File encryption module handle files better

Use the file extension and location to also help determine whether a file is encrypted or not.
This commit is contained in:
Mark McKinnon 2019-09-20 10:48:25 -04:00
parent d6496f2d31
commit 7334e8b6b0
2 changed files with 49 additions and 9 deletions


@ -1,6 +1,7 @@
EncryptionDetectionDataSourceIngestModule.artifactComment.bitlocker=Bitlocker encryption detected. EncryptionDetectionDataSourceIngestModule.artifactComment.bitlocker=Bitlocker encryption detected.
EncryptionDetectionDataSourceIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f). EncryptionDetectionDataSourceIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f).
EncryptionDetectionDataSourceIngestModule.processing.message=Checking image for encryption. EncryptionDetectionDataSourceIngestModule.processing.message=Checking image for encryption.
EncryptionDetectionFileIngestModule.artifactComment.location=Location/File Extension determine encrypted file.
EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected. EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected.
EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f). EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f).
EncryptionDetectionFileIngestModule.getDesc.text=Looks for files with the specified minimum entropy. EncryptionDetectionFileIngestModule.getDesc.text=Looks for files with the specified minimum entropy.


@ -29,6 +29,8 @@ import java.io.BufferedInputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.nio.BufferUnderflowException; import java.nio.BufferUnderflowException;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level; import java.util.logging.Level;
import org.apache.tika.exception.EncryptedDocumentException; import org.apache.tika.exception.EncryptedDocumentException;
import org.apache.tika.exception.TikaException; import org.apache.tika.exception.TikaException;
@ -76,6 +78,8 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
private static final String[] FILE_IGNORE_LIST = {"hiberfile.sys", "pagefile.sys"}; private static final String[] FILE_IGNORE_LIST = {"hiberfile.sys", "pagefile.sys"};
private final Map<String, String> knownEncryptedLocationExtensions = createLocationExtensionMap();
private final IngestServices services = IngestServices.getInstance(); private final IngestServices services = IngestServices.getInstance();
private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName()); private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
private FileTypeDetector fileTypeDetector; private FileTypeDetector fileTypeDetector;
@ -106,7 +110,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException { public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
try { try {
validateSettings(); validateSettings();
this.context = context; this.context = context;
blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard(); blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard();
fileTypeDetector = new FileTypeDetector(); fileTypeDetector = new FileTypeDetector();
@ -119,6 +123,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
@Messages({ @Messages({
"EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected.", "EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected.",
"EncryptionDetectionFileIngestModule.artifactComment.location=Location/File Extension determine encrypted file.",
"EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f)." "EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f)."
}) })
@Override @Override
@ -130,12 +135,12 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
* verify the file hasn't been deleted. * verify the file hasn't been deleted.
*/ */
if (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) if (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR) && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR)
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR) && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR)
&& (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed) && (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed)
&& !file.getKnown().equals(TskData.FileKnown.KNOWN) && !file.getKnown().equals(TskData.FileKnown.KNOWN)
&& !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) { && !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
/* /*
* Is the file in FILE_IGNORE_LIST? * Is the file in FILE_IGNORE_LIST?
*/ */
@ -155,6 +160,9 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
*/ */
String mimeType = fileTypeDetector.getMIMEType(file); String mimeType = fileTypeDetector.getMIMEType(file);
if (mimeType.equals("application/octet-stream") && isFileEncryptionSuspected(file)) { if (mimeType.equals("application/octet-stream") && isFileEncryptionSuspected(file)) {
if (checkFileLocationExtension(file)) {
return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_location());
}
return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED, return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy)); String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
} else if (isFilePasswordProtected(file)) { } else if (isFilePasswordProtected(file)) {
@ -406,4 +414,35 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
return possiblyEncrypted; return possiblyEncrypted;
} }
/**
* This method checks if the AbstractFile input is in a location that is
* known to hold encrypted files. It must meet the requirements and location
* of known encrypted file(s)
*
* @param file AbstractFile to be checked.
*
* @return True if file extension and location match known values.
*
*/
private boolean checkFileLocationExtension(AbstractFile file) {
String filePath = file.getParentPath().replace("/", "");
if (knownEncryptedLocationExtensions.containsKey(filePath)) {
if (knownEncryptedLocationExtensions.get(filePath).equals(file.getNameExtension())) {
return true;
}
}
return false;
}
/*
* This method creates the map of paths and extensions that are known to have encrypted files
*
* @return Map of path and extension of files
*/
private Map<String, String> createLocationExtensionMap() {
Map<String, String> locationExtensionMap = new HashMap<String, String>();
locationExtensionMap.put(".android_secure", "asec");
return locationExtensionMap;
}
} }
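Review bot: In checkFileLocationExtension, `file.getParentPath().replace("/", "")` deletes every slash, so the lookup key is the concatenation of all path components rather than a directory name: a parent of `/sdcard/.android_secure/` becomes `sdcard.android_secure` and never matches, while an unrelated layout such as `/.android/_secure/` collapses to `.android_secure` and does match. Comparing the last path component (or each component, if the intent is any ancestor directory — not clear from the commit) avoids both problems, and a null guard on the parent path is cheap if that accessor can return null. It is unclear from the page whether `getNameExtension()` is normalised to lower case; if it is not, the `equals` comparison will miss `.ASEC`, so that is worth confirming. Smaller points in the same hunk: the comment on createLocationExtensionMap opens with `/*` and so is not Javadoc, and since the map is constant it could be a `private static final` unmodifiable map (`Collections.unmodifiableMap`) instead of a per-instance mutable `HashMap`.
```java
private boolean checkFileLocationExtension(AbstractFile file) {
    String parentPath = file.getParentPath();
    if (parentPath == null) {
        return false;
    }
    // split() drops trailing empty strings, so "/x/.android_secure/" yields ["", "x", ".android_secure"]
    String[] components = parentPath.split("/");
    String parentDir = components.length == 0 ? "" : components[components.length - 1];
    String expectedExtension = knownEncryptedLocationExtensions.get(parentDir);
    return expectedExtension != null && expectedExtension.equals(file.getNameExtension());
}
// … unchanged: createLocationExtensionMap …
```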