" required="yes" />
<AttributeName attributename="null" columnName="File Path" required="no" />
<AttributeName attributename="TSK_TITLE" columnName="Title" required="no" />
<AttributeName attributename="null" columnName="Access Count" required="no" />
<AttributeName attributename="null" columnName="File Size" required="no" />
</ArtifactName>
</FileName>
@ -224,6 +224,79 @@
</ArtifactName>
</FileName>
<FileName filename="Edge Bookmarks.tsv" description="Edge Bookmarks">
<ArtifactName artifactname="TSK_WEB_BOOKMARK" comment="Chrome Bookmarks">
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Added Date" required="yes" />
<AttributeName attributename="TSK_URL" columnName="URL" required="yes" />
<AttributeName attributename="TSK_TITLE" columnName="Name" required="yes" />
<AttributeName attributename="null" columnName="Parent" required="no" />
<AttributeName attributename="null" columnName="Type" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Edge cookies.tsv" description="Edge Cookies">
<ArtifactName artifactname="TSK_WEB_COOKIE" comment="Edge Cookies">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Date" required="yes" />
<AttributeName attributename="TSK_DOMAIN" columnName="Host" required="yes" />
<AttributeName attributename="TSK_NAME" columnName="Name" required="yes" />
<AttributeName attributename="TSK_VALUE" columnName="Value" required="yes" />
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Date" required="yes" />
<AttributeName attributename="TSK_DATETIME_END" columnName="Expiration Date" required="yes" />
<AttributeName attributename="TSK_PATH" columnName="Path" required="yes" />
</ArtifactName>
</FileName>
<FileName filename="Edge History.tsv" description="Edge History">
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="Edge History">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Visit Time" required="yes"/>
<AttributeName attributename="TSK_URL" columnName="URL" required="yes"/>
<AttributeName attributename="TSK_TITLE" columnName="Title" required="yes"/>
<AttributeName attributename="null" columnName="Visit Count" required="no"/>
<AttributeName attributename="null" columnName="Hidden" required="no"/>
</ArtifactName>
</FileName>
<FileName filename="Edge login data.tsv" description="Edge Login Data">
<ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="Edge Login">
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Created Time" required="yes" />
<AttributeName attributename="TSK_USER_NAME" columnName="Username" required="yes" />
<AttributeName attributename="TSK_PASSWORD" columnName="Password" required="yes" />
<AttributeName attributename="TSK_URL" columnName="Origin URL" required="no" />
<AttributeName attributename="null" columnName="Blacklisted by User" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Edge offline pages.tsv" description="Edge Offline Pages">
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="Edge Offline Pages">
<AttributeName attributename="TSK_DATETIME_CREATED" columnName="Creation Time" required="yes" />
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Access Time" required="yes" />
<AttributeName attributename="TSK_URL" columnName="Online URL" required="yes" />
<AttributeName attributename="null" columnName="File Path" required="no" />
<AttributeName attributename="TSK_TITLE" columnName="Title" required="no" />
<AttributeName attributename="null" columnName="Access Count" required="no" />
<AttributeName attributename="null" columnName="File Size" required="no" />
</ArtifactName>
</FileName>
<FileName filename="Edge search terms.tsv" description="Edge Search Terms">
<ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="Chrome Search Terms">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Last Visit Time" required="yes"/>
<AttributeName attributename="TSK_TEXT" columnName="Search Term" required="yes"/>
<AttributeName attributename="TSK_URL" columnName="URL" required="yes"/>
<AttributeName attributename="null" columnName="Title" required="no"/>
<AttributeName attributename="null" columnName="Visit Count" required="no"/>
</ArtifactName>
</FileName>
<FileName filename="Edge top sites.tsv" description="Edge Top Sites">
<ArtifactName artifactname="TSK_WEB_HISTORY" comment="Edge Top Sites">
<AttributeName attributename="TSK_URL" columnName="URL" required="yes" />
<AttributeName attributename="null" columnName="Rank" required="no" />
<AttributeName attributename="TSK_TITLE" columnName="Title" required="no" />
<AttributeName attributename="null" columnName="Redirects" required="no" />
</ArtifactName>
</FileName>
<FileName filename="google play searches.tsv" description="Google Play Searches">
<ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="Google Play Search">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Timestamp" required="yes" />
@ -233,10 +306,11 @@
</FileName>
<FileName filename="google quick search box.tsv" description="Google quick search box">
<ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="Google Quick Search Search">
<AttributeName attributename="TSK_DATETIME" columnName="File Timestamp" required="yes" />
<ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="Google Quick Search">
<AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="File Timestamp" required="yes" />
<AttributeName attributename="null" columnName="Type" required="no" />
<AttributeName attributename="TSK_TEXT" columnName="Queries Response" required="yes" />
<AttributeName attributename="TSK_TEXT" columnName="Queries" required="yes" />
<AttributeName attributename="null" columnName="Response" required="no" />
<AttributeName attributename="null" columnName="Source File" required="no" />
</ArtifactName>
</FileName>
@ -256,12 +330,12 @@
</FileName>
<FileName filename="installed apps vending.tsv" description="Installed Apps (Vending)">
<ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps (VEnding)">
<ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Installed Apps (Vending)">
<AttributeName attributename="TSK_DATETIME" columnName="First Download" required="yes" />
<AttributeName attributename="TSK_PROG_NAME" columnName="Package Name" required="yes" />
<AttributeName attributename="TSK_TITLE" columnName=" Title" required="yes" />
<AttributeName attributename="TSK_TITLE" columnName="Title" required="yes" />
<AttributeName attributename="null" columnName="Install Reason" required="no" />
<AttributeName attributename="null" columnName=" Auto Update?" required="no" />
<AttributeName attributename="null" columnName="Auto Update?" required="no" />
</ArtifactName>
</FileName>
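Review bot: The Authtokens mapping still has `columnName=" Name"` with a leading space on the required TSK_USER_ID entry, while this change strips the same leading space from the `Account Type` and `Authtoken` entries next to it. If the column match against the TSV heading is exact, which is not visible in this section, that required column would not be found and the account artifacts for that file could be missed; it should probably read `columnName="Name"`. The new Edge entries also carry copied comments, `comment="Chrome Bookmarks"` on Edge Bookmarks and `comment="Chrome Search Terms"` on Edge search terms, which would be clearer as `Edge Bookmarks` and `Edge Search Terms`.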

Binary file not shown.