File encryption module handle files better

Handle file extension/location used to also determine if a file is encrypted or not.
2025-07-15 09:17:42 +00:00 · 2019-09-20 10:48:25 -04:00 · 2019-09-20 10:48:25 -04:00 · 7334e8b6b0
commit 7334e8b6b0
parent d6496f2d31
2 changed files with 49 additions and 9 deletions
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/Bundle.properties-MERGED
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/Bundle.properties-MERGED
@ -1,6 +1,7 @@
 EncryptionDetectionDataSourceIngestModule.artifactComment.bitlocker=Bitlocker encryption detected.
 EncryptionDetectionDataSourceIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f).
 EncryptionDetectionDataSourceIngestModule.processing.message=Checking image for encryption.
+EncryptionDetectionFileIngestModule.artifactComment.location=Location/File Extension determine encrypted file.
 EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected.
 EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f).
 EncryptionDetectionFileIngestModule.getDesc.text=Looks for files with the specified minimum entropy.
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
@ -29,6 +29,8 @@ import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.BufferUnderflowException;
+import java.util.HashMap;
+import java.util.Map;
 import java.util.logging.Level;
 import org.apache.tika.exception.EncryptedDocumentException;
 import org.apache.tika.exception.TikaException;
@ -76,6 +78,8 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter

    private static final String[] FILE_IGNORE_LIST = {"hiberfile.sys", "pagefile.sys"};

+    private final Map<String, String> knownEncryptedLocationExtensions = createLocationExtensionMap();
+
    private final IngestServices services = IngestServices.getInstance();
    private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
    private FileTypeDetector fileTypeDetector;
@ -119,6 +123,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter

    @Messages({
        "EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected.",
+        "EncryptionDetectionFileIngestModule.artifactComment.location=Location/File Extension determine encrypted file.",
        "EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f)."
    })
    @Override
@ -155,6 +160,9 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
                 */
                String mimeType = fileTypeDetector.getMIMEType(file);
                if (mimeType.equals("application/octet-stream") && isFileEncryptionSuspected(file)) {
+                    if (checkFileLocationExtension(file)) {
+                        return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_location());
+                    }
                    return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
                            String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
                } else if (isFilePasswordProtected(file)) {
@ -406,4 +414,35 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter

        return possiblyEncrypted;
    }
+
+    /**
+     * This method checks if the AbstractFile input is in a location that is
+     * known to hold encrypted files. It must meet the requirements and location
+     * of known encrypted file(s)
+     *
+     * @param file AbstractFile to be checked.
+     *
+     * @return True if file extension and location match known values.
+     *
+     */
+    private boolean checkFileLocationExtension(AbstractFile file) {
+        String filePath = file.getParentPath().replace("/", "");
+        if (knownEncryptedLocationExtensions.containsKey(filePath)) {
+            if (knownEncryptedLocationExtensions.get(filePath).equals(file.getNameExtension())) {
+               return true; 
+            }
+        }
+        return false;
+    }
+    
+    /*
+     * This method creates the map of paths and extensions that are known to have encrypted files
+     * 
+     * @return Map of path and extension of files
+     */
+    private Map<String, String> createLocationExtensionMap() {
+        Map<String, String> locationExtensionMap = new HashMap<String, String>();
+        locationExtensionMap.put(".android_secure", "asec");
+        return locationExtensionMap;
+    }
 }