From 500d3e085756812f0aef83a78c7fd3834518150c Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 10:22:01 +0200 Subject: [PATCH 01/17] depend on CoreLibs for utility libraries --- RecentActivity/nbproject/project.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml index 4d85f94e9b..6bcc77fd91 100644 --- a/RecentActivity/nbproject/project.xml +++ b/RecentActivity/nbproject/project.xml @@ -63,6 +63,15 @@ 10.12 + + org.sleuthkit.autopsy.corelibs + + + + 3 + 1.2 + + org.sleuthkit.autopsy.recentactivity From 080858ec3176555c6610b085f380c76f9727d89e Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 10:22:43 +0200 Subject: [PATCH 02/17] cleanup in Util.java --- .../autopsy/recentactivity/Util.java | 59 +++++++------------ 1 file changed, 20 insertions(+), 39 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java index 8b246b05aa..0b4f619bc0 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java @@ -1,19 +1,19 @@ - /* +/* * * Autopsy Forensic Browser - * + * * Copyright 2012-2018 Basis Technology Corp. - * + * * Copyright 2012 42six Solutions. * Contact: aebadirad 42six com * Project Contact/Architect: carrier sleuthkit org - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
@@ -22,7 +22,6 @@ */ package org.sleuthkit.autopsy.recentactivity; -import org.sleuthkit.autopsy.coreutils.SQLiteDBConnect; import java.io.File; import java.io.FileInputStream; import java.io.IOException; @@ -35,14 +34,16 @@ import java.sql.ResultSet; import java.text.SimpleDateFormat; import java.util.Date; import java.util.List; +import java.util.Objects; import java.util.StringTokenizer; import java.util.logging.Level; -import org.sleuthkit.autopsy.coreutils.Logger; import java.util.regex.Matcher; import java.util.regex.Pattern; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.casemodule.services.FileManager; +import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.autopsy.coreutils.SQLiteDBConnect; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.TskCoreException; @@ -71,32 +72,24 @@ class Util { } public static String readFile(String path) throws IOException { - FileInputStream stream = new FileInputStream(new File(path)); - try { + try (FileInputStream stream = new FileInputStream(new File(path))) { FileChannel fc = stream.getChannel(); MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size()); /* * Instead of using default, pass in a decoder. */ return Charset.defaultCharset().decode(bb).toString(); - } finally { - stream.close(); } } public static String getBaseDomain(String url) { - String host = null; - + //TODO: There is no utility in apache or guave to do this for us? //strip protocol String cleanUrl = url.replaceFirst(".*:\\/\\/", ""); //strip after slashes String dirToks[] = cleanUrl.split("\\/"); - if (dirToks.length > 0) { - host = dirToks[0]; - } else { - host = cleanUrl; - } + String host = (dirToks.length > 0) ? dirToks[0] : cleanUrl; //get the domain part from host (last 2) StringTokenizer tok = new StringTokenizer(host, "."); 
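Review bot: `readFile` still decodes with `Charset.defaultCharset()`, so the same extracted file decodes differently depending on the analyst machine's locale, and the `Instead of using default, pass in a decoder.` comment inside the new try-with-resources block is an unresolved TODO rather than a description of what the code does. Closing the stream also closes the channel, but a `MappedByteBuffer` stays mapped until it is garbage collected, so a caller that deletes the temp file right after reading it can see the delete fail on Windows. Since the whole file is loaded anyway, `return new String(Files.readAllBytes(Paths.get(path)), Charset.defaultCharset());` keeps today's behavior without the mapping (needs `java.nio.file.Files`/`Paths` imports), and an overload taking an explicit `Charset` would let callers pass `StandardCharsets.UTF_8` for artifacts whose encoding is known.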
@@ -118,6 +111,8 @@ class Util { } public static String extractDomain(String value) { + + //TODO: There is no utility in apache or guave to do this for us? if (value == null) { return ""; @@ -207,31 +202,17 @@ class Util { public static boolean checkColumn(String column, String tablename, String connection) { String query = "PRAGMA table_info(" + tablename + ")"; //NON-NLS - boolean found = false; - ResultSet temprs; - try { - SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", "jdbc:sqlite:" + connection); //NON-NLS - temprs = tempdbconnect.executeQry(query); + + try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", "jdbc:sqlite:" + connection); //NON-NLS + ResultSet temprs = tempdbconnect.executeQry(query);) { while (temprs.next()) { - if (temprs.getString("name") == null ? column == null : temprs.getString("name").equals(column)) { //NON-NLS - found = true; + if (Objects.equals(temprs.getString("name"), column)) { //NON-NLS + return true; } } } catch (Exception ex) { logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex); //NON-NLS } - return found; - } - - public static ResultSet runQuery(String query, String connection) { - ResultSet results = null; - try { - SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", "jdbc:sqlite:" + connection); //NON-NLS - results = tempdbconnect.executeQry(query); - tempdbconnect.closeConnection(); - } catch (Exception ex) { - logger.log(Level.WARNING, "Error while trying to run sql query: " + query + " : " + connection, ex); //NON-NLS - } - return results; + return false; } } From 4668a51ef0ac1eed7fa50dc5ed754992e1f6131f Mon Sep 17 00:00:00 2001 
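Review bot: `checkColumn` still answers `false` for every failure mode — the `catch (Exception ex)` after the new try-with-resources turns a database that cannot be opened, a driver error, or a malformed table name into "column absent", so any caller that branches on the answer silently picks the wrong query. Because `PRAGMA table_info(...)` cannot take a bind parameter, `tablename` is concatenated straight into the statement; it should at least be checked against a plain identifier first, e.g. `if (!tablename.matches("[A-Za-z_][A-Za-z0-9_]*")) { throw new IllegalArgumentException("invalid table name: " + tablename); }`. Narrowing the catch to the exception types `SQLiteDBConnect` actually declares, and letting an unreadable database propagate rather than read as `false`, would make the return value something callers can trust.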
From: millmanorama Date: Mon, 13 Aug 2018 10:23:37 +0200 Subject: [PATCH 03/17] rename RecentActivity Extractors; some other cleanup --- .../{Chrome.java => ChromeExtractor.java} | 351 +++++++++--------- .../{Extract.java => Extractor.java} | 60 ++- .../{Firefox.java => FirefoxExtractor.java} | 76 ++-- .../{ExtractIE.java => IEExtractor.java} | 42 ++- .../recentactivity/RAImageIngestModule.java | 70 ++-- ...Lnk.java => RecentDocumentsExtractor.java} | 27 +- ...ctRegistry.java => RegistryExtractor.java} | 62 ++-- .../SearchEngineURLQueryAnalyzer.java | 25 +- 8 files changed, 344 insertions(+), 369 deletions(-) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{Chrome.java => ChromeExtractor.java} (59%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{Extract.java => Extractor.java} (83%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{Firefox.java => FirefoxExtractor.java} (94%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{ExtractIE.java => IEExtractor.java} (95%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{RecentDocumentsByLnk.java => RecentDocumentsExtractor.java} (92%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{ExtractRegistry.java => RegistryExtractor.java} (97%) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java similarity index 59% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java index 0f9a98cd88..eaab061975 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java 
@@ -22,30 +22,44 @@ */ package org.sleuthkit.autopsy.recentactivity; +import com.google.common.collect.Lists; import com.google.gson.JsonArray; import com.google.gson.JsonElement; import com.google.gson.JsonIOException; import com.google.gson.JsonObject; import com.google.gson.JsonParser; import com.google.gson.JsonSyntaxException; -import org.openide.util.NbBundle; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.datamodel.ContentUtils; -import java.util.logging.Level; -import java.util.*; import java.io.File; import java.io.FileNotFoundException; import java.io.FileReader; import java.io.IOException; +import java.util.*; +import java.util.logging.Level; +import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.IngestJobContext; +import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME; +import static 
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REFERRER; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL_DECODED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; import org.sleuthkit.datamodel.TskCoreException; 
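Review bot: The import block keeps the wildcard `import java.util.*;` while every other import was made explicit and sorted, and the new static imports of `ATTRIBUTE_TYPE` constants coexist with qualified uses such as `ATTRIBUTE_TYPE.TSK_PATH_ID` later in the file. Pick one form for the attribute types and replace the wildcard with the `java.util` classes actually used (`ArrayList`, `Arrays`, `Collection`, `HashMap`, `List`, `Objects` are the ones visible in this patch).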
@@ -54,20 +68,23 @@ import org.sleuthkit.datamodel.TskData; /** * Chrome recent activity extraction */ -class Chrome extends Extract { +class ChromeExtractor extends Extractor { + private static final Logger logger = Logger.getLogger(ChromeExtractor.class.getName()); + private static final String PARENT_MODULE_NAME = NbBundle.getMessage(ChromeExtractor.class, "Chrome.parentModuleName"); private static final String HISTORY_QUERY = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS - + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS + + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS private static final String COOKIE_QUERY = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS private static final String DOWNLOAD_QUERY = "SELECT full_path, url, start_time, received_bytes FROM downloads"; //NON-NLS private static final String DOWNLOAD_QUERY_V30 = "SELECT current_path AS full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS private static final String LOGIN_QUERY = "SELECT origin_url, username_value, signon_realm from logins"; //NON-NLS - private final Logger logger = Logger.getLogger(this.getClass().getName()); + private Content dataSource; private IngestJobContext context; - Chrome() { - moduleName = NbBundle.getMessage(Chrome.class, "Chrome.moduleName"); + @Override + protected String getModuleName() { + return NbBundle.getMessage(ChromeExtractor.class, "Chrome.moduleName"); } @Override 
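Review bot: `LOGIN_QUERY` selects only `origin_url`, `username_value` and `signon_realm`, yet the login loop rewritten near the end of this file reads `last_visit_time`, `from_visit` and `title` from each result row and calls `.toString()` on them; if `dbConnect` keys the row map by the selected column labels, those lookups return null and every login row ends in a `NullPointerException`. This predates the commit, but the patch rewrites exactly those lines, so either add the columns to the query or drop the attributes that have no source. Separately, `PARENT_MODULE_NAME` is now cached in a static while `getModuleName()` still calls `NbBundle.getMessage` on every invocation, and it is evaluated inside every per-row attribute list; a `private static final String MODULE_NAME = NbBundle.getMessage(ChromeExtractor.class, "Chrome.moduleName");` returned from `getModuleName()` would match the parent-name handling.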
@@ -85,7 +102,7 @@ class Chrome extends Extract { /** * Query for history databases and add artifacts */ - private void getHistory() { + private void getHistory() throws TskCoreException { FileManager fileManager = currentCase.getServices().getFileManager(); List historyFiles; try { @@ -93,7 +110,7 @@ class Chrome extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } @@ -112,6 +129,7 @@ class Chrome extends Extract { return; } + //TODO why are we using historyFiles instead of allocatedHistoryfiles here? dataFound = true; Collection bbartifacts = new ArrayList<>(); int j = 0; @@ -127,13 +145,13 @@ class Chrome extends Extract { logger.log(Level.WARNING, String.format("Error reading Chrome web history artifacts file '%s' (id=%d).", historyFile.getName(), historyFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile", - this.getName(), historyFile.getName())); + this.getModuleName(), historyFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome web history artifacts file '%s' (id=%d).", temps, historyFile.getName(), historyFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile", - this.getName(), historyFile.getName())); + this.getModuleName(), historyFile.getName())); continue; } File dbFile = new File(temps); 
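Review bot: `getHistory()` now declares `throws TskCoreException`, but its Javadoc (`Query for history databases and add artifacts`) does not say when that happens, and the method still catches `TskCoreException` from the file lookup and turns it into an error message, so a reader cannot tell which failures propagate and which are reported in place. Add `@throws TskCoreException if an artifact cannot be added to the blackboard` (or whatever the propagating case actually is) to the Javadoc here and on `getCookie`, `getDownload` and `getLogin`. The new `//TODO why are we using historyFiles instead of allocatedHistoryfiles here?` should be answered or turned into a tracked issue rather than shipped as a question; `getHistory`'s body continues past this hunk.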
@@ -143,38 +161,34 @@ class Chrome extends Extract { } List> tempList; tempList = this.dbConnect(temps, HISTORY_QUERY); - logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - (Util.extractDomain((result.get("url").toString() != null) ? 
result.get("url").toString() : "")))); //NON-NLS - - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes); - if (bbart != null) { - bbartifacts.add(bbart); - } + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("url"), "")), //NON-NLS + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - 11_644_473_600L), //TODO: what is this magic number? + new BlackboardAttribute( + TSK_REFERRER, PARENT_MODULE_NAME, + Objects.toString(result.get("from_visit"), "")), //NON-NLS + new BlackboardAttribute( + TSK_TITLE, PARENT_MODULE_NAME, + Objects.toString(result.get("title"), "")), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + Util.extractDomain(Objects.toString(result.get("url"), "")))); //NON-NLS + bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes)); } dbFile.delete(); } IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), + PARENT_MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts)); } @@ -189,7 +203,7 @@ class Chrome extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } 
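Review bot: `bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes))` now runs in a loop with no try/catch and `dbFile.delete()` only runs after the loop, so if `addArtifact` throws the `TskCoreException` that `getHistory` now declares, the temporary copy of the extracted history database is left behind in the temp directory and the artifacts already created are never announced via `fireModuleDataEvent`; the cookie loop (`TSK_WEB_COOKIE`) has the same shape. Moving `dbFile.delete()` into a `finally`, or wrapping the per-row add in the try/catch the bookmark loop kept, fixes both. The `//TODO: what is this magic number?` on the `TSK_DATETIME_ACCESSED` line can be answered: Chrome stores times as microseconds since 1601-01-01 UTC, and 11644473600 is the number of seconds from that epoch to the Unix epoch, so `private static final long WEBKIT_EPOCH_OFFSET_SECONDS = 11_644_473_600L; // seconds from 1601-01-01 (Chrome/WebKit epoch) to 1970-01-01` used here and in the bookmark, cookie, download and login loops replaces the five copies. Note also that `Objects.toString(result.get("url"), "")` is now null-safe but `Long.valueOf(result.get("last_visit_time").toString())` on the next line still dereferences a possibly-null value.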
@@ -214,17 +228,17 @@ class Chrome extends Extract { logger.log(Level.WARNING, String.format("Error reading Chrome bookmark artifacts file '%s' (id=%d).", bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile", - this.getName(), bookmarkFile.getName())); + this.getModuleName(), bookmarkFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome bookmark artifacts file '%s' (id=%d).", temps, bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile", - this.getName(), bookmarkFile.getName())); + this.getModuleName(), bookmarkFile.getName())); continue; } - logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{moduleName, temps}); //NON-NLS + logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{getModuleName(), temps}); //NON-NLS File dbFile = new File(temps); if (context.dataSourceIngestIsCancelled()) { dbFile.delete(); @@ -237,7 +251,7 @@ class Chrome extends Extract { } catch (FileNotFoundException ex) { logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getModuleName(), bookmarkFile.getName())); continue; } 
@@ -256,7 +270,7 @@ class Chrome extends Extract { } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) { logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3", - this.getName(), bookmarkFile.getName())); + this.getModuleName(), bookmarkFile.getName())); continue; } 
@@ -288,49 +302,44 @@ class Chrome extends Extract { } String domain = Util.extractDomain(url); try { - BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); - Collection bbattributes = new ArrayList<>(); - //TODO Revisit usage of deprecated constructor as per TSK-583 - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "Chrome.parentModuleName"), url)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, - NbBundle.getMessage(this.getClass(), - "Chrome.parentModuleName"), name)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, - NbBundle.getMessage(this.getClass(), - "Chrome.parentModuleName"), (date / 1000000) - Long.valueOf("11644473600"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "Chrome.parentModuleName"), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "Chrome.parentModuleName"), domain)); - bbart.addAttributes(bbattributes); - // index the artifact for keyword search - this.indexArtifact(bbart); - bbartifacts.add(bbart); + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + url), + new BlackboardAttribute( + TSK_TITLE, PARENT_MODULE_NAME, + name), + new BlackboardAttribute( + TSK_DATETIME_CREATED, PARENT_MODULE_NAME, + (date / 1_000_000) - 11_644_473_600L), //TODO: What is this magic number? 
+ new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + domain)); + + bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes)); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS this.addErrorMessage( NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4", - this.getName(), bookmarkFile.getName())); + this.getModuleName(), bookmarkFile.getName())); } } dbFile.delete(); } IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), + PARENT_MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts)); } /** * Queries for cookie files and adds artifacts */ - private void getCookie() { + private void getCookie() throws TskCoreException { FileManager fileManager = currentCase.getServices().getFileManager(); List cookiesFiles; @@ -339,7 +348,7 @@ class Chrome extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } 
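Review bot: The rewritten bookmark block drops the explicit `this.indexArtifact(bbart);` call together with the `bookmarkFile.newArtifact(...)` path and goes through `this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes)` instead; that is only equivalent if `Extractor.addArtifact` indexes the artifact for keyword search itself, which this patch does not show, so please confirm, otherwise bookmarks silently disappear from keyword search. The `// index the artifact for keyword search` comment that was removed here is worth keeping wherever the indexing now happens so the next reader does not have to trace it.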
@@ -363,13 +372,13 @@ class Chrome extends Extract { logger.log(Level.WARNING, String.format("Error reading Chrome cookie artifacts file '%s' (id=%d).", cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile", - this.getName(), cookiesFile.getName())); + this.getModuleName(), cookiesFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome cookie artifacts file '%s' (id=%d).", temps, cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile", - this.getName(), cookiesFile.getName())); + this.getModuleName(), cookiesFile.getName())); continue; } File dbFile = new File(temps); 
@@ -379,48 +388,44 @@ class Chrome extends Extract { } List> tempList = this.dbConnect(temps, COOKIE_QUERY); - logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2}artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("host_key").toString() != null) ? result.get("host_key").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS - - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("value").toString() != null) ? 
result.get("value").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); String domain = result.get("host_key").toString(); //NON-NLS domain = domain.replaceFirst("^\\.+(?!$)", ""); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain)); - - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); - if (bbart != null) { - bbartifacts.add(bbart); - } + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + domain), + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("host_key"), "")), //NON-NLS + new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME, + (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - 11_644_473_600L), //NON-NLS + new BlackboardAttribute( + TSK_NAME, PARENT_MODULE_NAME, + Objects.toString(result.get("name"), "")), //NON-NLS + new BlackboardAttribute( + TSK_VALUE, PARENT_MODULE_NAME, + Objects.toString(result.get("value"), "")), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName())); + bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes)); } dbFile.delete(); } IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), + PARENT_MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts)); } /** * Queries for download files and adds artifacts */ - private void getDownload() { + private void getDownload() throws TskCoreException { FileManager fileManager = currentCase.getServices().getFileManager(); List downloadFiles; try { 
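Review bot: `String domain = result.get("host_key").toString();` is the one remaining raw dereference in this loop, while the `TSK_URL` attribute a few lines below reads the same column null-safely via `Objects.toString(result.get("host_key"), "")`; a null `host_key` therefore still aborts the whole cookies file with a `NullPointerException` before the null-safe code is reached. Read it once, `String hostKey = Objects.toString(result.get("host_key"), ""); String domain = hostKey.replaceFirst("^\\.+(?!$)", "");`, and pass `hostKey` to the `TSK_URL` attribute. The per-row `addArtifact` here also runs without the try/catch the bookmark loop kept, so a single bad row ends processing of the file with the temp database copy still on disk.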
@@ -428,7 +433,7 @@ class Chrome extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } @@ -452,13 +457,13 @@ class Chrome extends Extract { logger.log(Level.WARNING, String.format("Error reading Chrome download artifacts file '%s' (id=%d).", downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1", - this.getName(), downloadFile.getName())); + this.getModuleName(), downloadFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome download artifacts file '%s' (id=%d).", temps, downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1", - this.getName(), downloadFile.getName())); + this.getModuleName(), downloadFile.getName())); continue; } File dbFile = new File(temps); 
@@ -467,42 +472,34 @@ class Chrome extends Extract { break; } - List> tempList; + List> tempList = this.dbConnect(temps, + (isChromePreVersion30(temps)) ? DOWNLOAD_QUERY : DOWNLOAD_QUERY_V30); - if (isChromePreVersion30(temps)) { - tempList = this.dbConnect(temps, DOWNLOAD_QUERY); - } else { - tempList = this.dbConnect(temps, DOWNLOAD_QUERY_V30); - } - - logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), (result.get("full_path").toString()))); //NON-NLS + + Collection bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_PATH, PARENT_MODULE_NAME, + Objects.toString(result.get("full_path"), "")), //NON-NLS + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("url"), "")), //NON-NLS + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + (Long.valueOf(result.get("start_time").toString()) / 1000000) - 11_644_473_600L), //NON-NLS + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + Util.extractDomain(Objects.toString(result.get("url"), ""))), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()) + ); + long pathID = Util.findID(dataSource, (result.get("full_path").toString())); //NON-NLS if (pathID != -1) { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, - NbBundle.getMessage(this.getClass(), - "Chrome.parentModuleName"), pathID)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, PARENT_MODULE_NAME, pathID)); } - bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : ""))); - Long time = (Long.valueOf(result.get("start_time").toString()) / 1000000) - Long.valueOf("11644473600"); //NON-NLS - - //TODO Revisit usage of deprecated constructor as per TSK-583 - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", time)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), time)); - String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes); if (bbart != null) { bbartifacts.add(bbart); 
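Review bot: `Util.findID(dataSource, (result.get("full_path").toString()))` still dereferences `full_path` directly, although the `TSK_PATH` attribute just above now tolerates a null with `Objects.toString(result.get("full_path"), "")`; hoist `String fullPath = Objects.toString(result.get("full_path"), "");` ahead of the attribute list and pass it to both. The `if (bbart != null)` guard after `this.addArtifact(...)` is kept even though `getDownload` now declares `throws TskCoreException`; if `addArtifact` now throws instead of returning null, as the history and cookie loops assume, the guard is dead and the `dbFile.delete()` after the loop is skipped on failure. `Lists.newArrayList(...)` pulls in Guava for what `new ArrayList<>(Arrays.asList(...))` does with the `java.util` imports this file already has.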
@@ -513,14 +510,14 @@ class Chrome extends Extract { } IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), + PARENT_MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts)); } /** * Queries for login files and adds artifacts */ - private void getLogin() { + private void getLogin() throws TskCoreException, TskCoreException { FileManager fileManager = currentCase.getServices().getFileManager(); List signonFiles; try { @@ -528,7 +525,7 @@ class Chrome extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } @@ -552,13 +549,13 @@ class Chrome extends Extract { logger.log(Level.WARNING, String.format("Error reading Chrome login artifacts file '%s' (id=%d).", signonFile.getName(), signonFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles", - this.getName(), signonFile.getName())); + this.getModuleName(), signonFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome login artifacts file '%s' (id=%d).", temps, signonFile.getName(), signonFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles", - this.getName(), signonFile.getName())); + this.getModuleName(), signonFile.getName())); continue; } File dbFile = new File(temps); 
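Review bot: `private void getLogin() throws TskCoreException, TskCoreException {` lists the same exception twice; even if the compiler tolerates the repetition it reads like a merge slip and should be `private void getLogin() throws TskCoreException {`, matching `getHistory`, `getCookie` and `getDownload`. The Javadoc above it (`Queries for login files and adds artifacts`) should gain an `@throws TskCoreException` line naming the propagating case, as the other three methods should.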
@@ -567,55 +564,49 @@ class Chrome extends Extract { break; } List> tempList = this.dbConnect(temps, LOGIN_QUERY); - logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("origin_url").toString() != null) ? result.get("origin_url").toString() : ""))); //NON-NLS - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("origin_url").toString() != null) ? EscapeUtil.decodeURL(result.get("origin_url").toString()) : ""))); - //TODO Revisit usage of deprecated constructor as per TSK-583 - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", ((Long.valueOf(result.get("last_visit_time").toString())) / 1000000))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("title").toString() != null) ? 
result.get("title").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - NbBundle.getMessage(this.getClass(), "Chrome.moduleName"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - result.get("signon_realm").toString())); //NON-NLS + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("origin_url"), "")), //NON-NLS + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - 11_644_473_600L), //NON-NLS + new BlackboardAttribute( + TSK_REFERRER, PARENT_MODULE_NAME, + Objects.toString(result.get("from_visit"), "")), //NON-NLS + new BlackboardAttribute( + TSK_NAME, PARENT_MODULE_NAME, + Objects.toString(result.get("title").toString(), "")), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_URL_DECODED, PARENT_MODULE_NAME, + Util.extractDomain(Objects.toString(result.get("origin_url"), ""))), //NON-NLS + new BlackboardAttribute( + TSK_USER_NAME, PARENT_MODULE_NAME, + Objects.toString(result.get("username_value"), "").replaceAll("'", "''")), //NON-NLS + new BlackboardAttribute( + TSK_DOMAIN, 
PARENT_MODULE_NAME, + Objects.toString(result.get("signon_realm"), ""))); //NON-NLS - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes); - if (bbart != null) { - bbartifacts.add(bbart); - } + bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes)); // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent - Collection osAcctAttributes = new ArrayList<>(); - osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), - ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS - this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes); + //TODO: Why not? Because it has a different artifact type? + BlackboardAttribute osAcctAttribute = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, PARENT_MODULE_NAME, + Objects.toString(result.get("username_value"), "").replaceAll("'", "''")); //NON-NLS + + this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, Collections.singleton(osAcctAttribute)); } dbFile.delete(); } IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), + PARENT_MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts)); } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java similarity index 83% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java index 0ffe8420f4..1a32e2b57b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java 
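Review bot: `Objects.toString(result.get("title").toString(), "")` still dereferences the raw value before the null-safe call, so a NULL `title` column in a Login Data row throws NullPointerException instead of yielding `""` like every other attribute in this list; it should be `Objects.toString(result.get("title"), "")`. Separately, replacing the null check with `bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes));` means a TskCoreException from one row now unwinds out of the per-file loop: the remaining signon files are skipped, `dbFile.delete()` is never reached so the extracted copy of the credential database stays in the temp directory, and the `ModuleDataEvent` for artifacts already created is not fired. If a per-row failure should not abort the whole pass, catch `TskCoreException` around the add, log it, and `continue`, which is what the old null-return path effectively did. The enclosing method `getLogin` starts outside this hunk.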
@@ -38,17 +38,21 @@ import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException; import org.sleuthkit.datamodel.*; -abstract class Extract { +abstract class Extractor { + + private static final Logger logger = Logger.getLogger(Extractor.class.getName()); protected Case currentCase; protected SleuthkitCase tskCase; - private final Logger logger = Logger.getLogger(this.getClass().getName()); private final ArrayList errorMessages = new ArrayList<>(); - String moduleName = ""; boolean dataFound = false; - Extract() { - } + /** + * Returns the name of the inheriting class + * + * @return Gets the moduleName + */ + abstract protected String getModuleName(); final void init() throws IngestModuleException { try { @@ -102,20 +106,17 @@ abstract class Extract { * @param bbattributes is the collection of blackboard attributes that need * to be added to the artifact after the artifact has * been created + * @return The newly-created artifact * - * @return The newly-created artifact, or null on error + * @throws org.sleuthkit.datamodel.TskCoreException If there was a problem + * creating the artifact. */ - protected BlackboardArtifact addArtifact(BlackboardArtifact.ARTIFACT_TYPE type, AbstractFile content, Collection bbattributes) { - try { - BlackboardArtifact bbart = content.newArtifact(type); - bbart.addAttributes(bbattributes); - // index the artifact for keyword search - this.indexArtifact(bbart); - return bbart; - } catch (TskException ex) { - logger.log(Level.SEVERE, "Error while trying to add an artifact", ex); //NON-NLS - } - return null; + protected BlackboardArtifact addArtifact(BlackboardArtifact.ARTIFACT_TYPE type, AbstractFile content, Collection bbattributes) throws TskCoreException { + BlackboardArtifact bbart = content.newArtifact(type); + bbart.addAttributes(bbattributes); + // index the artifact for keyword search + this.indexArtifact(bbart); + return bbart; } /** 
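Review bot: `abstract protected String getModuleName();` puts the modifiers in an unconventional order; the JLS-recommended order, and what this file already uses for `private static final`, is `protected abstract String getModuleName();`. The Javadoc kept above it, "Returns the name of the inheriting class", no longer matches either, since the overrides shown later in this patch return a localized bundle string rather than a class name. A comment such as `Returns the user-visible name of this extractor, used in log and error messages and as the TSK_PROG_NAME value.` would describe the contract the subclasses actually implement.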
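Review bot: The new `@throws` on `addArtifact` only mentions creating the artifact, but `bbart.addAttributes(bbattributes)` can throw the same TskCoreException after `content.newArtifact(type)` has already persisted the artifact, leaving an attribute-less artifact in the case database, and with the catch removed nothing logs that any more. Worth stating the changed contract for callers: `@throws TskCoreException If the artifact could not be created or its attributes could not be added; in the latter case the artifact may already exist in the case database.` Callers that used to test for a null return must now handle the exception themselves, which the ChromeExtractor hunk above does only by propagating it out of its file loop.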
@@ -129,7 +130,7 @@ abstract class Extract { try { Blackboard blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard(); // index the artifact for keyword search - blackboard.postArtifact(bbart, NbBundle.getMessage(Extract.class, "Chrome.parentModuleName")); + blackboard.postArtifact(bbart, getModuleName()); } catch (Blackboard.BlackboardException ex) { logger.log(Level.SEVERE, "Unable to index blackboard artifact " + bbart.getDisplayName(), ex); //NON-NLS MessageNotifyUtil.Notify.error(Bundle.Extract_indexError_message(), bbart.getDisplayName()); @@ -151,20 +152,16 @@ abstract class Extract { * it that the query obtained */ protected List> dbConnect(String path, String query) { - ResultSet temprs; - List> list; + String connectionString = "jdbc:sqlite:" + path; //NON-NLS - try { - SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString); //NON-NLS - temprs = tempdbconnect.executeQry(query); - list = this.resultSetToArrayList(temprs); - tempdbconnect.closeConnection(); + try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString); //NON-NLS + ResultSet temprs = tempdbconnect.executeQry(query);) { + return this.resultSetToArrayList(temprs); } catch (SQLException ex) { logger.log(Level.SEVERE, "Error while trying to read into a sqlite db." + connectionString, ex); //NON-NLS - errorMessages.add(NbBundle.getMessage(this.getClass(), "Extract.dbConn.errMsg.failedToQueryDb", getName())); + errorMessages.add(NbBundle.getMessage(this.getClass(), "Extract.dbConn.errMsg.failedToQueryDb", getModuleName())); return Collections.>emptyList(); } - return list; } /** @@ -193,15 +190,6 @@ abstract class Extract { return list; } - /** - * Returns the name of the inheriting class - * - * @return Gets the moduleName set in the moduleName data member - */ - protected String getName() { - return moduleName; - } - public boolean foundData() { return dataFound; } 
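Review bot: `blackboard.postArtifact(bbart, getModuleName());` now posts each artifact under the subclass's own display name, whereas the attributes attached to the same artifact in the ChromeExtractor hunk are stamped with `PARENT_MODULE_NAME`; before this change both paths used the `Chrome.parentModuleName` bundle string. If the module name given to `postArtifact` is meant to identify the ingest module that produced the artifact, it should presumably be the parent module name rather than the per-browser name, so this is worth confirming against `Blackboard.postArtifact`'s contract before it lands. The enclosing method `indexArtifact` starts and ends outside this hunk.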
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java similarity index 94% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java index 22459f4cf6..8d09631e1b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java @@ -1,19 +1,19 @@ - /* +/* * * Autopsy Forensic Browser - * + * * Copyright 2012-2018 Basis Technology Corp. - * + * * Copyright 2012 42six Solutions. * Contact: aebadirad 42six com * Project Contact/Architect: carrier sleuthkit org - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -31,7 +31,6 @@ import java.util.Collection; import java.util.HashMap; import java.util.List; import java.util.logging.Level; - import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; 
@@ -51,9 +50,9 @@ import org.sleuthkit.datamodel.TskCoreException; /** * Firefox recent activity extraction */ -class Firefox extends Extract { +class FirefoxExtractor extends Extractor { - private static final Logger logger = Logger.getLogger(Firefox.class.getName()); + private static final Logger logger = Logger.getLogger(FirefoxExtractor.class.getName()); private static final String HISTORY_QUERY = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000000) AS visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; //NON-NLS private static final String COOKIE_QUERY = "SELECT name,value,host,expiry,(lastAccessed/1000000) AS lastAccessed,(creationTime/1000000) AS creationTime FROM moz_cookies"; //NON-NLS private static final String COOKIE_QUERY_V3 = "SELECT name,value,host,expiry,(lastAccessed/1000000) AS lastAccessed FROM moz_cookies"; //NON-NLS @@ -64,8 +63,9 @@ class Firefox extends Extract { private Content dataSource; private IngestJobContext context; - Firefox() { - moduleName = NbBundle.getMessage(Firefox.class, "Firefox.moduleName"); + @Override + protected String getModuleName() { + return NbBundle.getMessage(FirefoxExtractor.class, "Firefox.getModuleName()"); } @Override @@ -87,7 +87,7 @@ class Firefox extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errFetchingFiles"); logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } 
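Review bot: The bundle key in `return NbBundle.getMessage(FirefoxExtractor.class, "Firefox.getModuleName()");` looks like the `moduleName` → `getModuleName()` rename ran into a string literal; the key the removed constructor used was `"Firefox.moduleName"`, and no Bundle.properties change is visible in this patch. `NbBundle.getMessage` throws `MissingResourceException` for an unknown key, so every call to `getModuleName()` — including the logging and error-message paths throughout this class — would fail at runtime. It should read `return NbBundle.getMessage(FirefoxExtractor.class, "Firefox.moduleName");`, and the same mangled key recurs in the TSK_PROG_NAME attributes in the later hunks of this file.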
@@ -113,14 +113,14 @@ class Firefox extends Extract { logger.log(Level.WARNING, String.format("Error reading Firefox web history artifacts file '%s' (id=%d).", fileName, historyFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Firefox web history artifacts file '%s' (id=%d).", temps, fileName, historyFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } @@ -130,7 +130,7 @@ class Firefox extends Extract { break; } List> tempList = this.dbConnect(temps, HISTORY_QUERY); - logger.log(Level.INFO, "{0} - Now getting history from {1} with {2} artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0} - Now getting history from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, 
@@ -153,7 +153,7 @@ class Firefox extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.moduleName"))); + NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS @@ -184,7 +184,7 @@ class Firefox extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Firefox.getBookmark.errMsg.errFetchFiles"); logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } @@ -208,14 +208,14 @@ class Firefox extends Extract { logger.log(Level.WARNING, String.format("Error reading Firefox bookmark artifacts file '%s' (id=%d).", fileName, bookmarkFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Firefox bookmark artifacts file '%s' (id=%d).", temps, fileName, bookmarkFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Firefox.getBookmark.errMsg.errAnalyzeFile", - this.getName(), fileName)); + this.getModuleName(), fileName)); continue; } File dbFile = new File(temps); 
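Review bot: `NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()")` in the TSK_PROG_NAME attribute is a bundle key, not a method call, and the original key `"Firefox.moduleName"` was mangled by the rename; with no matching Bundle.properties change visible, the lookup would throw `MissingResourceException` while building every history artifact. Since `getModuleName()` now exists for exactly this value, the line can simply become `getModuleName()));`, which is also what the ChromeExtractor hunk does for its TSK_PROG_NAME attribute. The enclosing loop and method start outside this hunk.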
@@ -224,7 +224,7 @@ class Firefox extends Extract { break; } List> tempList = this.dbConnect(temps, BOOKMARK_QUERY); - logger.log(Level.INFO, "{0} - Now getting bookmarks from {1} with {2} artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0} - Now getting bookmarks from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { Collection bbattributes = new ArrayList<>(); @@ -245,7 +245,7 @@ class Firefox extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.moduleName"))); + NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), @@ -276,7 +276,7 @@ class Firefox extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Firefox.getCookie.errMsg.errFetchFile"); logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } 
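Review bot: The bookmark TSK_PROG_NAME attribute now looks up the bundle key `"Firefox.getModuleName()"`, which is the old `"Firefox.moduleName"` key with the rename applied inside the string literal; unless Bundle.properties was changed elsewhere in the series, `NbBundle.getMessage` will throw `MissingResourceException` for it. Replace the argument with `getModuleName()));` so the value comes from the new override rather than a second copy of the key. The enclosing loop and method start outside this hunk.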
@@ -300,14 +300,14 @@ class Firefox extends Extract { logger.log(Level.WARNING, String.format("Error reading Firefox cookie artifacts file '%s' (id=%d).", fileName, cookiesFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Firefox cookie artifacts file '%s' (id=%d).", temps, fileName, cookiesFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getCookie.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getCookie.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } @@ -325,7 +325,7 @@ class Firefox extends Extract { } List> tempList = this.dbConnect(temps, query); - logger.log(Level.INFO, "{0} - Now getting cookies from {1} with {2} artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0} - Now getting cookies from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { Collection bbattributes = new ArrayList<>(); @@ -348,7 +348,7 @@ class Firefox extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.moduleName"))); + NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); if (checkColumn == true) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, 
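Review bot: The cookie TSK_PROG_NAME attribute uses `NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()")`, where the bundle key has been mangled by the rename from `"Firefox.moduleName"`; no bundle change is visible in this patch, so the lookup would throw `MissingResourceException` on the first cookie row. Use `getModuleName()));` here instead of repeating the key. The enclosing loop and method start and end outside this hunk.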
@@ -398,7 +398,7 @@ class Firefox extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Firefox.getDlPre24.errMsg.errFetchFiles"); logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } @@ -423,14 +423,14 @@ class Firefox extends Extract { logger.log(Level.WARNING, String.format("Error reading Firefox download artifacts file '%s' (id=%d).", fileName, downloadsFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Firefox download artifacts file '%s' (id=%d).", temps, fileName, downloadsFile.getId()), ex); //NON-NLS this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Firefox.getDlPre24.errMsg.errAnalyzeFiles", - this.getName(), fileName)); + this.getModuleName(), fileName)); continue; } File dbFile = new File(temps); @@ -440,7 +440,7 @@ class Firefox extends Extract { } List> tempList = this.dbConnect(temps, DOWNLOAD_QUERY); - logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2} artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { Collection bbattributes = new ArrayList<>(); 
@@ -480,7 +480,7 @@ class Firefox extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.moduleName"))); + NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), @@ -494,7 +494,7 @@ class Firefox extends Extract { if (errors > 0) { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "Firefox.getDlPre24.errMsg.errParsingArtifacts", - this.getName(), errors)); + this.getModuleName(), errors)); } j++; dbFile.delete(); @@ -519,7 +519,7 @@ class Firefox extends Extract { } catch (TskCoreException ex) { String msg = NbBundle.getMessage(this.getClass(), "Firefox.getDlV24.errMsg.errFetchFiles"); logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); return; } @@ -544,14 +544,14 @@ class Firefox extends Extract { logger.log(Level.WARNING, String.format("Error reading Firefox download artifacts file '%s' (id=%d).", fileName, downloadsFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Firefox download artifacts file '%s' (id=%d).", temps, fileName, downloadsFile.getId()), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Firefox.getDlV24.errMsg.errAnalyzeFile", this.getName(), + NbBundle.getMessage(this.getClass(), "Firefox.getDlV24.errMsg.errAnalyzeFile", this.getModuleName(), fileName)); continue; } 
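Review bot: The pre-24 download TSK_PROG_NAME attribute now passes the bundle key `"Firefox.getModuleName()"`, which is the rename applied inside the old `"Firefox.moduleName"` literal; with no bundle change visible in this patch, `NbBundle.getMessage` would throw `MissingResourceException` while parsing downloads. Replacing the argument with `getModuleName()));` removes the duplicated key and matches the ChromeExtractor hunk. The enclosing loop and method start outside this hunk.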
@@ -563,7 +563,7 @@ class Firefox extends Extract { List> tempList = this.dbConnect(temps, DOWNLOAD_QUERY_V24); - logger.log(Level.INFO, "{0} - Now getting downloads from {1} with {2} artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS + logger.log(Level.INFO, "{0} - Now getting downloads from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { Collection bbattributes = new ArrayList<>(); @@ -603,7 +603,7 @@ class Firefox extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.moduleName"))); + NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName.noSpace"), @@ -616,7 +616,7 @@ class Firefox extends Extract { } if (errors > 0) { this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Firefox.getDlV24.errMsg.errParsingArtifacts", - this.getName(), errors)); + this.getModuleName(), errors)); } j++; dbFile.delete(); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java similarity index 95% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java index 1af8761144..b8cec046f4 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java 
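Review bot: The v24 download TSK_PROG_NAME attribute is built from the bundle key `"Firefox.getModuleName()"`, the old `"Firefox.moduleName"` key mangled by the rename; unless Bundle.properties was updated elsewhere in this series, `NbBundle.getMessage` would throw `MissingResourceException` for every download row. The argument should be `getModuleName()));`, as the ChromeExtractor hunk already does for its TSK_PROG_NAME. The enclosing loop and method start outside this hunk.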
@@ -62,9 +62,9 @@ import org.sleuthkit.datamodel.*; * Extracts activity from Internet Explorer browser, as well as recent documents * in windows. */ -class ExtractIE extends Extract { +class IEExtractor extends Extractor { - private static final Logger logger = Logger.getLogger(ExtractIE.class.getName()); + private static final Logger logger = Logger.getLogger(IEExtractor.class.getName()); private final IngestServices services = IngestServices.getInstance(); private final String moduleTempResultsDir; private String PASCO_LIB_PATH; @@ -73,12 +73,16 @@ class ExtractIE extends Extract { private Content dataSource; private IngestJobContext context; - ExtractIE() throws NoCurrentCaseException { - moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractIE.moduleName.text"); + IEExtractor() throws NoCurrentCaseException { moduleTempResultsDir = RAImageIngestModule.getRATempPath(Case.getCurrentCaseThrows(), "IE") + File.separator + "results"; //NON-NLS JAVA_PATH = PlatformUtil.getJavaPath(); } + @Override + protected String getModuleName() { + return NbBundle.getMessage(IEExtractor.class, "ExtractIE.moduleName.text"); + } + @Override public void process(Content dataSource, IngestJobContext context) { this.dataSource = dataSource; @@ -101,7 +105,7 @@ class ExtractIE extends Extract { logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks", - this.getName())); + this.getModuleName())); return; } 
@@ -174,12 +178,12 @@ class ExtractIE extends Extract { } catch (IOException ex) { logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(), + NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getModuleName(), fav.getName())); } catch (IndexOutOfBoundsException ex) { logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(), + NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getModuleName(), fav.getName())); } finally { try { @@ -203,7 +207,7 @@ class ExtractIE extends Extract { } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error getting cookie files for IE"); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errGettingFile", this.getName())); + NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errGettingFile", this.getModuleName())); return; } @@ -229,7 +233,7 @@ class ExtractIE extends Extract { logger.log(Level.WARNING, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie", - this.getName(), cookiesFile.getName())); + this.getModuleName(), cookiesFile.getName())); continue; } String cookieString = new String(t); 
@@ -279,10 +283,10 @@ class ExtractIE extends Extract { logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS boolean foundHistory = false; - final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); //NON-NLS + final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", IEExtractor.class.getPackage().getName(), false); //NON-NLS if (pascoRoot == null) { this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName())); + NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getModuleName())); logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS return; } @@ -291,7 +295,7 @@ class ExtractIE extends Extract { logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS - + pascoHome + File.separator + "*"; + + pascoHome + File.separator + "*"; File resultsDir = new File(moduleTempResultsDir); resultsDir.mkdirs(); @@ -303,7 +307,7 @@ class ExtractIE extends Extract { indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS } catch (TskCoreException ex) { this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles", - this.getName())); + this.getModuleName())); logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS return; } 
@@ -336,7 +340,7 @@ class ExtractIE extends Extract { } catch (IOException e) { logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(), + NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getModuleName(), datFile.getAbsolutePath())); continue; } @@ -359,9 +363,9 @@ class ExtractIE extends Extract { //Delete index.dat file since it was succcessfully by Pasco datFile.delete(); } else { - logger.log(Level.WARNING, "pasco execution failed on: {0}", this.getName()); //NON-NLS + logger.log(Level.WARNING, "pasco execution failed on: {0}", this.getModuleName()); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName())); + NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getModuleName())); } } @@ -432,7 +436,7 @@ class ExtractIE extends Extract { File file = new File(fnAbs); if (file.exists() == false) { this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(), + NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getModuleName(), file.getName())); logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS return bbartifacts; 
@@ -449,7 +453,7 @@ class ExtractIE extends Extract { fileScanner = new Scanner(new FileInputStream(file.toString())); } catch (FileNotFoundException ex) { this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(), + NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getModuleName(), file.getName())); logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS return bbartifacts; @@ -507,7 +511,7 @@ class ExtractIE extends Extract { } catch (ParseException e) { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry", - this.getName())); + this.getModuleName())); logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index 7907db41bc..91b0e21963 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java 
@@ -1,19 +1,19 @@ - /* +/* * * Autopsy Forensic Browser - * + * * Copyright 2012-2018 Basis Technology Corp. - * + * * Copyright 2012 42six Solutions. * Contact: aebadirad 42six com * Project Contact/Architect: carrier sleuthkit org - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -23,7 +23,6 @@ package org.sleuthkit.autopsy.recentactivity; import java.io.File; -import java.io.FileNotFoundException; import java.util.ArrayList; import java.util.List; import java.util.logging.Level; @@ -33,12 +32,12 @@ import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.ingest.DataSourceIngestModule; import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress; -import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestMessage; import org.sleuthkit.autopsy.ingest.IngestMessage.MessageType; -import org.sleuthkit.datamodel.Content; import org.sleuthkit.autopsy.ingest.IngestModule.ProcessResult; -import org.sleuthkit.autopsy.ingest.IngestJobContext; +import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.datamodel.Content; /** * Recent activity image ingest module 
@@ -46,31 +45,27 @@ import org.sleuthkit.autopsy.ingest.IngestJobContext; public final class RAImageIngestModule implements DataSourceIngestModule { private static final Logger logger = Logger.getLogger(RAImageIngestModule.class.getName()); - private final List extracters = new ArrayList<>(); - private final List browserExtracters = new ArrayList<>(); - private IngestServices services = IngestServices.getInstance(); + private final List extracters = new ArrayList<>(); + private final List browserExtracters = new ArrayList<>(); + private final IngestServices services = IngestServices.getInstance(); private IngestJobContext context; - private StringBuilder subCompleted = new StringBuilder(); - - RAImageIngestModule() { - } @Override public void startUp(IngestJobContext context) throws IngestModuleException { this.context = context; - Extract iexplore; + Extractor iexplore; try { - iexplore = new ExtractIE(); + iexplore = new IEExtractor(); } catch (NoCurrentCaseException ex) { throw new IngestModuleException(ex.getMessage(), ex); } - Extract registry = new ExtractRegistry(); - Extract recentDocuments = new RecentDocumentsByLnk(); - Extract chrome = new Chrome(); - Extract firefox = new Firefox(); - Extract SEUQA = new SearchEngineURLQueryAnalyzer(); + Extractor registry = new RegistryExtractor(); + Extractor recentDocuments = new RecentDocumentsExtractor(); + Extractor chrome = new ChromeExtractor(); + Extractor firefox = new FirefoxExtractor(); + Extractor SEUQA = new SearchEngineURLQueryAnalyzer(); extracters.add(chrome); extracters.add(firefox); @@ -83,7 +78,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { browserExtracters.add(firefox); browserExtracters.add(iexplore); - for (Extract extracter : extracters) { + for (Extractor extracter : extracters) { extracter.init(); } } 
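Review bot: Deleting the explicit package-private constructor `RAImageIngestModule() { }` widens the class's visibility: `RAImageIngestModule` is `public final`, so the compiler-generated default constructor is public, and the module can now be instantiated from outside the package instead of, presumably, only via `RecentActivityExtracterModuleFactory` in this package. If that restriction was intentional, keep the empty constructor with a one-line comment, e.g. `RAImageIngestModule() { } // package-private: instances are created by the module factory`. As a point of style, the rewritten line `Extractor SEUQA = new SearchEngineURLQueryAnalyzer();` keeps an all-caps local name; `Extractor searchEngineAnalyzer = ...` would match the other locals in this method.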
@@ -100,20 +95,18 @@ public final class RAImageIngestModule implements DataSourceIngestModule { ArrayList errors = new ArrayList<>(); for (int i = 0; i < extracters.size(); i++) { - Extract extracter = extracters.get(i); + Extractor extracter = extracters.get(i); if (context.dataSourceIngestIsCancelled()) { - logger.log(Level.INFO, "Recent Activity has been canceled, quitting before {0}", extracter.getName()); //NON-NLS + logger.log(Level.INFO, "Recent Activity has been canceled, quitting before {0}", extracter.getModuleName()); //NON-NLS break; } - progressBar.progress(extracter.getName(), i); + progressBar.progress(extracter.getModuleName(), i); try { extracter.process(dataSource, context); } catch (Exception ex) { - logger.log(Level.SEVERE, "Exception occurred in " + extracter.getName(), ex); //NON-NLS - subCompleted.append(NbBundle.getMessage(this.getClass(), "RAImageIngestModule.process.errModFailed", - extracter.getName())); + logger.log(Level.SEVERE, "Exception occurred in " + extracter.getModuleName(), ex); //NON-NLS errors.add( NbBundle.getMessage(this.getClass(), "RAImageIngestModule.process.errModErrs", RecentActivityExtracterModuleFactory.getModuleName())); } @@ -154,8 +147,8 @@ public final class RAImageIngestModule implements DataSourceIngestModule { StringBuilder historyMsg = new StringBuilder(); historyMsg.append( NbBundle.getMessage(this.getClass(), "RAImageIngestModule.process.histMsg.title", dataSource.getName())); - for (Extract module : browserExtracters) { - historyMsg.append("
  • ").append(module.getName()); //NON-NLS + for (Extractor module : browserExtracters) { + historyMsg.append("
  • ").append(module.getModuleName()); //NON-NLS historyMsg.append(": ").append((module.foundData()) ? NbBundle .getMessage(this.getClass(), "RAImageIngestModule.process.histMsg.found") : NbBundle .getMessage(this.getClass(), "RAImageIngestModule.process.histMsg.notFnd")); @@ -173,17 +166,6 @@ public final class RAImageIngestModule implements DataSourceIngestModule { return ProcessResult.OK; } - for (int i = 0; i < extracters.size(); i++) { - Extract extracter = extracters.get(i); - try { - extracter.complete(); - } catch (Exception ex) { - logger.log(Level.SEVERE, "Exception occurred when completing " + extracter.getName(), ex); //NON-NLS - subCompleted.append(NbBundle.getMessage(this.getClass(), "RAImageIngestModule.complete.errMsg.failed", - extracter.getName())); - } - } - return ProcessResult.OK; } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsExtractor.java similarity index 92% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsExtractor.java index bb200551fb..594e25d6a2 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsExtractor.java 
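Review bot: Removing the `extracter.complete()` loop orphans the bundle keys `RAImageIngestModule.complete.errMsg.failed` and `RAImageIngestModule.process.errModFailed`, whose only uses visible in this diff were on the removed lines; drop them from Bundle.properties too unless another caller remains. If `Extractor` still declares `complete()`, it is now never invoked from this module, so any extractor that relied on it for post-processing silently loses that step — either remove it from the base class in the same change or add a comment on `Extractor` stating that all work must finish inside `process()`. The `Extractor` base class is not part of this diff, so I cannot confirm which applies.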
@@ -1,19 +1,19 @@ - /* +/* * * Autopsy Forensic Browser - * + * * Copyright 2012-2014 Basis Technology Corp. - * + * * Copyright 2012 42six Solutions. * Contact: aebadirad 42six com * Project Contact/Architect: carrier sleuthkit org - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -47,13 +47,18 @@ import org.sleuthkit.datamodel.*; * Recent documents class that will extract recent documents in the form of .lnk * files */ -class RecentDocumentsByLnk extends Extract { +class RecentDocumentsExtractor extends Extractor { - private static final Logger logger = Logger.getLogger(RecentDocumentsByLnk.class.getName()); - private IngestServices services = IngestServices.getInstance(); + private static final Logger logger = Logger.getLogger(RecentDocumentsExtractor.class.getName()); + private final IngestServices services = IngestServices.getInstance(); private Content dataSource; private IngestJobContext context; + @Override + protected String getModuleName() { + return ""; + } + /** * Find the documents that Windows stores about recent documents and make * artifacts. @@ -71,7 +76,7 @@ class RecentDocumentsByLnk extends Extract { logger.log(Level.WARNING, "Error searching for .lnk files."); //NON-NLS this.addErrorMessage( NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.getRecDoc.errMsg.errGetLnkFiles", - this.getName())); + this.getModuleName())); return; } 
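Review bot: The new `getModuleName()` override returns `""`, yet this hunk's own error message `RecentDocumentsByLnk.getRecDoc.errMsg.errGetLnkFiles` is formatted with `this.getModuleName()`, and the ingest module uses the same value for the progress bar label and its log lines — so this extractor will appear with a blank name everywhere. Return a real name, e.g. `return NbBundle.getMessage(RecentDocumentsExtractor.class, "RecentDocumentsByLnk.moduleName.text");` if such a key exists in Bundle.properties (not visible here), otherwise a literal such as `"Recent Documents"`. No constructor assigning `moduleName` is removed in this hunk, so the blank name may be pre-existing, but the override now makes it explicit and easy to fix.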
@@ -96,7 +101,7 @@ class RecentDocumentsByLnk extends Extract { } catch (JLnkParserException e) { //TODO should throw a specific checked exception boolean unalloc = recentFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC) - || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC); + || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC); if (unalloc == false) { logger.log(Level.WARNING, "Error lnk parsing the file to get recent files {0}", recentFile); //NON-NLS } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java similarity index 97% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java index 0b1ec7db35..62148b69d3 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java @@ -24,6 +24,7 @@ package org.sleuthkit.autopsy.recentactivity; import java.io.*; import java.io.File; +import java.nio.file.Path; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.*; @@ -32,6 +33,7 @@ import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import org.openide.modules.InstalledFileLocator; +import org.openide.util.Lookup; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.coreutils.ExecUtil; import org.sleuthkit.autopsy.coreutils.Logger; 
@@ -39,23 +41,21 @@ import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator; import org.sleuthkit.autopsy.ingest.IngestJobContext; +import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException; +import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.ingest.ModuleDataEvent; +import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService; import org.sleuthkit.autopsy.recentactivity.UsbDeviceIdMapper.USBInfo; import org.sleuthkit.datamodel.*; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; import org.w3c.dom.NodeList; import org.xml.sax.InputSource; import org.xml.sax.SAXException; -import java.nio.file.Path; -import org.openide.util.Lookup; -import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; -import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService; -import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; /** * Extract windows registry data using regripper. Runs two versions of @@ -67,7 +67,7 @@ import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamExce "RegRipperNotFound=Autopsy RegRipper executable not found.", "RegRipperFullNotFound=Full version RegRipper executable not found." }) -class ExtractRegistry extends Extract { +class RegistryExtractor extends Extractor { private final Logger logger = Logger.getLogger(this.getClass().getName()); private String RR_PATH; 
@@ -80,18 +80,16 @@ class ExtractRegistry extends Extract { final private static String RIP_EXE = "rip.exe"; final private static String RIP_PL = "rip.pl"; private final List rrCmd = new ArrayList<>(); - private final List rrFullCmd= new ArrayList<>(); - + private final List rrFullCmd = new ArrayList<>(); - ExtractRegistry() throws IngestModuleException { - moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text"); - - final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS + RegistryExtractor() throws IngestModuleException { + + final File rrRoot = InstalledFileLocator.getDefault().locate("rr", RegistryExtractor.class.getPackage().getName(), false); //NON-NLS if (rrRoot == null) { throw new IngestModuleException(Bundle.RegRipperNotFound()); } - final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS + final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", RegistryExtractor.class.getPackage().getName(), false); //NON-NLS if (rrFullRoot == null) { throw new IngestModuleException(Bundle.RegRipperFullNotFound()); } 
@@ -104,25 +102,25 @@ class ExtractRegistry extends Extract { RR_PATH = rrHome.resolve(executableToRun).toString(); rrFullHome = rrFullRoot.toPath(); RR_FULL_PATH = rrFullHome.resolve(executableToRun).toString(); - + if (!(new File(RR_PATH).exists())) { throw new IngestModuleException(Bundle.RegRipperNotFound()); } if (!(new File(RR_FULL_PATH).exists())) { throw new IngestModuleException(Bundle.RegRipperFullNotFound()); } - if(PlatformUtil.isWindowsOS()){ + if (PlatformUtil.isWindowsOS()) { rrCmd.add(RR_PATH); rrFullCmd.add(RR_FULL_PATH); - }else{ + } else { String perl; File usrBin = new File("/usr/bin/perl"); File usrLocalBin = new File("/usr/local/bin/perl"); - if(usrBin.canExecute() && usrBin.exists() && !usrBin.isDirectory()){ + if (usrBin.canExecute() && usrBin.exists() && !usrBin.isDirectory()) { perl = "/usr/bin/perl"; - }else if(usrLocalBin.canExecute() && usrLocalBin.exists() && !usrLocalBin.isDirectory()){ + } else if (usrLocalBin.canExecute() && usrLocalBin.exists() && !usrLocalBin.isDirectory()) { perl = "/usr/local/bin/perl"; - }else{ + } else { throw new IngestModuleException("perl not found in your system"); } rrCmd.add(perl); @@ -131,6 +129,12 @@ class ExtractRegistry extends Extract { rrFullCmd.add(RR_FULL_PATH); } } + + @Override + protected String getModuleName() { + return NbBundle.getMessage(IEExtractor.class, "ExtractRegistry.moduleName.text"); + } + /** * Search for the registry hives on the system. */ @@ -154,7 +158,7 @@ class ExtractRegistry extends Extract { String msg = NbBundle.getMessage(this.getClass(), "ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName); logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); + this.addErrorMessage(this.getModuleName() + ": " + msg); } } return allRegistryFiles; 
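Review bot: The added `getModuleName()` passes `IEExtractor.class` to `NbBundle.getMessage` for the key `ExtractRegistry.moduleName.text`, carrying over the `ExtractIE.class` lookup from the removed constructor; it resolves only because both classes share a package Bundle, and it couples this class's display name to an unrelated one. Use `RegistryExtractor.class` (or `getClass()`), and since the name is now re-fetched on every log and error message instead of being read from a field set once, hoist it: `private static final String MODULE_NAME = NbBundle.getMessage(RegistryExtractor.class, "ExtractRegistry.moduleName.text");` with `getModuleName()` returning it.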
@@ -188,14 +192,14 @@ class ExtractRegistry extends Extract { regFile.getName(), regFileId), ex); //NON-NLS this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp", - this.getName(), regFileName)); + this.getModuleName(), regFileName)); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp registry file '%s' for registry file '%s' (id=%d).", regFileNameLocal, regFile.getName(), regFileId), ex); //NON-NLS this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp", - this.getName(), regFileName)); + this.getModuleName(), regFileName)); continue; } @@ -211,7 +215,7 @@ class ExtractRegistry extends Extract { logger.log(Level.SEVERE, null, ex); } - logger.log(Level.INFO, "{0}- Now getting registry information from {1}", new Object[]{moduleName, regFileNameLocal}); //NON-NLS + logger.log(Level.INFO, "{0}- Now getting registry information from {1}", new Object[]{getModuleName(), regFileNameLocal}); //NON-NLS RegOutputFiles regOutputFiles = ripRegistryFile(regFileNameLocal, outputPathBase); if (context.dataSourceIngestIsCancelled()) { break; @@ -222,7 +226,7 @@ class ExtractRegistry extends Extract { if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile) == false) { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", - this.getName(), regFileName)); + this.getModuleName(), regFileName)); } } @@ -318,7 +322,7 @@ class ExtractRegistry extends Extract { private void executeRegRipper(List regRipperPath, Path regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) { try { List commandLine = new ArrayList<>(); - for(String cmd: regRipperPath){ + for (String cmd : regRipperPath) { commandLine.add(cmd); } commandLine.add("-r"); //NON-NLS 
@@ -333,7 +337,7 @@ class ExtractRegistry extends Extract { ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context)); } catch (IOException ex) { logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName())); + this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getModuleName())); } } @@ -741,7 +745,7 @@ class ExtractRegistry extends Extract { } } // for if (!usbBBartifacts.isEmpty()) { - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, usbBBartifacts)); + IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(getModuleName(), BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, usbBBartifacts)); } return true; } catch (FileNotFoundException ex) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java index 4c8999ec47..ea3f73442d 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java @@ -64,7 +64,7 @@ import org.xml.sax.SAXException; "cannotParseXml=Unable to parse XML file: ", "# {0} - file name", "SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}." }) -class SearchEngineURLQueryAnalyzer extends Extract { +class SearchEngineURLQueryAnalyzer extends Extractor { private static final Logger logger = Logger.getLogger(SearchEngineURLQueryAnalyzer.class.getName()); private static final String XMLFILE = "SEUQAMappings.xml"; //NON-NLS 
@@ -74,8 +74,9 @@ class SearchEngineURLQueryAnalyzer extends Extract { private Content dataSource; private IngestJobContext context; - SearchEngineURLQueryAnalyzer() { - moduleName = NbBundle.getMessage(ExtractIE.class, "SearchEngineURLQueryAnalyzer.moduleName.text"); + @Override + protected String getModuleName() { + return NbBundle.getMessage(IEExtractor.class, "SearchEngineURLQueryAnalyzer.moduleName.text"); } /** @@ -239,17 +240,17 @@ class SearchEngineURLQueryAnalyzer extends Extract { return decoded; } catch (UnsupportedEncodingException exception) { //if it fails, return the encoded string logger.log(Level.FINE, "Error during URL decoding, returning undecoded value:" - + "\n\tURL: " + url - + "\n\tUndecoded value: " + x - + "\n\tEngine name: " + eng.getEngineName() - + "\n\tEngine domain: " + eng.getDomainSubstring(), exception); //NON-NLS + + "\n\tURL: " + url + + "\n\tUndecoded value: " + x + + "\n\tEngine name: " + eng.getEngineName() + + "\n\tEngine domain: " + eng.getDomainSubstring(), exception); //NON-NLS return x; } catch (IllegalArgumentException exception) { //if it fails, return the encoded string logger.log(Level.SEVERE, "Illegal argument passed to URL decoding, returning undecoded value:" - + "\n\tURL: " + url - + "\n\tUndecoded value: " + x - + "\n\tEngine name: " + eng.getEngineName() - + "\n\tEngine domain: " + eng.getDomainSubstring(), exception); //NON-NLS) + + "\n\tURL: " + url + + "\n\tUndecoded value: " + x + + "\n\tEngine name: " + eng.getEngineName() + + "\n\tEngine domain: " + eng.getDomainSubstring(), exception); //NON-NLS) return x; } } 
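Review bot: `getModuleName()` in SearchEngineURLQueryAnalyzer looks up the key `SearchEngineURLQueryAnalyzer.moduleName.text` through `IEExtractor.class`, inherited from the removed constructor's `ExtractIE.class`; it works because the Bundle is per package, but the lookup class should be this class, `NbBundle.getMessage(SearchEngineURLQueryAnalyzer.class, "SearchEngineURLQueryAnalyzer.moduleName.text")`. The removed constructor computed the string once into a field; the override recomputes it on each call, so consider caching it in a `private static final String` and returning that.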
@@ -295,7 +296,7 @@ class SearchEngineURLQueryAnalyzer extends Extract { try { //from blackboard_artifacts Collection listArtifacts = currentCase.getSleuthkitCase().getMatchingArtifacts("WHERE (blackboard_artifacts.artifact_type_id = '" + ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID() //NON-NLS - + "' OR blackboard_artifacts.artifact_type_id = '" + ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID() + "') "); //List of every 'web_history' and 'bookmark' artifact NON-NLS + + "' OR blackboard_artifacts.artifact_type_id = '" + ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID() + "') "); //List of every 'web_history' and 'bookmark' artifact NON-NLS logger.log(Level.INFO, "Processing {0} blackboard artifacts.", listArtifacts.size()); //NON-NLS for (BlackboardArtifact artifact : listArtifacts) { From 10fac41f8e8f9f19e8104d3f87dfd3621490d961 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 10:35:10 +0200 Subject: [PATCH 04/17] extract SECONDS_SINCE_JAN_1_1601 constant --- .../recentactivity/ChromeExtractor.java | 47 +++++++++---------- 1 file changed, 22 insertions(+), 25 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java index eaab061975..a28d04c873 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java @@ -79,6 +79,8 @@ class ChromeExtractor extends Extractor { private static final String DOWNLOAD_QUERY_V30 = "SELECT current_path AS full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS private static final String LOGIN_QUERY = "SELECT origin_url, username_value, signon_realm from logins"; //NON-NLS + private static final long SECONDS_SINCE_JAN_1_1601 = 11_644_473_600L; + private Content dataSource; private IngestJobContext context; 
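Review bot: The new constant `SECONDS_SINCE_JAN_1_1601` has no comment and its name reads like a live counter; what the value 11_644_473_600 is, as the call sites `(x / 1000000) - SECONDS_SINCE_JAN_1_1601` use it, is the fixed offset between a 1601-01-01 epoch and the Unix epoch (369 years including 89 leap days). I'd add `/** Seconds from 1601-01-01T00:00Z, the epoch of Chrome's microsecond timestamps, to the Unix epoch 1970-01-01T00:00Z; subtract after dividing a Chrome timestamp by 1_000_000. */` and would consider `WEBKIT_EPOCH_OFFSET_SECONDS` as a clearer name. That Chrome stores microseconds since 1601 is inferred from the `/ 1000000` at the call sites, not stated anywhere in the diff.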
@@ -163,13 +165,12 @@ class ChromeExtractor extends Extractor { tempList = this.dbConnect(temps, HISTORY_QUERY); logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = Arrays.asList( - new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME, - Objects.toString(result.get("url"), "")), //NON-NLS + Collection bbattributes = Arrays.asList(new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("url"), "")), //NON-NLS new BlackboardAttribute( TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, - (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - 11_644_473_600L), //TODO: what is this magic number? + (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - SECONDS_SINCE_JAN_1_1601), new BlackboardAttribute( TSK_REFERRER, PARENT_MODULE_NAME, Objects.toString(result.get("from_visit"), "")), //NON-NLS @@ -303,16 +304,15 @@ class ChromeExtractor extends Extractor { String domain = Util.extractDomain(url); try { - Collection bbattributes = Arrays.asList( - new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME, - url), + Collection bbattributes = Arrays.asList(new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + url), new BlackboardAttribute( TSK_TITLE, PARENT_MODULE_NAME, name), new BlackboardAttribute( TSK_DATETIME_CREATED, PARENT_MODULE_NAME, - (date / 1_000_000) - 11_644_473_600L), //TODO: What is this magic number? + (date / 1_000_000) - SECONDS_SINCE_JAN_1_1601), new BlackboardAttribute( TSK_PROG_NAME, PARENT_MODULE_NAME, getModuleName()), 
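Review bot: The rewritten timestamp line still does `result.get("last_visit_time").toString()`, which throws NullPointerException for a NULL column, while the neighbouring `url` and `from_visit` values are guarded with `Objects.toString(..., "")`; unless a catch I cannot see in this method intercepts it, one bad row propagates to the catch-all in `RAImageIngestModule.process` and drops every remaining history entry. The same `(Long.valueOf(x.toString()) / 1000000) - SECONDS_SINCE_JAN_1_1601` expression is repeated in the cookie, download and login loops, so a single helper would fix both issues: `private static long webkitMicrosToEpochSeconds(Object micros) { return Long.parseLong(micros.toString()) / 1_000_000 - SECONDS_SINCE_JAN_1_1601; }` preceded by a null check in the caller that skips the datetime attribute (or logs and substitutes 0 — which the blackboard prefers I cannot tell from here).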
@@ -392,16 +392,15 @@ class ChromeExtractor extends Extractor { for (HashMap result : tempList) { String domain = result.get("host_key").toString(); //NON-NLS domain = domain.replaceFirst("^\\.+(?!$)", ""); - Collection bbattributes = Arrays.asList( - new BlackboardAttribute( - TSK_DOMAIN, PARENT_MODULE_NAME, - domain), + Collection bbattributes = Arrays.asList(new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + domain), new BlackboardAttribute( TSK_URL, PARENT_MODULE_NAME, Objects.toString(result.get("host_key"), "")), //NON-NLS new BlackboardAttribute( TSK_DATETIME, PARENT_MODULE_NAME, - (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - 11_644_473_600L), //NON-NLS + (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - SECONDS_SINCE_JAN_1_1601), //NON-NLS new BlackboardAttribute( TSK_NAME, PARENT_MODULE_NAME, Objects.toString(result.get("name"), "")), //NON-NLS 
@@ -478,16 +477,15 @@ class ChromeExtractor extends Extractor { logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = Lists.newArrayList( - new BlackboardAttribute( - TSK_PATH, PARENT_MODULE_NAME, - Objects.toString(result.get("full_path"), "")), //NON-NLS + Collection bbattributes = Lists.newArrayList(new BlackboardAttribute( + TSK_PATH, PARENT_MODULE_NAME, + Objects.toString(result.get("full_path"), "")), //NON-NLS new BlackboardAttribute( TSK_URL, PARENT_MODULE_NAME, Objects.toString(result.get("url"), "")), //NON-NLS new BlackboardAttribute( TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, - (Long.valueOf(result.get("start_time").toString()) / 1000000) - 11_644_473_600L), //NON-NLS + (Long.valueOf(result.get("start_time").toString()) / 1000000) - SECONDS_SINCE_JAN_1_1601), //NON-NLS new BlackboardAttribute( TSK_DOMAIN, PARENT_MODULE_NAME, Util.extractDomain(Objects.toString(result.get("url"), ""))), //NON-NLS 
@@ -566,13 +564,12 @@ class ChromeExtractor extends Extractor { List> tempList = this.dbConnect(temps, LOGIN_QUERY); logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = Arrays.asList( - new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME, - Objects.toString(result.get("origin_url"), "")), //NON-NLS + Collection bbattributes = Arrays.asList(new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("origin_url"), "")), //NON-NLS new BlackboardAttribute( TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, - (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - 11_644_473_600L), //NON-NLS + (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - SECONDS_SINCE_JAN_1_1601), //NON-NLS new BlackboardAttribute( TSK_REFERRER, PARENT_MODULE_NAME, Objects.toString(result.get("from_visit"), "")), //NON-NLS From 978bbce5bf50fae2921a7486de7f7886bf425127 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 10:41:12 +0200 Subject: [PATCH 05/17] cleanup --- .../autopsy/recentactivity/ChromeExtractor.java | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java index a28d04c873..3d908b79db 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java @@ -216,7 +216,6 @@ class ChromeExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); int j = 0; - while (j < bookmarkFiles.size()) { AbstractFile bookmarkFile = bookmarkFiles.get(j++); if (bookmarkFile.getSize() == 0) { 
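Review bot: `LOGIN_QUERY` is `SELECT origin_url, username_value, signon_realm from logins` (declared a few hunks up), but the login loop reads `result.get("last_visit_time")` and `result.get("from_visit")`, neither of which that query selects. If `dbConnect` keys each row map by the selected column names, `result.get("last_visit_time")` is null and the `.toString()` on the rewritten timestamp line throws NullPointerException on the first row, so no Chrome saved-login artifacts are ever created, while `from_visit` silently becomes an empty referrer. Either extend the query with whatever timestamp column the logins table really provides (its schema is not shown here) or drop the TSK_DATETIME_ACCESSED and TSK_REFERRER attributes from this artifact; `username_value` and `signon_realm` are selected but not referenced in the hunk's visible lines.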
@@ -610,12 +609,7 @@ class ChromeExtractor extends Extractor { private boolean isChromePreVersion30(String temps) { String query = "PRAGMA table_info(downloads)"; //NON-NLS List> columns = this.dbConnect(temps, query); - for (HashMap col : columns) { - if (col.get("name").equals("url")) { //NON-NLS - return true; - } - } - - return false; + return columns.stream() + .anyMatch(col -> "url".equals(col.get("name"))); } } From 14806c908323f4dfcdba54068eebdd8aaa22e379 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 11:45:20 +0200 Subject: [PATCH 06/17] rename RecentDocumentsLnkExtractor --- .../sleuthkit/autopsy/recentactivity/RAImageIngestModule.java | 2 +- ...cumentsExtractor.java => RecentDocumentsLnkExtractor.java} | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{RecentDocumentsExtractor.java => RecentDocumentsLnkExtractor.java} (98%) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index 91b0e21963..cc1a5799c0 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -62,7 +62,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { } Extractor registry = new RegistryExtractor(); - Extractor recentDocuments = new RecentDocumentsExtractor(); + Extractor recentDocuments = new RecentDocumentsLnkExtractor(); Extractor chrome = new ChromeExtractor(); Extractor firefox = new FirefoxExtractor(); Extractor SEUQA = new SearchEngineURLQueryAnalyzer(); 
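Review bot: `isChromePreVersion30` still has no Javadoc, and after the stream rewrite a reader must cross-reference `DOWNLOAD_QUERY_V30`, which joins `downloads_url_chains` for the URL, to understand why a `url` column in `downloads` marks the old schema. Suggest `/** Returns true if the downloads table still carries its own url column (pre-Chrome-30 schema); newer schemas keep URLs in downloads_url_chains. */` above the method. The `"url".equals(col.get("name"))` form is a welcome null-safe improvement over the removed `col.get("name").equals("url")`; what `dbConnect` returns when the database cannot be opened is not visible here, and if it can be null the stream call NPEs exactly where the old for-each did, so behaviour is unchanged there.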
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java similarity index 98% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsExtractor.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java index 594e25d6a2..efef7851d9 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java @@ -47,9 +47,9 @@ import org.sleuthkit.datamodel.*; * Recent documents class that will extract recent documents in the form of .lnk * files */ -class RecentDocumentsExtractor extends Extractor { +class RecentDocumentsLnkExtractor extends Extractor { - private static final Logger logger = Logger.getLogger(RecentDocumentsExtractor.class.getName()); + private static final Logger logger = Logger.getLogger(RecentDocumentsLnkExtractor.class.getName()); private final IngestServices services = IngestServices.getInstance(); private Content dataSource; private IngestJobContext context; From e41ddc86da4dde3fa4dd75c1c1d025bc3fd976d8 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 11:45:59 +0200 Subject: [PATCH 07/17] cleanup IEExtractor.java --- .../autopsy/recentactivity/IEExtractor.java | 466 +++++++++--------- 1 file changed, 220 insertions(+), 246 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java index b8cec046f4..4bc0d6c70d 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java 
@@ -22,41 +22,55 @@ */ package org.sleuthkit.autopsy.recentactivity; +import com.google.common.collect.Sets; import java.io.BufferedReader; - -import org.openide.util.NbBundle; -import org.sleuthkit.autopsy.coreutils.ExecUtil; import java.io.File; import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStreamReader; +import java.nio.file.Path; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.ArrayList; -import java.util.List; -import java.util.Set; -import java.util.HashSet; -import java.util.logging.Level; -import org.sleuthkit.autopsy.coreutils.Logger; +import java.util.Arrays; import java.util.Collection; +import java.util.Collections; +import java.util.List; import java.util.Scanner; +import java.util.Set; +import java.util.logging.Level; import java.util.stream.Collectors; +import org.apache.commons.lang3.StringUtils; import org.openide.modules.InstalledFileLocator; +import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; -import org.sleuthkit.autopsy.datamodel.ContentUtils; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; -import org.sleuthkit.datamodel.BlackboardArtifact; -import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; -import org.sleuthkit.datamodel.BlackboardAttribute; -import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; -import org.sleuthkit.datamodel.Content; +import org.sleuthkit.autopsy.casemodule.services.FileManager; +import org.sleuthkit.autopsy.coreutils.ExecUtil; +import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.PlatformUtil; +import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator; import org.sleuthkit.autopsy.ingest.IngestJobContext; +import 
org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.*; +import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE; +import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REFERRER; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE; /** * Extracts activity from Internet Explorer browser, as well as recent documents 
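Review bot: The wildcard `import org.sleuthkit.datamodel.*;` is kept as a context line while the hunk adds explicit and static imports for nested enum constants of that same package, so the file now mixes both styles. Dropping the wildcard in favour of explicit imports of the types actually used would match what this series does for RegistryExtractor later in the same patch set, where `org.sleuthkit.datamodel.*` is replaced by explicit imports. `java.nio.file.Path` is newly imported but I cannot see a use of it anywhere in the visible hunks; please check it is not dead.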
@@ -65,17 +79,19 @@ import org.sleuthkit.datamodel.*; class IEExtractor extends Extractor { private static final Logger logger = Logger.getLogger(IEExtractor.class.getName()); + private static final String PARENT_MODULE_NAME_NO_SPACE + = NbBundle.getMessage(IEExtractor.class, "ExtractIE.parentModuleName.noSpace"); + private static final String PASCO_DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"; + private final IngestServices services = IngestServices.getInstance(); private final String moduleTempResultsDir; - private String PASCO_LIB_PATH; - private final String JAVA_PATH; - private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); + private final String JAVA_PATH = PlatformUtil.getJavaPath(); + private Content dataSource; private IngestJobContext context; IEExtractor() throws NoCurrentCaseException { moduleTempResultsDir = RAImageIngestModule.getRATempPath(Case.getCurrentCaseThrows(), "IE") + File.separator + "results"; //NON-NLS - JAVA_PATH = PlatformUtil.getJavaPath(); } @Override @@ -96,8 +112,8 @@ class IEExtractor extends Extractor { /** * Finds the files storing bookmarks and creates artifacts */ - private void getBookmark() { - org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + private void getBookmark() throws TskCoreException { + FileManager fileManager = currentCase.getServices().getFileManager(); List favoritesFiles; try { favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); //NON-NLS 
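Review bot: The switch from a shared `static final SimpleDateFormat dateFormatter` to the `PASCO_DATE_FORMAT` pattern string is the substantive change in this hunk, and nothing records why. `SimpleDateFormat` is not thread-safe, so a static instance used from more than one ingest thread can silently yield wrong timestamps, which is exactly the bug that resurfaces when someone later re-caches the formatter for speed. Add `// Kept as a pattern string on purpose: SimpleDateFormat is not thread-safe, so each caller builds its own instance.` above the constant; as a plain string literal it should also carry the `//NON-NLS` marker the file's other literals use.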
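Review bot: getBookmark now declares `throws TskCoreException`, but `fileManager.findFiles(...)` is still wrapped in a `try` whose catch clause lies outside the hunk; if that catch still handles TskCoreException itself the new throws clause is dead, and if it was removed the unchanged caller (also outside the hunk) must now handle or propagate it. The same pattern appears in getCookie in the `@@ -185,22` hunk. Whichever it is, the Javadoc just above should gain `@throws TskCoreException if the case database cannot be queried for bookmark files` (worded to match what actually propagates).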
@@ -125,36 +141,21 @@ class IEExtractor extends Extractor { break; } - String url = getURLFromIEBookmarkFile(fav); + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME_NO_SPACE, getURLFromIEBookmarkFile(fav)), + new BlackboardAttribute( + TSK_TITLE, PARENT_MODULE_NAME_NO_SPACE, fav.getName()), + new BlackboardAttribute( + TSK_DATETIME_CREATED, PARENT_MODULE_NAME_NO_SPACE, fav.getCrtime()), + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME_NO_SPACE, + NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, Util.extractDomain(getURLFromIEBookmarkFile(fav)))); - String name = fav.getName(); - Long datetime = fav.getCrtime(); - String Tempdate = datetime.toString(); - datetime = Long.valueOf(Tempdate); - String domain = Util.extractDomain(url); + bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes)); - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), url)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), name)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), datetime)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), domain)); - - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes); - if 
(bbart != null) { - bbartifacts.add(bbart); - } } services.fireModuleDataEvent(new ModuleDataEvent( NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), @@ -162,18 +163,14 @@ class IEExtractor extends Extractor { } private String getURLFromIEBookmarkFile(AbstractFile fav) { - BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav))); - String line, url = ""; - try { - line = reader.readLine(); - while (null != line) { + String line; + try (BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));) { + while (null != (line = reader.readLine())) { // The actual shortcut line we are interested in is of the // form URL=http://path/to/website if (line.startsWith("URL")) { //NON-NLS - url = line.substring(line.indexOf("=") + 1); - break; + return StringUtils.substringAfter(line, "="); //NON-NLS } - line = reader.readLine(); } } catch (IOException ex) { logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS @@ -185,22 +182,16 @@ class IEExtractor extends Extractor { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getModuleName(), fav.getName())); - } finally { - try { - reader.close(); - } catch (IOException ex) { - logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS - } } - return url; + return ""; } /** * Finds files that store cookies and adds artifacts for them. */ - private void getCookie() { - org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + private void getCookie() throws TskCoreException { + FileManager fileManager = currentCase.getServices().getFileManager(); List cookiesFiles; try { cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); //NON-NLS 
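Review bot: The `if (bbart != null)` guard is dropped: `bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes))` now stores whatever addArtifact returns, and the removed check shows addArtifact can return null, so a null can end up in the collection handed to ModuleDataEvent. The getCookie hunk at `@@ -236,44` does the same with `TSK_WEB_COOKIE`. Keep the guard: `BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);` / `if (bbart != null) { bbartifacts.add(bbart); }`. Separately, `getURLFromIEBookmarkFile(fav)` is now called twice per favourite (for TSK_URL and again for TSK_DOMAIN), which reads the content twice and can log the same read error twice; bind it once to a local before building the attribute list. The enclosing loop starts before this hunk.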
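Review bot: `StringUtils.substringAfter(line, "=")` changes what is returned when a line starting with `URL` has no `=`: the old `line.substring(line.indexOf("=") + 1)` returned the whole line, the new call returns `""`, which the caller then records as the TSK_URL attribute. That is probably the better behaviour, but it is a behaviour change in a commit described as cleanup; a comment `// no '=' -> empty URL; the caller records an empty TSK_URL` would make it deliberate. The `startsWith("URL")` test (context) also accepts any other line that merely begins with `URL`, so the method may return the first such line rather than the `URL=` entry the comment describes. Minor: the `;)` closing the try-with-resources header is a stray semicolon.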
@@ -226,9 +217,9 @@ class IEExtractor extends Extractor { continue; } - byte[] t = new byte[(int) cookiesFile.getSize()]; + byte[] cookiesBuffer = new byte[(int) cookiesFile.getSize()]; try { - final int bytesRead = cookiesFile.read(t, 0, cookiesFile.getSize()); + cookiesFile.read(cookiesBuffer, 0, cookiesFile.getSize()); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS this.addErrorMessage( 
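Review bot: The read count is now discarded: `cookiesFile.read(cookiesBuffer, 0, cookiesFile.getSize())` used to be captured as `bytesRead`, and without it a short read leaves the tail of `cookiesBuffer` as zero bytes that the following `new String(cookiesBuffer)` parses as cookie data. Keep `int bytesRead = cookiesFile.read(cookiesBuffer, 0, cookiesFile.getSize());` and decode only `bytesRead` bytes. The size also comes straight from the image being processed: `new byte[(int) cookiesFile.getSize()]` truncates anything beyond int range and can throw NegativeArraySizeException or exhaust memory on a corrupt or oversized entry, so reject or cap sizes above a sane bound before allocating, since the per-file `continue` on read errors shows the loop is meant to survive bad files. The surrounding loop begins before this hunk.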
@@ -236,44 +227,33 @@ class IEExtractor extends Extractor { this.getModuleName(), cookiesFile.getName())); continue; } - String cookieString = new String(t); - String[] values = cookieString.split("\n"); - String url = values.length > 2 ? values[2] : ""; - String value = values.length > 1 ? values[1] : ""; - String name = values.length > 0 ? values[0] : ""; - Long datetime = cookiesFile.getCrtime(); - String tempDate = datetime.toString(); - datetime = Long.valueOf(tempDate); - String domain = Util.extractDomain(url); - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), url)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), datetime)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), (name != null) ? name : "")); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), value)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), domain)); - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); - if (bbart != null) { - bbartifacts.add(bbart); - } + String[] values = new String(cookiesBuffer).split("\n"); + String URL = values.length > 2 ? 
values[2] : ""; + + Collection bbattributes = Arrays.asList(new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME_NO_SPACE, + cookiesFile.getCrtime()), + new BlackboardAttribute( + TSK_NAME, PARENT_MODULE_NAME_NO_SPACE, + values.length > 0 ? values[0] : ""), + new BlackboardAttribute( + TSK_VALUE, PARENT_MODULE_NAME_NO_SPACE, + values.length > 1 ? values[1] : ""), + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME_NO_SPACE, + URL), + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME_NO_SPACE, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, + Util.extractDomain(URL))); + + bbartifacts.add(this.addArtifact(TSK_WEB_COOKIE, cookiesFile, bbattributes)); } services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts)); + NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), TSK_WEB_COOKIE, bbartifacts)); } /** @@ -281,8 +261,8 @@ class IEExtractor extends Extractor { */ private void getHistory() { logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS - boolean foundHistory = false; + //TODO: Why are we getting the pasoc library path for datasource we process? final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", IEExtractor.class.getPackage().getName(), false); //NON-NLS if (pascoRoot == null) { this.addErrorMessage( 
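Review bot: `new String(cookiesBuffer)` decodes with the platform default charset, so the same image yields different cookie names and values depending on the analyst's machine; pass an explicit charset, e.g. `new String(cookiesBuffer, StandardCharsets.UTF_8)` (needs `java.nio.charset.StandardCharsets`; I cannot confirm from here which encoding IE wrote, so pick the one the format actually uses). The local `URL` is a constant-style name for a per-iteration variable; `String url = values.length > 2 ? values[2] : "";` matches the rest of the file. `split("\n")` on a file written with CRLF line endings leaves a trailing `\r` on each value; the old code had the same issue, but since the line is being rewritten, `split("\r?\n")` is a cheap fix.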
@@ -294,14 +274,14 @@ class IEExtractor extends Extractor { final String pascoHome = pascoRoot.getAbsolutePath(); logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS - PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS - + pascoHome + File.separator + "*"; + String pascoLibPath = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS + + pascoHome + File.separator + "*"; File resultsDir = new File(moduleTempResultsDir); resultsDir.mkdirs(); // get index.dat files - org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + FileManager fileManager = currentCase.getServices().getFileManager(); List indexFiles; try { indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS 
@@ -319,18 +299,20 @@ class IEExtractor extends Extractor { } dataFound = true; + boolean foundHistory = false; Collection bbartifacts = new ArrayList<>(); - String temps; - String indexFileName; + for (AbstractFile indexFile : indexFiles) { - // Since each result represent an index.dat file, - // just create these files with the following notation: - // index.dat (i.e. index0.dat, index1.dat,..., indexN.dat) - // Write each index.dat file to a temp directory. - //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); - indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat"; //NON-NLS - //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat"; - temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; //NON-NLS + /* Since each result represent an index.dat file, just create these + * files with the following notation: index.dat (i.e. + * index0.dat, index1.dat,..., indexN.dat) Write each index.dat file + * to a temp directory. + * + * TODO: this comment is not accurate. It implies we use an + * sequential id number but actualy we use the file id from the db. + */ + String indexFileName = "index" + indexFile.getId() + ".dat"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; //NON-NLS File datFile = new File(temps); if (context.dataSourceIngestIsCancelled()) { break; 
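Review bot: The rewritten comment above `String indexFileName = "index" + indexFile.getId() + ".dat";` keeps the wording it itself calls inaccurate and appends a TODO; since the block is being touched, replace the comment rather than annotate it. Something like `// Copy each index.dat into the module temp dir as index<objectId>.dat; the database object id keeps the names distinct across files.` states what the code does (the id comes from `indexFile.getId()`), and the TODO can go. The `for` loop body continues past the end of this hunk.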
@@ -346,13 +328,13 @@ class IEExtractor extends Extractor { } String filename = "pasco2Result." + indexFile.getId() + ".txt"; //NON-NLS - boolean bPascProcSuccess = executePasco(temps, filename); + boolean bPascProcSuccess = executePasco(pascoLibPath, temps, filename); if (context.dataSourceIngestIsCancelled()) { return; } - //At this point pasco2 proccessed the index files. - //Now fetch the results, parse them and the delete the files. + //At this point pasco2 proccessed the index file. + //Now fetch the results, parse them and the delete the file. if (bPascProcSuccess) { // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent bbartifacts.addAll(parsePascoOutput(indexFile, filename).stream() @@ -360,7 +342,7 @@ class IEExtractor extends Extractor { .collect(Collectors.toList())); foundHistory = true; - //Delete index.dat file since it was succcessfully by Pasco + //Delete index.dat file since it was succcessfully parsed by Pasco datFile.delete(); } else { logger.log(Level.WARNING, "pasco execution failed on: {0}", this.getModuleName()); //NON-NLS 
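Review bot: The comment lines rewritten in this hunk still carry the old typos: `//At this point pasco2 proccessed the index file.` and, in the next hunk, `//Delete index.dat file since it was succcessfully parsed by Pasco`. Since both lines are already changed, fix them to `// At this point pasco2 has processed the index file.` / `// Now fetch the results, parse them and then delete the file.` and `// Delete index.dat since Pasco parsed it successfully`. `datFile.delete()` (context) still ignores its result; a `Level.WARNING` log when the temp copy cannot be removed would help spot copies of evidence files left behind in the temp directory.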
@@ -382,22 +364,22 @@ class IEExtractor extends Extractor { * @param indexFilePath Path to local index.dat file to analyze * @param outputFileName Name of file to save output to * - * @return false on error + * @return the boolean */ - private boolean executePasco(String indexFilePath, String outputFileName) { + private boolean executePasco(String pascoLibraryPath, String indexFilePath, String outputFileName) { boolean success = true; try { final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName; final String errFileFullPath = moduleTempResultsDir + File.separator + outputFileName + ".err"; //NON-NLS logger.log(Level.INFO, "Writing pasco results to: {0}", outputFileFullPath); //NON-NLS - List commandLine = new ArrayList<>(); - commandLine.add(JAVA_PATH); - commandLine.add("-cp"); //NON-NLS - commandLine.add(PASCO_LIB_PATH); - commandLine.add("isi.pasco2.Main"); //NON-NLS - commandLine.add("-T"); //NON-NLS - commandLine.add("history"); //NON-NLS - commandLine.add(indexFilePath); + List commandLine = Arrays.asList( + JAVA_PATH, + "-cp",//NON-NLS + pascoLibraryPath, + "isi.pasco2.Main", //NON-NLS + "-T", //NON-NLS + "history", //NON-NLS + indexFilePath); ProcessBuilder processBuilder = new ProcessBuilder(commandLine); processBuilder.redirectOutput(new File(outputFileFullPath)); processBuilder.redirectError(new File(errFileFullPath)); @@ -430,7 +412,6 @@ class IEExtractor extends Extractor { */ private Collection parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) { - Collection bbartifacts = new ArrayList<>(); String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName; File file = new File(fnAbs); 
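Review bot: The Javadoc regresses: `@return the boolean` replaces `@return false on error`, and the new first parameter `pascoLibraryPath` has no `@param`. Restore `@return true if pasco2 ran to completion, false on error` (the body starts with `success = true` and presumably only error paths outside this hunk clear it, so word it to match) and add `@param pascoLibraryPath classpath for pasco2 (pasco2.jar plus the lib directory wildcard), as built by getHistory`. The `Arrays.asList(...)` command line is handed to `ProcessBuilder(List)`, which keeps each argument separate rather than shell-parsed; a one-line comment saying that is why the paths are not quoted would discourage a future `String.join` refactor.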
@@ -439,131 +420,124 @@ class IEExtractor extends Extractor { NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getModuleName(), file.getName())); logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS - return bbartifacts; + return Collections.emptySet(); } // Make sure the file the is not empty or the Scanner will // throw a "No Line found" Exception if (file.length() == 0) { - return bbartifacts; + return Collections.emptySet(); } + try (Scanner fileScanner = new Scanner(new FileInputStream(file.toString()));) { - Scanner fileScanner; - try { - fileScanner = new Scanner(new FileInputStream(file.toString())); + // Keep a list of reported user accounts to avoid repeats. + // Initialize it with the empty string to represent an unknown user. + Set reportedUserAccounts = Sets.newHashSet(""); + Collection bbartifacts = new ArrayList<>(); + while (fileScanner.hasNext()) { + String line = fileScanner.nextLine(); + if (!line.startsWith("URL")) { //NON-NLS + continue; + } + + String[] lineBuff = line.split("\\t"); //NON-NLS + + if (lineBuff.length < 4) { + logger.log(Level.INFO, "Found unrecognized IE history format."); //NON-NLS + continue; + } + + String actime = lineBuff[3]; + Long ftime = (long) 0; + String user; + String realurl; + String domain; + + /* + * We've seen two types of lines: URL http://XYZ.com .... URL + * Visited: Joe@http://XYZ.com .... 
+ */ + if (lineBuff[1].contains("@")) { + String url[] = lineBuff[1].split("@", 2); + user = url[0]; + user = user.replace("Visited:", ""); //NON-NLS + user = user.replace(":Host:", ""); //NON-NLS + user = user.replaceAll(":(.*?):", ""); + user = user.trim(); + realurl = url[1]; + realurl = realurl.replace("Visited:", ""); //NON-NLS + realurl = realurl.replaceAll(":(.*?):", ""); + realurl = realurl.replace(":Host:", ""); //NON-NLS + realurl = realurl.trim(); + } else { + user = ""; + realurl = lineBuff[1].trim(); + } + + domain = Util.extractDomain(realurl); + + if (!actime.isEmpty()) { + try { + Long epochtime = new SimpleDateFormat(PASCO_DATE_FORMAT).parse(actime).getTime(); + ftime = epochtime / 1000; + } catch (ParseException e) { + this.addErrorMessage( + NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry", + this.getModuleName())); + logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS + } + } + + try { + BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME_NO_SPACE, + realurl), + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME_NO_SPACE, + ftime), + //TODO: why are we adding an attribute that is always blank? 
+ new BlackboardAttribute( + TSK_REFERRER, PARENT_MODULE_NAME_NO_SPACE, + ""), + // @@@ NOte that other browser modules are adding TITLE in here for the title + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME_NO_SPACE, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, + domain), + new BlackboardAttribute( + TSK_USER_NAME, PARENT_MODULE_NAME_NO_SPACE, + user)); + bbart.addAttributes(bbattributes); + + // index the artifact for keyword search + this.indexArtifact(bbart); + bbartifacts.add(bbart); + + if (reportedUserAccounts.contains(user) == false) { + BlackboardArtifact osAttr = origFile.newArtifact(TSK_OS_ACCOUNT); + osAttr.addAttribute(new BlackboardAttribute(TSK_USER_NAME, PARENT_MODULE_NAME_NO_SPACE, user)); + + // index the artifact for keyword search + this.indexArtifact(osAttr); + bbartifacts.add(osAttr); + + reportedUserAccounts.add(user); + } + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS + } + } + return bbartifacts; } catch (FileNotFoundException ex) { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getModuleName(), file.getName())); logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS - return bbartifacts; + return Collections.emptySet(); } - - // Keep a list of reported user accounts to avoid repeats - Set reportedUserAccounts = new HashSet<>(); - - while (fileScanner.hasNext()) { - String line = fileScanner.nextLine(); - if (!line.startsWith("URL")) { //NON-NLS - continue; - } - - String[] lineBuff = line.split("\\t"); //NON-NLS - - if (lineBuff.length < 4) { - logger.log(Level.INFO, "Found unrecognized IE history format."); //NON-NLS - continue; - } - - String actime = lineBuff[3]; - Long ftime = (long) 0; - String user; - String realurl; - String domain; - - /* - * We've seen two types of 
lines: URL http://XYZ.com .... URL - * Visited: Joe@http://XYZ.com .... - */ - if (lineBuff[1].contains("@")) { - String url[] = lineBuff[1].split("@", 2); - user = url[0]; - user = user.replace("Visited:", ""); //NON-NLS - user = user.replace(":Host:", ""); //NON-NLS - user = user.replaceAll("(:)(.*?)(:)", ""); - user = user.trim(); - realurl = url[1]; - realurl = realurl.replace("Visited:", ""); //NON-NLS - realurl = realurl.replaceAll(":(.*?):", ""); - realurl = realurl.replace(":Host:", ""); //NON-NLS - realurl = realurl.trim(); - } else { - user = ""; - realurl = lineBuff[1].trim(); - } - - domain = Util.extractDomain(realurl); - - if (!actime.isEmpty()) { - try { - Long epochtime = dateFormatter.parse(actime).getTime(); - ftime = epochtime / 1000; - } catch (ParseException e) { - this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry", - this.getModuleName())); - logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS - } - } - - try { - BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), realurl)); - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl))); - - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), ftime)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), "")); - // @@@ NOte that other browser modules are adding TITLE in hre for the title - bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), - "ExtractIE.moduleName.text"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), domain)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, - NbBundle.getMessage(this.getClass(), - "ExtractIE.parentModuleName.noSpace"), user)); - bbart.addAttributes(bbattributes); - - // index the artifact for keyword search - this.indexArtifact(bbart); - bbartifacts.add(bbart); - - if ((!user.isEmpty()) && (!reportedUserAccounts.contains(user))) { - BlackboardArtifact osAttr = origFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT); - osAttr.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, - NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user)); - - // index the artifact for keyword search - this.indexArtifact(osAttr); - bbartifacts.add(osAttr); - - reportedUserAccounts.add(user); - } - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS - } - } - fileScanner.close(); - return bbartifacts; } } From 0b1b353a7728e62cb561335cd3f3c0f6bf065421 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 13:24:55 +0200 Subject: [PATCH 08/17] cleanup RegistryExtractor.java --- .../recentactivity/RegistryExtractor.java | 805 +++++++++--------- 1 file changed, 417 insertions(+), 388 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java index 62148b69d3..a1b4b1f3c0 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java 
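Review bot: `new SimpleDateFormat(PASCO_DATE_FORMAT)` is constructed for every parsed history line inside the `while (fileScanner.hasNext())` loop; create it once per call, `SimpleDateFormat pascoDateFormat = new SimpleDateFormat(PASCO_DATE_FORMAT);` just before the loop, which keeps a per-call instance (no shared state) without the per-line allocation. `new Scanner(new FileInputStream(file.toString()))` reads the pasco output with the platform default charset; an explicit charset makes results reproducible across analyst machines (I cannot tell from here which encoding pasco2 emits). Two comments would help future readers: on `Sets.newHashSet("")`, that seeding with `""` is what keeps an empty user from producing a TSK_OS_ACCOUNT (the removed code expressed the same rule as `!user.isEmpty() &&`), and the TODO on the always-blank `TSK_REFERRER` attribute is a question for the commit or an issue, not for the attribute list. `Scanner` also swallows IOExceptions from the underlying stream, so checking `fileScanner.ioException()` after the loop would surface a truncated read instead of silently ending early.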
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java @@ -22,8 +22,15 @@ */ package org.sleuthkit.autopsy.recentactivity; -import java.io.*; +import com.google.common.collect.ImmutableList; +import com.google.common.collect.ImmutableSet; +import com.google.common.collect.Lists; import java.io.File; +import java.io.FileInputStream; +import java.io.FileNotFoundException; +import java.io.FileWriter; +import java.io.IOException; +import java.io.StringReader; import java.nio.file.Path; import java.text.ParseException; import java.text.SimpleDateFormat; @@ -35,6 +42,7 @@ import javax.xml.parsers.ParserConfigurationException; import org.openide.modules.InstalledFileLocator; import org.openide.util.Lookup; import org.openide.util.NbBundle; +import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.ExecUtil; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.PlatformUtil; 
@@ -46,10 +54,41 @@ import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService; import org.sleuthkit.autopsy.recentactivity.UsbDeviceIdMapper.USBInfo; -import org.sleuthkit.datamodel.*; +import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; -import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_REMOTE_DRIVE; +import org.sleuthkit.datamodel.BlackboardAttribute; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MAKE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MODEL; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCAL_PATH; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ORGANIZATION; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_OWNER; +import static 
org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PRODUCT_ID; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REMOTE_PATH; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEMP_DIR; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_ID; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VERSION; +import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; +import org.sleuthkit.datamodel.Report; +import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskCoreException; +import org.w3c.dom.DOMException; import org.w3c.dom.Document; import org.w3c.dom.Element; import org.w3c.dom.Node; 
@@ -69,49 +108,47 @@ import org.xml.sax.SAXException; }) class RegistryExtractor extends Extractor { - private final Logger logger = Logger.getLogger(this.getClass().getName()); - private String RR_PATH; - private String RR_FULL_PATH; - private Path rrHome; // Path to the Autopsy version of RegRipper - private Path rrFullHome; // Path to the full version of RegRipper - private Content dataSource; - private IngestJobContext context; + private static final Logger logger = Logger.getLogger(RegistryExtractor.class.getName()); + private final static String PARENT_MODULE_NAME = NbBundle.getMessage(RegistryExtractor.class, "ExtractRegistry.parentModuleName.noSpace"); final private static UsbDeviceIdMapper USB_MAPPER = new UsbDeviceIdMapper(); final private static String RIP_EXE = "rip.exe"; final private static String RIP_PL = "rip.pl"; + final private static ImmutableList REG_FILE_NAMES = ImmutableList.of("system", "software", "security", "sam"); //NON-NLS + private final Path rrHome; // Path to the Autopsy version of RegRipper + private final Path rrFullHome; // Path to the full version of RegRipper + private Content dataSource; + private IngestJobContext context; + private final List rrCmd = new ArrayList<>(); private final List rrFullCmd = new ArrayList<>(); RegistryExtractor() throws IngestModuleException { - - final File rrRoot = InstalledFileLocator.getDefault().locate("rr", RegistryExtractor.class.getPackage().getName(), false); //NON-NLS + InstalledFileLocator installedFileLocator = InstalledFileLocator.getDefault(); + final File rrRoot = installedFileLocator.locate("rr", RegistryExtractor.class.getPackage().getName(), false); //NON-NLS if (rrRoot == null) { throw new IngestModuleException(Bundle.RegRipperNotFound()); } - - final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", RegistryExtractor.class.getPackage().getName(), false); //NON-NLS + final File rrFullRoot = installedFileLocator.locate("rr-full", 
RegistryExtractor.class.getPackage().getName(), false); //NON-NLS if (rrFullRoot == null) { throw new IngestModuleException(Bundle.RegRipperFullNotFound()); } - String executableToRun = RIP_EXE; - if (!PlatformUtil.isWindowsOS()) { - executableToRun = RIP_PL; - } - rrHome = rrRoot.toPath(); - RR_PATH = rrHome.resolve(executableToRun).toString(); - rrFullHome = rrFullRoot.toPath(); - RR_FULL_PATH = rrFullHome.resolve(executableToRun).toString(); + String executableToRun = PlatformUtil.isWindowsOS() ? RIP_EXE : RIP_PL; - if (!(new File(RR_PATH).exists())) { + rrHome = rrRoot.toPath(); + String rrPath = rrHome.resolve(executableToRun).toString(); + if (!(new File(rrPath).exists())) { throw new IngestModuleException(Bundle.RegRipperNotFound()); } - if (!(new File(RR_FULL_PATH).exists())) { + rrFullHome = rrFullRoot.toPath(); + String rrFullPath = rrFullHome.resolve(executableToRun).toString(); + + if (!(new File(rrFullPath).exists())) { throw new IngestModuleException(Bundle.RegRipperFullNotFound()); } if (PlatformUtil.isWindowsOS()) { - rrCmd.add(RR_PATH); - rrFullCmd.add(RR_FULL_PATH); + rrCmd.add(rrPath); + rrFullCmd.add(rrFullPath); } else { String perl; File usrBin = new File("/usr/bin/perl"); @@ -124,15 +161,15 @@ class RegistryExtractor extends Extractor { throw new IngestModuleException("perl not found in your system"); } rrCmd.add(perl); - rrCmd.add(RR_PATH); + rrCmd.add(rrPath); rrFullCmd.add(perl); - rrFullCmd.add(RR_FULL_PATH); + rrFullCmd.add(rrFullPath); } } @Override protected String getModuleName() { - return NbBundle.getMessage(IEExtractor.class, "ExtractRegistry.moduleName.text"); + return NbBundle.getMessage(RegistryExtractor.class, "ExtractRegistry.moduleName.text"); } /** 
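Review bot: The field declarations on the new side mix three modifier orders in one block — `private static final Logger logger`, `private final static String PARENT_MODULE_NAME`, and `final private static ImmutableList REG_FILE_NAMES` next to the pre-existing `final private static` constants; the JLS-recommended order is `private static final`, so the two new declarations should read `private static final String PARENT_MODULE_NAME = ...` and `private static final ImmutableList REG_FILE_NAMES = ...`. In the constructor `PlatformUtil.isWindowsOS()` is now evaluated twice, once in the ternary that picks `RIP_EXE`/`RIP_PL` and again in the later `if`; a single `final boolean isWindows = PlatformUtil.isWindowsOS();` local used by both would make it obvious that the executable and the command prefix are chosen consistently. The constructor body continues past the end of this hunk.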
@@ -140,24 +177,23 @@ class RegistryExtractor extends Extractor { */ private List findRegistryFiles() { List allRegistryFiles = new ArrayList<>(); - org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + FileManager fileManager = currentCase.getServices().getFileManager(); // find the user-specific ntuser-dat files try { allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); //NON-NLS } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); //NON-NLS + logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file.", ex); //NON-NLS } // find the system hives' - String[] regFileNames = new String[]{"system", "software", "security", "sam"}; //NON-NLS - for (String regFileName : regFileNames) { + for (String regFileName : REG_FILE_NAMES) { try { allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(this.getClass(), + String msg = NbBundle.getMessage(RegistryExtractor.class, "ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName); - logger.log(Level.WARNING, msg); + logger.log(Level.WARNING, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); } } @@ -171,6 +207,7 @@ class RegistryExtractor extends Extractor { private void analyzeRegistryFiles() { List allRegistryFiles = findRegistryFiles(); + //TODO: The handleing of the log file seems odd // open the log file FileWriter logFile = null; try { @@ -231,7 +268,7 @@ class RegistryExtractor extends Extractor { } // create a report for the full output - if (!regOutputFiles.fullPlugins.isEmpty()) { + if (regOutputFiles.fullPlugins.isEmpty() == false) { try { Report report = currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), 
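Review bot: The `ntuser.dat` branch of findRegistryFiles now logs the TskCoreException but still does not surface it to the user, while the system-hive branch a few lines below calls `this.addErrorMessage(this.getModuleName() + ": " + msg)` on the same failure; since this hunk touches both catch blocks, adding `this.addErrorMessage(this.getModuleName() + ": Error fetching 'ntuser.dat' file.");` after the first `logger.log` would make the two consistent. findRegistryFiles continues outside the hunk.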
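Review bot: The TODO added at the top of analyzeRegistryFiles misspells "handling" — `//TODO: The handleing of the log file seems odd` — and records only a puzzlement rather than an action; suggest `//TODO: The handling of the log file seems odd` and one clause naming what looks odd so a later reader can resolve it. The method body continues outside the hunk.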
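Review bot: `if (regOutputFiles.fullPlugins.isEmpty() == false)` swaps an idiomatic negation for a comparison against a boolean literal; the removed `if (!regOutputFiles.fullPlugins.isEmpty())` is the conventional Java form and behaves identically, so this line should go back to `!...isEmpty()` unless the project's style guide asks for `== false`. The enclosing method continues outside the hunk.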
@@ -344,20 +381,17 @@ class RegistryExtractor extends Extractor { // @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT /** * - * @param regFilePath Path to the output file produced by RegRipper. - * @param regFile File object for registry that we are parsing (to make - * blackboard artifacts with) + * @param regFilePath Path to the output file produced by RegRipper. + * @param regAbstractFile File object for registry that we are parsing (to + * make blackboard artifacts with) * * @return */ - private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) { - FileInputStream fstream = null; - try { - SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regAbstractFile) { + SleuthkitCase caseDB = currentCase.getSleuthkitCase(); - // Read the file in and create a Document and elements - File regfile = new File(regFilePath); - fstream = new FileInputStream(regfile); + // Read the file in and create a Document and elements + try (FileInputStream fstream = new FileInputStream(regFilePath);) { String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next(); //NON-NLS String startdoc = ""; //NON-NLS @@ -376,6 +410,7 @@ class RegistryExtractor extends Extractor { Element oroot = doc.getDocumentElement(); NodeList children = oroot.getChildNodes(); int len = children.getLength(); + // Add all "usb" dataType nodes to collection of BlackboardArtifacts // that we will submit in a ModuleDataEvent for additional processing. Collection usbBBartifacts = new ArrayList<>(); 
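Review bot: The Javadoc for parseAutopsyPluginOutput is touched by this hunk but its `@return` tag is still left empty; suggest `@return true if the RegRipper output file was parsed, false if an exception was logged` (the method's return statements sit in later hunks of this file). The new try-with-resources header `try (FileInputStream fstream = new FileInputStream(regFilePath);) {` carries a stray `;` before the closing parenthesis — legal, but `try (FileInputStream fstream = new FileInputStream(regFilePath)) {` is the usual form. The method body continues outside the hunk.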
@@ -383,23 +418,17 @@ class RegistryExtractor extends Extractor { for (int i = 0; i < len; i++) { Element tempnode = (Element) children.item(i); - String dataType = tempnode.getNodeName(); - NodeList timenodes = tempnode.getElementsByTagName("mtime"); //NON-NLS Long mtime = null; if (timenodes.getLength() > 0) { - Element timenode = (Element) timenodes.item(0); - String etime = timenode.getTextContent(); + String etime = timenodes.item(0).getTextContent(); try { Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime(); - mtime = epochtime; - String Tempdate = mtime.toString(); - mtime = Long.valueOf(Tempdate) / 1000; + mtime = epochtime / 1000; } catch (ParseException ex) { logger.log(Level.WARNING, "Failed to parse epoch time when parsing the registry."); //NON-NLS } } - NodeList artroots = tempnode.getElementsByTagName("artifacts"); //NON-NLS if (artroots.getLength() == 0) { // If there isn't an artifact node, skip this entry 
@@ -408,344 +437,28 @@ class RegistryExtractor extends Extractor { Element artroot = (Element) artroots.item(0); NodeList myartlist = artroot.getChildNodes(); - String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"); - String winver = ""; + String dataType = tempnode.getNodeName(); // If all artifact nodes should really go under one Blackboard artifact, need to process it differently switch (dataType) { - case "WinVersion": //NON-NLS - String version = ""; - String systemRoot = ""; - String productId = ""; - String regOwner = ""; - String regOrg = ""; - Long installtime = null; - for (int j = 0; j < myartlist.getLength(); j++) { - Node artchild = myartlist.item(j); - // If it has attributes, then it is an Element (based off API) - if (artchild.hasAttributes()) { - Element artnode = (Element) artchild; - - String value = artnode.getTextContent().trim(); - String name = artnode.getAttribute("name"); //NON-NLS - switch (name) { - case "ProductName": // NON-NLS - version = value; - break; - case "CSDVersion": // NON-NLS - // This is dependant on the fact that ProductName shows up first in the module output - version = version + " " + value; - break; - case "SystemRoot": //NON-NLS - systemRoot = value; - break; - case "ProductId": //NON-NLS - productId = value; - break; - case "RegisteredOwner": //NON-NLS - regOwner = value; - break; - case "RegisteredOrganization": //NON-NLS - regOrg = value; - break; - case "InstallDate": //NON-NLS - try { - Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime(); - installtime = epochtime; - String Tempdate = installtime.toString(); - installtime = Long.valueOf(Tempdate) / 1000; - } catch (ParseException e) { - logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e); //NON-NLS - } - break; - default: - break; - } - } - } - try { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, version)); - if (installtime != null) { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, installtime)); - } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, parentModuleName, systemRoot)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID, parentModuleName, productId)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER, parentModuleName, regOwner)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION, parentModuleName, regOrg)); - - // Check if there is already an OS_INFO artifact for this file, and add to that if possible. - ArrayList results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId()); - if (results.isEmpty()) { - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO); - bbart.addAttributes(bbattributes); - - // index the artifact for keyword search - this.indexArtifact(bbart); - } else { - results.get(0).addAttributes(bbattributes); - } - - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS - } + case "WinVersion": + processWinVersion(myartlist, caseDB, regAbstractFile); break; - case "Profiler": // NON-NLS - String os = ""; - String procArch = ""; - String procId = ""; - String tempDir = ""; - for (int j = 0; j < myartlist.getLength(); j++) { - Node artchild = myartlist.item(j); - // If it has attributes, then it is an Element (based off API) - if (artchild.hasAttributes()) { - Element artnode = (Element) artchild; - - String value = artnode.getTextContent().trim(); - String name = artnode.getAttribute("name"); //NON-NLS - switch (name) { - case "OS": // NON-NLS - os = value; - break; - case "PROCESSOR_ARCHITECTURE": // NON-NLS - procArch = value; - break; - case "PROCESSOR_IDENTIFIER": //NON-NLS - procId = value; - break; - case "TEMP": //NON-NLS 
- tempDir = value; - break; - default: - break; - } - } - } - try { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VERSION, parentModuleName, os)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE, parentModuleName, procArch)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR, parentModuleName, tempDir)); - - // Check if there is already an OS_INFO artifact for this file and add to that if possible - ArrayList results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId()); - if (results.isEmpty()) { - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO); - bbart.addAttributes(bbattributes); - - // index the artifact for keyword search - this.indexArtifact(bbart); - } else { - results.get(0).addAttributes(bbattributes); - } - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS - } + case "Profiler": + processProfiler(myartlist, caseDB, regAbstractFile); break; - case "CompName": // NON-NLS - String compName = ""; - String domain = ""; - for (int j = 0; j < myartlist.getLength(); j++) { - Node artchild = myartlist.item(j); - // If it has attributes, then it is an Element (based off API) - if (artchild.hasAttributes()) { - Element artnode = (Element) artchild; - - String value = artnode.getTextContent().trim(); - String name = artnode.getAttribute("name"); //NON-NLS - - if (name.equals("ComputerName")) { // NON-NLS - compName = value; - } else if (name.equals("Domain")) { // NON-NLS - domain = value; - } - } - } - try { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, compName)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain)); - - // Check if there is already an OS_INFO artifact for this file and add to that if 
possible - ArrayList results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId()); - if (results.isEmpty()) { - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO); - bbart.addAttributes(bbattributes); - - // index the artifact for keyword search - this.indexArtifact(bbart); - } else { - results.get(0).addAttributes(bbattributes); - } - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS - } + case "CompName": + processCompName(myartlist, caseDB, regAbstractFile); break; default: - for (int j = 0; j < myartlist.getLength(); j++) { - Node artchild = myartlist.item(j); - // If it has attributes, then it is an Element (based off API) - if (artchild.hasAttributes()) { - Element artnode = (Element) artchild; - - String value = artnode.getTextContent().trim(); - Collection bbattributes = new ArrayList<>(); - - switch (dataType) { - case "recentdocs": //NON-NLS - // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime)); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem)); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value)); - // bbart.addAttributes(bbattributes); - // @@@ BC: Why are we ignoring this... 
- break; - case "usb": //NON-NLS - try { - Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS - usbMtime = Long.valueOf(usbMtime.toString()); - - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, usbMtime)); - String dev = artnode.getAttribute("dev"); //NON-NLS - String make = ""; - String model = dev; - if (dev.toLowerCase().contains("vid")) { //NON-NLS - USBInfo info = USB_MAPPER.parseAndLookup(dev); - if (info.getVendor() != null) { - make = info.getVendor(); - } - if (info.getProduct() != null) { - model = info.getProduct(); - } - } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE, parentModuleName, make)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL, parentModuleName, model)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID, parentModuleName, value)); - bbart.addAttributes(bbattributes); - - // index the artifact for keyword search - this.indexArtifact(bbart); - // add to collection for ModuleDataEvent - usbBBartifacts.add(bbart); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); //NON-NLS - } - break; - case "uninstall": //NON-NLS - Long itemMtime = null; - try { - Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime(); //NON-NLS - itemMtime = epochtime; - itemMtime = itemMtime / 1000; - } catch (ParseException e) { - logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); //NON-NLS - } - - try { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime)); - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); - 
bbart.addAttributes(bbattributes); - - // index the artifact for keyword search - this.indexArtifact(bbart); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS - } - break; - case "office": //NON-NLS - String officeName = artnode.getAttribute("name"); //NON-NLS - - try { - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item - if (mtime != null) { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName, mtime)); - } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, officeName)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName())); - bbart.addAttributes(bbattributes); - - // index the artifact for keyword search - this.indexArtifact(bbart); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS - } - break; - - case "ProcessorArchitecture": //NON-NLS - // Architecture is now included under Profiler - //try { - // String processorArchitecture = value; - // if (processorArchitecture.equals("AMD64")) - // processorArchitecture = "x86-64"; - - // BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID(), parentModuleName, processorArchitecture)); - // bbart.addAttributes(bbattributes); - //} catch (TskCoreException ex) { - // logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS - //} - break; - - case "ProfileList": //NON-NLS - try { - - String homeDir = value; - String sid = 
artnode.getAttribute("sid"); //NON-NLS - String username = artnode.getAttribute("username"); //NON-NLS - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, - parentModuleName, username)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID, - parentModuleName, sid)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, - parentModuleName, homeDir)); - - bbart.addAttributes(bbattributes); - // index the artifact for keyword search - this.indexArtifact(bbart); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding account artifact to blackboard."); //NON-NLS - } - break; - - case "NtuserNetwork": // NON-NLS - try { - String localPath = artnode.getAttribute("localPath"); //NON-NLS - String remoteName = value; - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH, - parentModuleName, localPath)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH, - parentModuleName, remoteName)); - bbart.addAttributes(bbattributes); - // index the artifact for keyword search - this.indexArtifact(bbart); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding network artifact to blackboard."); //NON-NLS - } - break; - - case "shellfolders": // NON-NLS - // The User Shell Folders subkey stores the paths to Windows Explorer folders for the current user of the computer - // (https://technet.microsoft.com/en-us/library/Cc962613.aspx). - // No useful information. Skip. 
- break; - - default: - logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType); //NON-NLS - break; - } - } - } + processOtherDataType(myartlist, dataType, regAbstractFile, usbBBartifacts, mtime); break; } } // for + + //TODO: why do we only send module data events for USB artifacts if (!usbBBartifacts.isEmpty()) { - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(getModuleName(), BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, usbBBartifacts)); + IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(getModuleName(), TSK_DEVICE_ATTACHED, usbBBartifacts)); } return true; } catch (FileNotFoundException ex) { 
@@ -756,17 +469,333 @@ class RegistryExtractor extends Extractor { logger.log(Level.SEVERE, "Error building the document parser: {0}", ex); //NON-NLS } catch (ParserConfigurationException ex) { logger.log(Level.SEVERE, "Error configuring the registry parser: {0}", ex); //NON-NLS - } finally { - try { - if (fstream != null) { - fstream.close(); - } - } catch (IOException ex) { - } } return false; } + private void processOtherDataType(NodeList myartlist, String dataType, AbstractFile regAbstractFile, Collection usbBBartifacts, Long mtime) throws IllegalArgumentException, DOMException { + for (int j = 0; j < myartlist.getLength(); j++) { + Node artchild = myartlist.item(j); + // If it has attributes, then it is an Element (based off API) + if (artchild.hasAttributes()) { + Element artnode = (Element) artchild; + + String value = artnode.getTextContent().trim(); + + switch (dataType) { + case "recentdocs": //NON-NLS + // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime)); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem)); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value)); + // bbart.addAttributes(bbattributes); + // @@@ BC: Why are we ignoring this... 
+ break; + case "usb"://NON-NLS + processUSB(artnode, regAbstractFile, value, usbBBartifacts); + break; + case "uninstall"://NON-NLS + processUninstall(artnode, value, regAbstractFile); + break; + case "office"://NON-NLS + processOffice(artnode, regAbstractFile, mtime, value); + break; + case "ProcessorArchitecture": //NON-NLS + // Architecture is now included under Profiler + break; + case "ProfileList"://NON-NLS + processProfileList(value, artnode, regAbstractFile); + break; + case "NtuserNetwork"://NON-NLS + processNtuserNetwork(artnode, value, regAbstractFile); + break; + case "shellfolders": // NON-NLS + // The User Shell Folders subkey stores the paths to Windows Explorer folders for the current user of the computer + // (https://technet.microsoft.com/en-us/library/Cc962613.aspx). + // No useful information. Skip. + break; + default: + logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType); //NON-NLS + break; + } + } + } + } + + private void processNtuserNetwork(Element artnode, String remoteName, AbstractFile regAbstractFile) throws IllegalArgumentException { + + try { + List bbattributes = Arrays.asList( + new BlackboardAttribute(TSK_LOCAL_PATH, PARENT_MODULE_NAME, + artnode.getAttribute("localPath")), //NON-NLS + new BlackboardAttribute(TSK_REMOTE_PATH, PARENT_MODULE_NAME, + remoteName)); + + addArtifact(TSK_REMOTE_DRIVE, regAbstractFile, bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding network drive artifact to blackboard."); //NON-NLS + } + } + + private void processProfileList(String homeDir, Element artnode, AbstractFile regAbstractFile) throws IllegalArgumentException { + try { + List bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_USER_NAME, PARENT_MODULE_NAME, + artnode.getAttribute("username")), //NON-NLS + new BlackboardAttribute( + TSK_USER_ID, PARENT_MODULE_NAME, + artnode.getAttribute("sid")),//NON-NLS + new BlackboardAttribute( + TSK_PATH, PARENT_MODULE_NAME, + homeDir)); + + 
addArtifact(TSK_OS_ACCOUNT, regAbstractFile, bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding account artifact to blackboard."); //NON-NLS + } + } + + private void processOffice(Element artnode, AbstractFile regAbstractFile, Long mtime, String value) throws IllegalArgumentException { + try { + List bbattributes = Lists.newArrayList( + new BlackboardAttribute(TSK_NAME, PARENT_MODULE_NAME, + artnode.getAttribute("name")), //NON-NLS + new BlackboardAttribute(TSK_VALUE, PARENT_MODULE_NAME, + value), + new BlackboardAttribute(TSK_PROG_NAME, PARENT_MODULE_NAME, + artnode.getNodeName())); + + // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item + if (mtime != null) { + bbattributes.add(new BlackboardAttribute(TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, mtime)); + } + addArtifact(TSK_RECENT_OBJECT, regAbstractFile, bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS + } + } + + private void processUninstall(Element artnode, String progName, AbstractFile regAbstractFile) throws IllegalArgumentException { + Long itemMtime = null; + try { + Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime(); //NON-NLS + itemMtime = epochtime / 1000; + } catch (ParseException e) { + logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); //NON-NLS + } + + try { + List bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + progName), + new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME, + itemMtime)); + addArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG, regAbstractFile, bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS + } + } + + private void 
processUSB(Element artnode, AbstractFile regAbstractFile, String deviceID, Collection usbBBartifacts) throws IllegalArgumentException { + + try { + String model = artnode.getAttribute("dev"); //NON-NLS + String make = ""; + if (model.toLowerCase().contains("vid")) { //NON-NLS + USBInfo info = USB_MAPPER.parseAndLookup(model); + if (info.getVendor() != null) { + make = info.getVendor(); + } + if (info.getProduct() != null) { + model = info.getProduct(); + } + } + List bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME, + Long.parseLong(artnode.getAttribute("mtime"))), + new BlackboardAttribute( + TSK_DEVICE_MAKE, PARENT_MODULE_NAME, + make), + new BlackboardAttribute( + TSK_DEVICE_MODEL, PARENT_MODULE_NAME, + model), + new BlackboardAttribute( + TSK_DEVICE_ID, PARENT_MODULE_NAME, + deviceID)); + usbBBartifacts.add(addArtifact(TSK_DEVICE_ATTACHED, regAbstractFile, bbattributes)); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); //NON-NLS + } + } + + private void processCompName(NodeList myartlist, SleuthkitCase caseDB, AbstractFile regAbstractFile) throws DOMException, IllegalArgumentException { + String compName = ""; + String domain = ""; + for (int j = 0; j < myartlist.getLength(); j++) { + Node artchild = myartlist.item(j); + // If it has attributes, then it is an Element (based off API) + if (artchild.hasAttributes()) { + Element artnode = (Element) artchild; + + String value = artnode.getTextContent().trim(); + String name = artnode.getAttribute("name"); //NON-NLS + + if (name.equals("ComputerName")) { // NON-NLS + compName = value; + } else if (name.equals("Domain")) { // NON-NLS + domain = value; + } + } + } + try { + List bbattributes = Lists.newArrayList( + new BlackboardAttribute(TSK_NAME, PARENT_MODULE_NAME, compName), + new BlackboardAttribute(TSK_DOMAIN, PARENT_MODULE_NAME, domain)); + + // Check if there is already an OS_INFO artifact for 
this file and add to that if possible + ArrayList results = caseDB.getBlackboardArtifacts(TSK_OS_INFO, regAbstractFile.getId()); + if (results.isEmpty()) { + addArtifact(TSK_OS_INFO, regAbstractFile, bbattributes); + } else { + results.get(0).addAttributes(bbattributes); + //TODO: does it need to get re-indexed? + } + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS + } + } + + private void processProfiler(NodeList myartlist, SleuthkitCase caseDB, AbstractFile regAbstractFile) throws IllegalArgumentException, DOMException { + Set keys = ImmutableSet.of("PROCESSOR_IDENTIFIER",// TODO: should this go into an attribute? //NON-NLS + "OS", "PROCESSOR_ARCHITECTURE", "TEMP"); //NON-NLS + Map attributeValues = new HashMap<>(); + for (int j = 0; j < myartlist.getLength(); j++) { + Node artchild = myartlist.item(j); + // If it has attributes, then it is an Element (based off API) + if (artchild.hasAttributes()) { + Element artnode = (Element) artchild; + + String name = artnode.getAttribute("name"); //NON-NLS + if (keys.contains(name)) { + attributeValues.put(name, artnode.getTextContent().trim()); + } + } + } + try { + List bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_VERSION, PARENT_MODULE_NAME, + attributeValues.get("OS")), //NON-NLS + new BlackboardAttribute( + TSK_PROCESSOR_ARCHITECTURE, PARENT_MODULE_NAME, + attributeValues.get("PROCESSOR_ARCHITECTURE")), //NON-NLS + new BlackboardAttribute( + TSK_TEMP_DIR, PARENT_MODULE_NAME, + attributeValues.get("TEMP"))); //NON-NLS + + // Check if there is already an OS_INFO artifact for this file and add to that if possible + ArrayList results = caseDB.getBlackboardArtifacts(TSK_OS_INFO, regAbstractFile.getId()); + if (results.isEmpty()) { + addArtifact(TSK_OS_INFO, regAbstractFile, bbattributes); + } else { + results.get(0).addAttributes(bbattributes); + } + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding os info 
artifact to blackboard."); //NON-NLS + } + } + + private void processWinVersion(NodeList myartlist, SleuthkitCase caseDB, AbstractFile regAbstractFile) throws NumberFormatException, IllegalArgumentException, DOMException { + + String version = ""; + String systemRoot = ""; + String productId = ""; + String regOwner = ""; + String regOrg = ""; + Long installtime = null; + for (int j = 0; j < myartlist.getLength(); j++) { + Node artchild = myartlist.item(j); + // If it has attributes, then it is an Element (based off API) + if (artchild.hasAttributes()) { + Element artnode = (Element) artchild; + + String value = artnode.getTextContent().trim(); + String name = artnode.getAttribute("name"); //NON-NLS + switch (name) { + case "ProductName": // NON-NLS + version = value; + break; + case "CSDVersion": // NON-NLS + // This is dependant on the fact that ProductName shows up first in the module output + version = version + " " + value; + break; + case "SystemRoot": //NON-NLS + systemRoot = value; + break; + case "ProductId": //NON-NLS + productId = value; + break; + case "RegisteredOwner": //NON-NLS + regOwner = value; + break; + case "RegisteredOrganization": //NON-NLS + regOrg = value; + break; + case "InstallDate": //NON-NLS + try { + Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime(); + installtime = epochtime; + String Tempdate = installtime.toString(); + installtime = Long.valueOf(Tempdate) / 1000; + } catch (ParseException e) { + logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e); //NON-NLS + } + break; + default: + break; + } + } + } + try { + List bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + version), + new BlackboardAttribute( + TSK_PATH, PARENT_MODULE_NAME, + systemRoot), + new BlackboardAttribute( + TSK_PRODUCT_ID, PARENT_MODULE_NAME, + productId), + new BlackboardAttribute( + TSK_OWNER, PARENT_MODULE_NAME, + regOwner), + new BlackboardAttribute( + 
TSK_ORGANIZATION, PARENT_MODULE_NAME, + regOrg + )); + if (installtime != null) { + bbattributes.add(new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME, + installtime)); + } + // Check if there is already an OS_INFO artifact for this file, and add to that if possible. + ArrayList results = caseDB.getBlackboardArtifacts(TSK_OS_INFO, regAbstractFile.getId()); + if (results.isEmpty()) { + addArtifact(TSK_OS_INFO, regAbstractFile, bbattributes); + } else { + results.get(0).addAttributes(bbattributes); + } + + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS + } + } + @Override public void process(Content dataSource, IngestJobContext context) { this.dataSource = dataSource; From 595eefaa6fc0c0c54fefb3fdc0346dd91e2bb87d Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 13 Aug 2018 14:35:42 +0200 Subject: [PATCH 09/17] cleanup FirefoxExtractor and fix it for new approach. --- .../recentactivity/ChromeExtractor.java | 222 +++++---- .../autopsy/recentactivity/Extractor.java | 74 ++- .../recentactivity/FirefoxExtractor.java | 456 +++++++++--------- .../autopsy/recentactivity/IEExtractor.java | 10 +- .../RecentDocumentsLnkExtractor.java | 3 +- .../recentactivity/RegistryExtractor.java | 25 +- .../SearchEngineURLQueryAnalyzer.java | 3 +- 7 files changed, 420 insertions(+), 373 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java index 3d908b79db..d83eb296fc 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java 
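Review bot: processProfiler changes what is written when RegRipper omits an entry: the removed code initialised `os`, `procArch` and `tempDir` to `""`, whereas `attributeValues.get("OS")` and its two siblings now yield null for a missing key and pass it straight into `BlackboardAttribute`; `attributeValues.getOrDefault("OS", "")` (and likewise for `"PROCESSOR_ARCHITECTURE"` and `"TEMP"`) keeps the previous behaviour. In processUSB, `Long.parseLong(artnode.getAttribute("mtime"))` sits inside a try that catches only TskCoreException, so a missing or non-numeric `mtime` attribute in the plugin output (`getAttribute` returns `""` when absent) throws NumberFormatException out of the helper, and because parseAutopsyPluginOutput catches only I/O and parser exceptions, one bad node aborts processing of the whole hive — catch it and log as the ParseException paths do. processUninstall has a related gap: when the date fails to parse, `itemMtime` stays null and is handed to the `TSK_DATETIME` attribute constructor, which presumably unboxes it (TODO confirm against BlackboardAttribute's constructors); guard with `if (itemMtime != null)` as processOffice does for `mtime`. processWinVersion still converts the install date through `installtime.toString()` and `Long.valueOf(Tempdate) / 1000` although the identical code for `mtime` earlier in this series was simplified to `epochtime / 1000`. Finally, the new helpers list unchecked exceptions (`IllegalArgumentException`, `DOMException`, `NumberFormatException`) in their throws clauses, which obliges no caller and only adds noise; drop them.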
@@ -40,11 +40,11 @@ import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.IngestJobContext; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; @@ -68,7 +68,7 @@ import org.sleuthkit.datamodel.TskData; /** * Chrome recent activity extraction */ -class ChromeExtractor extends Extractor { +final class ChromeExtractor extends Extractor { private static final Logger logger = Logger.getLogger(ChromeExtractor.class.getName()); private static final String PARENT_MODULE_NAME = NbBundle.getMessage(ChromeExtractor.class, "Chrome.parentModuleName"); @@ -83,6 +83,7 @@ class ChromeExtractor extends Extractor { private Content dataSource; private IngestJobContext context; + private FileManager fileManager; @Override protected String getModuleName() { 
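Review bot: The new `private FileManager fileManager;` field in the @@ -83 hunk shadows the `protected FileManager fileManager` that this same patch adds to Extractor and that Extractor.init() assigns, so ChromeExtractor's own copy is never set in any visible hunk; unless configExtractor(), which is outside this view, assigns it, the first `fileManager.findFiles(...)` in getHistory throws a NullPointerException. Dropping the declaration lets the inherited field be used: delete `private FileManager fileManager;`. FirefoxExtractor in this patch appears to rely on the inherited field without redeclaring it, which is the form to follow here.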
@@ -104,13 +105,15 @@ class ChromeExtractor extends Extractor { /** * Query for history databases and add artifacts */ - private void getHistory() throws TskCoreException { - FileManager fileManager = currentCase.getServices().getFileManager(); + @NbBundle.Messages({"# {0} - Extractor / program name", + "Extractor.errPostingArtifacts={0}:Error while trying to post artifacts."}) + private void getHistory() { + List historyFiles; try { historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; @@ -126,7 +129,7 @@ class ChromeExtractor extends Extractor { // log a message if we don't have any allocated history files if (allocatedHistoryFiles.isEmpty()) { - String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles"); + String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.couldntFindAnyFiles"); logger.log(Level.INFO, msg); return; } 
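Review bot: The `@NbBundle.Messages` annotation that declares `Extractor.errPostingArtifacts` is attached to ChromeExtractor.getHistory() in the @@ -104 hunk, yet `Bundle.Extractor_errPostingArtifacts(...)` is used from several methods of this class and, judging by its key name, is meant as a shared Extractor message. Because the generated Bundle class is per package this compiles, but the key silently disappears if getHistory() is later removed or reworked; move the annotation to Extractor.java next to the existing `Extract.indexError.message` declaration. The body of getHistory continues outside this hunk.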
@@ -146,13 +149,13 @@ class ChromeExtractor extends Extractor { } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome web history artifacts file '%s' (id=%d).", historyFile.getName(), historyFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errAnalyzingFile", this.getModuleName(), historyFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome web history artifacts file '%s' (id=%d).", temps, historyFile.getName(), historyFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errAnalyzingFile", this.getModuleName(), historyFile.getName())); continue; } 
@@ -183,26 +186,36 @@ class ChromeExtractor extends Extractor { new BlackboardAttribute( TSK_DOMAIN, PARENT_MODULE_NAME, Util.extractDomain(Objects.toString(result.get("url"), "")))); //NON-NLS - bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes)); + try { + BlackboardArtifact bbart = historyFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); + bbart.addAttributes(bbattributes); + bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Chrome history artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errAnalyzingFile", + this.getModuleName(), historyFile.getName())); + } } dbFile.delete(); } - - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - PARENT_MODULE_NAME, - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Chrome history artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** * Search for bookmark files and make artifacts. */ private void getBookmark() { - FileManager fileManager = currentCase.getServices().getFileManager(); List bookmarkFiles; try { bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; 
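Review bot: In the new try block that replaces `this.addArtifact(...)`, a TskCoreException thrown by `bbart.addAttributes(bbattributes)` after `historyFile.newArtifact(...)` has already succeeded leaves an attribute-less TSK_WEB_HISTORY artifact in the case database that is never added to `bbartifacts` and therefore never posted. The removed helper had the same ordering, so this is not a regression, but now that the sequence is inlined in every method it deserves a comment such as `// NOTE: if addAttributes fails, the bare artifact created by newArtifact stays in the DB and is not posted`. The same two-step pattern recurs in the bookmark (@@ -318), cookie (@@ -409), download (@@ -497) and login (@@ -588) hunks of this file. The enclosing loop starts outside this hunk.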
@@ -215,25 +228,25 @@ class ChromeExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; - while (j < bookmarkFiles.size()) { - AbstractFile bookmarkFile = bookmarkFiles.get(j++); + int index = 0; + while (index < bookmarkFiles.size()) { + AbstractFile bookmarkFile = bookmarkFiles.get(index++); if (bookmarkFile.getSize() == 0) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName() + index + ".db"; //NON-NLS try { ContentUtils.writeToFile(bookmarkFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome bookmark artifacts file '%s' (id=%d).", bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile", this.getModuleName(), bookmarkFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome bookmark artifacts file '%s' (id=%d).", temps, bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile", this.getModuleName(), bookmarkFile.getName())); continue; } 
@@ -251,7 +264,7 @@ class ChromeExtractor extends Extractor { } catch (FileNotFoundException ex) { logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getModuleName(), + NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getModuleName(), bookmarkFile.getName())); continue; } @@ -269,7 +282,7 @@ class ChromeExtractor extends Extractor { jBookmarkArray = jBookmark.getAsJsonArray("children"); //NON-NLS } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) { logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile3", this.getModuleName(), bookmarkFile.getName())); continue; } @@ -302,10 +315,10 @@ class ChromeExtractor extends Extractor { } String domain = Util.extractDomain(url); try { - - Collection bbattributes = Arrays.asList(new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME, - url), + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + url), new BlackboardAttribute( TSK_TITLE, PARENT_MODULE_NAME, name), 
@@ -318,34 +331,35 @@ class ChromeExtractor extends Extractor { new BlackboardAttribute( TSK_DOMAIN, PARENT_MODULE_NAME, domain)); - - bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes)); + BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); + bbart.addAttributes(bbattributes); + bbartifacts.add(bbart); } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS + logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4", + NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile4", this.getModuleName(), bookmarkFile.getName())); } } dbFile.delete(); } - - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - PARENT_MODULE_NAME, - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Chrome bookmark artifact{0}", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** * Queries for cookie files and adds artifacts */ - private void getCookie() throws TskCoreException { - - FileManager fileManager = currentCase.getServices().getFileManager(); + private void getCookie() { List cookiesFiles; try { cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; 
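Review bot: The post-failure log call in the @@ -318 hunk, `logger.log(Level.SEVERE, "Error while trying to post Chrome bookmark artifact{0}", ex);`, keeps a `{0}` placeholder that the commit removed from the neighbouring insert message; with a Throwable as the third argument java.util.logging resolves to `log(Level, String, Throwable)`, so the placeholder is never substituted and is printed literally. Change it to `logger.log(Level.SEVERE, "Error while trying to post Chrome bookmark artifact.", ex); //NON-NLS` to match the history, cookie and download variants in this patch. The getBookmark loop body starts outside this hunk.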
@@ -358,25 +372,25 @@ class ChromeExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; - while (j < cookiesFiles.size()) { - AbstractFile cookiesFile = cookiesFiles.get(j++); + int index = 0; + while (index < cookiesFiles.size()) { + AbstractFile cookiesFile = cookiesFiles.get(index++); if (cookiesFile.getSize() == 0) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName() + index + ".db"; //NON-NLS try { ContentUtils.writeToFile(cookiesFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome cookie artifacts file '%s' (id=%d).", cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errAnalyzeFile", this.getModuleName(), cookiesFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome cookie artifacts file '%s' (id=%d).", temps, cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errAnalyzeFile", this.getModuleName(), cookiesFile.getName())); continue; } 
@@ -409,27 +423,37 @@ class ChromeExtractor extends Extractor { new BlackboardAttribute( TSK_PROG_NAME, PARENT_MODULE_NAME, getModuleName())); - bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes)); + try { + BlackboardArtifact bbart = cookiesFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); + bbart.addAttributes(bbattributes); + bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to insert Chrome cookie artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errAnalyzingFile", + this.getModuleName(), cookiesFile.getName())); + } } dbFile.delete(); } - - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - PARENT_MODULE_NAME, - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Chrome cookie artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** * Queries for download files and adds artifacts */ - private void getDownload() throws TskCoreException { - FileManager fileManager = currentCase.getServices().getFileManager(); + private void getDownload() { List downloadFiles; try { downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; 
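Review bot: The new catch block in the @@ -409 hunk looks up the bundle key `Chrome.getCookie.errMsg.errAnalyzingFile`, while the rest of getCookie (see the @@ -358 hunk) uses `Chrome.getCookie.errMsg.errAnalyzeFile`; this patch's diffstat lists no Bundle.properties change, so if the new key does not already exist, `NbBundle.getMessage` will throw a MissingResourceException from inside the error handler. Either reuse the existing key, `NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errAnalyzeFile", this.getModuleName(), cookiesFile.getName())`, or add the new one to the bundle. The getCookie loop body starts outside this hunk.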
@@ -442,25 +466,25 @@ class ChromeExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; - while (j < downloadFiles.size()) { - AbstractFile downloadFile = downloadFiles.get(j++); + int index = 0; + while (index < downloadFiles.size()) { + AbstractFile downloadFile = downloadFiles.get(index++); if (downloadFile.getSize() == 0) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName() + index + ".db"; //NON-NLS try { ContentUtils.writeToFile(downloadFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome download artifacts file '%s' (id=%d).", downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", this.getModuleName(), downloadFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome download artifacts file '%s' (id=%d).", temps, downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", this.getModuleName(), downloadFile.getName())); continue; } 
@@ -497,30 +521,37 @@ class ChromeExtractor extends Extractor { if (pathID != -1) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, PARENT_MODULE_NAME, pathID)); } - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes); - if (bbart != null) { + try { + BlackboardArtifact bbart = downloadFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); + bbart.addAttributes(bbattributes); bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to insert Chrome download artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", + this.getModuleName(), downloadFile.getName())); } } dbFile.delete(); } - - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - PARENT_MODULE_NAME, - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Chrome download artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** * Queries for login files and adds artifacts */ - private void getLogin() throws TskCoreException, TskCoreException { - FileManager fileManager = currentCase.getServices().getFileManager(); + private void getLogin() { List signonFiles; try { signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; 
@@ -533,25 +564,25 @@ class ChromeExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; - while (j < signonFiles.size()) { - AbstractFile signonFile = signonFiles.get(j++); + int index = 0; + while (index < signonFiles.size()) { + AbstractFile signonFile = signonFiles.get(index++); if (signonFile.getSize() == 0) { continue; } - String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName() + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName() + index + ".db"; //NON-NLS try { ContentUtils.writeToFile(signonFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome login artifacts file '%s' (id=%d).", signonFile.getName(), signonFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getModuleName(), signonFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome login artifacts file '%s' (id=%d).", temps, signonFile.getName(), signonFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getModuleName(), signonFile.getName())); continue; } 
@@ -588,22 +619,47 @@ class ChromeExtractor extends Extractor { TSK_DOMAIN, PARENT_MODULE_NAME, Objects.toString(result.get("signon_realm"), ""))); //NON-NLS - bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes)); + try { + BlackboardArtifact bbart = signonFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); + bbart.addAttributes(bbattributes); + bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to insert Chrome login artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.getModuleName(), signonFile.getName())); + } // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent - //TODO: Why not? Because it has a different artifact type? - BlackboardAttribute osAcctAttribute = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, PARENT_MODULE_NAME, - Objects.toString(result.get("username_value"), "").replaceAll("'", "''")); //NON-NLS + //TODO: Why not? Because it has a different artifact type? We can just post it seperately? 
+ try { + BlackboardAttribute osAcctAttribute = new BlackboardAttribute(TSK_USER_NAME, PARENT_MODULE_NAME, + Objects.toString(result.get("username_value"), "").replaceAll("'", "''")); //NON-NLS + BlackboardArtifact osAccountArtifact = signonFile.newArtifact(TSK_OS_ACCOUNT); + osAccountArtifact.addAttributes(Collections.singleton(osAcctAttribute)); - this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, Collections.singleton(osAcctAttribute)); + blackboard.postArtifact(osAccountArtifact, PARENT_MODULE_NAME); + + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to insert Chrome os account artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.getModuleName(), signonFile.getName())); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Chrome os account artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } dbFile.delete(); } - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - PARENT_MODULE_NAME, - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Chrome login artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } private boolean isChromePreVersion30(String temps) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java index 1a32e2b57b..becead2723 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java 
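Review bot: The new TSK_OS_ACCOUNT code in the @@ -588 hunk carries over `.replaceAll("'", "''")` on `username_value`; that is SQL-literal escaping, but the value is handed to a BlackboardAttribute through the API rather than into hand-built SQL, so a username containing an apostrophe is presumably stored with it doubled — verify against the attribute code path and drop the replaceAll if so. The OS-account artifact is also posted one row at a time with `blackboard.postArtifact(osAccountArtifact, PARENT_MODULE_NAME)` inside the loop, while the login artifacts are batched after it; collecting the OS-account artifacts into a second collection and posting once after the loop would be consistent with the rest of the method and would resolve the TODO left above it. The enclosing loop starts outside this hunk.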
@@ -31,8 +31,8 @@ import org.openide.util.NbBundle; import org.openide.util.NbBundle.Messages; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; +import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; -import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil; import org.sleuthkit.autopsy.coreutils.SQLiteDBConnect; import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException; @@ -44,6 +44,9 @@ abstract class Extractor { protected Case currentCase; protected SleuthkitCase tskCase; + protected Blackboard blackboard; + protected FileManager fileManager; + private final ArrayList errorMessages = new ArrayList<>(); boolean dataFound = false; @@ -54,11 +57,16 @@ abstract class Extractor { */ abstract protected String getModuleName(); + @Messages({"Extract.indexError.message=Failed to index artifact for keyword search.", + "Extract.noOpenCase.errMsg=No open case available."}) final void init() throws IngestModuleException { try { currentCase = Case.getCurrentCaseThrows(); tskCase = currentCase.getSleuthkitCase(); + blackboard = tskCase.getBlackboard(); + fileManager = currentCase.getServices().getFileManager(); } catch (NoCurrentCaseException ex) { + //TODO: fix this error message throw new IngestModuleException(Bundle.Extract_indexError_message(), ex); } configExtractor(); 
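Review bot: `init()` in the @@ -54 hunk still throws `IngestModuleException(Bundle.Extract_indexError_message(), ex)` ("Failed to index artifact for keyword search.") when no case is open, and the commit only adds a `//TODO: fix this error message` next to it while moving the `@Messages` declaration that already provides `Extract.noOpenCase.errMsg` onto this very method. Use the matching key: `throw new IngestModuleException(Bundle.Extract_noOpenCase_errMsg(), ex);`. The new `protected Blackboard blackboard` and `protected FileManager fileManager` fields are assigned only here; a comment such as `// assigned by init(); subclasses must not redeclare these fields` would help, since a subclass field of the same name silently shadows them.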
@@ -95,51 +103,25 @@ abstract class Extractor { errorMessages.add(message); } - /** - * Generic method for adding a blackboard artifact to the blackboard and - * indexing it - * - * @param type is a blackboard.artifact_type enum to determine which - * type the artifact should be - * @param content is the AbstractFile object that needs to have the - * artifact added for it - * @param bbattributes is the collection of blackboard attributes that need - * to be added to the artifact after the artifact has - * been created - * @return The newly-created artifact - * - * @throws org.sleuthkit.datamodel.TskCoreException If there was a problem - * creating the artifact. - */ - protected BlackboardArtifact addArtifact(BlackboardArtifact.ARTIFACT_TYPE type, AbstractFile content, Collection bbattributes) throws TskCoreException { - BlackboardArtifact bbart = content.newArtifact(type); - bbart.addAttributes(bbattributes); - // index the artifact for keyword search - this.indexArtifact(bbart); - return bbart; - } - - /** - * Method to index a blackboard artifact for keyword search - * - * @param bbart Blackboard artifact to be indexed - */ - @Messages({"Extract.indexError.message=Failed to index artifact for keyword search.", - "Extract.noOpenCase.errMsg=No open case available."}) - void indexArtifact(BlackboardArtifact bbart) { - try { - Blackboard blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard(); - // index the artifact for keyword search - blackboard.postArtifact(bbart, getModuleName()); - } catch (Blackboard.BlackboardException ex) { - logger.log(Level.SEVERE, "Unable to index blackboard artifact " + bbart.getDisplayName(), ex); //NON-NLS - MessageNotifyUtil.Notify.error(Bundle.Extract_indexError_message(), bbart.getDisplayName()); - } catch (NoCurrentCaseException ex) { - logger.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS - MessageNotifyUtil.Notify.error(Bundle.Extract_noOpenCase_errMsg(), bbart.getDisplayName()); - } - 
} - +// +// /** +// * Method to index a blackboard artifact for keyword search +// * +// * @param bbart Blackboard artifact to be indexed +// */ +// +// void postArtifacts(Collections bbarts) throws Blackboard.BlackboardException { +// +// // index the artifact for keyword search +// blackboard.postArtifact(bbarts, getModuleName()); +//// } catch (Blackboard.BlackboardException ex) { +//// logger.log(Level.SEVERE, "Unable to index blackboard artifact " + bbart.getDisplayName(), ex); //NON-NLS +//// MessageNotifyUtil.Notify.error(Bundle.Extract_indexError_message(), bbart.getDisplayName()); +//// } catch (NoCurrentCaseException ex) { +//// logger.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS +//// MessageNotifyUtil.Notify.error(Bundle.Extract_noOpenCase_errMsg(), bbart.getDisplayName()); +//// } +// } /** * Returns a List from a result set based on sql query. This is used to * query sqlite databases storing user recent activity data, such as in diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java index 8d09631e1b..13d3bc787e 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java 
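Review bot: The @@ -95 hunk replaces the removed addArtifact/indexArtifact helpers with a fully commented-out `postArtifacts(Collections bbarts)` sketch, while every extractor in this patch now repeats the same `try { blackboard.postArtifacts(...) } catch (Blackboard.BlackboardException ex) { log; addErrorMessage(...) }` block. Either delete the dead comment block or turn it into a real helper so the subclasses share one implementation; a possible shape is below. Note that the removed indexArtifact posted under `getModuleName()` whereas the new subclass code posts under each class's `PARENT_MODULE_NAME`, so the helper should take the module name as a parameter rather than choose one, and the `Extractor.errPostingArtifacts` `@Messages` declaration currently on ChromeExtractor.getHistory() belongs on this helper. The Javadoc that follows the comment block continues outside the hunk.
```java
    /**
     * Posts a batch of artifacts to the blackboard, logging the failure and
     * recording a module error message if posting fails.
     *
     * @param artifacts  artifacts already written to the case database
     * @param moduleName module name to post them under
     */
    void postArtifacts(Collection<BlackboardArtifact> artifacts, String moduleName) {
        try {
            blackboard.postArtifacts(artifacts, moduleName);
        } catch (Blackboard.BlackboardException ex) {
            logger.log(Level.SEVERE, "Error while trying to post artifacts.", ex); //NON-NLS
            addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName()));
        }
    }
    // … unchanged: the result-set-to-List helper that follows …
```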
@@ -22,27 +22,42 @@ */ package org.sleuthkit.autopsy.recentactivity; +import com.google.common.collect.Lists; import java.io.File; import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.HashMap; import java.util.List; +import java.util.Objects; import java.util.logging.Level; import org.openide.util.NbBundle; -import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.IngestJobContext; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; -import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY; import org.sleuthkit.datamodel.BlackboardAttribute; -import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH; 
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REFERRER; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; import org.sleuthkit.datamodel.TskCoreException; 
@@ -50,22 +65,25 @@ import org.sleuthkit.datamodel.TskCoreException; /** * Firefox recent activity extraction */ -class FirefoxExtractor extends Extractor { +final class FirefoxExtractor extends Extractor { private static final Logger logger = Logger.getLogger(FirefoxExtractor.class.getName()); + private static final String PARENT_MODULE_NAME = NbBundle.getMessage(FirefoxExtractor.class, + "Firefox.parentModuleName.noSpace"); + private static final String HISTORY_QUERY = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000000) AS visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; //NON-NLS private static final String COOKIE_QUERY = "SELECT name,value,host,expiry,(lastAccessed/1000000) AS lastAccessed,(creationTime/1000000) AS creationTime FROM moz_cookies"; //NON-NLS private static final String COOKIE_QUERY_V3 = "SELECT name,value,host,expiry,(lastAccessed/1000000) AS lastAccessed FROM moz_cookies"; //NON-NLS private static final String BOOKMARK_QUERY = "SELECT fk, moz_bookmarks.title, url, (moz_bookmarks.dateAdded/1000000) AS dateAdded FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; //NON-NLS private static final String DOWNLOAD_QUERY = "SELECT target, source,(startTime/1000000) AS startTime, maxBytes FROM moz_downloads"; //NON-NLS private static final String DOWNLOAD_QUERY_V24 = "SELECT url, content AS target, (lastModified/1000000) AS lastModified FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND moz_annos.anno_attribute_id = 3"; //NON-NLS - private final IngestServices services = IngestServices.getInstance(); + private Content dataSource; private IngestJobContext context; @Override protected String getModuleName() { - return NbBundle.getMessage(FirefoxExtractor.class, "Firefox.getModuleName()"); + return NbBundle.getMessage(FirefoxExtractor.class, 
"Firefox.moduleName"); } @Override @@ -75,12 +93,12 @@ class FirefoxExtractor extends Extractor { dataFound = false; this.getHistory(); this.getBookmark(); - this.getDownload(); + getDownloadPreVersion24(); + getDownloadVersion24(); this.getCookie(); } private void getHistory() { - FileManager fileManager = currentCase.getServices().getFileManager(); List historyFiles; try { historyFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox"); //NON-NLS @@ -99,14 +117,14 @@ class FirefoxExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; + int index = 0; for (AbstractFile historyFile : historyFiles) { if (historyFile.getSize() == 0) { continue; } String fileName = historyFile.getName(); - String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + index + ".db"; //NON-NLS try { ContentUtils.writeToFile(historyFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { 
@@ -132,52 +150,53 @@ class FirefoxExtractor extends Extractor { List> tempList = this.dbConnect(temps, HISTORY_QUERY); logger.log(Level.INFO, "{0} - Now getting history from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - (Long.valueOf(result.get("visit_date").toString())))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("ref").toString() != null) ? result.get("ref").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), (Util.extractDomain((result.get("url").toString() != null) ? 
result.get("url").toString() : "")))); //NON-NLS - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes); - if (bbart != null) { + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("url"), "")),//NON-NLS + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + Long.valueOf(result.get("visit_date").toString())), //NON-NLS + new BlackboardAttribute( + TSK_REFERRER, PARENT_MODULE_NAME, + Objects.toString(result.get("ref"), "")), //NON-NLS + new BlackboardAttribute( + TSK_TITLE, PARENT_MODULE_NAME, + Objects.toString(result.get("title"), "")), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + Util.extractDomain(Objects.toString(result.get("url"), "")))); //NON-NLS + try { + BlackboardArtifact bbart = historyFile.newArtifact(TSK_WEB_HISTORY); + bbart.addAttributes(bbattributes); bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Firefox history artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Firefox.getHistory.errMsg.errAnalyzeFile=", //NON-NLS + this.getModuleName(), historyFile.getName())); } + } - ++j; + index++; dbFile.delete(); } - - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Firefox history artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** * Queries for bookmark files and adds artifacts */ private void getBookmark() { - - FileManager 
fileManager = currentCase.getServices().getFileManager(); List bookmarkFiles; try { bookmarkFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox"); //NON-NLS @@ -195,13 +214,13 @@ class FirefoxExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; + int index = 0; for (AbstractFile bookmarkFile : bookmarkFiles) { if (bookmarkFile.getSize() == 0) { continue; } String fileName = bookmarkFile.getName(); - String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + index + ".db"; //NON-NLS try { ContentUtils.writeToFile(bookmarkFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { 
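Review bot: The new catch block in getHistory resolves its message with `NbBundle.getMessage(ChromeExtractor.class, "Firefox.getHistory.errMsg.errAnalyzeFile=", ...)` — wrong class and a trailing `=` in the key — so unless that exact key exists in ChromeExtractor's bundle the handler itself throws MissingResourceException, and a TskCoreException that was meant to be logged instead escapes the loop, skipping `dbFile.delete()` and the `postArtifacts` call. It should be `NbBundle.getMessage(FirefoxExtractor.class, "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), historyFile.getName())`, assuming the bundle key carries no `=`. The url, ref and title columns are now null-guarded with `Objects.toString(..., "")`, but `Long.valueOf(result.get("visit_date").toString())` still dereferences a column read from the suspect's places.sqlite, and a NULL there aborts the whole pass with an NPE; `Long.valueOf(Objects.toString(result.get("visit_date"), "0"))` keeps one bad row from doing that. The start of getHistory lies above this hunk.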
@@ -227,49 +246,51 @@ class FirefoxExtractor extends Extractor { logger.log(Level.INFO, "{0} - Now getting bookmarks from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS - if (Long.valueOf(result.get("dateAdded").toString()) > 0) { //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - (Long.valueOf(result.get("dateAdded").toString())))); //NON-NLS + Collection bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("url"), "")), //NON-NLS + new BlackboardAttribute( + TSK_TITLE, PARENT_MODULE_NAME, + Objects.toString(result.get("title"), "")), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + Util.extractDomain(Objects.toString(result.get("url"), "")))); //NON-NLS + Long createdTime = Long.valueOf(result.get("dateAdded").toString()); + if (createdTime > 0) { //NON-NLS + bbattributes.add(new BlackboardAttribute( + TSK_DATETIME_CREATED, PARENT_MODULE_NAME, + createdTime)); //NON-NLS } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), 
"Firefox.getModuleName()"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS - - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes); - if (bbart != null) { + try { + BlackboardArtifact bbart = bookmarkFile.newArtifact(TSK_WEB_BOOKMARK); + bbart.addAttributes(bbattributes); bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Firefox bookmark artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Firefox.getBookmark.errMsg.errAnalyzeFile=", //NON-NLS + this.getModuleName(), bookmarkFile.getName())); } } - ++j; + index++; dbFile.delete(); } - - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Firefox bookmark artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** * Queries for cookies file and adds artifacts */ private void getCookie() { - FileManager fileManager = currentCase.getServices().getFileManager(); List cookiesFiles; try { cookiesFiles = fileManager.findFiles(dataSource, "cookies.sqlite", "Firefox"); //NON-NLS 
@@ -287,13 +308,13 @@ class FirefoxExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; + int index = 0; for (AbstractFile cookiesFile : cookiesFiles) { if (cookiesFile.getSize() == 0) { continue; } String fileName = cookiesFile.getName(); - String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + index + ".db"; //NON-NLS try { ContentUtils.writeToFile(cookiesFile, new File(temps), context::dataSourceIngestIsCancelled); } catch (ReadContentInputStreamException ex) { 
@@ -317,71 +338,57 @@ class FirefoxExtractor extends Extractor { break; } boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", temps); //NON-NLS - String query; - if (checkColumn) { - query = COOKIE_QUERY; - } else { - query = COOKIE_QUERY_V3; - } + String query = checkColumn ? COOKIE_QUERY : COOKIE_QUERY_V3; List> tempList = this.dbConnect(temps, query); logger.log(Level.INFO, "{0} - Now getting cookies from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("host").toString() != null) ? result.get("host").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - (Long.valueOf(result.get("lastAccessed").toString())))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("value").toString() != null) ? 
result.get("value").toString() : ""))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); - - if (checkColumn == true) { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), + Collection bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("host"), "")), //NON-NLS + new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME, + Long.valueOf(result.get("lastAccessed").toString())), //NON-NLS + new BlackboardAttribute( + TSK_NAME, PARENT_MODULE_NAME, + Objects.toString(result.get("name"), "")), //NON-NLS + new BlackboardAttribute( + TSK_VALUE, PARENT_MODULE_NAME, + Objects.toString(result.get("value"), "")), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + Util.extractDomain(result.get("host").toString()).replaceFirst("^\\.+(?!$)", ""))); //NON-NLS + if (checkColumn) { + bbattributes.add(new BlackboardAttribute( + TSK_DATETIME_CREATED, PARENT_MODULE_NAME, (Long.valueOf(result.get("creationTime").toString())))); //NON-NLS } - String domain = Util.extractDomain(result.get("host").toString()); //NON-NLS - domain = domain.replaceFirst("^\\.+(?!$)", ""); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), domain)); - - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); - if (bbart != null) { + try { + BlackboardArtifact bbart = cookiesFile.newArtifact(TSK_WEB_COOKIE); + bbart.addAttributes(bbattributes); bbartifacts.add(bbart); + } catch (TskCoreException ex) { + 
logger.log(Level.SEVERE, "Error while trying to create Firefox cookie artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Firefox.getCookie.errMsg.errAnalyzeFile=", //NON-NLS + this.getModuleName(), cookiesFile.getName())); } } - ++j; + ++index; dbFile.delete(); } - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts)); - } - - /** - * Queries for downloads files and adds artifacts - */ - private void getDownload() { - getDownloadPreVersion24(); - getDownloadVersion24(); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Firefox cookie artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** @@ -391,7 +398,6 @@ class FirefoxExtractor extends Extractor { */ private void getDownloadPreVersion24() { - FileManager fileManager = currentCase.getServices().getFileManager(); List downloadsFiles; try { downloadsFiles = fileManager.findFiles(dataSource, "downloads.sqlite", "Firefox"); //NON-NLS @@ -409,13 +415,13 @@ class FirefoxExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; + int index = 0; for (AbstractFile downloadsFile : downloadsFiles) { if (downloadsFile.getSize() == 0) { continue; } String fileName = downloadsFile.getName(); - String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + index + ".db"; //NON-NLS int errors = 0; try { ContentUtils.writeToFile(downloadsFile, new File(temps), context::dataSourceIngestIsCancelled); 
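Review bot: In the cookie loop the same `host` column is null-guarded for TSK_URL (`Objects.toString(result.get("host"), "")`) but dereferenced bare for TSK_DOMAIN (`Util.extractDomain(result.get("host").toString())`), so a NULL host in the suspect's cookies.sqlite throws an NPE out of the loop and past the `dbFile.delete()` and `postArtifacts` that follow. Hoist it once, `String host = Objects.toString(result.get("host"), "");`, and use `host` for both attributes. The catch block has the same bundle problem as the history and bookmark paths: `NbBundle.getMessage(ChromeExtractor.class, "Firefox.getCookie.errMsg.errAnalyzeFile=", ...)` will itself throw MissingResourceException unless that exact key is in ChromeExtractor's bundle, and should read `NbBundle.getMessage(FirefoxExtractor.class, "Firefox.getCookie.errMsg.errAnalyzeFile", this.getModuleName(), cookiesFile.getName())`. The `++index` here is also the only pre-increment left after the other loops moved to `index++`; harmless, but worth aligning. getCookie starts above this hunk.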
@@ -443,52 +449,43 @@ class FirefoxExtractor extends Extractor { logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("source").toString() != null) ? result.get("source").toString() : ""))); //NON-NLS - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? EscapeUtil.decodeURL(result.get("source").toString()) : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - (Long.valueOf(result.get("startTime").toString())))); //NON-NLS + Collection bbattributes = Lists.newArrayList( + new BlackboardAttribute(TSK_URL, PARENT_MODULE_NAME, + Objects.toString(result.get("source"), "")), //NON-NLS + new BlackboardAttribute(TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + Long.valueOf(result.get("startTime").toString())), //NON-NLS + new BlackboardAttribute(TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute(TSK_DOMAIN, PARENT_MODULE_NAME, + Util.extractDomain(Objects.toString(result.get("source"), "")))); //NON-NLS String target = result.get("target").toString(); //NON-NLS - if (target != null) { - try { - String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - decodedTarget)); - long pathID = Util.findID(dataSource, decodedTarget); - if (pathID != -1) { - bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - pathID)); - } - } catch (UnsupportedEncodingException ex) { - logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex); //NON-NLS - errors++; + try { + String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS + bbattributes.add(new BlackboardAttribute( + TSK_PATH, PARENT_MODULE_NAME, + decodedTarget)); + long pathID = Util.findID(dataSource, decodedTarget); + if (pathID != -1) { + bbattributes.add(new BlackboardAttribute( + TSK_PATH_ID, PARENT_MODULE_NAME, + pathID)); } + } catch (UnsupportedEncodingException ex) { + logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex); //NON-NLS + errors++; } + try { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - (Util.extractDomain((result.get("source").toString() != null) ? result.get("source").toString() : "")))); //NON-NLS - - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes); - if (bbart != null) { + BlackboardArtifact bbart = downloadsFile.newArtifact(TSK_WEB_DOWNLOAD); + bbart.addAttributes(bbattributes); bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Firefox download artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "Firefox.getDlPre24.errMsg.errAnalyzeFiles", //NON-NLS + this.getModuleName(), downloadsFile.getName())); } } if (errors > 0) { 
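Review bot: `URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8")` throws IllegalArgumentException on a malformed percent-escape, and `target` is read straight from the suspect's downloads.sqlite, yet the catch still covers only UnsupportedEncodingException — which cannot occur for "UTF-8" — so one malformed row unwinds getDownloadPreVersion24 past the temp-file cleanup and the post. Widen it to `} catch (UnsupportedEncodingException | IllegalArgumentException ex) {` so the row is counted in `errors` like a bad encoding would be. The hunk also drops the `if (target != null)` guard, but `result.get("target").toString()` NPEs on a NULL column before decode is ever reached; `String target = Objects.toString(result.get("target"), null); if (target != null) { ... }` restores the intended skip. The catch that follows resolves its message on `ChromeExtractor.class`, which only works if `Firefox.getDlPre24.errMsg.errAnalyzeFiles` lives in that bundle; `FirefoxExtractor.class` is the safer choice. The loop's remainder continues in the next hunk.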
@@ -496,14 +493,16 @@ class FirefoxExtractor extends Extractor { NbBundle.getMessage(this.getClass(), "Firefox.getDlPre24.errMsg.errParsingArtifacts", this.getModuleName(), errors)); } - j++; + index++; dbFile.delete(); - break; } - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Firefox download artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } /** @@ -512,7 +511,6 @@ class FirefoxExtractor extends Extractor { * Downloads are stored in the places database. */ private void getDownloadVersion24() { - FileManager fileManager = currentCase.getServices().getFileManager(); List downloadsFiles; try { downloadsFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox"); //NON-NLS @@ -530,13 +528,13 @@ class FirefoxExtractor extends Extractor { dataFound = true; Collection bbartifacts = new ArrayList<>(); - int j = 0; + int index = 0; for (AbstractFile downloadsFile : downloadsFiles) { if (downloadsFile.getSize() == 0) { continue; } String fileName = downloadsFile.getName(); - String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + "-downloads" + j + ".db"; //NON-NLS + String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + "-downloads" + index + ".db"; //NON-NLS int errors = 0; try { ContentUtils.writeToFile(downloadsFile, new File(temps), context::dataSourceIngestIsCancelled); 
@@ -566,65 +564,63 @@ class FirefoxExtractor extends Extractor { logger.log(Level.INFO, "{0} - Now getting downloads from {1} with {2} artifacts identified.", new Object[]{getModuleName(), temps, tempList.size()}); //NON-NLS for (HashMap result : tempList) { - Collection bbattributes = new ArrayList<>(); - - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? EscapeUtil.decodeURL(result.get("source").toString()) : ""))); - //TODO Revisit usage of deprecated constructor as per TSK-583 - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString())))); + Collection bbattributes = Lists.newArrayList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + result.get("url").toString()), //NON-NLS + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + Long.valueOf(result.get("lastModified").toString())), //NON-NLS + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + Util.extractDomain(result.get("url").toString()))); //NON-NLS String target = result.get("target").toString(); //NON-NLS - if (target != null) { - try { - String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - decodedTarget)); - long pathID = Util.findID(dataSource, decodedTarget); - if (pathID != -1) { - bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - pathID)); - } - } catch (UnsupportedEncodingException ex) { - logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex); //NON-NLS - errors++; - } - } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - Long.valueOf(result.get("lastModified").toString()))); //NON-NLS - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - NbBundle.getMessage(this.getClass(), "Firefox.getModuleName()"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "Firefox.parentModuleName.noSpace"), - (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS - BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes); - if (bbart != null) { + try { + String decodedTarget = URLDecoder.decode(target.replaceAll("file:///", ""), "UTF-8"); //NON-NLS + bbattributes.add(new BlackboardAttribute( + TSK_PATH, PARENT_MODULE_NAME, + decodedTarget)); + long pathID = Util.findID(dataSource, decodedTarget); + if (pathID != -1) { + bbattributes.add(new BlackboardAttribute( + TSK_PATH_ID, PARENT_MODULE_NAME, + pathID)); + } + } catch (UnsupportedEncodingException ex) { + logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex); //NON-NLS + errors++; + } + + try { + BlackboardArtifact bbart = downloadsFile.newArtifact(TSK_WEB_DOWNLOAD); + bbart.addAttributes(bbattributes); bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Firefox download artifact.", ex); //NON-NLS + this.addErrorMessage( + 
NbBundle.getMessage(ChromeExtractor.class, "Firefox.getDlV24.errMsg.errAnalyzeFile", //NON-NLS + this.getModuleName(), downloadsFile.getName())); } } if (errors > 0) { this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Firefox.getDlV24.errMsg.errParsingArtifacts", this.getModuleName(), errors)); } - j++; + index++; dbFile.delete(); - break; + } - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts)); + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Firefox download artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java index 4bc0d6c70d..4e1b5bbaae 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java @@ -29,7 +29,6 @@ import java.io.FileInputStream; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStreamReader; -import java.nio.file.Path; import java.text.ParseException; import java.text.SimpleDateFormat; import java.util.ArrayList; 
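Review bot: In getDownloadVersion24 both `result.get("url").toString()` and `Util.extractDomain(result.get("url").toString())` dereference the column bare, whereas the pre-24 path in this same commit guards its source URL with `Objects.toString(..., "")`; a NULL url in moz_places aborts the loop with an NPE before the artifact is created, and `result.get("target").toString()` has the same exposure. Use `Objects.toString(result.get("url"), "")` in both places and null-check the target before decoding. The decode catch only handles UnsupportedEncodingException, which "UTF-8" never raises, while `URLDecoder.decode` will throw IllegalArgumentException on a malformed `%xx` in the evidence; `catch (UnsupportedEncodingException | IllegalArgumentException ex)` lets the row be counted in `errors` instead of killing the extractor. The error message is resolved on `ChromeExtractor.class` with key `Firefox.getDlV24.errMsg.errAnalyzeFile`; unless that key is defined in ChromeExtractor's bundle, the handler throws MissingResourceException, so `FirefoxExtractor.class` belongs there. getDownloadVersion24 begins above this hunk.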
@@ -59,7 +58,6 @@ import org.sleuthkit.datamodel.*; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE; -import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED; @@ -153,8 +151,10 @@ class IEExtractor extends Extractor { NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")), new BlackboardAttribute( TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, Util.extractDomain(getURLFromIEBookmarkFile(fav)))); + BlackboardArtifact bbart = fav.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); + bbart.addAttributes(bbattributes); - bbartifacts.add(this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes)); + bbartifacts.add(bbart); } services.fireModuleDataEvent(new ModuleDataEvent( @@ -249,8 +249,10 @@ class IEExtractor extends Extractor { new BlackboardAttribute( TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, Util.extractDomain(URL))); + BlackboardArtifact bbart = cookiesFile.newArtifact(TSK_WEB_COOKIE); + bbart.addAttributes(bbattributes); - bbartifacts.add(this.addArtifact(TSK_WEB_COOKIE, cookiesFile, bbattributes)); + bbartifacts.add(bbart); } services.fireModuleDataEvent(new ModuleDataEvent( NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), TSK_WEB_COOKIE, bbartifacts)); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java index efef7851d9..27899a82e9 100644 
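Review bot: IEExtractor's favorites loop now calls `fav.newArtifact(...)` and `bbart.addAttributes(bbattributes)` directly but still publishes through `services.fireModuleDataEvent(...)`, whereas the Firefox hunks in this same commit moved to `blackboard.postArtifacts(bbartifacts, ...)`; if the event path is being retired, IE (and the cookie hunk below it) should follow, otherwise two notification mechanisms coexist in one module. Both calls declare TskCoreException and the enclosing loop is outside the hunk, so it is not visible whether a failure on one favorite is caught per item or aborts the rest — the replaced `addArtifact` helper may have handled that, worth confirming. Presumably `newArtifact` also persists the artifact before `addAttributes` runs, in which case a failure in the second call leaves an attribute-less TSK_WEB_BOOKMARK in the case database; a comment such as `// NOTE(review): artifact is already stored here; an addAttributes failure leaves it without attributes — confirm` would flag that for the next maintainer.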
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java @@ -122,7 +122,8 @@ class RecentDocumentsLnkExtractor extends Extractor { NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.parentModuleName.noSpace"), recentFile.getCrtime())); - this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes); + BlackboardArtifact bbart = recentFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + bbart.addAttributes(bbattributes); } services.fireModuleDataEvent(new ModuleDataEvent( NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.parentModuleName"), diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java index a1b4b1f3c0..7d38270de8 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java @@ -531,7 +531,8 @@ class RegistryExtractor extends Extractor { new BlackboardAttribute(TSK_REMOTE_PATH, PARENT_MODULE_NAME, remoteName)); - addArtifact(TSK_REMOTE_DRIVE, regAbstractFile, bbattributes); + BlackboardArtifact bbart = regAbstractFile.newArtifact(TSK_REMOTE_DRIVE); + bbart.addAttributes(bbattributes); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding network drive artifact to blackboard."); //NON-NLS } @@ -550,7 +551,8 @@ class RegistryExtractor extends Extractor { TSK_PATH, PARENT_MODULE_NAME, homeDir)); - addArtifact(TSK_OS_ACCOUNT, regAbstractFile, bbattributes); + BlackboardArtifact bbart = regAbstractFile.newArtifact(TSK_OS_ACCOUNT); + bbart.addAttributes(bbattributes); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding account artifact to blackboard."); //NON-NLS } 
@@ -570,7 +572,8 @@ class RegistryExtractor extends Extractor { if (mtime != null) { bbattributes.add(new BlackboardAttribute(TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, mtime)); } - addArtifact(TSK_RECENT_OBJECT, regAbstractFile, bbattributes); + BlackboardArtifact bbart = regAbstractFile.newArtifact(TSK_RECENT_OBJECT); + bbart.addAttributes(bbattributes); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS } @@ -593,7 +596,8 @@ class RegistryExtractor extends Extractor { new BlackboardAttribute( TSK_DATETIME, PARENT_MODULE_NAME, itemMtime)); - addArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG, regAbstractFile, bbattributes); + BlackboardArtifact bbart = regAbstractFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); + bbart.addAttributes(bbattributes); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS } @@ -626,7 +630,9 @@ class RegistryExtractor extends Extractor { new BlackboardAttribute( TSK_DEVICE_ID, PARENT_MODULE_NAME, deviceID)); - usbBBartifacts.add(addArtifact(TSK_DEVICE_ATTACHED, regAbstractFile, bbattributes)); + BlackboardArtifact bbart = regAbstractFile.newArtifact(TSK_DEVICE_ATTACHED); + bbart.addAttributes(bbattributes); + usbBBartifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); //NON-NLS } @@ -659,7 +665,8 @@ class RegistryExtractor extends Extractor { // Check if there is already an OS_INFO artifact for this file and add to that if possible ArrayList results = caseDB.getBlackboardArtifacts(TSK_OS_INFO, regAbstractFile.getId()); if (results.isEmpty()) { - addArtifact(TSK_OS_INFO, regAbstractFile, bbattributes); + BlackboardArtifact bbart = regAbstractFile.newArtifact(TSK_OS_INFO); + bbart.addAttributes(bbattributes); } else { results.get(0).addAttributes(bbattributes); //TODO: does it need to get re-indexed? 
@@ -700,7 +707,8 @@ class RegistryExtractor extends Extractor { // Check if there is already an OS_INFO artifact for this file and add to that if possible ArrayList results = caseDB.getBlackboardArtifacts(TSK_OS_INFO, regAbstractFile.getId()); if (results.isEmpty()) { - addArtifact(TSK_OS_INFO, regAbstractFile, bbattributes); + BlackboardArtifact bbart = regAbstractFile.newArtifact(TSK_OS_INFO); + bbart.addAttributes(bbattributes); } else { results.get(0).addAttributes(bbattributes); } @@ -786,7 +794,8 @@ class RegistryExtractor extends Extractor { // Check if there is already an OS_INFO artifact for this file, and add to that if possible. ArrayList results = caseDB.getBlackboardArtifacts(TSK_OS_INFO, regAbstractFile.getId()); if (results.isEmpty()) { - addArtifact(TSK_OS_INFO, regAbstractFile, bbattributes); + BlackboardArtifact bbart = regAbstractFile.newArtifact(TSK_OS_INFO); + bbart.addAttributes(bbattributes); } else { results.get(0).addAttributes(bbattributes); } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java index ea3f73442d..b87777766c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java @@ -367,7 +367,8 @@ class SearchEngineURLQueryAnalyzer extends Extractor { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, NbBundle.getMessage(this.getClass(), "SearchEngineURLQueryAnalyzer.parentModuleName"), last_accessed)); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY, file, bbattributes); + BlackboardArtifact bbart = file.newArtifact(ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY); + bbart.addAttributes(bbattributes); se.increment(); ++totalQueries; } From 9d526ae124bef8027fd13c8ef5716bc60a354020 Mon Sep 17 00:00:00 2001 
From: millmanorama Date: Tue, 14 Aug 2018 11:58:38 +0200 Subject: [PATCH 10/17] fix IEExtractor.java for new API --- .../recentactivity/ChromeExtractor.java | 2 - .../recentactivity/FirefoxExtractor.java | 1 - .../autopsy/recentactivity/IEExtractor.java | 38 +++++++++---------- 3 files changed, 19 insertions(+), 22 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java index d83eb296fc..040974fdf0 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java @@ -36,7 +36,6 @@ import java.io.IOException; import java.util.*; import java.util.logging.Level; import org.openide.util.NbBundle; -import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.IngestJobContext; @@ -83,7 +82,6 @@ final class ChromeExtractor extends Extractor { private Content dataSource; private IngestJobContext context; - private FileManager fileManager; @Override protected String getModuleName() { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java index 13d3bc787e..13da43f9fc 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java @@ -180,7 +180,6 @@ final class FirefoxExtractor extends Extractor { NbBundle.getMessage(ChromeExtractor.class, "Firefox.getHistory.errMsg.errAnalyzeFile=", //NON-NLS this.getModuleName(), historyFile.getName())); } - } index++; dbFile.delete(); 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java index 4e1b5bbaae..6dc4058f6f 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java @@ -77,7 +77,7 @@ import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VAL class IEExtractor extends Extractor { private static final Logger logger = Logger.getLogger(IEExtractor.class.getName()); - private static final String PARENT_MODULE_NAME_NO_SPACE + private static final String PARENT_MODULE_NAME = NbBundle.getMessage(IEExtractor.class, "ExtractIE.parentModuleName.noSpace"); private static final String PASCO_DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"; @@ -141,16 +141,16 @@ class IEExtractor extends Extractor { Collection bbattributes = Arrays.asList( new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME_NO_SPACE, getURLFromIEBookmarkFile(fav)), + TSK_URL, PARENT_MODULE_NAME, getURLFromIEBookmarkFile(fav)), new BlackboardAttribute( - TSK_TITLE, PARENT_MODULE_NAME_NO_SPACE, fav.getName()), + TSK_TITLE, PARENT_MODULE_NAME, fav.getName()), new BlackboardAttribute( - TSK_DATETIME_CREATED, PARENT_MODULE_NAME_NO_SPACE, fav.getCrtime()), + TSK_DATETIME_CREATED, PARENT_MODULE_NAME, fav.getCrtime()), new BlackboardAttribute( - TSK_PROG_NAME, PARENT_MODULE_NAME_NO_SPACE, + TSK_PROG_NAME, PARENT_MODULE_NAME, NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")), new BlackboardAttribute( - TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, Util.extractDomain(getURLFromIEBookmarkFile(fav)))); + TSK_DOMAIN, PARENT_MODULE_NAME, Util.extractDomain(getURLFromIEBookmarkFile(fav)))); BlackboardArtifact bbart = fav.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); bbart.addAttributes(bbattributes); 
@@ -232,22 +232,22 @@ class IEExtractor extends Extractor { String URL = values.length > 2 ? values[2] : ""; Collection bbattributes = Arrays.asList(new BlackboardAttribute( - TSK_DATETIME, PARENT_MODULE_NAME_NO_SPACE, + TSK_DATETIME, PARENT_MODULE_NAME, cookiesFile.getCrtime()), new BlackboardAttribute( - TSK_NAME, PARENT_MODULE_NAME_NO_SPACE, + TSK_NAME, PARENT_MODULE_NAME, values.length > 0 ? values[0] : ""), new BlackboardAttribute( - TSK_VALUE, PARENT_MODULE_NAME_NO_SPACE, + TSK_VALUE, PARENT_MODULE_NAME, values.length > 1 ? values[1] : ""), new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME_NO_SPACE, + TSK_URL, PARENT_MODULE_NAME, URL), new BlackboardAttribute( - TSK_PROG_NAME, PARENT_MODULE_NAME_NO_SPACE, + TSK_PROG_NAME, PARENT_MODULE_NAME, getModuleName()), new BlackboardAttribute( - TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, + TSK_DOMAIN, PARENT_MODULE_NAME, Util.extractDomain(URL))); BlackboardArtifact bbart = cookiesFile.newArtifact(TSK_WEB_COOKIE); bbart.addAttributes(bbattributes); 
@@ -494,24 +494,24 @@ class IEExtractor extends Extractor { BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); Collection bbattributes = Arrays.asList( new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME_NO_SPACE, + TSK_URL, PARENT_MODULE_NAME, realurl), new BlackboardAttribute( - TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME_NO_SPACE, + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, ftime), //TODO: why are we adding an attribute that is always blank? new BlackboardAttribute( - TSK_REFERRER, PARENT_MODULE_NAME_NO_SPACE, + TSK_REFERRER, PARENT_MODULE_NAME, ""), // @@@ NOte that other browser modules are adding TITLE in here for the title new BlackboardAttribute( - TSK_PROG_NAME, PARENT_MODULE_NAME_NO_SPACE, + TSK_PROG_NAME, PARENT_MODULE_NAME, getModuleName()), new BlackboardAttribute( - TSK_DOMAIN, PARENT_MODULE_NAME_NO_SPACE, + TSK_DOMAIN, PARENT_MODULE_NAME, domain), new BlackboardAttribute( - TSK_USER_NAME, PARENT_MODULE_NAME_NO_SPACE, + TSK_USER_NAME, PARENT_MODULE_NAME, user)); bbart.addAttributes(bbattributes); @@ -521,7 +521,7 @@ class IEExtractor extends Extractor { if (reportedUserAccounts.contains(user) == false) { BlackboardArtifact osAttr = origFile.newArtifact(TSK_OS_ACCOUNT); - osAttr.addAttribute(new BlackboardAttribute(TSK_USER_NAME, PARENT_MODULE_NAME_NO_SPACE, user)); + osAttr.addAttribute(new BlackboardAttribute(TSK_USER_NAME, PARENT_MODULE_NAME, user)); // index the artifact for keyword search this.indexArtifact(osAttr); From 2febdce378d9f92796d5e622b1e3f6324da4a3fd Mon Sep 17 00:00:00 2001 From: millmanorama Date: Tue, 14 Aug 2018 13:04:50 +0200 Subject: [PATCH 11/17] use new API in IEExtractor --- .../autopsy/recentactivity/IEExtractor.java | 179 +++++++++++------- 1 file changed, 106 insertions(+), 73 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java index 6dc4058f6f..32438be99c 100644 
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java @@ -22,6 +22,7 @@ */ package org.sleuthkit.autopsy.recentactivity; +import com.google.common.collect.HashMultimap; import com.google.common.collect.Sets; import java.io.BufferedReader; import java.io.File; @@ -34,12 +35,10 @@ import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; -import java.util.Collections; import java.util.List; import java.util.Scanner; import java.util.Set; import java.util.logging.Level; -import java.util.stream.Collectors; import org.apache.commons.lang3.StringUtils; import org.openide.modules.InstalledFileLocator; import org.openide.util.NbBundle; @@ -52,12 +51,14 @@ import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator; import org.sleuthkit.autopsy.ingest.IngestJobContext; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; -import org.sleuthkit.datamodel.*; +import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.Blackboard; +import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY; +import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED; 
@@ -69,6 +70,9 @@ import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TIT import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE; +import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.ReadContentInputStream; +import org.sleuthkit.datamodel.TskCoreException; /** * Extracts activity from Internet Explorer browser, as well as recent documents @@ -81,7 +85,6 @@ class IEExtractor extends Extractor { = NbBundle.getMessage(IEExtractor.class, "ExtractIE.parentModuleName.noSpace"); private static final String PASCO_DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"; - private final IngestServices services = IngestServices.getInstance(); private final String moduleTempResultsDir; private final String JAVA_PATH = PlatformUtil.getJavaPath(); @@ -110,8 +113,7 @@ class IEExtractor extends Extractor { /** * Finds the files storing bookmarks and creates artifacts */ - private void getBookmark() throws TskCoreException { - FileManager fileManager = currentCase.getServices().getFileManager(); + private void getBookmark() { List favoritesFiles; try { favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); //NON-NLS 
@@ -151,15 +153,23 @@ class IEExtractor extends Extractor { NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")), new BlackboardAttribute( TSK_DOMAIN, PARENT_MODULE_NAME, Util.extractDomain(getURLFromIEBookmarkFile(fav)))); - BlackboardArtifact bbart = fav.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); - bbart.addAttributes(bbattributes); - - bbartifacts.add(bbart); - + try { + BlackboardArtifact bbart = fav.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); + bbart.addAttributes(bbattributes); + bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Internet Explorer bookmark artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getBookmark.errMsg.errGettingBookmarks", //NON-NLS + this.getModuleName(), fav.getName())); + } + } + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Internet Explorer bookmark artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); } - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts)); } private String getURLFromIEBookmarkFile(AbstractFile fav) { @@ -190,8 +200,7 @@ class IEExtractor extends Extractor { /** * Finds files that store cookies and adds artifacts for them. */ - private void getCookie() throws TskCoreException { - FileManager fileManager = currentCase.getServices().getFileManager(); + private void getCookie() { List cookiesFiles; try { cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); //NON-NLS 
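Review bot: In the bookmark hunk a `TskCoreException` thrown by `bbart.addAttributes(bbattributes)` after `fav.newArtifact(...)` has already succeeded leaves an attribute-less TSK_WEB_BOOKMARK artifact in the case database that is neither added to `bbartifacts` nor posted, and the log line does not say so. The catch also resolves the bundle key through `ChromeExtractor.class` while the rest of the method uses `NbBundle.getMessage(this.getClass(), ...)`; that only works because both classes share a package, so `this.getClass()` is the safer, consistent form. Consider `logger.log(Level.SEVERE, "Error creating IE bookmark artifact for " + fav.getName() + " (an empty artifact may remain)", ex); //NON-NLS`. Whether `blackboard.postArtifacts` tolerates an empty collection when no favorite produced an artifact is not visible here and worth checking.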
@@ -231,9 +240,10 @@ class IEExtractor extends Extractor { String[] values = new String(cookiesBuffer).split("\n"); String URL = values.length > 2 ? values[2] : ""; - Collection bbattributes = Arrays.asList(new BlackboardAttribute( - TSK_DATETIME, PARENT_MODULE_NAME, - cookiesFile.getCrtime()), + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME, + cookiesFile.getCrtime()), new BlackboardAttribute( TSK_NAME, PARENT_MODULE_NAME, values.length > 0 ? values[0] : ""), @@ -249,13 +259,23 @@ class IEExtractor extends Extractor { new BlackboardAttribute( TSK_DOMAIN, PARENT_MODULE_NAME, Util.extractDomain(URL))); - BlackboardArtifact bbart = cookiesFile.newArtifact(TSK_WEB_COOKIE); - bbart.addAttributes(bbattributes); + try { + BlackboardArtifact bbart = cookiesFile.newArtifact(TSK_WEB_COOKIE); + bbart.addAttributes(bbattributes); + bbartifacts.add(bbart); + } catch (TskCoreException ex) { + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getCookie.errMsg.errReadingIECookie", //NON-NLS + this.getModuleName(), cookiesFile.getName())); - bbartifacts.add(bbart); + } + } + try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Internet Explorer cookie artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); } - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), TSK_WEB_COOKIE, bbartifacts)); } /** 
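Review bot: The new catch in the cookie hunk (`@@ -249,13 +259,23 @@`) never logs `ex`; it only calls `addErrorMessage`, so a failed `cookiesFile.newArtifact` / `addAttributes` leaves no trace in the log, unlike the matching bookmark catch in this same commit. Add `logger.log(Level.SEVERE, "Error while trying to create Internet Explorer cookie artifact.", ex); //NON-NLS` before the `addErrorMessage` call. The bundle lookup through `ChromeExtractor.class` for an `ExtractIE.*` key also reads oddly; `this.getClass()` matches the rest of the file. On the context lines, `new String(cookiesBuffer)` decodes the cookie file with the platform default charset; not part of this change, but an explicit `StandardCharsets` value would make the TSK_NAME/TSK_VALUE attributes reproducible across analysis machines.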
@@ -264,7 +284,7 @@ class IEExtractor extends Extractor { private void getHistory() { logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS - //TODO: Why are we getting the pasoc library path for datasource we process? + //TODO: Why are we getting the pasco library path for datasource we process? final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", IEExtractor.class.getPackage().getName(), false); //NON-NLS if (pascoRoot == null) { this.addErrorMessage( @@ -302,7 +322,8 @@ class IEExtractor extends Extractor { dataFound = true; boolean foundHistory = false; - Collection bbartifacts = new ArrayList<>(); + Collection historyArtifacts = new ArrayList<>(); + Collection accountArtifacts = new ArrayList<>(); for (AbstractFile indexFile : indexFiles) { /* Since each result represent an index.dat file, just create these @@ -339,9 +360,9 @@ class IEExtractor extends Extractor { //Now fetch the results, parse them and the delete the file. if (bPascProcSuccess) { // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent - bbartifacts.addAll(parsePascoOutput(indexFile, filename).stream() - .filter(bbart -> bbart.getArtifactTypeID() == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) - .collect(Collectors.toList())); + HashMultimap artifacts = parsePascoOutput(indexFile, filename); + historyArtifacts.addAll(artifacts.get(TSK_WEB_HISTORY)); + accountArtifacts.addAll(artifacts.get(TSK_OS_ACCOUNT)); foundHistory = true; //Delete index.dat file since it was succcessfully parsed by Pasco 
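Review bot: The context comment `// Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent` in the `@@ -339,9 +360,9 @@` hunk is now contradicted by the new code, which collects `artifacts.get(TSK_OS_ACCOUNT)` into `accountArtifacts` that the next hunk posts. Replace it with something like `// Split the Pasco results by type so history and OS account artifacts are posted as separate batches.` The enclosing `getHistory` method continues past this hunk.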
@@ -354,9 +375,18 @@ class IEExtractor extends Extractor { } if (foundHistory) { - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts)); + try { + blackboard.postArtifacts(historyArtifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Internet Explorer history artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } + try { + blackboard.postArtifacts(accountArtifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post Internet Explorer os account artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } } @@ -412,7 +442,8 @@ class IEExtractor extends Extractor { * * @return A collection of created artifacts */ - private Collection parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) { + private HashMultimap parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) { + HashMultimap bbartifacts = HashMultimap.create(); String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName; 
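Review bot: The javadoc above `parsePascoOutput` in the `@@ -412,7 +442,8 @@` hunk still says `@return A collection of created artifacts`, but the method now returns a `HashMultimap` keyed by artifact type. Update it to `@return The created artifacts keyed by type (TSK_WEB_HISTORY or TSK_OS_ACCOUNT); empty if the output file is missing, empty or unreadable`. In the posting hunk above, the two independent try blocks mean a failure posting history still posts accounts, which is reasonable but deserves a one-line comment since the two user-facing messages are otherwise identical. Both hunks cut into methods that continue outside them.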
@@ -422,20 +453,19 @@ class IEExtractor extends Extractor { NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getModuleName(), file.getName())); logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS - return Collections.emptySet(); + return bbartifacts; } // Make sure the file the is not empty or the Scanner will // throw a "No Line found" Exception if (file.length() == 0) { - return Collections.emptySet(); + return bbartifacts; } try (Scanner fileScanner = new Scanner(new FileInputStream(file.toString()));) { // Keep a list of reported user accounts to avoid repeats. // Initialize it with the empty string to represent an unknown user. Set reportedUserAccounts = Sets.newHashSet(""); - Collection bbartifacts = new ArrayList<>(); while (fileScanner.hasNext()) { String line = fileScanner.nextLine(); if (!line.startsWith("URL")) { //NON-NLS 
@@ -490,47 +520,50 @@ class IEExtractor extends Extractor { } } + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_URL, PARENT_MODULE_NAME, + realurl), + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + ftime), + //TODO: why are we adding an attribute that is always blank? + new BlackboardAttribute( + TSK_REFERRER, PARENT_MODULE_NAME, + ""), + // @@@ NOte that other browser modules are adding TITLE in here for the title + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + getModuleName()), + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + domain), + new BlackboardAttribute( + TSK_USER_NAME, PARENT_MODULE_NAME, + user)); try { - BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); - Collection bbattributes = Arrays.asList( - new BlackboardAttribute( - TSK_URL, PARENT_MODULE_NAME, - realurl), - new BlackboardAttribute( - TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, - ftime), - //TODO: why are we adding an attribute that is always blank? 
- new BlackboardAttribute( - TSK_REFERRER, PARENT_MODULE_NAME, - ""), - // @@@ NOte that other browser modules are adding TITLE in here for the title - new BlackboardAttribute( - TSK_PROG_NAME, PARENT_MODULE_NAME, - getModuleName()), - new BlackboardAttribute( - TSK_DOMAIN, PARENT_MODULE_NAME, - domain), - new BlackboardAttribute( - TSK_USER_NAME, PARENT_MODULE_NAME, - user)); + BlackboardArtifact bbart = origFile.newArtifact(TSK_WEB_HISTORY); bbart.addAttributes(bbattributes); + bbartifacts.put(TSK_WEB_HISTORY, bbart); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Internet Explorer history artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getHistory.errMsg.errProcHist", //NON-NLS + origFile.getName())); + } - // index the artifact for keyword search - this.indexArtifact(bbart); - bbartifacts.add(bbart); - - if (reportedUserAccounts.contains(user) == false) { + if (reportedUserAccounts.contains(user) == false) { + try { BlackboardArtifact osAttr = origFile.newArtifact(TSK_OS_ACCOUNT); osAttr.addAttribute(new BlackboardAttribute(TSK_USER_NAME, PARENT_MODULE_NAME, user)); - - // index the artifact for keyword search - this.indexArtifact(osAttr); - bbartifacts.add(osAttr); - + bbartifacts.put(TSK_OS_ACCOUNT, osAttr); reportedUserAccounts.add(user); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error while trying to create Internet Explorer os account artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getHistory.errMsg.errProcHist", //NON-NLS + origFile.getName())); } - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS } } return bbartifacts; 
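Review bot: In this hunk (which starts on the previous line) an artifact created by `origFile.newArtifact(TSK_WEB_HISTORY)` is left in the case database without attributes when `bbart.addAttributes(bbattributes)` throws; it is not put into `bbartifacts`, so it is never posted, and the catch message does not mention it. The same applies to the `TSK_OS_ACCOUNT` branch, whose failure is additionally reported under the history key `ExtractIE.getHistory.errMsg.errProcHist`, so the user cannot tell which artifact type failed. At minimum make the log lines distinct and explicit, e.g. `logger.log(Level.SEVERE, "Error creating IE OS account artifact for user " + user + " from " + origFile.getName(), ex); //NON-NLS`, and decide whether the orphaned artifact should be reported. The enclosing loop and method continue past the hunk.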
@@ -539,7 +572,7 @@ class IEExtractor extends Extractor { NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getModuleName(), file.getName())); logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS - return Collections.emptySet(); + return bbartifacts; } } } From 16fdc53587d13d7c2f901635578e525f9da63233 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Tue, 14 Aug 2018 13:24:20 +0200 Subject: [PATCH 12/17] update RecentDocumentsLnkExtractor to new API --- .../autopsy/recentactivity/Bundle.properties | 1 + .../RecentDocumentsLnkExtractor.java | 95 +++++++++++-------- 2 files changed, 56 insertions(+), 40 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties index 7eab1c94c8..6d33fbeea3 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties @@ -83,6 +83,7 @@ RAImageIngestModule.complete.errMsg.failed={0} failed to complete - see log for RAImageIngestModule.getName=Recent Activity RAImageIngestModule.getDesc=Extracts recent user activity, such as Web browsing, recently used documents and installed programs. RecentDocumentsByLnk.getRecDoc.errMsg.errGetLnkFiles={0}\: Error getting lnk Files. +RecentDocumentsByLnk.getRecDoc.errMsg.errCreatingArtifact={0}\: Error creating Recent Document artifact. RecentDocumentsByLnk.getRecDoc.errParsingFile={0}\: Error parsing Recent File {1} RecentDocumentsByLnk.parentModuleName.noSpace=RecentActivity RecentDocumentsByLnk.parentModuleName=Recent Activity diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java index 27899a82e9..dba4f328cb 100644 
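Review bot: The `return bbartifacts;` in the catch of the `@@ -539,7 +572,7 @@` hunk changes behaviour: a parse failure now hands back, and lets `getHistory` post, every artifact created before the failure, where the old `Collections.emptySet()` discarded them. That is probably the better outcome since those artifacts already exist in the case database, but it deserves a comment such as `// Return what was parsed before the failure so those artifacts are still posted and indexed.` The adjacent log text `"Unable to find the Pasco file at "` also no longer matches the `errParsing` message it sits next to; the catch's exception type is outside the hunk, so verify which wording is right.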
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java @@ -2,7 +2,7 @@ * * Autopsy Forensic Browser * - * Copyright 2012-2014 Basis Technology Corp. + * Copyright 2012-2018 Basis Technology Corp. * * Copyright 2012 42six Solutions. * Contact: aebadirad 42six com 
@@ -23,25 +23,28 @@ package org.sleuthkit.autopsy.recentactivity; import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; import java.util.List; import java.util.logging.Level; - import org.openide.util.NbBundle; -import org.sleuthkit.autopsy.coreutils.Logger; -import java.util.Collection; import org.sleuthkit.autopsy.coreutils.JLNK; import org.sleuthkit.autopsy.coreutils.JLnkParser; import org.sleuthkit.autopsy.coreutils.JLnkParserException; -import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress; +import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.ingest.IngestJobContext; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; +import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; -import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT; import org.sleuthkit.datamodel.BlackboardAttribute; -import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID; import org.sleuthkit.datamodel.Content; -import org.sleuthkit.datamodel.*; +import org.sleuthkit.datamodel.ReadContentInputStream; +import org.sleuthkit.datamodel.TskCoreException; +import org.sleuthkit.datamodel.TskData; /** * Recent documents class that will extract recent documents in the form of .lnk 
@@ -50,13 +53,23 @@ import org.sleuthkit.datamodel.*; class RecentDocumentsLnkExtractor extends Extractor { private static final Logger logger = Logger.getLogger(RecentDocumentsLnkExtractor.class.getName()); - private final IngestServices services = IngestServices.getInstance(); + + private static final String PARENT_MODULE_NAME = NbBundle.getMessage(RecentDocumentsLnkExtractor.class, + "RecentDocumentsByLnk.parentModuleName.noSpace"); private Content dataSource; private IngestJobContext context; @Override protected String getModuleName() { - return ""; + return "lnk files"; + } + + @Override + public void process(Content dataSource, IngestJobContext context) { + this.dataSource = dataSource; + this.context = context; + dataFound = false; + this.getRecentDocuments(); } /** @@ -67,8 +80,6 @@ class RecentDocumentsLnkExtractor extends Extractor { * @param controller */ private void getRecentDocuments() { - - org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); List recentFiles; try { recentFiles = fileManager.findFiles(dataSource, "%.lnk", "Recent"); //NON-NLS @@ -86,6 +97,8 @@ class RecentDocumentsLnkExtractor extends Extractor { } dataFound = true; + + Collection bbartifacts = new ArrayList<>(); for (AbstractFile recentFile : recentFiles) { if (context.dataSourceIngestIsCancelled()) { break; 
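Review bot: `getModuleName()` in the `@@ -50,13 +53,23 @@` hunk now returns the hard-coded, unlocalized literal `"lnk files"`, which flows into user-facing error messages via `this.getModuleName()` later in this file, while every other string in the class comes from Bundle.properties. The sibling extractors resolve their name through the bundle (`NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")`), so a `RecentDocumentsByLnk.moduleName.text=Recent Documents` key and `return NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.moduleName.text");` would keep the module consistent. The `process` override moved into this hunk is unchanged apart from position.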
@@ -107,34 +120,36 @@ class RecentDocumentsLnkExtractor extends Extractor { } continue; } - - Collection bbattributes = new ArrayList<>(); String path = lnk.getBestPath(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, - NbBundle.getMessage(this.getClass(), - "RecentDocumentsByLnk.parentModuleName.noSpace"), - path)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, - NbBundle.getMessage(this.getClass(), - "RecentDocumentsByLnk.parentModuleName.noSpace"), - Util.findID(dataSource, path))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, - NbBundle.getMessage(this.getClass(), - "RecentDocumentsByLnk.parentModuleName.noSpace"), - recentFile.getCrtime())); - BlackboardArtifact bbart = recentFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - bbart.addAttributes(bbattributes); + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_PATH, PARENT_MODULE_NAME, + path), + new BlackboardAttribute( + TSK_PATH_ID, PARENT_MODULE_NAME, + Util.findID(dataSource, path)), + new BlackboardAttribute( + TSK_DATETIME, PARENT_MODULE_NAME, + recentFile.getCrtime())); + try { + BlackboardArtifact bbart = recentFile.newArtifact(TSK_RECENT_OBJECT); + bbart.addAttributes(bbattributes); + bbartifacts.add(bbart); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error creating recent document artifact.", ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.getRecDoc.errMsg.errCreatingArtifact", + this.getModuleName())); + } + } + + //TODO: why weren't these getting indexed before? 
+ try { + blackboard.postArtifacts(bbartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post recent document artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); } - services.fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.parentModuleName"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); } - @Override - public void process(Content dataSource, IngestJobContext context) { - this.dataSource = dataSource; - this.context = context; - dataFound = false; - this.getRecentDocuments(); - } } From f73a35ed165375ef7f3deb081d0d2222f689fe86 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Tue, 14 Aug 2018 13:34:34 +0200 Subject: [PATCH 13/17] index usb artifacts --- .../autopsy/recentactivity/RegistryExtractor.java | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java index 7d38270de8..4b259336e1 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java @@ -55,6 +55,7 @@ import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService; import org.sleuthkit.autopsy.recentactivity.UsbDeviceIdMapper.USBInfo; import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED; 
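Review bot: The new artifact catch in this hunk (which starts on the previous line) logs at `Level.WARNING` and reports `errCreatingArtifact` with only the module name, so neither the log nor the user message says which .lnk file failed, and the severity differs from the `SEVERE` used for the identical failure in the other extractors of this series. Use `logger.log(Level.SEVERE, "Error creating recent document artifact for " + recentFile.getName(), ex); //NON-NLS` and consider passing `recentFile.getName()` as a second argument to the bundle message. The committed `//TODO: why weren't these getting indexed before?` reads as an open question; resolve it, or turn it into a statement of what `postArtifacts` now does, before merge.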
@@ -458,7 +459,12 @@ class RegistryExtractor extends Extractor { //TODO: why do we only send module data events for USB artifacts if (!usbBBartifacts.isEmpty()) { - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(getModuleName(), TSK_DEVICE_ATTACHED, usbBBartifacts)); + try { + blackboard.postArtifacts(usbBBartifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Error while trying to post usb device artifact.", ex); //NON-NLS + this.addErrorMessage(Bundle.Extractor_errPostingArtifacts(getModuleName())); + } } return true; } catch (FileNotFoundException ex) { From ce504e0c433227721129ec53776ec7b0fdfc0e55 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Tue, 14 Aug 2018 13:35:00 +0200 Subject: [PATCH 14/17] rename and update SearchEngineURLQueryExtractor --- .../recentactivity/RAImageIngestModule.java | 2 +- ...ava => SearchEngineURLQueryExtractor.java} | 75 +++++++++++-------- 2 files changed, 44 insertions(+), 33 deletions(-) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{SearchEngineURLQueryAnalyzer.java => SearchEngineURLQueryExtractor.java} (85%) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index cc1a5799c0..cc2b4f219b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -65,7 +65,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { Extractor recentDocuments = new RecentDocumentsLnkExtractor(); Extractor chrome = new ChromeExtractor(); Extractor firefox = new FirefoxExtractor(); - Extractor SEUQA = new SearchEngineURLQueryAnalyzer(); + Extractor SEUQA = new SearchEngineURLQueryExtractor(); extracters.add(chrome); extracters.add(firefox); 
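Review bot: The context comment `//TODO: why do we only send module data events for USB artifacts` directly above the new lines is now stale — the replaced line was the `fireModuleDataEvent` call, and what follows is `blackboard.postArtifacts(usbBBartifacts, PARENT_MODULE_NAME)`, so the comment no longer describes the code beneath it. Rewording it to `// TODO: only the USB device artifacts are posted to the blackboard here.` keeps the open question without misdescribing the behaviour. The source name passed to `postArtifacts` is `PARENT_MODULE_NAME` while the error message built on failure uses `getModuleName()`; if those two strings differ, the artifact's recorded source and the reported error will name the module differently, which is worth confirming is intended (the RecentDocumentsLnkExtractor hunk in PATCH 12 does the same). The enclosing method starts outside the hunk.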
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java similarity index 85% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java index b87777766c..43b1738b5b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java @@ -23,6 +23,7 @@ import java.io.IOException; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Level; @@ -40,8 +41,13 @@ import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY; import org.sleuthkit.datamodel.BlackboardAttribute; -import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.TskCoreException; import org.w3c.dom.Document; 
@@ -64,12 +70,15 @@ import org.xml.sax.SAXException; "cannotParseXml=Unable to parse XML file: ", "# {0} - file name", "SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}." }) -class SearchEngineURLQueryAnalyzer extends Extractor { +final class SearchEngineURLQueryExtractor extends Extractor { + + private static final Logger logger = Logger.getLogger(SearchEngineURLQueryExtractor.class.getName()); + private static final String PARENT_MODULE_NAME = NbBundle.getMessage(SearchEngineURLQueryExtractor.class, + "SearchEngineURLQueryAnalyzer.parentModuleName"); - private static final Logger logger = Logger.getLogger(SearchEngineURLQueryAnalyzer.class.getName()); private static final String XMLFILE = "SEUQAMappings.xml"; //NON-NLS private static final String XSDFILE = "SearchEngineSchema.xsd"; //NON-NLS - private static SearchEngineURLQueryAnalyzer.SearchEngine[] engines; + private static SearchEngineURLQueryExtractor.SearchEngine[] engines; private Content dataSource; private IngestJobContext context; @@ -163,7 +172,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { DocumentBuilder db = dbf.newDocumentBuilder(); xmlinput = db.parse(f); - if (!XMLUtil.xmlIsValid(xmlinput, SearchEngineURLQueryAnalyzer.class, XSDFILE)) { + if (!XMLUtil.xmlIsValid(xmlinput, SearchEngineURLQueryExtractor.class, XSDFILE)) { logger.log(Level.WARNING, "Error loading Search Engines: could not validate against [" + XSDFILE + "], results may not be accurate."); //NON-NLS } @@ -176,7 +185,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { } NodeList nlist = xmlinput.getElementsByTagName("SearchEngine"); //NON-NLS - SearchEngineURLQueryAnalyzer.SearchEngine[] listEngines = new SearchEngineURLQueryAnalyzer.SearchEngine[nlist.getLength()]; + SearchEngineURLQueryExtractor.SearchEngine[] listEngines = new SearchEngineURLQueryExtractor.SearchEngine[nlist.getLength()]; for (int i = 0; i < nlist.getLength(); i++) { NamedNodeMap nnm = nlist.item(i).getAttributes(); 
@@ -191,7 +200,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { } } - SearchEngineURLQueryAnalyzer.SearchEngine Se = new SearchEngineURLQueryAnalyzer.SearchEngine(EngineName, EnginedomainSubstring, keys); + SearchEngineURLQueryExtractor.SearchEngine Se = new SearchEngineURLQueryExtractor.SearchEngine(EngineName, EnginedomainSubstring, keys); listEngines[i] = Se; } engines = listEngines; @@ -207,7 +216,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { * is found * */ - private static SearchEngineURLQueryAnalyzer.SearchEngine getSearchEngineFromUrl(String domain) { + private static SearchEngineURLQueryExtractor.SearchEngine getSearchEngineFromUrl(String domain) { if (engines == null) { return null; } @@ -226,7 +235,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { * * @return The extracted search query. */ - private String extractSearchEngineQuery(SearchEngineURLQueryAnalyzer.SearchEngine eng, String url) { + private String extractSearchEngineQuery(SearchEngineURLQueryExtractor.SearchEngine eng, String url) { String x = ""; //NON-NLS for (KeyPair kp : eng.getKeys()) { @@ -292,6 +301,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { } private void findSearchQueries() { + int totalQueries = 0; try { //from blackboard_artifacts 
@@ -322,12 +332,12 @@ class SearchEngineURLQueryAnalyzer extends Extractor { continue; } - SearchEngineURLQueryAnalyzer.SearchEngine se = null; + SearchEngineURLQueryExtractor.SearchEngine se = null; //from blackboard_attributes Collection listAttributes = currentCase.getSleuthkitCase().getMatchingAttributes("WHERE artifact_id = " + artifact.getArtifactID()); //NON-NLS for (BlackboardAttribute attribute : listAttributes) { - if (attribute.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL.getTypeID()) { + if (attribute.getAttributeType().getTypeID() == TSK_URL.getTypeID()) { final String urlString = attribute.getValueString(); se = getSearchEngineFromUrl(urlString); if (se == null) { 
@@ -335,39 +345,39 @@ class SearchEngineURLQueryAnalyzer extends Extractor { } query = extractSearchEngineQuery(se, attribute.getValueString()); - if (query.equals("")) //False positive match, artifact was not a query. NON-NLS + if (query.isEmpty()) //False positive match, artifact was not a query. NON-NLS { break; } - } else if (attribute.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID()) { + } else if (attribute.getAttributeType().getTypeID() == TSK_PROG_NAME.getTypeID()) { browser = attribute.getValueString(); - } else if (attribute.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID()) { + } else if (attribute.getAttributeType().getTypeID() == TSK_DOMAIN.getTypeID()) { searchEngineDomain = attribute.getValueString(); - } else if (attribute.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID()) { + } else if (attribute.getAttributeType().getTypeID() == TSK_DATETIME_ACCESSED.getTypeID()) { last_accessed = attribute.getValueLong(); } } - if (se != null && !query.equals("")) { //NON-NLS + if (se != null && !query.isEmpty()) { //NON-NLS // If date doesn't exist, change to 0 (instead of 1969) if (last_accessed == -1) { last_accessed = 0; } - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, - NbBundle.getMessage(this.getClass(), - "SearchEngineURLQueryAnalyzer.parentModuleName"), searchEngineDomain)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEXT, - NbBundle.getMessage(this.getClass(), - "SearchEngineURLQueryAnalyzer.parentModuleName"), query)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, - NbBundle.getMessage(this.getClass(), - "SearchEngineURLQueryAnalyzer.parentModuleName"), browser)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, - NbBundle.getMessage(this.getClass(), - 
"SearchEngineURLQueryAnalyzer.parentModuleName"), last_accessed)); - BlackboardArtifact bbart = file.newArtifact(ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY); + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + searchEngineDomain), + new BlackboardAttribute( + TSK_TEXT, PARENT_MODULE_NAME, + query), + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + browser), + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + last_accessed)); + BlackboardArtifact bbart = file.newArtifact(TSK_WEB_SEARCH_QUERY); bbart.addAttributes(bbattributes); se.increment(); ++totalQueries; @@ -379,6 +389,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { if (context.dataSourceIngestIsCancelled()) { logger.info("Operation terminated by user."); //NON-NLS } + //TODO: should this be batched? Should it include the actual artifact(s)? IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( NbBundle.getMessage(this.getClass(), "SearchEngineURLQueryAnalyzer.parentModuleName.noSpace"), BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY)); @@ -391,7 +402,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { if (engines == null) { return total; } - for (SearchEngineURLQueryAnalyzer.SearchEngine se : engines) { + for (SearchEngineURLQueryExtractor.SearchEngine se : engines) { total += se.getEngineName() + " : " + se.getTotal() + "\n"; } return total; @@ -408,7 +419,7 @@ class SearchEngineURLQueryAnalyzer extends Extractor { @Override void configExtractor() throws IngestModuleException { try { - PlatformUtil.extractResourceToUserConfigDir(SearchEngineURLQueryAnalyzer.class, XMLFILE, true); + PlatformUtil.extractResourceToUserConfigDir(SearchEngineURLQueryExtractor.class, XMLFILE, true); } catch (IOException e) { String message = Bundle.SearchEngineURLQueryAnalyzer_init_exception_msg(XMLFILE); logger.log(Level.SEVERE, message, e); 
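Review bot: The new `BlackboardArtifact bbart = file.newArtifact(TSK_WEB_SEARCH_QUERY); bbart.addAttributes(bbattributes);` lines create the search-query artifact but, unlike the RecentDocumentsLnkExtractor and RegistryExtractor hunks earlier in this series, never collect it or hand it to `blackboard.postArtifacts`; the `-379,6 +389,7` hunk instead keeps `IngestServices.getInstance().fireModuleDataEvent(...)` and only adds `//TODO: should this be batched? Should it include the actual artifact(s)?`, leaving this extractor on a different posting path from the others. If the move to `postArtifacts` is meant to apply to every extractor, collecting `bbart` into a list and posting it once after the loop would make them consistent; if this one is meant to differ, the TODO should say why. The `Collection bbattributes = Arrays.asList(` declaration is also a raw type and should be `Collection<BlackboardAttribute>`. findSearchQueries starts and ends outside the hunk, so the surrounding try block that catches failures from `newArtifact` is not visible here.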
From bd0e0b5dcd53db9a11c11a725921954750e091eb Mon Sep 17 00:00:00 2001 From: millmanorama Date: Tue, 14 Aug 2018 15:29:58 +0200 Subject: [PATCH 15/17] some more minor cleanup --- .../org/sleuthkit/autopsy/coreutils/SQLiteDBConnect.java | 3 ++- .../autopsy/examples/SampleDataSourceIngestModule.java | 3 --- .../autopsy/modules/plaso/PlasoIngestModule.java | 8 ++++---- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/coreutils/SQLiteDBConnect.java b/Core/src/org/sleuthkit/autopsy/coreutils/SQLiteDBConnect.java index fcaa5e203e..d6c9097cd3 100644 --- a/Core/src/org/sleuthkit/autopsy/coreutils/SQLiteDBConnect.java +++ b/Core/src/org/sleuthkit/autopsy/coreutils/SQLiteDBConnect.java @@ -30,7 +30,7 @@ import java.sql.Statement; import java.util.logging.Level; /** - * Database connection class & utilities * + * Database connection class & utilities. */ public class SQLiteDBConnect implements AutoCloseable { @@ -127,6 +127,7 @@ public class SQLiteDBConnect implements AutoCloseable { } catch (SQLException ex) { logger.log(Level.WARNING, "Unable to close connection to SQLite DB at " + sUrl, ex); } + //Implementing Autoclosable.close() allows this class to be used in try-with-resources. } @Override diff --git a/Core/src/org/sleuthkit/autopsy/examples/SampleDataSourceIngestModule.java b/Core/src/org/sleuthkit/autopsy/examples/SampleDataSourceIngestModule.java index 9a1bd96cc7..152df6f55f 100644 --- a/Core/src/org/sleuthkit/autopsy/examples/SampleDataSourceIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/examples/SampleDataSourceIngestModule.java 
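Review bot: The added `//Implementing Autoclosable.close() allows this class to be used in try-with-resources.` comment is placed at the end of the `close()` body, after the catch block, where it explains nothing about the lines around it; it belongs on the method, as Javadoc above the `@Override`, e.g. `/** Closes the SQLite connection; implementing {@link AutoCloseable#close()} lets this class be used in try-with-resources. */` with a second sentence noting that, per the visible catch block, a failing close is logged at WARNING and not rethrown. The interface name is also misspelled — it is `AutoCloseable`, not `Autoclosable`. The `close()` signature itself is outside the hunk.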
@@ -34,13 +34,10 @@ import java.util.logging.Level; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.casemodule.services.FileManager; -import org.sleuthkit.autopsy.casemodule.services.Services; import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress; import org.sleuthkit.autopsy.ingest.IngestModule; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Content; -import org.sleuthkit.datamodel.FsContent; -import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.ingest.DataSourceIngestModule; diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java index ee7eb4db1b..a9070b458f 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java @@ -80,8 +80,8 @@ public class PlasoIngestModule implements DataSourceIngestModule { @NbBundle.Messages({ "PlasoIngestModule_error_running=Error running Plaso, see log file.", "PlasoIngestModule_log2timeline_executable_not_found=Log2timeline Executable Not Found", - "PlasoIngestModule_psort_executable_not_found=psort Executable Not Found",}) - + "PlasoIngestModule_psort_executable_not_found=psort Executable Not Found" + }) @Override public void startUp(IngestJobContext context) throws IngestModuleException { this.context = context; 
@@ -111,8 +111,8 @@ public class PlasoIngestModule implements DataSourceIngestModule { "PlasoIngestModule_running_log2timeline=Running Log2timeline", "PlasoIngestModule_running_psort=Running Psort", "PlasoIngestModule_completed=Plaso Processing Completed", - "PlasoIngestModule_has_run=Plaso Plugin has been run.",}) - + "PlasoIngestModule_has_run=Plaso Plugin has been run." + }) @Override public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress statusHelper) { statusHelper.switchToIndeterminate(); From 47c298fa890f4d571a2a4e6337a8cc0b4f07ff2f Mon Sep 17 00:00:00 2001 From: millmanorama Date: Tue, 14 Aug 2018 15:37:13 +0200 Subject: [PATCH 16/17] revert class name changes that broke Github diffs --- .../{ChromeExtractor.java => Chrome.java} | 63 +++++++++---------- .../{Extractor.java => Extract.java} | 4 +- .../{IEExtractor.java => ExtractIE.java} | 20 +++--- ...tryExtractor.java => ExtractRegistry.java} | 16 ++--- .../recentactivity/FirefoxExtractor.java | 12 ++-- .../recentactivity/RAImageIngestModule.java | 24 +++---- .../RecentDocumentsLnkExtractor.java | 2 +- .../SearchEngineURLQueryExtractor.java | 4 +- 8 files changed, 69 insertions(+), 76 deletions(-) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{ChromeExtractor.java => Chrome.java} (91%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{Extractor.java => Extract.java} (99%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{IEExtractor.java => ExtractIE.java} (96%) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{RegistryExtractor.java => ExtractRegistry.java} (98%) 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java similarity index 91% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 040974fdf0..7d77546eea 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -67,10 +67,10 @@ import org.sleuthkit.datamodel.TskData; /** * Chrome recent activity extraction */ -final class ChromeExtractor extends Extractor { +final class Chrome extends Extract { - private static final Logger logger = Logger.getLogger(ChromeExtractor.class.getName()); - private static final String PARENT_MODULE_NAME = NbBundle.getMessage(ChromeExtractor.class, "Chrome.parentModuleName"); + private static final Logger logger = Logger.getLogger(Chrome.class.getName()); + private static final String PARENT_MODULE_NAME = NbBundle.getMessage(Chrome.class, "Chrome.parentModuleName"); private static final String HISTORY_QUERY = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS private static final String COOKIE_QUERY = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS @@ -85,7 +85,7 @@ final class ChromeExtractor extends Extractor { @Override protected String getModuleName() { - return NbBundle.getMessage(ChromeExtractor.class, "Chrome.moduleName"); + return NbBundle.getMessage(Chrome.class, "Chrome.moduleName"); } @Override 
@@ -111,7 +111,7 @@ final class ChromeExtractor extends Extractor { try { historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(Chrome.class, "Chrome.getHistory.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; @@ -127,7 +127,7 @@ final class ChromeExtractor extends Extractor { // log a message if we don't have any allocated history files if (allocatedHistoryFiles.isEmpty()) { - String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.couldntFindAnyFiles"); + String msg = NbBundle.getMessage(Chrome.class, "Chrome.getHistory.errMsg.couldntFindAnyFiles"); logger.log(Level.INFO, msg); return; } @@ -147,13 +147,13 @@ final class ChromeExtractor extends Extractor { } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome web history artifacts file '%s' (id=%d).", historyFile.getName(), historyFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getHistory.errMsg.errAnalyzingFile", this.getModuleName(), historyFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome web history artifacts file '%s' (id=%d).", temps, historyFile.getName(), historyFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getHistory.errMsg.errAnalyzingFile", this.getModuleName(), historyFile.getName())); continue; } 
@@ -190,8 +190,7 @@ final class ChromeExtractor extends Extractor { bbartifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Chrome history artifact.", ex); //NON-NLS - this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Chrome.getHistory.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getHistory.errMsg.errAnalyzingFile", this.getModuleName(), historyFile.getName())); } } @@ -213,7 +212,7 @@ final class ChromeExtractor extends Extractor { try { bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(Chrome.class, "Chrome.getBookmark.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; 
@@ -238,13 +237,13 @@ final class ChromeExtractor extends Extractor { } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome bookmark artifacts file '%s' (id=%d).", bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getBookmark.errMsg.errAnalyzingFile", this.getModuleName(), bookmarkFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome bookmark artifacts file '%s' (id=%d).", temps, bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getBookmark.errMsg.errAnalyzingFile", this.getModuleName(), bookmarkFile.getName())); continue; } @@ -261,8 +260,7 @@ final class ChromeExtractor extends Extractor { tempReader = new FileReader(temps); } catch (FileNotFoundException ex) { logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS - this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getModuleName(), + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getModuleName(), bookmarkFile.getName())); continue; } 
@@ -280,7 +278,7 @@ final class ChromeExtractor extends Extractor { jBookmarkArray = jBookmark.getAsJsonArray("children"); //NON-NLS } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) { logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile3", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getBookmark.errMsg.errAnalyzingFile3", this.getModuleName(), bookmarkFile.getName())); continue; } @@ -334,8 +332,7 @@ final class ChromeExtractor extends Extractor { bbartifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact.", ex); //NON-NLS - this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Chrome.getBookmark.errMsg.errAnalyzingFile4", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getBookmark.errMsg.errAnalyzingFile4", this.getModuleName(), bookmarkFile.getName())); } } @@ -357,7 +354,7 @@ final class ChromeExtractor extends Extractor { try { cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(Chrome.class, "Chrome.getCookie.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; 
@@ -382,13 +379,13 @@ final class ChromeExtractor extends Extractor { } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome cookie artifacts file '%s' (id=%d).", cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errAnalyzeFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getCookie.errMsg.errAnalyzeFile", this.getModuleName(), cookiesFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome cookie artifacts file '%s' (id=%d).", temps, cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errAnalyzeFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getCookie.errMsg.errAnalyzeFile", this.getModuleName(), cookiesFile.getName())); continue; } @@ -427,8 +424,7 @@ final class ChromeExtractor extends Extractor { bbartifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to insert Chrome cookie artifact.", ex); //NON-NLS - this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Chrome.getCookie.errMsg.errAnalyzingFile", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getCookie.errMsg.errAnalyzingFile", this.getModuleName(), cookiesFile.getName())); } } 
@@ -451,7 +447,7 @@ final class ChromeExtractor extends Extractor { try { downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(Chrome.class, "Chrome.getDownload.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; @@ -476,13 +472,13 @@ final class ChromeExtractor extends Extractor { } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome download artifacts file '%s' (id=%d).", downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", this.getModuleName(), downloadFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome download artifacts file '%s' (id=%d).", temps, downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", this.getModuleName(), downloadFile.getName())); continue; } 
@@ -525,8 +521,7 @@ final class ChromeExtractor extends Extractor { bbartifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to insert Chrome download artifact.", ex); //NON-NLS - this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getDownload.errMsg.errAnalyzeFiles1", this.getModuleName(), downloadFile.getName())); } } @@ -549,7 +544,7 @@ final class ChromeExtractor extends Extractor { try { signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errGettingFiles"); + String msg = NbBundle.getMessage(Chrome.class, "Chrome.getLogin.errMsg.errGettingFiles"); logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); return; 
@@ -574,13 +569,13 @@ final class ChromeExtractor extends Extractor { } catch (ReadContentInputStreamException ex) { logger.log(Level.WARNING, String.format("Error reading Chrome login artifacts file '%s' (id=%d).", signonFile.getName(), signonFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getModuleName(), signonFile.getName())); continue; } catch (IOException ex) { logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome login artifacts file '%s' (id=%d).", temps, signonFile.getName(), signonFile.getId()), ex); //NON-NLS - this.addErrorMessage(NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getModuleName(), signonFile.getName())); continue; } @@ -623,8 +618,7 @@ final class ChromeExtractor extends Extractor { bbartifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to insert Chrome login artifact.", ex); //NON-NLS - this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getModuleName(), signonFile.getName())); } 
@@ -640,8 +634,7 @@ final class ChromeExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to insert Chrome os account artifact.", ex); //NON-NLS - this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", + this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getModuleName(), signonFile.getName())); } catch (Blackboard.BlackboardException ex) { logger.log(Level.SEVERE, "Error while trying to post Chrome os account artifact.", ex); //NON-NLS diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java similarity index 99% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java index becead2723..c4d5da703c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java @@ -38,9 +38,9 @@ import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException; import org.sleuthkit.datamodel.*; -abstract class Extractor { +abstract class Extract { - private static final Logger logger = Logger.getLogger(Extractor.class.getName()); + private static final Logger logger = Logger.getLogger(Extract.class.getName()); protected Case currentCase; protected SleuthkitCase tskCase; diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java similarity index 96% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 32438be99c..95a907d008 100644 
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/IEExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -78,11 +78,11 @@ import org.sleuthkit.datamodel.TskCoreException; * Extracts activity from Internet Explorer browser, as well as recent documents * in windows. */ -class IEExtractor extends Extractor { +class ExtractIE extends Extract { - private static final Logger logger = Logger.getLogger(IEExtractor.class.getName()); + private static final Logger logger = Logger.getLogger(ExtractIE.class.getName()); private static final String PARENT_MODULE_NAME - = NbBundle.getMessage(IEExtractor.class, "ExtractIE.parentModuleName.noSpace"); + = NbBundle.getMessage(ExtractIE.class, "ExtractIE.parentModuleName.noSpace"); private static final String PASCO_DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"; private final String moduleTempResultsDir; @@ -91,13 +91,13 @@ class IEExtractor extends Extractor { private Content dataSource; private IngestJobContext context; - IEExtractor() throws NoCurrentCaseException { + ExtractIE() throws NoCurrentCaseException { moduleTempResultsDir = RAImageIngestModule.getRATempPath(Case.getCurrentCaseThrows(), "IE") + File.separator + "results"; //NON-NLS } @Override protected String getModuleName() { - return NbBundle.getMessage(IEExtractor.class, "ExtractIE.moduleName.text"); + return NbBundle.getMessage(ExtractIE.class, "ExtractIE.moduleName.text"); } @Override @@ -160,7 +160,7 @@ class IEExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Internet Explorer bookmark artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getBookmark.errMsg.errGettingBookmarks", //NON-NLS + NbBundle.getMessage(Chrome.class, "ExtractIE.getBookmark.errMsg.errGettingBookmarks", //NON-NLS this.getModuleName(), fav.getName())); } } 
@@ -265,7 +265,7 @@ class IEExtractor extends Extractor { bbartifacts.add(bbart); } catch (TskCoreException ex) { this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getCookie.errMsg.errReadingIECookie", //NON-NLS + NbBundle.getMessage(Chrome.class, "ExtractIE.getCookie.errMsg.errReadingIECookie", //NON-NLS this.getModuleName(), cookiesFile.getName())); } @@ -285,7 +285,7 @@ class IEExtractor extends Extractor { logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS //TODO: Why are we getting the pasco library path for datasource we process? - final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", IEExtractor.class.getPackage().getName(), false); //NON-NLS + final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); //NON-NLS if (pascoRoot == null) { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getModuleName())); @@ -548,7 +548,7 @@ class IEExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Internet Explorer history artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getHistory.errMsg.errProcHist", //NON-NLS + NbBundle.getMessage(Chrome.class, "ExtractIE.getHistory.errMsg.errProcHist", //NON-NLS origFile.getName())); } @@ -561,7 +561,7 @@ class IEExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Internet Explorer os account artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "ExtractIE.getHistory.errMsg.errProcHist", //NON-NLS + NbBundle.getMessage(Chrome.class, "ExtractIE.getHistory.errMsg.errProcHist", //NON-NLS origFile.getName())); } } 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java similarity index 98% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 4b259336e1..531ddd1c83 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RegistryExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -107,10 +107,10 @@ import org.xml.sax.SAXException; "RegRipperNotFound=Autopsy RegRipper executable not found.", "RegRipperFullNotFound=Full version RegRipper executable not found." }) -class RegistryExtractor extends Extractor { +class ExtractRegistry extends Extract { - private static final Logger logger = Logger.getLogger(RegistryExtractor.class.getName()); - private final static String PARENT_MODULE_NAME = NbBundle.getMessage(RegistryExtractor.class, "ExtractRegistry.parentModuleName.noSpace"); + private static final Logger logger = Logger.getLogger(ExtractRegistry.class.getName()); + private final static String PARENT_MODULE_NAME = NbBundle.getMessage(ExtractRegistry.class, "ExtractRegistry.parentModuleName.noSpace"); final private static UsbDeviceIdMapper USB_MAPPER = new UsbDeviceIdMapper(); final private static String RIP_EXE = "rip.exe"; final private static String RIP_PL = "rip.pl"; 
@@ -123,13 +123,13 @@ class RegistryExtractor extends Extractor { private final List rrCmd = new ArrayList<>(); private final List rrFullCmd = new ArrayList<>(); - RegistryExtractor() throws IngestModuleException { + ExtractRegistry() throws IngestModuleException { InstalledFileLocator installedFileLocator = InstalledFileLocator.getDefault(); - final File rrRoot = installedFileLocator.locate("rr", RegistryExtractor.class.getPackage().getName(), false); //NON-NLS + final File rrRoot = installedFileLocator.locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS if (rrRoot == null) { throw new IngestModuleException(Bundle.RegRipperNotFound()); } - final File rrFullRoot = installedFileLocator.locate("rr-full", RegistryExtractor.class.getPackage().getName(), false); //NON-NLS + final File rrFullRoot = installedFileLocator.locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS if (rrFullRoot == null) { throw new IngestModuleException(Bundle.RegRipperFullNotFound()); } @@ -170,7 +170,7 @@ class RegistryExtractor extends Extractor { @Override protected String getModuleName() { - return NbBundle.getMessage(RegistryExtractor.class, "ExtractRegistry.moduleName.text"); + return NbBundle.getMessage(ExtractRegistry.class, "ExtractRegistry.moduleName.text"); } /** @@ -192,7 +192,7 @@ class RegistryExtractor extends Extractor { try { allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS } catch (TskCoreException ex) { - String msg = NbBundle.getMessage(RegistryExtractor.class, + String msg = NbBundle.getMessage(ExtractRegistry.class, "ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName); logger.log(Level.WARNING, msg, ex); this.addErrorMessage(this.getModuleName() + ": " + msg); 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java index 13da43f9fc..d07df39b0a 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/FirefoxExtractor.java @@ -65,7 +65,7 @@ import org.sleuthkit.datamodel.TskCoreException; /** * Firefox recent activity extraction */ -final class FirefoxExtractor extends Extractor { +final class FirefoxExtractor extends Extract { private static final Logger logger = Logger.getLogger(FirefoxExtractor.class.getName()); private static final String PARENT_MODULE_NAME = NbBundle.getMessage(FirefoxExtractor.class, @@ -177,7 +177,7 @@ final class FirefoxExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Firefox history artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Firefox.getHistory.errMsg.errAnalyzeFile=", //NON-NLS + NbBundle.getMessage(Chrome.class, "Firefox.getHistory.errMsg.errAnalyzeFile=", //NON-NLS this.getModuleName(), historyFile.getName())); } } @@ -271,7 +271,7 @@ final class FirefoxExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Firefox bookmark artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Firefox.getBookmark.errMsg.errAnalyzeFile=", //NON-NLS + NbBundle.getMessage(Chrome.class, "Firefox.getBookmark.errMsg.errAnalyzeFile=", //NON-NLS this.getModuleName(), bookmarkFile.getName())); } } 
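Review bot: The bundle key in the new `this.addErrorMessage(NbBundle.getMessage(Chrome.class, "Firefox.getHistory.errMsg.errAnalyzeFile=", …))` line ends in a literal `=`, and the bookmark hunk on this line and the cookie hunk on the next one carry the same key shape; unless the key is spelled that way in Bundle.properties, the lookup fails with a MissingResourceException precisely on the error path, replacing the message the user was meant to see. Suggest checking the keys against the bundle and dropping the trailing `=`, e.g. `NbBundle.getMessage(this.getClass(), "Firefox.getHistory.errMsg.errAnalyzeFile", this.getModuleName(), historyFile.getName())`. Using `this.getClass()` instead of the unrelated `Chrome.class` as the bundle anchor would also match how ExtractIE resolves its own messages elsewhere in this patch. The enclosing methods start and end outside these hunks.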
@@ -374,7 +374,7 @@ final class FirefoxExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Firefox cookie artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Firefox.getCookie.errMsg.errAnalyzeFile=", //NON-NLS + NbBundle.getMessage(Chrome.class, "Firefox.getCookie.errMsg.errAnalyzeFile=", //NON-NLS this.getModuleName(), cookiesFile.getName())); } } @@ -483,7 +483,7 @@ final class FirefoxExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Firefox download artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Firefox.getDlPre24.errMsg.errAnalyzeFiles", //NON-NLS + NbBundle.getMessage(Chrome.class, "Firefox.getDlPre24.errMsg.errAnalyzeFiles", //NON-NLS this.getModuleName(), downloadsFile.getName())); } } @@ -602,7 +602,7 @@ final class FirefoxExtractor extends Extractor { } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error while trying to create Firefox download artifact.", ex); //NON-NLS this.addErrorMessage( - NbBundle.getMessage(ChromeExtractor.class, "Firefox.getDlV24.errMsg.errAnalyzeFile", //NON-NLS + NbBundle.getMessage(Chrome.class, "Firefox.getDlV24.errMsg.errAnalyzeFile", //NON-NLS this.getModuleName(), downloadsFile.getName())); } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index cc2b4f219b..3be8d016c0 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java 
@@ -45,8 +45,8 @@ import org.sleuthkit.datamodel.Content; public final class RAImageIngestModule implements DataSourceIngestModule { private static final Logger logger = Logger.getLogger(RAImageIngestModule.class.getName()); - private final List extracters = new ArrayList<>(); - private final List browserExtracters = new ArrayList<>(); + private final List extracters = new ArrayList<>(); + private final List browserExtracters = new ArrayList<>(); private final IngestServices services = IngestServices.getInstance(); private IngestJobContext context; @@ -54,18 +54,18 @@ public final class RAImageIngestModule implements DataSourceIngestModule { public void startUp(IngestJobContext context) throws IngestModuleException { this.context = context; - Extractor iexplore; + Extract iexplore; try { - iexplore = new IEExtractor(); + iexplore = new ExtractIE(); } catch (NoCurrentCaseException ex) { throw new IngestModuleException(ex.getMessage(), ex); } - Extractor registry = new RegistryExtractor(); - Extractor recentDocuments = new RecentDocumentsLnkExtractor(); - Extractor chrome = new ChromeExtractor(); - Extractor firefox = new FirefoxExtractor(); - Extractor SEUQA = new SearchEngineURLQueryExtractor(); + Extract registry = new ExtractRegistry(); + Extract recentDocuments = new RecentDocumentsLnkExtractor(); + Extract chrome = new Chrome(); + Extract firefox = new FirefoxExtractor(); + Extract SEUQA = new SearchEngineURLQueryExtractor(); extracters.add(chrome); extracters.add(firefox); @@ -78,7 +78,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { browserExtracters.add(firefox); browserExtracters.add(iexplore); - for (Extractor extracter : extracters) { + for (Extract extracter : extracters) { extracter.init(); } } 
@@ -95,7 +95,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { ArrayList errors = new ArrayList<>(); for (int i = 0; i < extracters.size(); i++) { - Extractor extracter = extracters.get(i); + Extract extracter = extracters.get(i); if (context.dataSourceIngestIsCancelled()) { logger.log(Level.INFO, "Recent Activity has been canceled, quitting before {0}", extracter.getModuleName()); //NON-NLS break; @@ -147,7 +147,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { StringBuilder historyMsg = new StringBuilder(); historyMsg.append( NbBundle.getMessage(this.getClass(), "RAImageIngestModule.process.histMsg.title", dataSource.getName())); - for (Extractor module : browserExtracters) { + for (Extract module : browserExtracters) { historyMsg.append("
  • ").append(module.getModuleName()); //NON-NLS historyMsg.append(": ").append((module.foundData()) ? NbBundle .getMessage(this.getClass(), "RAImageIngestModule.process.histMsg.found") : NbBundle diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java index dba4f328cb..28c5eded7f 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsLnkExtractor.java @@ -50,7 +50,7 @@ import org.sleuthkit.datamodel.TskData; * Recent documents class that will extract recent documents in the form of .lnk * files */ -class RecentDocumentsLnkExtractor extends Extractor { +class RecentDocumentsLnkExtractor extends Extract { private static final Logger logger = Logger.getLogger(RecentDocumentsLnkExtractor.class.getName()); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java index 43b1738b5b..9ec68b276b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java @@ -70,7 +70,7 @@ import org.xml.sax.SAXException; "cannotParseXml=Unable to parse XML file: ", "# {0} - file name", "SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}." }) -final class SearchEngineURLQueryExtractor extends Extractor { +final class SearchEngineURLQueryExtractor extends Extract { private static final Logger logger = Logger.getLogger(SearchEngineURLQueryExtractor.class.getName()); private static final String PARENT_MODULE_NAME = NbBundle.getMessage(SearchEngineURLQueryExtractor.class, 
@@ -85,7 +85,7 @@ final class SearchEngineURLQueryExtractor extends Extractor { @Override protected String getModuleName() { - return NbBundle.getMessage(IEExtractor.class, "SearchEngineURLQueryAnalyzer.moduleName.text"); + return NbBundle.getMessage(ExtractIE.class, "SearchEngineURLQueryAnalyzer.moduleName.text"); } /** From 79018b91ff24239f147eae20772babb190e0852d Mon Sep 17 00:00:00 2001 From: millmanorama Date: Tue, 14 Aug 2018 17:51:14 +0200 Subject: [PATCH 17/17] update SearchEngineURLQueryExtractor.java --- .../SearchEngineURLQueryExtractor.java | 241 ++++++++---------- 1 file changed, 110 insertions(+), 131 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java index 9ec68b276b..eecc55e333 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryExtractor.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2012-2014 Basis Technology Corp. + * Copyright 2012-2018 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -27,7 +27,6 @@ import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Level; -import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import org.openide.util.NbBundle; 
@@ -36,9 +35,8 @@ import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.coreutils.XMLUtil; import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException; -import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY; @@ -78,7 +76,7 @@ final class SearchEngineURLQueryExtractor extends Extract { private static final String XMLFILE = "SEUQAMappings.xml"; //NON-NLS private static final String XSDFILE = "SearchEngineSchema.xsd"; //NON-NLS - private static SearchEngineURLQueryExtractor.SearchEngine[] engines; + private static SearchEngine[] engines; private Content dataSource; private IngestJobContext context; @@ -166,11 +164,9 @@ final class SearchEngineURLQueryExtractor extends Extract { Document xmlinput; try { String path = PlatformUtil.getUserConfigDirectory() + File.separator + XMLFILE; - File f = new File(path); + File configFile = new File(path); logger.log(Level.INFO, "Load successful"); //NON-NLS - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - DocumentBuilder db = dbf.newDocumentBuilder(); - xmlinput = db.parse(f); + xmlinput = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(configFile); if (!XMLUtil.xmlIsValid(xmlinput, SearchEngineURLQueryExtractor.class, XSDFILE)) { logger.log(Level.WARNING, "Error loading Search Engines: could not validate against [" + XSDFILE + "], results may not be accurate."); //NON-NLS 
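Review bot: The new `xmlinput = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(configFile);` builds the parser with default settings, so a DOCTYPE with external entities in the mapping file is resolved before `XMLUtil.xmlIsValid` ever sees the document, and the file is read from the user config directory rather than from the module's own resources. Keep the factory in a local and refuse doctypes before parsing: `DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();` / `dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` / `xmlinput = dbf.newDocumentBuilder().parse(configFile);` — `setFeature` throws ParserConfigurationException, which this file already imports. The `logger.log(Level.INFO, "Load successful")` line just above runs before the parse, so it reports success for a file that may still fail to load; logging after the validation check would make it accurate. The enclosing method starts and ends outside the hunk.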
@@ -185,7 +181,7 @@ final class SearchEngineURLQueryExtractor extends Extract { } NodeList nlist = xmlinput.getElementsByTagName("SearchEngine"); //NON-NLS - SearchEngineURLQueryExtractor.SearchEngine[] listEngines = new SearchEngineURLQueryExtractor.SearchEngine[nlist.getLength()]; + SearchEngine[] listEngines = new SearchEngine[nlist.getLength()]; for (int i = 0; i < nlist.getLength(); i++) { NamedNodeMap nnm = nlist.item(i).getAttributes(); @@ -200,8 +196,8 @@ final class SearchEngineURLQueryExtractor extends Extract { } } - SearchEngineURLQueryExtractor.SearchEngine Se = new SearchEngineURLQueryExtractor.SearchEngine(EngineName, EnginedomainSubstring, keys); - listEngines[i] = Se; + SearchEngine searchEngine = new SearchEngine(EngineName, EnginedomainSubstring, keys); + listEngines[i] = searchEngine; } engines = listEngines; } @@ -216,7 +212,7 @@ final class SearchEngineURLQueryExtractor extends Extract { * is found * */ - private static SearchEngineURLQueryExtractor.SearchEngine getSearchEngineFromUrl(String domain) { + private static SearchEngine getSearchEngineFromUrl(String domain) { if (engines == null) { return null; } 
@@ -235,32 +231,31 @@ final class SearchEngineURLQueryExtractor extends Extract { * * @return The extracted search query. */ - private String extractSearchEngineQuery(SearchEngineURLQueryExtractor.SearchEngine eng, String url) { - String x = ""; //NON-NLS + private String extractSearchEngineQuery(SearchEngine eng, String url) { + String value = ""; //NON-NLS for (KeyPair kp : eng.getKeys()) { if (url.contains(kp.getKey())) { - x = getValue(url, kp.getKeyRegExp()); + value = getValue(url, kp.getKeyRegExp()); break; } } try { //try to decode the url - String decoded = URLDecoder.decode(x, "UTF-8"); //NON-NLS - return decoded; + return URLDecoder.decode(value, "UTF-8"); //NON-NLS } catch (UnsupportedEncodingException exception) { //if it fails, return the encoded string logger.log(Level.FINE, "Error during URL decoding, returning undecoded value:" + "\n\tURL: " + url - + "\n\tUndecoded value: " + x + + "\n\tUndecoded value: " + value + "\n\tEngine name: " + eng.getEngineName() + "\n\tEngine domain: " + eng.getDomainSubstring(), exception); //NON-NLS - return x; + return value; } catch (IllegalArgumentException exception) { //if it fails, return the encoded string logger.log(Level.SEVERE, "Illegal argument passed to URL decoding, returning undecoded value:" + "\n\tURL: " + url - + "\n\tUndecoded value: " + x + + "\n\tUndecoded value: " + value + "\n\tEngine name: " + eng.getEngineName() + "\n\tEngine domain: " + eng.getDomainSubstring(), exception); //NON-NLS) - return x; + return value; } } 
@@ -283,18 +278,16 @@ final class SearchEngineURLQueryExtractor extends Extract {
 * at more formal approaches of splitting on the "?" and then on "&"
 * resulting in missing things.
 */
+
+ //TODO: What does this old comment mean? : Want to determine if string contains a string based on splitkey, but we want to split the string on splitKeyConverted due to regex
 String value = ""; //NON-NLS
- String v = regExpKey;
- //Want to determine if string contains a string based on splitkey, but we want to split the string on splitKeyConverted due to regex
- if (regExpKey.contains("\\?")) {
- v = regExpKey.replace("\\?", "?");
- }
- String[] sp = url.split(v);
- if (sp.length >= 2) {
- if (sp[sp.length - 1].contains("&")) {
- value = sp[sp.length - 1].split("&")[0];
+
+ String[] tokens = url.split(regExpKey.replace("\\?", "?"));
+ if (tokens.length >= 2) {
+ if (tokens[tokens.length - 1].contains("&")) {
+ value = tokens[tokens.length - 1].split("&")[0];
 } else {
- value = sp[sp.length - 1];
+ value = tokens[tokens.length - 1];
 }
 }
 return value;
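Review bot: The new `//TODO: What does this old comment mean?` line leaves the one non-obvious step of getValue undocumented: `url.split(regExpKey.replace("\\?", "?"))` hands a regex to `split`, so collapsing `\?` to `?` only makes sense if the token arrives with the `?` double-escaped (presumably how the mapping file spells it), and a token that arrives as plain `\?` becomes an unescaped `?` and makes `split` throw `java.util.regex.PatternSyntaxException`, which nothing in the caller catches. Suggest replacing the TODO with a comment that states that assumption, e.g. `// split() takes a regex: mapping tokens carry a doubled escape for '?', collapse it to one so '?' is matched literally`, and catching PatternSyntaxException here to log the offending token and return the empty value. Recompiling the pattern for every URL could also be avoided by compiling it once per KeyPair, if that type is under this module's control. getValue's signature and the start of its comment are outside the hunk.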
@@ -302,110 +295,89 @@ final class SearchEngineURLQueryExtractor extends Extract { private void findSearchQueries() { - int totalQueries = 0; + Collection sourceArtifacts = new ArrayList<>(); try { - //from blackboard_artifacts - Collection listArtifacts = currentCase.getSleuthkitCase().getMatchingArtifacts("WHERE (blackboard_artifacts.artifact_type_id = '" + ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID() //NON-NLS - + "' OR blackboard_artifacts.artifact_type_id = '" + ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID() + "') "); //List of every 'web_history' and 'bookmark' artifact NON-NLS - logger.log(Level.INFO, "Processing {0} blackboard artifacts.", listArtifacts.size()); //NON-NLS + //List of every 'web_history' and 'bookmark' + sourceArtifacts.addAll(tskCase.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); + sourceArtifacts.addAll(tskCase.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_WEB_HISTORY)); + } catch (TskCoreException tskCoreException) { + logger.log(Level.SEVERE, "Error getting TSK_WEB_BOOKMARK or TSK_WEB_HISTORY artifacts", tskCoreException); //NON-NLS + } + logger.log(Level.INFO, "Processing {0} blackboard artifacts.", sourceArtifacts.size()); //NON-NLS - for (BlackboardArtifact artifact : listArtifacts) { - if (context.dataSourceIngestIsCancelled()) { - break; //User cancelled the process. - } - - //initializing default attributes - String query = ""; - String searchEngineDomain = ""; - String browser = ""; - long last_accessed = -1; - - long fileId = artifact.getObjectID(); - boolean isFromSource = tskCase.isFileFromSource(dataSource, fileId); - if (!isFromSource) { - //File was from a different dataSource. Skipping. 
- continue; - } - - AbstractFile file = tskCase.getAbstractFileById(fileId); - if (file == null) { - continue; - } - - SearchEngineURLQueryExtractor.SearchEngine se = null; - //from blackboard_attributes - Collection listAttributes = currentCase.getSleuthkitCase().getMatchingAttributes("WHERE artifact_id = " + artifact.getArtifactID()); //NON-NLS - - for (BlackboardAttribute attribute : listAttributes) { - if (attribute.getAttributeType().getTypeID() == TSK_URL.getTypeID()) { - final String urlString = attribute.getValueString(); - se = getSearchEngineFromUrl(urlString); - if (se == null) { - break; - } - - query = extractSearchEngineQuery(se, attribute.getValueString()); - if (query.isEmpty()) //False positive match, artifact was not a query. NON-NLS - { - break; - } - - } else if (attribute.getAttributeType().getTypeID() == TSK_PROG_NAME.getTypeID()) { - browser = attribute.getValueString(); - } else if (attribute.getAttributeType().getTypeID() == TSK_DOMAIN.getTypeID()) { - searchEngineDomain = attribute.getValueString(); - } else if (attribute.getAttributeType().getTypeID() == TSK_DATETIME_ACCESSED.getTypeID()) { - last_accessed = attribute.getValueLong(); - } - } - - if (se != null && !query.isEmpty()) { //NON-NLS - // If date doesn't exist, change to 0 (instead of 1969) - if (last_accessed == -1) { - last_accessed = 0; - } - Collection bbattributes = Arrays.asList( - new BlackboardAttribute( - TSK_DOMAIN, PARENT_MODULE_NAME, - searchEngineDomain), - new BlackboardAttribute( - TSK_TEXT, PARENT_MODULE_NAME, - query), - new BlackboardAttribute( - TSK_PROG_NAME, PARENT_MODULE_NAME, - browser), - new BlackboardAttribute( - TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, - last_accessed)); - BlackboardArtifact bbart = file.newArtifact(TSK_WEB_SEARCH_QUERY); - bbart.addAttributes(bbattributes); - se.increment(); - ++totalQueries; - } - } - } catch (TskCoreException e) { - logger.log(Level.SEVERE, "Encountered error retrieving artifacts for search engine queries", e); 
//NON-NLS - } finally { + Collection queryArtifacts = new ArrayList<>(); + for (BlackboardArtifact sourceArtifact : sourceArtifacts) { if (context.dataSourceIngestIsCancelled()) { - logger.info("Operation terminated by user."); //NON-NLS + break; //User cancelled the process. + } + long fileId = sourceArtifact.getObjectID(); + try { + if (false == tskCase.isFileFromSource(dataSource, fileId)) { + continue; //File was from a different dataSource. Skipping. + } + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Encountered error determining if file " + fileId + "is from datasource " + dataSource.getId(), ex); //NON-NLS + continue; } - //TODO: should this be batched? Should it include the actual artifact(s)? - IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent( - NbBundle.getMessage(this.getClass(), "SearchEngineURLQueryAnalyzer.parentModuleName.noSpace"), - BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY)); - logger.log(Level.INFO, "Extracted {0} queries from the blackboard", totalQueries); //NON-NLS - } - } - private String getTotals() { - String total = ""; - if (engines == null) { - return total; + AbstractFile file; + try { + file = tskCase.getAbstractFileById(fileId); + if (file == null) { + logger.log(Level.WARNING, "There was no file for id {0}", fileId); //NON-NLS + continue; + } + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error getting file for id " + fileId, ex); //NON-NLS + continue; + } + + try { + final String urlString = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_URL)).getValueString(); + SearchEngine searchEngine = getSearchEngineFromUrl(urlString); + if (searchEngine == null) { //TODO: should we log this? + continue; + } + + String query = extractSearchEngineQuery(searchEngine, urlString); + if (query.isEmpty()) { //False positive match, artifact was not a query. 
+ continue; + } + + String browser = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_PROG_NAME)).getValueString(); + String searchEngineDomain = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_DOMAIN)).getValueString(); + long last_accessed = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_DATETIME_ACCESSED)).getValueLong(); + + Collection bbattributes = Arrays.asList( + new BlackboardAttribute( + TSK_DOMAIN, PARENT_MODULE_NAME, + searchEngineDomain), + new BlackboardAttribute( + TSK_TEXT, PARENT_MODULE_NAME, + query), + new BlackboardAttribute( + TSK_PROG_NAME, PARENT_MODULE_NAME, + browser), + new BlackboardAttribute( + TSK_DATETIME_ACCESSED, PARENT_MODULE_NAME, + last_accessed)); + + BlackboardArtifact bbart = file.newArtifact(TSK_WEB_SEARCH_QUERY); + bbart.addAttributes(bbattributes); + queryArtifacts.add(bbart); + searchEngine.increment(); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Encountered error creating search query artifacts.", ex); //NON-NLS + } } - for (SearchEngineURLQueryExtractor.SearchEngine se : engines) { - total += se.getEngineName() + " : " + se.getTotal() + "\n"; + + try { + blackboard.postArtifacts(queryArtifacts, PARENT_MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, "Encountered error posting search query artifacts.", ex); //NON-NLS } - return total; + + logger.log(Level.INFO, "Extracted {0} queries from the blackboard", queryArtifacts.size()); //NON-NLS } @Override 
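Review bot: The new `sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_URL)).getValueString()` and the three reads that follow for TSK_PROG_NAME, TSK_DOMAIN and TSK_DATETIME_ACCESSED dereference the result without a null check; `getAttribute` returns null when the artifact carries no attribute of that type, and the resulting NullPointerException is not a TskCoreException, so it escapes the surrounding `catch`, abandons the remaining artifacts, and the artifacts already created are never posted. The removed code treated each of these as optional (empty strings, and a missing access time mapped to 0), and bookmark artifacts in particular may not carry an access time, so this is a behaviour regression rather than a cleanup. Read the URL attribute into a local and `continue` when it is null, and fall back to the old defaults for the other three, as sketched below; `if (false == …)` in the data-source check would also read better as `if (!tskCase.isFileFromSource(dataSource, fileId))`.
```java
// … unchanged: data-source membership check and file lookup …
BlackboardAttribute urlAttribute = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_URL));
if (urlAttribute == null) {
    continue; // nothing to classify without a URL
}
final String urlString = urlAttribute.getValueString();
// … unchanged: search engine lookup and query extraction …
BlackboardAttribute progNameAttribute = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_PROG_NAME));
String browser = (progNameAttribute == null) ? "" : progNameAttribute.getValueString();
BlackboardAttribute domainAttribute = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_DOMAIN));
String searchEngineDomain = (domainAttribute == null) ? "" : domainAttribute.getValueString();
BlackboardAttribute accessedAttribute = sourceArtifact.getAttribute(new BlackboardAttribute.Type(TSK_DATETIME_ACCESSED));
long last_accessed = (accessedAttribute == null) ? 0 : accessedAttribute.getValueLong(); // no date recorded -> 0, as before
// … unchanged: artifact creation, increment and catch …
```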
@@ -413,13 +385,20 @@ final class SearchEngineURLQueryExtractor extends Extract {
 this.dataSource = dataSource;
 this.context = context;
 this.findSearchQueries();
- logger.log(Level.INFO, "Search Engine stats: \n{0}", getTotals()); //NON-NLS
+
+ String totals = "";
+ for (SearchEngine se : engines) {
+ totals += se.getEngineName() + " : " + se.getTotal() + "\n";
+ }
+ logger.log(Level.INFO, "Search Engine stats: \n{0}", totals); //NON-NLS
 }
 
 @Override
+
 void configExtractor() throws IngestModuleException {
 try {
- PlatformUtil.extractResourceToUserConfigDir(SearchEngineURLQueryExtractor.class, XMLFILE, true);
+ PlatformUtil.extractResourceToUserConfigDir(SearchEngineURLQueryExtractor.class,
+ XMLFILE, true);
 } catch (IOException e) {
 String message = Bundle.SearchEngineURLQueryAnalyzer_init_exception_msg(XMLFILE);
 logger.log(Level.SEVERE, message, e);
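Review bot: The inlined `for (SearchEngine se : engines) {` dereferences the static `engines` array, which stays null when loading the mapping file fails (the earlier hunk's `getSearchEngineFromUrl` still guards `if (engines == null)`), whereas the `getTotals()` it replaces returned an empty string in that case; the method this hunk belongs to, whose signature is outside the hunk, now ends with a NullPointerException after the queries have already been extracted. Guard the loop, e.g. `if (engines != null) { for (SearchEngine se : engines) { … } }`, or keep a null-safe helper. Building `totals` with `+=` in a loop is also the textbook case for a `StringBuilder`. The added blank `+` line between `@Override` and `void configExtractor()` separates the annotation from the method it annotates and looks unintentional.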