fixed ExtractUSB

Signed-off-by: Sean-M <Smoss117@gmail.com>
This commit is contained in:
Sean-M 2013-06-05 13:41:47 -04:00
parent 89c30f9cf5
commit 6e3d951e45
2 changed files with 58 additions and 63 deletions


@ -64,7 +64,6 @@ public class ExtractRegistry extends Extract {
private int sysid;
private IngestServices services;
final public static String MODULE_VERSION = "1.0";
private ExecUtil execRR;
//hide public constructor to prevent from instantiation by ingest module loader
@ -92,8 +91,7 @@ public class ExtractRegistry extends Extract {
if (PlatformUtil.isWindowsOS()) {
RR_PATH = rrHome + File.separator + "rip.exe";
}
else {
} else {
RR_PATH = "perl " + rrHome + File.separator + "rip.pl";
}
}
@ -103,9 +101,8 @@ public class ExtractRegistry extends Extract {
return MODULE_VERSION;
}
private void getRegistryFiles(Image image, IngestImageWorkerController controller) {
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> allRegistryFiles = new ArrayList<FsContent>();
try {
@ -113,10 +110,10 @@ public class ExtractRegistry extends Extract {
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file.");
}
// try to find each of the listed registry files whose parent directory
// is like '%/system32/config%'
String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"};
String[] regFileNames = new String[]{"system", "software", "security", "sam", "default"};
for (String regFileName : regFileNames) {
try {
allRegistryFiles.addAll(fileManager.findFiles(image, regFileName, "%/system32/config%"));
@ -124,7 +121,7 @@ public class ExtractRegistry extends Extract {
logger.log(Level.WARNING, "Error fetching registry file: " + regFileName);
}
}
ExtractUSB extrctr = new ExtractUSB();
int j = 0;
for (FsContent regFile : allRegistryFiles) {
String regFileName = regFile.getName();
@ -136,14 +133,13 @@ public class ExtractRegistry extends Extract {
}
File aRegFile = new File(temps);
logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps);
ExtractUSB extrctr = new ExtractUSB();
String txtPath = executeRegRip(temps, j++);
if (txtPath.length() > 0) {
if (parseReg(txtPath, regFile.getId(),extrctr) == false) {
if (parseReg(txtPath, regFile.getId(), extrctr) == false) {
continue;
}
}
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
aRegFile.delete();
@ -160,26 +156,20 @@ public class ExtractRegistry extends Extract {
try {
if (regFilePath.toLowerCase().contains("system")) {
type = "autopsysystem";
}
else if (regFilePath.toLowerCase().contains("software")) {
} else if (regFilePath.toLowerCase().contains("software")) {
type = "autopsysoftware";
}
else if (regFilePath.toLowerCase().contains("ntuser")) {
} else if (regFilePath.toLowerCase().contains("ntuser")) {
type = "autopsy";
}
else if (regFilePath.toLowerCase().contains("default")) {
} else if (regFilePath.toLowerCase().contains("default")) {
type = "1default";
}
else if (regFilePath.toLowerCase().contains("sam")) {
} else if (regFilePath.toLowerCase().contains("sam")) {
type = "1sam";
}
else if (regFilePath.toLowerCase().contains("security")) {
} else if (regFilePath.toLowerCase().contains("security")) {
type = "1security";
}
else {
} else {
type = "1default";
}
logger.log(Level.INFO, "Writing RegRipper results to: " + txtPath);
writer = new FileWriter(txtPath);
execRR = new ExecUtil();
@ -190,8 +180,7 @@ public class ExtractRegistry extends Extract {
logger.log(Level.SEVERE, "Unable to RegRipper and process parse some registry files.", ex);
} catch (InterruptedException ex) {
logger.log(Level.SEVERE, "RegRipper has been interrupted, failed to parse registry.", ex);
}
finally {
} finally {
if (writer != null) {
try {
writer.close();
@ -200,7 +189,7 @@ public class ExtractRegistry extends Extract {
}
}
}
return txtPath;
}
@ -229,13 +218,13 @@ public class ExtractRegistry extends Extract {
Element oroot = doc.getDocumentElement();
NodeList children = oroot.getChildNodes();
int len = children.getLength();
for(int i=0; i<len; i++) {
for (int i = 0; i < len; i++) {
Element tempnode = (Element) children.item(i);
String context = tempnode.getNodeName();
NodeList timenodes = tempnode.getElementsByTagName("time");
Long time = null;
if(timenodes.getLength() > 0) {
if (timenodes.getLength() > 0) {
Element timenode = (Element) timenodes.item(0);
String etime = timenode.getTextContent();
try {
@ -249,7 +238,7 @@ public class ExtractRegistry extends Extract {
}
NodeList artroots = tempnode.getElementsByTagName("artifacts");
if(artroots.getLength() == 0) {
if (artroots.getLength() == 0) {
// If there isn't an artifact node, skip this entry
continue;
}
@ -257,10 +246,10 @@ public class ExtractRegistry extends Extract {
NodeList myartlist = artroot.getChildNodes();
String winver = "";
String installdate = "";
for(int j=0; j<myartlist.getLength(); j++) {
for (int j = 0; j < myartlist.getLength(); j++) {
Node artchild = myartlist.item(j);
// If it has attributes, then it is an Element (based off API)
if(artchild.hasAttributes()) {
if (artchild.hasAttributes()) {
Element artnode = (Element) artchild;
String name = artnode.getAttribute("name");
String value = artnode.getTextContent().trim();
@ -282,16 +271,18 @@ public class ExtractRegistry extends Extract {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, utime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", utime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", utime));
String dev = artnode.getAttribute("dev");
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", value));
USB_Info info = extrctr.get(dev);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", info.get_Vendor()));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", info.get_Product()));
if (dev.toLowerCase().contains("vid")) {
USB_Info info = extrctr.get(dev);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", info.get_Vendor()));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", info.get_Product()));
}
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard.");
@ -305,15 +296,15 @@ public class ExtractRegistry extends Extract {
} catch (ParseException e) {
logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact.");
}
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, ftime));
try {
if(time != null) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time));
if (time != null) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", ftime));
@ -349,7 +340,7 @@ public class ExtractRegistry extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", installtime));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
} catch(TskCoreException ex) {
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.");
}
}
@ -361,14 +352,14 @@ public class ExtractRegistry extends Extract {
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, artnode.getName()));
if(time != null) {
if (time != null) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", artnode.getNodeName()));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", artnode.getNodeName()));
bbart.addAttributes(bbattributes);
} catch(TskCoreException ex) {
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.");
}
@ -401,7 +392,7 @@ public class ExtractRegistry extends Extract {
}
@Override
public void process(PipelineContext<IngestModuleImage>pipelineContext, Image image, IngestImageWorkerController controller) {
public void process(PipelineContext<IngestModuleImage> pipelineContext, Image image, IngestImageWorkerController controller) {
this.getRegistryFiles(image, controller);
}
@ -421,7 +412,7 @@ public class ExtractRegistry extends Extract {
execRR.stop();
execRR = null;
}
}
@Override
@ -434,7 +425,6 @@ public class ExtractRegistry extends Extract {
return "Extracts activity from the Windows registry utilizing RegRipper.";
}
@Override
public boolean hasBackgroundJobsRunning() {
return false;
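Review bot: The new `if (dev.toLowerCase().contains("vid"))` guard around the USB lookup in the `TSK_DEVICE_ATTACHED` branch does not make the lookup safe: `extrctr.get(dev)` tokenizes the string and indexes `dtokens[3]` (see the ExtractUSB hunk), so a `dev` value that merely contains "vid" but has fewer tokens throws an unchecked exception that the surrounding `catch (TskCoreException ex)` does not handle, and since `dev` comes from the suspect's registry via RegRipper output, a malformed value would abort parsing of the whole report. The lookup also returns `new USB_Info("No such Device", null)` for unknown devices, so `info.get_Product()` is null for every unmatched device and is passed straight into a `BlackboardAttribute`. Both the vendor and the product are added under `TSK_DEVICE_MODEL`, which was already set to `dev` two lines earlier, so one artifact carries three "model" attributes; the vendor should get its own attribute type (or be dropped), and the product add should be guarded, e.g. `if (info.get_Product() != null) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", info.get_Product())); }`, with the lookup itself wrapped so a bad `dev` string only skips this artifact. The enclosing parseReg method starts and ends outside this hunk.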


@ -22,12 +22,15 @@
*/
package org.sleuthkit.autopsy.recentactivity;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.HashMap;
import java.util.Scanner;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.sleuthkit.autopsy.coreutils.PlatformUtil;
public class ExtractUSB {
private HashMap<String, USB_Info> devices;
@ -41,11 +44,11 @@ public class ExtractUSB {
} else {
pID = mID + dtokens[3];
}
//if (!devices.containsKey(pID)) {
// return new String[]{"No such Device", null};
//} else {
return devices.get(pID);
//}
if (!devices.containsKey(pID)) {
return new USB_Info("No such Device", null);
} else {
return devices.get(pID);
}
}
public ExtractUSB() {
@ -54,12 +57,15 @@ public class ExtractUSB {
} catch (FileNotFoundException ex) {
Logger.getLogger(ExtractUSB.class.getName()).log(Level.SEVERE, null, ex);
devices = null;
} catch (IOException ex) {
Logger.getLogger(ExtractUSB.class.getName()).log(Level.SEVERE, null, ex);
}
}
private void Devices() throws FileNotFoundException {
private void Devices() throws FileNotFoundException, IOException {
devices = new HashMap<String, USB_Info>();
try (Scanner dat = new Scanner(new FileInputStream(new java.io.File("src" + java.io.File.separator + "org" + java.io.File.separator + "sleuthkit" + java.io.File.separator + "autopsy" + java.io.File.separator + "recentactivity" + java.io.File.separator + "USB_DATA.txt")))) {
PlatformUtil.extractResourceToUserConfigDir(this.getClass(), "USB_DATA.txt");
try (Scanner dat = new Scanner(new FileInputStream(new java.io.File(PlatformUtil.getUserConfigDirectory() + File.separator + "USB_DATA.txt")))) {
String line = dat.nextLine();
while (dat.hasNext()) {
String dvc = "";
@ -69,23 +75,22 @@ public class ExtractUSB {
for (int n = 1; n < tokens.length; n++) {
dvc += tokens[n] + " ";
}
String pID = vID + "0000";
USB_Info info = new USB_Info(dvc, null);
devices.put(pID, info);
line = dat.nextLine();
if (line.startsWith("\t")) {
while (dat.hasNext() && line.startsWith("\t")) {
tokens = line.split("[\\t\\s]+");
String pID = vID + tokens[1];
pID = vID + tokens[1];
String device = "";
line = dat.nextLine();
for (int n = 2; n < tokens.length; n++) {
device += tokens[n] + " ";
}
USB_Info info = new USB_Info(dvc, device);
info = new USB_Info(dvc, device);
devices.put(pID, info);
}
} else {
String pID = vID + "0000";
USB_Info info = new USB_Info(dvc, null);
devices.put(pID, info);
}
} else {
line = dat.nextLine();