From 5f95835198eea3bd54ef0d3d3604cd904506be2e Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Tue, 19 Jan 2021 10:22:57 -0500 Subject: [PATCH 1/4] Update LeappFileProcessor.java Add creating custom artifact and remove check for already exists as there are issues with custom attributes. --- .../leappanalyzers/LeappFileProcessor.java | 30 +++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java index f4e24aca39..cb76601da0 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java @@ -18,6 +18,7 @@ */ package org.sleuthkit.autopsy.modules.leappanalyzers; +import com.google.common.collect.ImmutableMap; import java.io.BufferedReader; import java.io.File; import java.io.FileNotFoundException; @@ -127,6 +128,10 @@ public final class LeappFileProcessor { private final Map tsvFileArtifactComments; private final Map> tsvFileAttributes; + private static final Map CUSTOM_ARTIFACT_MAP = ImmutableMap.builder() + .put("TSK_IP_DHCP", "DHCP Information") + .build(); + Blackboard blkBoard; public LeappFileProcessor(String xmlFile) throws IOException, IngestModuleException, NoCurrentCaseException { @@ -138,6 +143,7 @@ public final class LeappFileProcessor { blkBoard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard(); + createCustomArtifacts(blkBoard); configExtractor(); loadConfigFile(); 
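Review bot: In hunk @@ -138,6 +143,7 the constructor calls `createCustomArtifacts(blkBoard)` before `configExtractor()` and `loadConfigFile()`, but that method (hunk @@ -698 of this patch) only logs a `BlackboardException` and returns, so a failed `getOrAddArtifactType` leaves the processor fully constructed while any config entry that names `TSK_IP_DHCP` presumably cannot be resolved later. Since the constructor already declares `throws IngestModuleException`, consider failing fast instead: `throw new IngestModuleException(String.format("Failed to create custom artifact type %s.", artifactName), ex);` in that catch, with `createCustomArtifacts` declaring `throws IngestModuleException`. If continuing on failure is intended, a comment on the call stating that custom types must be registered before the config is loaded and that registration failures are non-fatal would make both the ordering and the policy explicit. The constructor body continues outside the hunk.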
@@ -303,7 +309,7 @@ public final class LeappFileProcessor { while (line != null) { Collection bbattributes = processReadLine(line, columnNumberToProcess, fileName); - if (!bbattributes.isEmpty() && !blkBoard.artifactExists(dataSource, BlackboardArtifact.ARTIFACT_TYPE.fromID(artifactType.getTypeID()), bbattributes)) { + if (!bbattributes.isEmpty()) { BlackboardArtifact bbartifact = createArtifactWithAttributes(artifactType.getTypeID(), dataSource, bbattributes); if (bbartifact != null) { bbartifacts.add(bbartifact); @@ -397,7 +403,8 @@ public final class LeappFileProcessor { } } else if (attrType.matches("LONG")) { try { - bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, Long.valueOf(columnValue))); + bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, (long)Double.parseDouble(columnValue))); +// bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, Long.valueOf(columnValue))); } catch (NumberFormatException ex) { logger.log(Level.WARNING, String.format("Unable to format %s as an long.", columnValue), ex); } @@ -698,4 +705,23 @@ public final class LeappFileProcessor { xmlFile, true); } + /** + * Create custom artifacts that are defined in the xLeapp xml file(s). + * + */ + private void createCustomArtifacts(Blackboard blkBoard) { + + for (Map.Entry customArtifact : CUSTOM_ARTIFACT_MAP.entrySet()) { + String artifactName = customArtifact.getKey(); + String artifactDescription = customArtifact.getValue(); + + try { + BlackboardArtifact.Type customArtifactType = blkBoard.getOrAddArtifactType(artifactName, artifactDescription); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.WARNING, String.format("Failed to create custom artifact type %s.", artifactName), ex); + } + + } + } + } From 980629494e2020fafa7d2c0bb8b94f146612c954 Mon Sep 17 00:00:00 2001 
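Review bot: Dropping the `blkBoard.artifactExists(...)` guard in hunk @@ -303,7 +309,7 means every non-empty attribute collection now produces an artifact unconditionally, so re-ingesting the same data source, or a TSV that repeats rows, will create duplicate artifacts where the old code skipped them. The commit message attributes the removal to problems with custom attributes; if that is the only reason, keep the check for the standard artifact types and bypass it only where it misbehaves, or at least leave a marker at the changed line: `// NOTE: duplicate-artifact check (artifactExists) removed because it fails for custom attribute types; restore once fixed`. The enclosing read loop continues outside the hunk.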
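Review bot: The new LONG branch in hunk @@ -397,7 +403,8 accepts inputs the old `Long.valueOf` rejected: `Double.parseDouble` parses `"NaN"`, `"Infinity"` and exponent forms without throwing `NumberFormatException`, and the `(long)` cast then silently stores 0 or `Long.MAX_VALUE`; integers above 2^53 also lose their low-order digits in the double round-trip, which matters if any LONG column carries 64-bit identifiers or fine-grained timestamps (inferred, the column semantics are not visible here). Patch 3 hunk @@ -407,7 +407,8 and patch 4 hunk @@ -408,7 +408,7 keep the same `Double.valueOf(columnValue).longValue()` conversion, so the point applies there too. Parsing as a long first and falling back to the double path only for the `21.0` form keeps exact integers exact while still accepting the decimal spelling. The commented-out `Long.valueOf` line added here is removed again by patch 2, so it need not be kept.
```java
// … unchanged: attrType dispatch …
try {
    long longValue;
    try {
        longValue = Long.parseLong(columnValue);
    } catch (NumberFormatException notAnInteger) {
        // accept the '21.0' form, but still reject NaN/Infinity
        double parsed = Double.parseDouble(columnValue);
        if (Double.isNaN(parsed) || Double.isInfinite(parsed)) {
            throw notAnInteger;
        }
        longValue = (long) parsed;
    }
    bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, longValue));
} catch (NumberFormatException ex) {
    // … unchanged: warning log …
}
```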
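Review bot: In `createCustomArtifacts` (hunk @@ -698,4 +705,23) the local `customArtifactType` is assigned and never read, and the parameter `blkBoard` shadows the field of the same name; the call can simply be `blkBoard.getOrAddArtifactType(artifactName, artifactDescription);` with the parameter dropped or renamed. The Javadoc says the types are "defined in the xLeapp xml file(s)", but the loop iterates the hard-coded `CUSTOM_ARTIFACT_MAP` added in hunk @@ -127 of this patch, so the comment should name where the list actually lives, e.g. `Registers the custom artifact types listed in CUSTOM_ARTIFACT_MAP with the blackboard, creating any that do not exist yet.` together with `@param blkBoard the blackboard the types are registered with`. Patch 2 hunk @@ -745,4 +744,23 adds the same method body into the merged file, so the same points apply there.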
From: Mark McKinnon Date: Tue, 19 Jan 2021 10:33:32 -0500 Subject: [PATCH 2/4] Update LeappFileProcessor.java Fix merge and remove comment. --- .../leappanalyzers/LeappFileProcessor.java | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java index e9026055cf..1776e1c3e9 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java @@ -408,7 +408,6 @@ public final class LeappFileProcessor { } else if (attrType.matches("LONG")) { try { bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, (long)Double.parseDouble(columnValue))); -// bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, Long.valueOf(columnValue))); } catch (NumberFormatException ex) { logger.log(Level.WARNING, String.format("Unable to format %s as an long.", columnValue), ex); } @@ -745,4 +744,23 @@ public final class LeappFileProcessor { return leappFilesToProcess; } + + /** + * Create custom artifacts that are defined in the xLeapp xml file(s). + * + */ + private void createCustomArtifacts(Blackboard blkBoard) { + + for (Map.Entry customArtifact : CUSTOM_ARTIFACT_MAP.entrySet()) { + String artifactName = customArtifact.getKey(); + String artifactDescription = customArtifact.getValue(); + + try { + BlackboardArtifact.Type customArtifactType = blkBoard.getOrAddArtifactType(artifactName, artifactDescription); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.WARNING, String.format("Failed to create custom artifact type %s.", artifactName), ex); + } + + } + } } From d42603f830ca2727ae7979e07abd695fa19ced07 Mon Sep 17 00:00:00 2001 
From: Mark McKinnon
Date: Wed, 20 Jan 2021 11:39:17 -0500
Subject: [PATCH 3/4] Update LeappFileProcessor.java

Fix merge conflict
---
 .../autopsy/modules/leappanalyzers/LeappFileProcessor.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
index 1776e1c3e9..00f4c58c40 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
@@ -407,7 +407,8 @@ public final class LeappFileProcessor {
 }
 } else if (attrType.matches("LONG")) {
 try {
- bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, (long)Double.parseDouble(columnValue)));
+ // parse as double to handle values of format like '21.0' and then convert to long
+ bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, Double.valueOf(columnValue).longValue()));
 } catch (NumberFormatException ex) {
 logger.log(Level.WARNING, String.format("Unable to format %s as an long.", columnValue), ex);
 }

From db09a7a2a138fe77ed8cf1e6708ae85c329d4974 Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Wed, 20 Jan 2021 11:40:38 -0500
Subject: [PATCH 4/4] Update LeappFileProcessor.java

One more time
---
 .../autopsy/modules/leappanalyzers/LeappFileProcessor.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
index 00f4c58c40..a64d4b0c32 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java
@@ -408,7 +408,7 @@ public final class LeappFileProcessor {
 } else if (attrType.matches("LONG")) {
 try {
 // parse as double to handle values of format like '21.0' and then convert to long
- bbattributes.add(new BlackboardAttribute(attributeType, MODULE_NAME, Double.valueOf(columnValue).longValue()));
+ bbattributes.add(new BlackboardAttribute(attributeType, moduleName, Double.valueOf(columnValue).longValue()));
 } catch (NumberFormatException ex) {
 logger.log(Level.WARNING, String.format("Unable to format %s as an long.", columnValue), ex);
 }