diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED index d909db9e71..8c51d5e2a6 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED @@ -2,6 +2,7 @@ cannotBuildXmlParser=Unable to build XML parser: cannotLoadSEUQA=Unable to load Search Engine URL Query Analyzer settings file, SEUQAMappings.xml: cannotParseXml=Unable to parse XML file: ChromeCacheExtractor.moduleName=ChromeCacheExtractor +ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3} DataSourceUsage_AndroidMedia=Android Media Card DataSourceUsage_FlashDrive=Flash Drive # {0} - OS name @@ -134,6 +135,7 @@ Progress_Message_Analyze_Registry=Analyzing Registry Files Progress_Message_Analyze_Usage=Data Sources Usage Analysis Progress_Message_Chrome_AutoFill=Chrome Auto Fill Progress_Message_Chrome_Bookmarks=Chrome Bookmarks +Progress_Message_Chrome_Cache=Chrome Cache Progress_Message_Chrome_Cookies=Chrome Cookies Progress_Message_Chrome_Downloads=Chrome Downloads Progress_Message_Chrome_FormHistory=Chrome Form History diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 23a6f3ab22..5006ee27b5 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -93,6 +93,7 @@ class Chrome extends Extract { "Progress_Message_Chrome_FormHistory=Chrome Form History", "Progress_Message_Chrome_AutoFill=Chrome Auto Fill", "Progress_Message_Chrome_Logins=Chrome Logins", + "Progress_Message_Chrome_Cache=Chrome Cache", }) Chrome() { @@ -123,7 +124,8 @@ class Chrome extends Extract { progressBar.progress(Bundle.Progress_Message_Chrome_Downloads()); this.getDownload(); - ChromeCacheExtractor chromeCacheExtractor = new ChromeCacheExtractor(dataSource, context); + progressBar.progress(Bundle.Progress_Message_Chrome_Cache()); + ChromeCacheExtractor chromeCacheExtractor = new ChromeCacheExtractor(dataSource, context, progressBar); chromeCacheExtractor.getCaches(); } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java index 1f7eb0580e..c9ae1b674c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java @@ -44,6 +44,7 @@ import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.datamodel.ContentUtils; +import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress; import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException; import org.sleuthkit.autopsy.ingest.IngestServices; @@ -55,7 +56,6 @@ import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.DerivedFile; -import org.sleuthkit.datamodel.ReadContentInputStream; import org.sleuthkit.datamodel.TimeUtilities; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; @@ -93,12 +93,17 @@ final class ChromeCacheExtractor { private final Content dataSource; private final IngestJobContext context; + private final DataSourceIngestModuleProgress progressBar; private final IngestServices services = IngestServices.getInstance(); private Case currentCase; private FileManager fileManager; + // A file table to cache copies of index and data_n files. private final Map filesTable = new HashMap<>(); + // A file table to cache the f_* files. + private final Map externalFilesTable = new HashMap<>(); + /** * Encapsulates abstract file for a cache file as well as a temp file copy * that can be accessed as a random access file. @@ -127,12 +132,14 @@ final class ChromeCacheExtractor { } @NbBundle.Messages({ - "ChromeCacheExtractor.moduleName=ChromeCacheExtractor" + "ChromeCacheExtractor.moduleName=ChromeCacheExtractor", + "ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3}" }) - ChromeCacheExtractor(Content dataSource, IngestJobContext context ) { + ChromeCacheExtractor(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar ) { moduleName = Bundle.ChromeCacheExtractor_moduleName(); this.dataSource = dataSource; this.context = context; + this.progressBar = progressBar; } @@ -171,6 +178,7 @@ final class ChromeCacheExtractor { void subInit(String cachePath) throws IngestModuleException { filesTable.clear(); + externalFilesTable.clear(); String cacheAbsOutputFolderName = this.getAbsOutputFolderName() + cachePath; File outDir = new File(cacheAbsOutputFolderName); @@ -284,6 +292,9 @@ final class ChromeCacheExtractor { return; } } + + // find all f_* files in a single query. + findExternalFiles(cachePath); } catch (TskCoreException | IngestModuleException ex) { String msg = "Failed to find cache files in path " + cachePath; //NON-NLS @@ -306,8 +317,10 @@ final class ChromeCacheExtractor { // Process each address in the table for (int i = 0; i < indexHdr.getTableLen(); i++) { CacheAddress addr = new CacheAddress(indexFileROBuffer.getInt() & UINT32_MASK, cachePath); - if (addr.isInitialized()) { + progressBar.progress( NbBundle.getMessage(this.getClass(), + "ChromeCacheExtractor.progressMsg", + moduleName, i, indexHdr.getTableLen(), cachePath) ); try { List addedFiles = this.getCacheEntry(addr, sourceArtifacts, webCacheArtifacts); derivedFiles.addAll(addedFiles); @@ -412,13 +425,10 @@ final class ChromeCacheExtractor { moduleName, dataFile.get().getUniquePath())); - long pathID = Util.findID(dataSource, dataFile.get().getUniquePath()); - if (pathID != -1) { - webCacheArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID, - moduleName, pathID)); - } + webCacheArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID, + moduleName, dataFile.get().getId())); - webCacheArtifacts.add(webCacheArtifact); + webCacheArtifacts.add(webCacheArtifact); } if (isBrotliCompressed) { @@ -459,12 +469,10 @@ final class ChromeCacheExtractor { webCacheArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, moduleName, derivedFile.getUniquePath())); - long pathID = Util.findID(dataSource, derivedFile.getUniquePath()); - if (pathID != -1) { - webCacheArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID, - moduleName, pathID)); - } - + + webCacheArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID, + moduleName, derivedFile.getId())); + webCacheArtifacts.add(webCacheArtifact); } @@ -485,13 +493,37 @@ final class ChromeCacheExtractor { } /** - * Finds abstract file for cache file with a specified name + * Finds all the f_* files in the specified path, and fills them in the + * effFilesTable, so that subsequent searches are fast. + * + * @param cachePath path under which to look for. + * + * @throws TskCoreException + */ + private void findExternalFiles(String cachePath) throws TskCoreException { + + List effFiles = fileManager.findFiles(dataSource, "f_%", cachePath); //NON-NLS + for (AbstractFile abstractFile : effFiles ) { + this.externalFilesTable.put(cachePath + abstractFile.getName(), abstractFile); + } + } + /** + * Finds abstract file for cache file with a specified name. + * First checks in the file tables. * * @param cacheFileName - * @return Opt + * @return Optional abstract file * @throws TskCoreException */ Optional findCacheFile(String cacheFileName, String cachePath) throws TskCoreException { + + String fileTableKey = cachePath + cacheFileName; + if (cacheFileName.startsWith("f_") && externalFilesTable.containsKey(fileTableKey)) { + return Optional.of(externalFilesTable.get(fileTableKey)); + } + if (filesTable.containsKey(fileTableKey)) { + return Optional.of(filesTable.get(fileTableKey).getAbstractFile()); + } List cacheFiles = fileManager.findFiles(dataSource, cacheFileName, cachePath); //NON-NLS if (!cacheFiles.isEmpty()) { @@ -914,9 +946,11 @@ final class ChromeCacheExtractor { return; } - cacheFileCopy = getCacheFileCopy(address.getFilename(), address.getCachePath()).get(); + // Don't extract data from external files. if (!address.isInExternalFile() ) { + cacheFileCopy = getCacheFileCopy(address.getFilename(), address.getCachePath()).get(); + this.data = new byte [length]; ByteBuffer buf = cacheFileCopy.getByteBuffer(); int dataOffset = DATAFILE_HDR_SIZE + address.getStartBlock() * address.getBlockSize(); @@ -952,8 +986,8 @@ final class ChromeCacheExtractor { i++; } - // hhtp headers are terminated by 0x00 0x00 - if (data[i+1] == 0) { + // http headers are terminated by 0x00 0x00 + if (i == data.length || data[i+1] == 0) { done = true; } @@ -965,10 +999,11 @@ final class ChromeCacheExtractor { httpResponse = headerLine; } else { int nPos = headerLine.indexOf(':'); - String key = headerLine.substring(0, nPos); - String val= headerLine.substring(nPos+1); - - httpHeaders.put(key.toLowerCase(), val); + if (nPos > 0 ) { + String key = headerLine.substring(0, nPos); + String val= headerLine.substring(nPos+1); + httpHeaders.put(key.toLowerCase(), val); + } } i++;