From e51e1697281dffdc52f810278c0a38ce8e8a66ec Mon Sep 17 00:00:00 2001 From: millmanorama Date: Thu, 28 Mar 2019 09:55:48 +0100 Subject: [PATCH 1/8] plaso module settings initial commit --- .../autopsy/modules/plaso/Bundle.properties | 3 + .../modules/plaso/PlasoModuleFactory.java | 65 ++++++++-- .../modules/plaso/PlasoModuleSettings.java | 50 ++++++++ .../plaso/PlasoModuleSettingsPanel.form | 84 +++++++++++++ .../plaso/PlasoModuleSettingsPanel.java | 116 ++++++++++++++++++ 5 files changed, 306 insertions(+), 12 deletions(-) create mode 100644 Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties create mode 100644 Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java create mode 100644 Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form create mode 100644 Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties new file mode 100644 index 0000000000..41fafe0295 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties @@ -0,0 +1,3 @@ +PlasoModuleSettingsPanel.jTextArea1.text=All plaso parsers except chrome_cache and the ones listed below are run. chrome_cache duplicates data collected by the RecentActivity module. The parsers below add significantly to the processing time and should only be enabled if the events they produce are needed. +PlasoModuleSettingsPanel.winRegCheckBox.text=winreg: Parser for Windows NT Registry (REGF) files. +PlasoModuleSettingsPanel.peCheckBox.text=pe: Parser for Portable Executable (PE) files. diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java index 9191569220..8b11a0f205 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java 
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2018 Basis Technology Corp. + * Copyright 2018-2019 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -22,20 +22,21 @@ import org.openide.util.NbBundle; import org.openide.util.lookup.ServiceProvider; import org.sleuthkit.autopsy.coreutils.Version; import org.sleuthkit.autopsy.ingest.DataSourceIngestModule; +import org.sleuthkit.autopsy.ingest.FileIngestModule; import org.sleuthkit.autopsy.ingest.IngestModuleFactory; -import org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter; +import org.sleuthkit.autopsy.ingest.IngestModuleGlobalSettingsPanel; import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings; +import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettingsPanel; /** - * An factory that creates data source ingest modules that runs plaso - * against an image and saves the storage file to module output. + * An factory that creates data source ingest modules that runs plaso against an + * image and saves the storage file to module output. */ @ServiceProvider(service = IngestModuleFactory.class) -public class PlasoModuleFactory extends IngestModuleFactoryAdapter { - @NbBundle.Messages({ - "PlasoModuleFactory_moduleName=Plaso" - }) +public class PlasoModuleFactory implements IngestModuleFactory { + + @NbBundle.Messages({"PlasoModuleFactory_moduleName=Plaso"}) static String getModuleName() { return Bundle.PlasoModuleFactory_moduleName(); } @@ -45,10 +46,7 @@ public class PlasoModuleFactory extends IngestModuleFactoryAdapter { return getModuleName(); } - @NbBundle.Messages({ - "PlasoModuleFactory_moduleDesc=Runs Plaso against a Data Source." - }) - + @NbBundle.Messages({"PlasoModuleFactory_moduleDesc=Runs Plaso against a Data Source."}) @Override public String getModuleDescription() { return Bundle.PlasoModuleFactory_moduleDesc(); 
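Review bot: Changing the class header from `extends IngestModuleFactoryAdapter` to `implements IngestModuleFactory` is what forces the later hunk (@@ -68,4 +66,47) to spell out hasGlobalSettingsPanel, getGlobalSettingsPanel, isFileIngestModuleFactory and createFileIngestModule with no-op or throwing bodies that the adapter presumably supplied as defaults. Keeping the adapter and overriding only getDefaultIngestJobSettings, hasIngestJobSettingsPanel and getIngestJobSettingsPanel would be shorter and would pick up future interface additions without touching this file. If the adapter was dropped deliberately, a one-line comment on the class such as `// Implements the interface directly so every factory method is explicit here.` would stop the next reader from reverting it.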
@@ -68,4 +66,47 @@ public class PlasoModuleFactory extends IngestModuleFactoryAdapter {
 public DataSourceIngestModule createDataSourceIngestModule(IngestModuleIngestJobSettings ingestOptions) {
 return new PlasoIngestModule();
 }
+
+ @Override
+ public boolean hasGlobalSettingsPanel() {
+ return false;
+ }
+
+ @Override
+ public IngestModuleGlobalSettingsPanel getGlobalSettingsPanel() {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public IngestModuleIngestJobSettings getDefaultIngestJobSettings() {
+ return new PlasoModuleSettings();
+ }
+
+ @Override
+ public boolean hasIngestJobSettingsPanel() {
+ return true;
+ }
+
+ @NbBundle.Messages({"PlasoModuleFactory.getIngestJobSettingsPanel.exception.msg=Expected settings argument to be instanceof PlasoModuleSettings"})
+ @Override
+ public IngestModuleIngestJobSettingsPanel getIngestJobSettingsPanel(IngestModuleIngestJobSettings settings) {
+ assert settings instanceof PlasoModuleSettings;
+ if (settings instanceof PlasoModuleSettings) {
+ return new PlasoModuleSettingsPanel((PlasoModuleSettings) settings);
+ } else {
+ throw new IllegalArgumentException(NbBundle.getMessage(PlasoModuleFactory.class,
+ "PlasoModuleFactory.getIngestJobSettingsPanel.exception.msg"));
+ }
+
+ }
+
+ @Override
+ public boolean isFileIngestModuleFactory() {
+ return false;
+ }
+
+ @Override
+ public FileIngestModule createFileIngestModule(IngestModuleIngestJobSettings settings) {
+ throw new UnsupportedOperationException();
+ }
 }
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java
new file mode 100644
index 0000000000..8fe0fa08e0
--- /dev/null
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java
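Review bot: In getIngestJobSettingsPanel the line `assert settings instanceof PlasoModuleSettings;` is redundant with the `instanceof` branch right below it and is a no-op unless the JVM runs with -ea, so the IllegalArgumentException is the only guard that actually fires; dropping the assert keeps behaviour identical and avoids two different failure modes for the same bad argument. The same assert-then-instanceof pattern is added to createDataSourceIngestModule in patch 2/8. The two `throw new UnsupportedOperationException();` statements in getGlobalSettingsPanel and createFileIngestModule carry no message, so a stack trace will not say why the call was invalid; `throw new UnsupportedOperationException("Plaso module has no global settings panel");` and a matching message for the file-ingest variant would help.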
@@ -0,0 +1,50 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2019 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.modules.plaso;
+
+import java.util.HashMap;
+import java.util.Map;
+import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings;
+
+/**
+ *
+ */
+public class PlasoModuleSettings implements IngestModuleIngestJobSettings {
+
+ private static final long serialVersionUID = 1L;
+
+ Map parsers = new HashMap<>();
+
+ public PlasoModuleSettings() {
+ }
+
+ /**
+ * Gets the serialization version number.
+ *
+ * @return A serialization version number.
+ */
+ @Override
+ public long getVersionNumber() {
+ return serialVersionUID;
+ }
+
+ void setParserEnabled(String parserName, boolean selected) {
+ parsers.put(parserName, selected);
+ }
+}
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form
new file mode 100644
index 0000000000..3f398c5069
--- /dev/null
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form
@@ -0,0 +1,84 @@
+ + +
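Review bot: The class Javadoc on PlasoModuleSettings is empty and the `parsers` field has no access modifier and is not final, even though this is the serialized per-job settings object (it declares serialVersionUID) that PlasoModuleSettingsPanel mutates through setParserEnabled. A one-line doc such as `/** Per-job settings for the Plaso ingest module: which log2timeline parsers are enabled. */` plus `private final` on the field would make that contract explicit; the map's type parameters appear to have been lost in rendering, so also confirm it is declared as `Map<String, Boolean>` rather than raw. setParserEnabled has no counterpart that reads a parser's state back, so nothing built on this class can restore previously saved choices into a UI.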
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java new file mode 100644 index 0000000000..3738a28e08 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java 
@@ -0,0 +1,116 @@ +/* + * Autopsy Forensic Browser + * + * Copyright 2019 Basis Technology Corp. + * Contact: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.modules.plaso; + +import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings; +import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettingsPanel; + +/** + * + * + */ +public class PlasoModuleSettingsPanel extends IngestModuleIngestJobSettingsPanel { + + private final PlasoModuleSettings settings; + + public PlasoModuleSettingsPanel(PlasoModuleSettings settings) { + this.settings = settings; + initComponents(); + } + + /** This method is called from within the constructor to initialize the + * form. WARNING: Do NOT modify this code. The content of this method is + * always regenerated by the Form Editor. 
+ */ + @SuppressWarnings("unchecked") + // //GEN-BEGIN:initComponents + private void initComponents() { + + winRegCheckBox = new javax.swing.JCheckBox(); + peCheckBox = new javax.swing.JCheckBox(); + jTextArea1 = new javax.swing.JTextArea(); + + org.openide.awt.Mnemonics.setLocalizedText(winRegCheckBox, org.openide.util.NbBundle.getMessage(PlasoModuleSettingsPanel.class, "PlasoModuleSettingsPanel.winRegCheckBox.text")); // NOI18N + winRegCheckBox.addActionListener(new java.awt.event.ActionListener() { + public void actionPerformed(java.awt.event.ActionEvent evt) { + winRegCheckBoxActionPerformed(evt); + } + }); + + org.openide.awt.Mnemonics.setLocalizedText(peCheckBox, org.openide.util.NbBundle.getMessage(PlasoModuleSettingsPanel.class, "PlasoModuleSettingsPanel.peCheckBox.text")); // NOI18N + peCheckBox.addActionListener(new java.awt.event.ActionListener() { + public void actionPerformed(java.awt.event.ActionEvent evt) { + peCheckBoxActionPerformed(evt); + } + }); + + jTextArea1.setEditable(false); + jTextArea1.setBackground(new java.awt.Color(240, 240, 240)); + jTextArea1.setColumns(20); + jTextArea1.setLineWrap(true); + jTextArea1.setRows(5); + jTextArea1.setText(org.openide.util.NbBundle.getMessage(PlasoModuleSettingsPanel.class, "PlasoModuleSettingsPanel.jTextArea1.text")); // NOI18N + jTextArea1.setWrapStyleWord(true); + jTextArea1.setBorder(null); + + javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this); + this.setLayout(layout); + layout.setHorizontalGroup( + layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addGroup(layout.createSequentialGroup() + .addContainerGap() + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addComponent(jTextArea1) + .addComponent(peCheckBox) + .addComponent(winRegCheckBox)) + .addContainerGap()) + ); + layout.setVerticalGroup( + layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) + .addGroup(layout.createSequentialGroup() + 
.addContainerGap() + .addComponent(jTextArea1, javax.swing.GroupLayout.DEFAULT_SIZE, 117, Short.MAX_VALUE) + .addGap(18, 18, 18) + .addComponent(winRegCheckBox) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) + .addComponent(peCheckBox) + .addContainerGap()) + ); + }// //GEN-END:initComponents + + private void winRegCheckBoxActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_winRegCheckBoxActionPerformed + settings.setParserEnabled("winreg", winRegCheckBox.isSelected()); + }//GEN-LAST:event_winRegCheckBoxActionPerformed + + private void peCheckBoxActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_peCheckBoxActionPerformed + settings.setParserEnabled("pe", peCheckBox.isSelected()); + }//GEN-LAST:event_peCheckBoxActionPerformed + + @Override + public IngestModuleIngestJobSettings getSettings() { + return settings; + } + + + // Variables declaration - do not modify//GEN-BEGIN:variables + private javax.swing.JTextArea jTextArea1; + private javax.swing.JCheckBox peCheckBox; + private javax.swing.JCheckBox winRegCheckBox; + // End of variables declaration//GEN-END:variables +} From c606b25b1d0659f6be744baeaaeff269eaea0494 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Thu, 28 Mar 2019 16:47:10 +0100 Subject: [PATCH 2/8] disable winreg, pe, firefox, chrome and MSIE, modules by default. user can reenable winreg and pe --- .../modules/plaso/Bundle.properties-MERGED | 4 ++ .../modules/plaso/PlasoIngestModule.java | 37 +++++++++++-------- .../modules/plaso/PlasoModuleFactory.java | 18 ++++----- .../modules/plaso/PlasoModuleSettings.java | 28 +++++++++++++- .../recentactivity/Bundle.properties-MERGED | 1 + 5 files changed, 63 insertions(+), 25 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED index 343f36aabc..8cfcc87f63 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED 
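Review bot: The constructor stores `settings` and calls initComponents(), but nothing copies the enabled state out of `settings` into winRegCheckBox and peCheckBox, so a panel built from previously saved settings shows both boxes unchecked while getSettings() still returns the saved values; the panel and the object it edits disagree until the user clicks. PlasoModuleSettings (earlier in this patch) only exposes setParserEnabled, so a read accessor on it is needed (an isParserEnabled(String) method, name to be chosen), after which the constructor should call `winRegCheckBox.setSelected(...)` and `peCheckBox.setSelected(...)` from those values once initComponents() has run. The class Javadoc is also empty; `/** Ingest-job settings panel for the Plaso module: lets the user enable the winreg and pe parsers. */` would do.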
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED @@ -20,5 +20,9 @@ PlasoIngestModule_psort_executable_not_found=psort Executable Not Found PlasoIngestModule_running_log2timeline=Running Log2timeline PlasoIngestModule_running_psort=Running Psort PlasoIngestModule_startUp_message=Starting Plaso Run. +PlasoModuleFactory.ingestJobSettings.exception.msg=Expected settings argument to be instanceof PlasoModuleSettings PlasoModuleFactory_moduleDesc=Runs Plaso against a Data Source. PlasoModuleFactory_moduleName=Plaso +PlasoModuleSettingsPanel.jTextArea1.text=All plaso parsers except chrome_cache and the ones listed below are run. chrome_cache duplicates data collected by the RecentActivity module. The parsers below add significantly to the processing time and should only be enabled if the events they produce are needed. +PlasoModuleSettingsPanel.winRegCheckBox.text=winreg: Parser for Windows NT Registry (REGF) files. +PlasoModuleSettingsPanel.peCheckBox.text=pe: Parser for Portable Executable (PE) files. diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java index 79c8093670..191174c9f3 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java @@ -28,6 +28,8 @@ import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Level; +import java.util.stream.Collectors; +import javax.swing.JOptionPane; import org.openide.modules.InstalledFileLocator; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.Case; 
@@ -79,8 +81,10 @@ public class PlasoIngestModule implements DataSourceIngestModule { private File psortExecutable; private Image image; private AbstractFile previousFile = null; // cache used when looking up files in Autopsy DB + private final PlasoModuleSettings settings; - PlasoIngestModule() { + PlasoIngestModule(PlasoModuleSettings settings) { + this.settings = settings; } @NbBundle.Messages({ @@ -156,7 +160,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running_log2timeline()); return ProcessResult.OK; } - + // sort the output statusHelper.progress(Bundle.PlasoIngestModule_running_psort(), 33); ExecUtil.execute(psortCommand, new DataSourceIngestModuleProcessTerminator(context)); @@ -171,7 +175,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running_psort()); return ProcessResult.OK; } - + // parse the output and make artifacts createPlasoArtifacts(plasoFile.getAbsolutePath(), statusHelper); 
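Review bot: The new constructor `PlasoIngestModule(PlasoModuleSettings settings)` assigns the argument without a null check, so a null settings object only fails later inside buildLog2TimeLineCommand when settings.getParsers() is called (next hunk), far from the cause. `this.settings = Objects.requireNonNull(settings, "settings");` fails at construction with a clear message; java.util.Objects would need to be imported.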
@@ -188,23 +192,26 @@ public class PlasoIngestModule implements DataSourceIngestModule { private ProcessBuilder buildLog2TimeLineCommand(File log2TimeLineExecutable, String moduleOutputPath, String imageName, String timeZone) { + String parsersString = settings.getParsers().entrySet().stream() + .filter(entry -> entry.getValue() == false) + .map(entry -> "!" + entry.getKey()) + .collect(Collectors.joining(",", "\"", "\"")); + new JOptionPane(parsersString).setVisible(true); List commandLine = Arrays.asList( "\"" + log2TimeLineExecutable + "\"", //NON-NLS - "--vss-stores", //NON-NLS - "all", //NON-NLS - "-z", - timeZone, - "--partitions", - "all", - "--hasher_file_size_limit", - "1", - "--hashers", - "none", + "--vss-stores", "all", //NON-NLS + "-d", + "-z", timeZone, + "--partitions", "all", + "--hasher_file_size_limit", "1", + "--hashers", "none", + "--parsers", parsersString, "--no_dependencies_check", moduleOutputPath + File.separator + PLASO, imageName ); + System.out.println(commandLine); ProcessBuilder processBuilder = new ProcessBuilder(commandLine); /* * Add an environment variable to force log2timeline to run with the @@ -280,7 +287,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString); //NON-NLS ResultSet resultSet = tempdbconnect.executeQry(sqlStatement)) { - + while (resultSet.next()) { if (context.dataSourceIngestIsCancelled()) { logger.log(Level.INFO, Bundle.PlasoIngestModule_create_artifacts_cancelled()); //NON-NLS 
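Review bot: The `--parsers` value is built with `Collectors.joining(",", "\"", "\"")`, which embeds literal double-quote characters in a single argv element; on Windows ProcessBuilder passes an argument that starts and ends with a quote through unchanged and the target's argv parser strips them (presumably why the executable path is quoted the same way), but on any other platform log2timeline receives the quotes as part of the filter, and since parser names contain no spaces the quoting buys nothing either way. Patch 4/8 keeps the same construct as `"--parsers", "\"" + parsersString + "\""`. The hunk also commits debug code: `new JOptionPane(parsersString).setVisible(true)` (a JOptionPane on its own is a component, not a dialog, so this shows nothing and drags Swing into an ingest module running off the event thread), `System.out.println(commandLine)` instead of the module's logger, and the `-d` debug flag on the command line; patches 3/8 and 4/8 remove them. `entry.getValue() == false` unboxes a Boolean and would throw on a null value; `!entry.getValue()` reads more clearly and `Boolean.FALSE.equals(entry.getValue())` is null-safe.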
@@ -305,7 +312,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { logger.log(Level.INFO, "File from Plaso output not found. Associating with data source instead: {0}", resultSet.getString("filename")); resolvedFile = image; } - + long eventType = findEventSubtype(resultSet.getString("source"), resultSet.getString("filename"), resultSet.getString("type"), resultSet.getString("description"), resultSet.getString("sourcetype")); Collection bbattributes = Arrays.asList( new BlackboardAttribute( diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java index 8b11a0f205..4e082a0e6e 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleFactory.java @@ -29,11 +29,11 @@ import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings; import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettingsPanel; /** - * An factory that creates data source ingest modules that runs plaso against an + * A factory that creates data source ingest modules that run Plaso against an * image and saves the storage file to module output. */ @ServiceProvider(service = IngestModuleFactory.class) - +@NbBundle.Messages({"PlasoModuleFactory.ingestJobSettings.exception.msg=Expected settings argument to be instanceof PlasoModuleSettings"}) public class PlasoModuleFactory implements IngestModuleFactory { @NbBundle.Messages({"PlasoModuleFactory_moduleName=Plaso"}) 
@@ -63,8 +63,12 @@ public class PlasoModuleFactory implements IngestModuleFactory {
 }
 
 @Override
- public DataSourceIngestModule createDataSourceIngestModule(IngestModuleIngestJobSettings ingestOptions) {
- return new PlasoIngestModule();
+ public DataSourceIngestModule createDataSourceIngestModule(IngestModuleIngestJobSettings settings) {
+ assert settings instanceof PlasoModuleSettings;
+ if (settings instanceof PlasoModuleSettings) {
+ return new PlasoIngestModule((PlasoModuleSettings) settings);
+ }
+ throw new IllegalArgumentException(Bundle.PlasoModuleFactory_ingestJobSettings_exception_msg());
 }
 
 @Override
@@ -87,17 +91,13 @@ public class PlasoModuleFactory implements IngestModuleFactory {
 return true;
 }
 
- @NbBundle.Messages({"PlasoModuleFactory.getIngestJobSettingsPanel.exception.msg=Expected settings argument to be instanceof PlasoModuleSettings"})
 @Override
 public IngestModuleIngestJobSettingsPanel getIngestJobSettingsPanel(IngestModuleIngestJobSettings settings) {
 assert settings instanceof PlasoModuleSettings;
 if (settings instanceof PlasoModuleSettings) {
 return new PlasoModuleSettingsPanel((PlasoModuleSettings) settings);
- } else {
- throw new IllegalArgumentException(NbBundle.getMessage(PlasoModuleFactory.class,
- "PlasoModuleFactory.getIngestJobSettingsPanel.exception.msg"));
 }
-
+ throw new IllegalArgumentException(Bundle.PlasoModuleFactory_ingestJobSettings_exception_msg());
 }
 
 @Override
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java
index 8fe0fa08e0..8071746b87 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java
@@ -18,20 +18,46 @@
 */
 package org.sleuthkit.autopsy.modules.plaso;
 
+import com.google.common.collect.ImmutableMap;
 import java.util.HashMap;
 import java.util.Map;
 import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings;
 
 /**
- *
+ * Settings for the Plaso Ingest Module.
 */
 public class PlasoModuleSettings implements IngestModuleIngestJobSettings {
 
 private static final long serialVersionUID = 1L;
 
+ /** Map from parser name (or match pattern) to its enabled state.
+ *
+ */
 Map parsers = new HashMap<>();
 
+ Map getParsers() {
+ return ImmutableMap.copyOf(parsers);
+ }
+
 public PlasoModuleSettings() {
+ parsers.put("winreg", Boolean.FALSE);
+ parsers.put("pe", Boolean.FALSE);
+
+ parsers.put("chrome_preferences", Boolean.FALSE);
+ parsers.put("chrome_cache", Boolean.FALSE);
+ parsers.put("chrome_27_history", Boolean.FALSE);
+ parsers.put("chrome_8_history", Boolean.FALSE);
+ parsers.put("chrome_cookies", Boolean.FALSE);
+ parsers.put("chrome_extension_activity", Boolean.FALSE);
+
+ parsers.put("firefox_cache", Boolean.FALSE);
+ parsers.put("firefox_cache2", Boolean.FALSE);
+ parsers.put("firefox_cookies", Boolean.FALSE);
+ parsers.put("firefox_downloads", Boolean.FALSE);
+ parsers.put("firefox_history", Boolean.FALSE);
+
+ parsers.put("msiecf", Boolean.FALSE);
+ parsers.put("msie_webcache", Boolean.FALSE);
 }
 
 /**
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
index 6d0cee851a..fdfc6a4863 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
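Review bot: The constructor now disables winreg, pe, six chrome_* parsers, five firefox_* parsers, msiecf and msie_webcache by default, but the user-facing text in Bundle.properties-MERGED (first hunk of this patch) still says "All plaso parsers except chrome_cache and the ones listed below are run" and the panel lists only winreg and pe, so the UI misstates what actually runs; the text should say that the Chrome, Firefox and Internet Explorer parsers are also left off, presumably because RecentActivity already covers those artifacts. A comment on the constructor naming that reason, e.g. `// Browser parsers are off by default: RecentActivity already extracts this data and Plaso's copies duplicate it.`, would keep the list and the rationale together. The Javadoc on `parsers` mentions "(or match pattern)"; if patterns are really accepted, say how they reach log2timeline, otherwise drop the parenthetical. The defensive ImmutableMap.copyOf in getParsers is good, but the field itself stays package-private and mutable until patch 3/8 makes it final.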
@@ -21,6 +21,7 @@ ExtractIE.getBookmark.errMsg.errPostingBookmarks=Error posting Internet Explorer ExtractIE.getCookie.errMsg.errPostingCookies=Error posting Internet Explorer Cookie artifacts. ExtractIE.getCookie.errMsg.errPostingCookiess=Error posting Internet Explorer Cookie artifacts. ExtractIE.getHistory.errMsg.errPostingHistory=Error posting Internet Explorer History artifacts. +ExtractIE.parentModuleName.noSpace=RecentActivity #{0} - the module name Extractor.errPostingArtifacts=Error posting {0} artifacts to the blackboard. ExtractOs.androidOs.label=Android From b8757321db68438a9d97285044bfbc8126868fb4 Mon Sep 17 00:00:00 2001 From: millmanorama Date: Fri, 29 Mar 2019 13:03:21 +0100 Subject: [PATCH 3/8] minor cleanup --- .../modules/plaso/PlasoIngestModule.java | 22 +++++------- .../modules/plaso/PlasoModuleSettings.java | 36 +++++++++---------- 2 files changed, 27 insertions(+), 31 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java index 191174c9f3..09bf726cd7 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2018 Basis Technology Corp. + * Copyright 2018-2019 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -29,7 +29,6 @@ import java.util.Collection; import java.util.List; import java.util.logging.Level; import java.util.stream.Collectors; -import javax.swing.JOptionPane; import org.openide.modules.InstalledFileLocator; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.Case; 
@@ -131,8 +130,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { } image = (Image) dataSource; - String currentTime = TimeUtilities.epochToTime(System.currentTimeMillis() / 1000); - currentTime = currentTime.replaceAll(":", "-"); + String currentTime = TimeUtilities.epochToTime(System.currentTimeMillis() / 1000) .replaceAll(":", "-"); String moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), PLASO, currentTime).toString(); File directory = new File(String.valueOf(moduleOutputPath)); if (!directory.exists()) { @@ -196,11 +194,11 @@ public class PlasoIngestModule implements DataSourceIngestModule { .filter(entry -> entry.getValue() == false) .map(entry -> "!" + entry.getKey()) .collect(Collectors.joining(",", "\"", "\"")); - new JOptionPane(parsersString).setVisible(true); + List commandLine = Arrays.asList( "\"" + log2TimeLineExecutable + "\"", //NON-NLS "--vss-stores", "all", //NON-NLS - "-d", + "-d", //TODO: remove after debugging "-z", timeZone, "--partitions", "all", "--hasher_file_size_limit", "1", @@ -211,7 +209,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { imageName ); - System.out.println(commandLine); + System.out.println(commandLine); //TODO: remove when done debugging ProcessBuilder processBuilder = new ProcessBuilder(commandLine); /* * Add an environment variable to force log2timeline to run with the @@ -295,12 +293,10 @@ public class PlasoIngestModule implements DataSourceIngestModule { return; } - // lots of bad dates - if (resultSet.getString("sourcetype").equals("PE Import Time")) { - continue; - } // bad dates and duplicates with what we have. - // TODO: merge results somehow - else if (resultSet.getString("source").equals("WEBHIST")) { + if ( // lots of bad dates + "PE Import Time".equalsIgnoreCase(resultSet.getString("sourcetype")) + // bad dates and duplicates with what we have. // TODO: merge results somehow + || "WEBHIST".equalsIgnoreCase(resultSet.getString("source"))) { continue; } 
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java index 8071746b87..eb377e95c9 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettings.java 
@@ -30,34 +30,34 @@ public class PlasoModuleSettings implements IngestModuleIngestJobSettings {
 
 private static final long serialVersionUID = 1L;
 
- /** Map from parser name (or match pattern) to its enabled state.
- *
+ /**
+ * Map from parser name (or match pattern) to its enabled state.
 */
- Map parsers = new HashMap<>();
+ final Map parsers = new HashMap<>();
 
 Map getParsers() {
 return ImmutableMap.copyOf(parsers);
 }
 
 public PlasoModuleSettings() {
- parsers.put("winreg", Boolean.FALSE);
- parsers.put("pe", Boolean.FALSE);
+ parsers.put("winreg", false);
+ parsers.put("pe", false);
 
- parsers.put("chrome_preferences", Boolean.FALSE);
- parsers.put("chrome_cache", Boolean.FALSE);
- parsers.put("chrome_27_history", Boolean.FALSE);
- parsers.put("chrome_8_history", Boolean.FALSE);
- parsers.put("chrome_cookies", Boolean.FALSE);
- parsers.put("chrome_extension_activity", Boolean.FALSE);
+ parsers.put("chrome_preferences", false);
+ parsers.put("chrome_cache", false);
+ parsers.put("chrome_27_history", false);
+ parsers.put("chrome_8_history", false);
+ parsers.put("chrome_cookies", false);
+ parsers.put("chrome_extension_activity", false);
 
- parsers.put("firefox_cache", Boolean.FALSE);
- parsers.put("firefox_cache2", Boolean.FALSE);
- parsers.put("firefox_cookies", Boolean.FALSE);
- parsers.put("firefox_downloads", Boolean.FALSE);
- parsers.put("firefox_history", Boolean.FALSE);
+ parsers.put("firefox_cache", false);
+ parsers.put("firefox_cache2", false);
+ parsers.put("firefox_cookies", false);
+ parsers.put("firefox_downloads", false);
+ parsers.put("firefox_history", false);
 
- parsers.put("msiecf", Boolean.FALSE);
- parsers.put("msie_webcache", Boolean.FALSE);
+ parsers.put("msiecf", false);
+ parsers.put("msie_webcache", false);
 }
 
 /**
From 388e92b9912dc7c448ab19147ff886526bccb06b Mon Sep 17 00:00:00 2001
From: millmanorama Date: Fri, 29 Mar 2019 13:50:27 +0100 Subject: [PATCH 4/8] cleanup remove unneeded code to filter out WEBHIST and PE events --- .../modules/plaso/PlasoIngestModule.java | 116 +++++++++--------- 1 file changed, 59 insertions(+), 57 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java index 09bf726cd7..3b96421371 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java @@ -25,10 +25,12 @@ import java.nio.file.Paths; import java.sql.ResultSet; import java.sql.SQLException; import java.util.Arrays; +import static java.util.Arrays.asList; import java.util.Collection; import java.util.List; import java.util.logging.Level; import java.util.stream.Collectors; +import org.apache.commons.lang3.StringUtils; import org.openide.modules.InstalledFileLocator; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.Case; 
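Review bot: The import hunk adds `import static java.util.Arrays.asList;` while keeping `import java.util.Arrays;`, so the file now spells the same call two ways (`Arrays.asList(` still appears in context lines of createPlasoArtifacts in patch 2/8 unless a hunk not shown rewrites it); pick one form, and the project's convention of static-importing only constants and assertions argues for `Arrays.asList`. `org.apache.commons.lang3.StringUtils` is imported here but not used in any hunk on this page, and the same goes for the `COOKIE = "cookie"` constant added in the next hunk — confirm both are used elsewhere in the file or drop them.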
@@ -65,11 +67,13 @@ public class PlasoIngestModule implements DataSourceIngestModule { private static final Logger logger = Logger.getLogger(PlasoIngestModule.class.getName()); private static final String MODULE_NAME = PlasoModuleFactory.getModuleName(); - private static final String PLASO = "plaso"; - private static final String PLASO64 = "plaso//plaso-20180818-amd64"; - private static final String PLASO32 = "plaso//plaso-20180818-win32"; - private static final String LOG2TIMELINE_EXECUTABLE = "Log2timeline.exe"; - private static final String PSORT_EXECUTABLE = "psort.exe"; + private static final String PLASO = "plaso"; //NON-NLS + private static final String PLASO64 = "plaso//plaso-20180818-amd64";//NON-NLS + private static final String PLASO32 = "plaso//plaso-20180818-win32";//NON-NLS + private static final String LOG2TIMELINE_EXECUTABLE = "Log2timeline.exe";//NON-NLS + private static final String PSORT_EXECUTABLE = "psort.exe";//NON-NLS + + private static final String COOKIE = "cookie"; private final Case currentCase = Case.getCurrentCase(); private final FileManager fileManager = currentCase.getServices().getFileManager(); @@ -130,7 +134,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { } image = (Image) dataSource; - String currentTime = TimeUtilities.epochToTime(System.currentTimeMillis() / 1000) .replaceAll(":", "-"); + String currentTime = TimeUtilities.epochToTime(System.currentTimeMillis() / 1000).replaceAll(":", "-");//NON-NLS String moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), PLASO, currentTime).toString(); File directory = new File(String.valueOf(moduleOutputPath)); if (!directory.exists()) { 
@@ -167,9 +171,9 @@ public class PlasoIngestModule implements DataSourceIngestModule { MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_psort_cancelled()); return ProcessResult.OK; } - plasoFile = new File(moduleOutputPath + File.separator + "plasodb.db3"); + plasoFile = new File(moduleOutputPath + File.separator + "plasodb.db3");//NON-NLS if (!plasoFile.exists()) { - logger.log(Level.INFO, Bundle.PlasoIngestModule_error_running_psort()); //NON-NLS + logger.log(Level.INFO, Bundle.PlasoIngestModule_error_running_psort()); //NON-NLS MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running_psort()); return ProcessResult.OK; } @@ -178,7 +182,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { createPlasoArtifacts(plasoFile.getAbsolutePath(), statusHelper); } catch (IOException ex) { - logger.log(Level.SEVERE, Bundle.PlasoIngestModule_error_running(), ex); + logger.log(Level.SEVERE, Bundle.PlasoIngestModule_error_running(), ex);//NON-NLS MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running()); return ProcessResult.ERROR; } 
@@ -192,31 +196,27 @@ public class PlasoIngestModule implements DataSourceIngestModule { String parsersString = settings.getParsers().entrySet().stream() .filter(entry -> entry.getValue() == false) - .map(entry -> "!" + entry.getKey()) - .collect(Collectors.joining(",", "\"", "\"")); + .map(entry -> "!" + entry.getKey())//NON-NLS + .collect(Collectors.joining(","));//NON-NLS - List commandLine = Arrays.asList( - "\"" + log2TimeLineExecutable + "\"", //NON-NLS + ProcessBuilder processBuilder = new ProcessBuilder(asList( + "\"" + log2TimeLineExecutable + "\"", //NON-NLS "--vss-stores", "all", //NON-NLS - "-d", //TODO: remove after debugging - "-z", timeZone, - "--partitions", "all", - "--hasher_file_size_limit", "1", - "--hashers", "none", - "--parsers", parsersString, - "--no_dependencies_check", + "-z", timeZone,//NON-NLS + "--partitions", "all",//NON-NLS + "--hasher_file_size_limit", "1",//NON-NLS + "--hashers", "none",//NON-NLS + "--parsers", "\"" + parsersString + "\"",//NON-NLS + "--no_dependencies_check",//NON-NLS moduleOutputPath + File.separator + PLASO, imageName - ); - - System.out.println(commandLine); //TODO: remove when done debugging - ProcessBuilder processBuilder = new ProcessBuilder(commandLine); + )); /* * Add an environment variable to force log2timeline to run with the * same permissions Autopsy uses. */ processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS - processBuilder.redirectOutput(new File(moduleOutputPath + File.separator + "log2timeline_output.txt")); + processBuilder.redirectOutput(new File(moduleOutputPath + File.separator + "log2timeline_output.txt"));//NON-NLS processBuilder.redirectError(new File(moduleOutputPath + File.separator + "log2timeline_err.txt")); //NON-NLS return processBuilder; 
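Review bot: The arguments are still wrapped in literal double quotes, `"\"" + log2TimeLineExecutable + "\""` and `"--parsers", "\"" + parsersString + "\""`, even though each element of the list handed to `ProcessBuilder` is already passed to the child as one argument; on Windows the JDK quotes arguments containing spaces itself, so the manual quoting is redundant and, in my reading, more brittle than letting the runtime do it. The same pattern is in buildPsortCommand in the next hunk. Separately, when no entry in `settings.getParsers()` is false, `parsersString` is empty and `--parsers ""` is sent; whether plaso treats that as "all parsers" is not visible here, so a comment such as `// parsersString is empty when every parser is enabled; log2timeline is then expected to run its default set — TODO confirm` would record the assumption. The method's signature and closing brace are outside the hunk.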
@@ -224,15 +224,13 @@ public class PlasoIngestModule implements DataSourceIngestModule { private ProcessBuilder buildPsortCommand(File psortExecutable, String moduleOutputPath) { - List commandLine = Arrays.asList( + //NON-NLS + ProcessBuilder processBuilder = new ProcessBuilder(asList( "\"" + psortExecutable + "\"", //NON-NLS - "-o", //NON-NLS - "4n6time_sqlite", //NON-NLS - "-w", - moduleOutputPath + File.separator + "plasodb.db3", - moduleOutputPath + File.separator + PLASO); - - ProcessBuilder processBuilder = new ProcessBuilder(commandLine); + "-o", "4n6time_sqlite", //NON-NLS + "-w", moduleOutputPath + File.separator + "plasodb.db3",//NON-NLS + moduleOutputPath + File.separator + PLASO + )); /* * Add an environment variable to force psort to run with the same * permissions Autopsy uses. @@ -280,8 +278,13 @@ public class PlasoIngestModule implements DataSourceIngestModule { SleuthkitCase sleuthkitCase = Case.getCurrentCase().getSleuthkitCase(); blackboard = sleuthkitCase.getBlackboard(); String connectionString = "jdbc:sqlite:" + plasoDb; //NON-NLS - String sqlStatement = "select substr(filename,1) filename, strftime('%s', datetime) 'epoch_date', description, source, type, sourcetype \n" - + " from log2timeline where source not in ('FILE') and sourcetype not in ('UNKNOWN');"; + String sqlStatement = "SELECT substr(filename,1) AS filename, " + + " strftime('%s', datetime) AS epoch_date, " + + " description, " + + " source, " + + " sourcetype, " + + " type " + + " FROM log2timeline WHERE source NOT IN ('FILE') AND sourcetype NOT IN ('UNKNOWN');";//NON-NLS try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", connectionString); //NON-NLS ResultSet resultSet = tempdbconnect.executeQry(sqlStatement)) { 
@@ -293,30 +296,26 @@ public class PlasoIngestModule implements DataSourceIngestModule { return; } - if ( // lots of bad dates - "PE Import Time".equalsIgnoreCase(resultSet.getString("sourcetype")) - // bad dates and duplicates with what we have. // TODO: merge results somehow - || "WEBHIST".equalsIgnoreCase(resultSet.getString("source"))) { - continue; - } + String currentFileName = resultSet.getString("filename"); //NON-NLS + statusHelper.progress("Adding events to case: " + currentFileName, 66); - String currentFile = resultSet.getString("filename"); - statusHelper.progress("Adding events to case: " + currentFile, 66); - - Content resolvedFile = getAbstractFile(currentFile); + Content resolvedFile = getAbstractFile(currentFileName); if (resolvedFile == null) { - logger.log(Level.INFO, "File from Plaso output not found. Associating with data source instead: {0}", resultSet.getString("filename")); + logger.log(Level.INFO, "File from Plaso output not found. Associating with data source instead: {0}", currentFileName);//NON-NLS resolvedFile = image; } - long eventType = findEventSubtype(resultSet.getString("source"), resultSet.getString("filename"), resultSet.getString("type"), resultSet.getString("description"), resultSet.getString("sourcetype")); + long eventType = findEventSubtype(resultSet.getString("source"), + currentFileName, resultSet.getString("type"), + resultSet.getString("sourcetype"));//NON-NLS + Collection bbattributes = Arrays.asList( new BlackboardAttribute( ATTRIBUTE_TYPE.TSK_DATETIME, MODULE_NAME, - resultSet.getLong("epoch_date")), + resultSet.getLong("epoch_date")),//NON-NLS new BlackboardAttribute( ATTRIBUTE_TYPE.TSK_DESCRIPTION, MODULE_NAME, - resultSet.getString("description")), + resultSet.getString("description")),//NON-NLS new BlackboardAttribute( ATTRIBUTE_TYPE.TSK_TL_EVENT_TYPE, MODULE_NAME, eventType)); 
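Review bot: The `continue` that skipped rows with sourcetype `PE Import Time` or source `WEBHIST` is removed here, but the query introduced in the earlier hunk (`WHERE source NOT IN ('FILE') AND sourcetype NOT IN ('UNKNOWN')`) does not exclude them, so with this commit those rows now become TSK_TL_EVENT artifacts that the old code deliberately dropped as bad dates and duplicates. If the intent is to push the filter into SQL, the WHERE clause needs `source NOT IN ('FILE', 'WEBHIST') AND sourcetype NOT IN ('UNKNOWN', 'PE Import Time')`; otherwise the skip should stay in the loop. The progress text `"Adding events to case: " + currentFileName` is also a user-facing string built outside NbBundle, unlike the other messages in this class. The enclosing loop starts and ends outside the hunk.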
@@ -349,9 +348,9 @@ public class PlasoIngestModule implements DataSourceIngestModule { Path path = Paths.get(file); String fileName = path.getFileName().toString(); - String filePath = path.getParent().toString().replaceAll("\\\\", "/"); - if (filePath.endsWith("/") == false) { - filePath += "/"; + String filePath = path.getParent().toString().replaceAll("\\\\", "/");//NON-NLS + if (filePath.endsWith("/") == false) {//NON-NLS + filePath += "/";//NON-NLS } // check the cached file @@ -380,19 +379,22 @@ public class PlasoIngestModule implements DataSourceIngestModule { return null; } - private long findEventSubtype(String plasoSource, String fileName, String plasoType, String plasoDescription, String sourceType) { + private long findEventSubtype(String plasoSource, String plasoFileName, String plasoType, String plasoSourceType) { - if (plasoSource.matches("WEBHIST")) { - if (fileName.toLowerCase().contains("cookie") || plasoType.toLowerCase().contains("cookie") || plasoDescription.toLowerCase().contains("cookie")) { + if (plasoSource.matches("WEBHIST")) {//NON-NLS + if (plasoFileName.toLowerCase().contains(COOKIE) + || plasoType.toLowerCase().contains(COOKIE)) { return EventType.WEB_COOKIE.getTypeID(); } return EventType.WEB_HISTORY.getTypeID(); } - if (plasoSource.matches("EVT") || plasoSource.matches("LOG")) { + if (plasoSource.matches("EVT") || plasoSource.matches("LOG")) {//NON-NLS return EventType.LOG_ENTRY.getTypeID(); } if (plasoSource.matches("REG")) { - if (sourceType.toLowerCase().matches("unknown : usb entries") || sourceType.toLowerCase().matches("unknown : usbstor entries")) { + String plasoSourceTypeLower = plasoSourceType.toLowerCase(); + if (plasoSourceTypeLower.matches("unknown : usb entries")//NON-NLS + || plasoSourceTypeLower.matches("unknown : usbstor entries")) {//NON-NLS return EventType.DEVICES_ATTACHED.getTypeID(); } return EventType.REGISTRY.getTypeID(); From bfd45897043513ae0e79a6151c5aec2986ae8556 Mon Sep 17 00:00:00 2001 
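Review bot: The new comparisons `plasoSourceTypeLower.matches("unknown : usb entries")` and `.matches("unknown : usbstor entries")` use `String.matches`, which compiles and evaluates a regular expression on every row; the literals are plain text, so `equals` states the intent and avoids the per-call regex cost (the pre-existing `plasoSource.matches("WEBHIST")` checks have the same issue). `toLowerCase()` without a locale is also locale-sensitive; `toLowerCase(Locale.ROOT)` is presumably what is wanted for these fixed protocol strings. The end of findEventSubtype is outside the hunk.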
From: millmanorama Date: Mon, 15 Apr 2019 14:05:11 +0200 Subject: [PATCH 5/8] refactor PlasoIngestModule --- .../modules/plaso/PlasoIngestModule.java | 179 ++++++++---------- .../autopsy/timeline/utils/FilterUtils.java | 2 +- 2 files changed, 82 insertions(+), 99 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java index e68d406d92..1d9b3b78db 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java @@ -21,6 +21,7 @@ package org.sleuthkit.autopsy.modules.plaso; import java.io.BufferedReader; import java.io.BufferedWriter; import java.io.File; +import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStreamReader; import java.nio.file.Files; @@ -32,6 +33,7 @@ import java.text.SimpleDateFormat; import java.util.Arrays; import java.util.Collection; import java.util.List; +import static java.util.Objects.nonNull; import java.util.logging.Level; import java.util.stream.Collectors; import org.openide.modules.InstalledFileLocator; 
@@ -73,61 +75,55 @@ public class PlasoIngestModule implements DataSourceIngestModule { private static final String MODULE_NAME = PlasoModuleFactory.getModuleName(); private static final String PLASO = "plaso"; //NON-NLS - private static final String PLASO64 = "plaso//plaso-20180818-amd64";//NON-NLS - private static final String PLASO32 = "plaso//plaso-20180818-win32";//NON-NLS + private static final String PLASO64 = "plaso-20180818-amd64";//NON-NLS + private static final String PLASO32 = "plaso-20180818-win32";//NON-NLS private static final String LOG2TIMELINE_EXECUTABLE = "Log2timeline.exe";//NON-NLS private static final String PSORT_EXECUTABLE = "psort.exe";//NON-NLS - - private static final String WEBHIST = "WEBHIST"; private static final String COOKIE = "cookie"; - private IngestJobContext context; - private File log2TimeLineExecutable; private File psortExecutable; - private Image image; - private AbstractFile previousFile = null; // cache used when looking up files in Autopsy DB + + private IngestJobContext context; private final PlasoModuleSettings settings; private Case currentCase; private FileManager fileManager; + private Image image; + private AbstractFile previousFile = null; // cache used when looking up files in Autopsy DB PlasoIngestModule(PlasoModuleSettings settings) { this.settings = settings; } - @NbBundle.Messages({ - "PlasoIngestModule.error.running=Error running Plaso, see log file.", - "PlasoIngestModule.log2timeline.executable.not.found=Log2timeline Executable Not Found", - "PlasoIngestModule.psort.executable.not.found=psort Executable Not Found"}) + @NbBundle.Messages({"PlasoIngestModule.error.running=Error running Plaso, see log file."}) @Override public void startUp(IngestJobContext context) throws IngestModuleException { this.context = context; - - log2TimeLineExecutable = locateExecutable(LOG2TIMELINE_EXECUTABLE); - if (this.log2TimeLineExecutable == null) { - logger.log(Level.SEVERE, 
Bundle.PlasoIngestModule_log2timeline_executable_not_found()); - MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running()); - throw new IngestModuleException(Bundle.PlasoIngestModule_log2timeline_executable_not_found()); + if (false == PlatformUtil.isWindowsOS()) { + throw new IngestModuleException("Plaso module requires windows."); } - psortExecutable = locateExecutable(PSORT_EXECUTABLE); - if (psortExecutable == null) { - logger.log(Level.SEVERE, Bundle.PlasoIngestModule_psort_executable_not_found()); + + try { + log2TimeLineExecutable = locateExecutable(LOG2TIMELINE_EXECUTABLE); + psortExecutable = locateExecutable(PSORT_EXECUTABLE); + } catch (FileNotFoundException exception) { + logger.log(Level.WARNING, "Plaso executable not found.", exception); //NON-NLS MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running()); - throw new IngestModuleException(Bundle.PlasoIngestModule_psort_executable_not_found()); + throw new IngestModuleException("Plaso Executable Not Found.", exception); //NON-NLS } } @NbBundle.Messages({ - "PlasoIngestModule.startUp.message=Starting Plaso Run.", "PlasoIngestModule.error.running.log2timeline=Error running log2timeline, see log file.", "PlasoIngestModule.error.running.psort=Error running Psort, see log file.", "PlasoIngestModule.log2timeline.cancelled=Log2timeline run was canceled", "PlasoIngestModule.psort.cancelled=psort run was canceled", "PlasoIngestModule.bad.imageFile=Cannot find image file name and path", "PlasoIngestModule.dataSource.not.an.image=Datasource is not an Image.", - "PlasoIngestModule.running.log2timeline=Running Log2timeline", - "PlasoIngestModule.running.psort=Running Psort", + "PlasoIngestModule.starting.log2timeline=Starting Log2timeline", + "PlasoIngestModule.starting.psort=Starting Psort", "PlasoIngestModule.completed=Plaso Processing Completed", + "PlasoIngestModule.error.creating.output.dir=Error creating Plaso module output directory.", "PlasoIngestModule.has.run=Plaso Plugin has 
been run."}) @Override public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress statusHelper) { 
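Review bot: The two failure messages in startUp, `throw new IngestModuleException("Plaso module requires windows.")` and `throw new IngestModuleException("Plaso Executable Not Found.", exception)`, are what the user sees when the module fails to start, yet they are hard-coded (the second even marked `//NON-NLS`) while the removed lines and the rest of this class route user-visible text through `@NbBundle.Messages`. I would restore bundle keys for both, e.g. `"PlasoIngestModule.requires.windows=Plaso module requires Windows."` and `"PlasoIngestModule.executable.not.found=Plaso executable not found."`, and add them to the properties file since the old keys were deleted. The `Level.WARNING` on a failure that aborts startup also reads more like the `Level.SEVERE` used for the other fatal paths in this file. The hunk ends at the process signature; its body is outside.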
@@ -135,66 +131,66 @@ public class PlasoIngestModule implements DataSourceIngestModule { currentCase = Case.getCurrentCase(); fileManager = currentCase.getServices().getFileManager(); + //TODO: why don't we do this check in the starup method? if (!(dataSource instanceof Image)) { logger.log(Level.SEVERE, Bundle.PlasoIngestModule_dataSource_not_an_image()); MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running()); return ProcessResult.OK; } image = (Image) dataSource; - String currentTime = new SimpleDateFormat("yyyy-MM-dd HH-mm-ss z").format(System.currentTimeMillis());//NON-NLS + String currentTime = new SimpleDateFormat("yyyy-MM-dd HH-mm-ss z").format(System.currentTimeMillis());//NON-NLS Path moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), PLASO, currentTime); - File directory = moduleOutputPath.toFile(); - if (!directory.exists()) { - directory.mkdirs(); + try { + Files.createDirectories(moduleOutputPath); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Error creating Plaso module output directory.", ex); //NON-NLS + MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_creating_output_dir()); + return ProcessResult.ERROR; } + logger.log(Level.INFO, "Starting Plaso Run.");//NON-NLS + statusHelper.progress(Bundle.PlasoIngestModule_starting_log2timeline(), 0); ProcessBuilder log2TimeLineCommand = buildLog2TimeLineCommand(moduleOutputPath, image); - - logger.log(Level.INFO, Bundle.PlasoIngestModule_startUp_message()); - statusHelper.progress(Bundle.PlasoIngestModule_running_log2timeline(), 0); try { // Run log2timeline - Process log2TimeLine = log2TimeLineCommand.start(); + Process log2TimeLineProcess = log2TimeLineCommand.start(); - try (BufferedReader log2TimeLineOutpout = new BufferedReader(new InputStreamReader(log2TimeLine.getInputStream()))) { + try (BufferedReader log2TimeLineOutpout = new BufferedReader(new InputStreamReader(log2TimeLineProcess.getInputStream()))) { L2TStatusProcessor statusReader = new 
L2TStatusProcessor(log2TimeLineOutpout, statusHelper, moduleOutputPath); - new Thread(statusReader, "log2timeline status reader thread").start(); //NON-NLS + new Thread(statusReader, "log2timeline status reader").start(); //NON-NLS - ExecUtil.waitForTermination(LOG2TIMELINE_EXECUTABLE, log2TimeLine, new DataSourceIngestModuleProcessTerminator(context)); + ExecUtil.waitForTermination(LOG2TIMELINE_EXECUTABLE, log2TimeLineProcess, new DataSourceIngestModuleProcessTerminator(context)); statusReader.cancel(); } if (context.dataSourceIngestIsCancelled()) { - logger.log(Level.INFO, Bundle.PlasoIngestModule_log2timeline_cancelled()); //NON-NLS + logger.log(Level.INFO, "Log2timeline run was canceled"); //NON-NLS MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_log2timeline_cancelled()); return ProcessResult.OK; } - if (!moduleOutputPath.resolve(PLASO).toFile().exists()) { - logger.log(Level.INFO, Bundle.PlasoIngestModule_error_running_log2timeline()); //NON-NLS + if (Files.notExists(moduleOutputPath.resolve(PLASO))) { + logger.log(Level.WARNING, "Error running log2timeline: there was no storage file."); //NON-NLS MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running_log2timeline()); - return ProcessResult.OK; + return ProcessResult.ERROR; } // sort the output + statusHelper.progress(Bundle.PlasoIngestModule_starting_psort(), 33); ProcessBuilder psortCommand = buildPsortCommand(moduleOutputPath); - psortCommand.redirectError(moduleOutputPath.resolve("psort_err.txt").toFile()); //NON-NLS - psortCommand.redirectOutput(moduleOutputPath.resolve("psort_output.txt").toFile()); //NON-NLS - - statusHelper.progress(Bundle.PlasoIngestModule_running_psort(), 33); ExecUtil.execute(psortCommand, new DataSourceIngestModuleProcessTerminator(context)); if (context.dataSourceIngestIsCancelled()) { - logger.log(Level.INFO, Bundle.PlasoIngestModule_psort_cancelled()); //NON-NLS + logger.log(Level.INFO, "psort run was canceled"); //NON-NLS 
MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_psort_cancelled()); return ProcessResult.OK; } Path plasoFile = moduleOutputPath.resolve("plasodb.db3"); //NON-NLS - if (Files.exists(plasoFile) == false) { - logger.log(Level.INFO, Bundle.PlasoIngestModule_error_running_psort()); + if (Files.notExists(plasoFile)) { + logger.log(Level.SEVERE, "Error running Psort: there was no sqlite db file."); //NON-NLS MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running_psort()); - return ProcessResult.OK; + return ProcessResult.ERROR; } // parse the output and make artifacts @@ -262,18 +258,15 @@ public class PlasoIngestModule implements DataSourceIngestModule { return processBuilder; } - private static File locateExecutable(String executableName) { - if (!PlatformUtil.isWindowsOS()) { - return null; - } - - String executableToFindName = Paths.get(PlatformUtil.is64BitOS() ? PLASO64 : PLASO32, executableName).toString(); + private static File locateExecutable(String executableName) throws FileNotFoundException { + String architectureFolder = PlatformUtil.is64BitOS() ? PLASO64 : PLASO32; + String executableToFindName = Paths.get(PLASO, architectureFolder, executableName).toString(); File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, PlasoIngestModule.class.getPackage().getName(), false); - if (null != exeFile && exeFile.canExecute()) { - return exeFile; + if (null == exeFile || exeFile.canExecute() == false) { + throw new FileNotFoundException(executableName + " executable not found."); } - return null; + return exeFile; } @NbBundle.Messages({ 
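Review bot: The `redirectError`/`redirectOutput` calls for psort (`psort_err.txt`, `psort_output.txt`) are removed from process() and nothing in this hunk reads the psort streams; unless buildPsortCommand now sets the redirects itself (its body is not in this diff), psort inherits ProcessBuilder's default pipes that nobody drains, so a chatty run can block on a full pipe under `ExecUtil.execute` and the diagnostics that used to land in the output directory are lost. If the redirects did move, a one-line comment at the call site, `// psort stdout/stderr are redirected to files inside buildPsortCommand`, would make that visible. The added `//TODO: why don't we do this check in the starup method?` is also left in; from the signatures visible here the data source only arrives in process(), so the TODO can be resolved or reworded rather than shipped. The enclosing method continues past the hunk.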
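Review bot: `throw new FileNotFoundException(executableName + " executable not found.")` is raised both when `locate` returns null and when the file exists but `canExecute()` is false, and it reports only the bare name, so the startUp log entry cannot tell an installer missing the plaso folder from a permissions problem. Including the resolved relative path and distinguishing the two cases makes it actionable, e.g. `throw new FileNotFoundException(executableToFindName + (null == exeFile ? " not found." : " is not executable."));`. The method is fully inside the hunk.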
@@ -296,16 +289,16 @@ public class PlasoIngestModule implements DataSourceIngestModule { + " type, " + " sourcetype " + " FROM log2timeline " - + " WHERE source NOT IN ('FILE'," // bad dates and duplicates with what we have. - + "'WEBHSIST') " + + " WHERE source NOT IN ('FILE'," + + " 'WEBHIST') " // bad dates and duplicates with what we have. + " AND sourcetype NOT IN ('UNKNOWN'," - + "'PE Import Time');"; // lots of bad dates //NON-NLS + + " 'PE Import Time');"; // lots of bad dates //NON-NLS try (SQLiteDBConnect tempdbconnect = new SQLiteDBConnect("org.sqlite.JDBC", "jdbc:sqlite:" + plasoDb); //NON-NLS ResultSet resultSet = tempdbconnect.executeQry(sqlStatement)) { while (resultSet.next()) { if (context.dataSourceIngestIsCancelled()) { - logger.log(Level.INFO, Bundle.PlasoIngestModule_create_artifacts_cancelled()); //NON-NLS + logger.log(Level.INFO, "Cancelled Plaso Artifact Creation."); //NON-NLS MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_create_artifacts_cancelled()); return; } @@ -314,14 +307,9 @@ public class PlasoIngestModule implements DataSourceIngestModule { statusHelper.progress(Bundle.PlasoIngestModule_artifact_progress(currentFileName), 66); Content resolvedFile = getAbstractFile(currentFileName); if (resolvedFile == null) { - logger.log(Level.INFO, "File from Plaso output not found. Associating with data source instead: {0}", currentFileName);//NON-NLS + logger.log(Level.INFO, "File " + currentFileName + " from Plaso output not found in case. Associating it with the data source instead.");//NON-NLS resolvedFile = image; } - String source = resultSet.getString("source"); //NON-NLS - String sourceType = resultSet.getString("sourcetype"); //NON-NLS - String description = resultSet.getString("description"); //NON-NLS - String type = resultSet.getString("type"); - long eventType = findEventSubtype(source, currentFileName, type, sourceType); //NON-NLS Collection bbattributes = Arrays.asList( new BlackboardAttribute( 
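Review bot: In the second hunk the log call is changed from the parameterized form to string concatenation, `"File " + currentFileName + " from Plaso output not found in case. ..."`, which builds the message for every unresolved row even when INFO is disabled and drops the `{0}` style used elsewhere in the file. Keeping `logger.log(Level.INFO, "File {0} from Plaso output not found in case. Associating it with the data source instead.", currentFileName)` preserves the new wording without the regression. The enclosing loop starts and ends outside the hunk.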
@@ -329,20 +317,18 @@ public class PlasoIngestModule implements DataSourceIngestModule { resultSet.getLong("epoch_date")), //NON-NLS new BlackboardAttribute( TSK_DESCRIPTION, MODULE_NAME, - description), + resultSet.getString("description")),//NON-NLS new BlackboardAttribute( TSK_TL_EVENT_TYPE, MODULE_NAME, - eventType)); + findEventSubtype(currentFileName, resultSet))); try { BlackboardArtifact bbart = resolvedFile.newArtifact(TSK_TL_EVENT); bbart.addAttributes(bbattributes); try { - /* - * Post the artifact which will index the artifact for + /* Post the artifact which will index the artifact for * keyword search, and fire an event to notify UI of - * this new artifact - */ + * this new artifact */ blackboard.postArtifact(bbart, MODULE_NAME); } catch (BlackboardException ex) { logger.log(Level.SEVERE, Bundle.PlasoIngestModule_exception_posting_artifact(), ex); //NON-NLS 
@@ -392,29 +378,26 @@ public class PlasoIngestModule implements DataSourceIngestModule { return null; } - private long findEventSubtype(String plasoSource, String plasoFileName, String plasoType, String plasoSourceType) { - //These aren't actually used, but - if (plasoSource.matches(WEBHIST)) { - if (plasoFileName.toLowerCase().contains(COOKIE) - || plasoType.toLowerCase().contains(COOKIE)) { - return EventType.WEB_COOKIE.getTypeID(); - } - return EventType.WEB_HISTORY.getTypeID(); + private long findEventSubtype(String plasoFileName, ResultSet row) throws SQLException { + switch (row.getString("source")) {//NON-NLS + case "WEBHIST": //These shouldn't actually be present, but keeping the logic just in case some slip through. + return (plasoFileName.toLowerCase().contains(COOKIE) || row.getString("type").toLowerCase().contains(COOKIE)) + ? EventType.WEB_COOKIE.getTypeID() + : EventType.WEB_HISTORY.getTypeID(); + case "EVT"://NON-NLS + case "LOG"://NON-NLS + return EventType.LOG_ENTRY.getTypeID(); + case "REG"://NON-NLS + switch (row.getString("sourcetype").toLowerCase()) {//NON-NLS + case "unknown : usb entries"://NON-NLS + case "unknown : usbstor entries"://NON-NLS + return EventType.DEVICES_ATTACHED.getTypeID(); + default: + return EventType.REGISTRY.getTypeID(); + } + default: + return EventType.OTHER.getTypeID(); } - if (plasoSource.matches("EVT") - || plasoSource.matches("LOG")) {//NON-NLS - return EventType.LOG_ENTRY.getTypeID(); - } - if (plasoSource.matches("REG")) { - String plasoSourceTypeLower = plasoSourceType.toLowerCase(); - if (plasoSourceTypeLower.matches("unknown : usb entries")//NON-NLS - || plasoSourceTypeLower.matches("unknown : usbstor entries")) {//NON-NLS - - return EventType.DEVICES_ATTACHED.getTypeID(); - } - return EventType.REGISTRY.getTypeID(); - } - return EventType.OTHER.getTypeID(); } /** 
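Review bot: In the `"WEBHIST"` case, `row.getString("type").toLowerCase()` throws NullPointerException when the `type` column is NULL; the query only filters `source` and `sourcetype`, so `type` is unguarded, and since the switch is new this is the place to handle it, e.g. `String type = row.getString("type");` followed by `(type != null && type.toLowerCase(Locale.ROOT).contains(COOKIE))`. Both `toLowerCase()` calls should pass `Locale.ROOT` so the comparison does not depend on the user's locale. The method is fully inside the hunk.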
@@ -426,7 +409,7 @@ public class PlasoIngestModule implements DataSourceIngestModule { private final BufferedReader log2TimeLineOutpout; private final DataSourceIngestModuleProgress statusHelper; - private boolean cancelled = false; + volatile private boolean cancelled = false; private final Path outputPath; private L2TStatusProcessor(BufferedReader log2TimeLineOutpout, DataSourceIngestModuleProgress statusHelper, Path outputPath) throws IOException { @@ -439,8 +422,8 @@ public class PlasoIngestModule implements DataSourceIngestModule { public void run() { try (BufferedWriter writer = Files.newBufferedWriter(outputPath.resolve("log2timeline_output.txt"));) {//NON-NLS String line; - while (null != (line = log2TimeLineOutpout.readLine()) - && cancelled == false) { + while (cancelled == false + && nonNull(line = log2TimeLineOutpout.readLine())) { statusHelper.progress(line); writer.write(line); writer.newLine(); diff --git a/Core/src/org/sleuthkit/autopsy/timeline/utils/FilterUtils.java b/Core/src/org/sleuthkit/autopsy/timeline/utils/FilterUtils.java index e3867266ba..30dcc00f2c 100644 --- a/Core/src/org/sleuthkit/autopsy/timeline/utils/FilterUtils.java +++ b/Core/src/org/sleuthkit/autopsy/timeline/utils/FilterUtils.java @@ -80,7 +80,7 @@ public final class FilterUtils { } @Override - protected String getSQLWhere(TimelineManager manager) { + public String getSQLWhere(TimelineManager manager) { return " NOT " + super.getSQLWhere(manager); } } From 4819f6254d245bf6f005df661859c8e42431132e Mon Sep 17 00:00:00 2001 From: millmanorama Date: Mon, 15 Apr 2019 14:35:48 +0200 Subject: [PATCH 6/8] address review comments --- .../autopsy/modules/plaso/Bundle.properties | 2 +- .../modules/plaso/Bundle.properties-MERGED | 44 +++++++++---------- .../plaso/PlasoModuleSettingsPanel.form | 16 +++---- .../plaso/PlasoModuleSettingsPanel.java | 27 ++++++------ 4 files changed, 44 insertions(+), 45 deletions(-) 
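Review bot: `volatile private boolean cancelled = false;` puts the modifiers in an unconventional order; the JLS-recommended form is `private volatile boolean cancelled = false;`. Making the flag volatile is the right fix for the cross-thread read in run(), since cancel() is called from process() after waitForTermination while the reader thread polls it, so a comment recording that, `// volatile: set via cancel() from the ingest thread, read by the reader thread`, would explain the change. In the second hunk, `nonNull(line = log2TimeLineOutpout.readLine())` buries an assignment inside the loop condition behind a static import; the previous `null != (line = ...)` was at least the familiar idiom, and reading the line as a statement at the top of the loop would be clearer still. The enclosing inner class and run() start outside the hunks.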
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties
index 41fafe0295..9fe1026713 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties
@@ -1,3 +1,3 @@
-PlasoModuleSettingsPanel.jTextArea1.text=All plaso parsers except chrome_cache and the ones listed below are run. chrome_cache duplicates data collected by the RecentActivity module. The parsers below add significantly to the processing time and should only be enabled if the events they produce are needed.
 PlasoModuleSettingsPanel.winRegCheckBox.text=winreg: Parser for Windows NT Registry (REGF) files.
 PlasoModuleSettingsPanel.peCheckBox.text=pe: Parser for Portable Executable (PE) files.
+PlasoModuleSettingsPanel.plasoParserInfoTextArea.text=All plaso parsers except chrome_cache and the ones listed below are run. chrome_cache duplicates data collected by the RecentActivity module. The parsers below add significantly to the processing time and should only be enabled if the events they produce are needed.
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED
index 8cfcc87f63..10e944d097 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/Bundle.properties-MERGED
@@ -1,28 +1,28 @@
-PlasoIngestModule_bad_imageFile=Cannot find image file name and path
-PlasoIngestModule_completed=Plaso Processing Completed
-PlasoIngestModule_create_artifacts_cancelled=Cancelled Plaso Artifact Creation
-PlasoIngestModule_dataSource_not_an_image=Datasource is not an Image.
-PlasoIngestModule_error_posting_artifact=Error Posting Artifact
-PlasoIngestModule_error_running=Error running Plaso, see log file.
-PlasoIngestModule_error_running_log2timeline=Error running log2timeline, see log file.
-PlasoIngestModule_error_running_psort=Error running Psort, see log file.
-PlasoIngestModule_event_datetime=Event Date Time
-PlasoIngestModule_event_description=Event Description
-PlasoIngestModule_exception_adding_artifact=Exception Adding Artifact
-PlasoIngestModule_exception_database_error=Error while trying to read into a sqlite db.
+# {0} - file that events are from
+PlasoIngestModule.artifact.progress=Adding events to case: {0}
+PlasoIngestModule.bad.imageFile=Cannot find image file name and path
+PlasoIngestModule.completed=Plaso Processing Completed
+PlasoIngestModule.create.artifacts.cancelled=Cancelled Plaso Artifact Creation
+PlasoIngestModule.dataSource.not.an.image=Datasource is not an Image.
+PlasoIngestModule.error.creating.output.dir=Error creating Plaso module output directory.
+PlasoIngestModule.error.posting.artifact=Error Posting Artifact
+PlasoIngestModule.error.running=Error running Plaso, see log file.
+PlasoIngestModule.error.running.log2timeline=Error running log2timeline, see log file.
+PlasoIngestModule.error.running.psort=Error running Psort, see log file.
+PlasoIngestModule.event.datetime=Event Date Time
+PlasoIngestModule.event.description=Event Description
+PlasoIngestModule.exception.adding.artifact=Exception Adding Artifact
+PlasoIngestModule.exception.database.error=Error while trying to read into a sqlite db.
+PlasoIngestModule.exception.posting.artifact=Exception Posting artifact.
+PlasoIngestModule.has.run=Plaso Plugin has been run.
+PlasoIngestModule.log2timeline.cancelled=Log2timeline run was canceled
+PlasoIngestModule.psort.cancelled=psort run was canceled
+PlasoIngestModule.starting.log2timeline=Starting Log2timeline
+PlasoIngestModule.starting.psort=Starting Psort
 PlasoIngestModule_exception_find_file=Exception finding file.
-PlasoIngestModule_exception_posting_artifact=Exception Posting artifact.
-PlasoIngestModule_has_run=Plaso Plugin has been run.
-PlasoIngestModule_log2timeline_cancelled=Log2timeline run was canceled
-PlasoIngestModule_log2timeline_executable_not_found=Log2timeline Executable Not Found
-PlasoIngestModule_psort_cancelled=psort run was canceled
-PlasoIngestModule_psort_executable_not_found=psort Executable Not Found
-PlasoIngestModule_running_log2timeline=Running Log2timeline
-PlasoIngestModule_running_psort=Running Psort
-PlasoIngestModule_startUp_message=Starting Plaso Run.
 PlasoModuleFactory.ingestJobSettings.exception.msg=Expected settings argument to be instanceof PlasoModuleSettings
 PlasoModuleFactory_moduleDesc=Runs Plaso against a Data Source.
 PlasoModuleFactory_moduleName=Plaso
-PlasoModuleSettingsPanel.jTextArea1.text=All plaso parsers except chrome_cache and the ones listed below are run. chrome_cache duplicates data collected by the RecentActivity module. The parsers below add significantly to the processing time and should only be enabled if the events they produce are needed.
 PlasoModuleSettingsPanel.winRegCheckBox.text=winreg: Parser for Windows NT Registry (REGF) files.
 PlasoModuleSettingsPanel.peCheckBox.text=pe: Parser for Portable Executable (PE) files.
+PlasoModuleSettingsPanel.plasoParserInfoTextArea.text=All plaso parsers except chrome_cache and the ones listed below are run. chrome_cache duplicates data collected by the RecentActivity module. The parsers below add significantly to the processing time and should only be enabled if the events they produce are needed.
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form index 3f398c5069..a7da26d3e5 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.form @@ -17,21 +17,21 @@ - + - + - + - - + + @@ -62,17 +62,17 @@ - + - + - + diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java index 3738a28e08..01937ebc2a 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoModuleSettingsPanel.java @@ -22,8 +22,7 @@ import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings; import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettingsPanel; /** - * - * + * Settings panel for the PlasoIngestModule. */ public class PlasoModuleSettingsPanel extends IngestModuleIngestJobSettingsPanel { @@ -44,7 +43,7 @@ public class PlasoModuleSettingsPanel extends IngestModuleIngestJobSettingsPanel winRegCheckBox = new javax.swing.JCheckBox(); peCheckBox = new javax.swing.JCheckBox(); - jTextArea1 = new javax.swing.JTextArea(); + plasoParserInfoTextArea = new javax.swing.JTextArea(); org.openide.awt.Mnemonics.setLocalizedText(winRegCheckBox, org.openide.util.NbBundle.getMessage(PlasoModuleSettingsPanel.class, "PlasoModuleSettingsPanel.winRegCheckBox.text")); // NOI18N winRegCheckBox.addActionListener(new java.awt.event.ActionListener() { 
@@ -60,14 +59,14 @@ public class PlasoModuleSettingsPanel extends IngestModuleIngestJobSettingsPanel } }); - jTextArea1.setEditable(false); - jTextArea1.setBackground(new java.awt.Color(240, 240, 240)); - jTextArea1.setColumns(20); - jTextArea1.setLineWrap(true); - jTextArea1.setRows(5); - jTextArea1.setText(org.openide.util.NbBundle.getMessage(PlasoModuleSettingsPanel.class, "PlasoModuleSettingsPanel.jTextArea1.text")); // NOI18N - jTextArea1.setWrapStyleWord(true); - jTextArea1.setBorder(null); + plasoParserInfoTextArea.setEditable(false); + plasoParserInfoTextArea.setBackground(javax.swing.UIManager.getDefaults().getColor("Panel.background")); + plasoParserInfoTextArea.setColumns(20); + plasoParserInfoTextArea.setLineWrap(true); + plasoParserInfoTextArea.setRows(5); + plasoParserInfoTextArea.setText(org.openide.util.NbBundle.getMessage(PlasoModuleSettingsPanel.class, "PlasoModuleSettingsPanel.plasoParserInfoTextArea.text")); // NOI18N + plasoParserInfoTextArea.setWrapStyleWord(true); + plasoParserInfoTextArea.setBorder(null); javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this); this.setLayout(layout); @@ -76,7 +75,7 @@ public class PlasoModuleSettingsPanel extends IngestModuleIngestJobSettingsPanel .addGroup(layout.createSequentialGroup() .addContainerGap() .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) - .addComponent(jTextArea1) + .addComponent(plasoParserInfoTextArea) .addComponent(peCheckBox) .addComponent(winRegCheckBox)) .addContainerGap()) 
@@ -85,7 +84,7 @@ public class PlasoModuleSettingsPanel extends IngestModuleIngestJobSettingsPanel
 layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
 .addGroup(layout.createSequentialGroup()
 .addContainerGap()
- .addComponent(jTextArea1, javax.swing.GroupLayout.DEFAULT_SIZE, 117, Short.MAX_VALUE)
+ .addComponent(plasoParserInfoTextArea, javax.swing.GroupLayout.DEFAULT_SIZE, 188, Short.MAX_VALUE)
 .addGap(18, 18, 18)
 .addComponent(winRegCheckBox)
 .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
@@ -109,8 +108,8 @@ public class PlasoModuleSettingsPanel extends IngestModuleIngestJobSettingsPanel
 
 
 // Variables declaration - do not modify//GEN-BEGIN:variables
- private javax.swing.JTextArea jTextArea1;
 private javax.swing.JCheckBox peCheckBox;
+ private javax.swing.JTextArea plasoParserInfoTextArea;
 private javax.swing.JCheckBox winRegCheckBox;
 // End of variables declaration//GEN-END:variables
 }
From 549d480468bf3ce0c2624a53aea005c776b569aa Mon Sep 17 00:00:00 2001
From: millmanorama
Date: Mon, 15 Apr 2019 18:19:33 +0200
Subject: [PATCH 7/8] update Bundle.properties-MERGED
---
 .../sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED | 2 +-
 .../sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED | 2 +-
 .../core/core.jar/org/netbeans/core/startup/Bundle.properties | 2 +-
 .../org/netbeans/core/windows/view/ui/Bundle.properties | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED
index 2d4ce2abe0..2247d7e198 100755
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties-MERGED
@@ -123,7 +123,7 @@ KeywordSearchEditListPanel.exportButtonActionPerformed.kwListExportedMsg=Keyword
 KeywordSearchEditListPanel.kwColName=Keyword
 KeywordSearchEditListPanel.addKeyword.message=Add a new word to the keyword search list:
 KeywordSearchEditListPanel.addKeyword.title=New Keyword
-KeywordSearchFilterNode.getFileActions.openExternViewActLbl=Open in External Viewer
+KeywordSearchFilterNode.getFileActions.openExternViewActLbl=Open in External Viewer Ctrl+E
 KeywordSearchFilterNode.getFileActions.searchSameMd5=Search for files with the same MD5 hash
 KeywordSearchFilterNode.getFileActions.viewInNewWinActionLbl=View in New Window
 KeywordSearchIngestModule.init.noKwInLstMsg=No keywords in keyword list.
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
index 91b6f1d953..5a764c0532 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
@@ -21,7 +21,7 @@ ExtractIE.getBookmark.errMsg.errPostingBookmarks=Error posting Internet Explorer
 ExtractIE.getCookie.errMsg.errPostingCookies=Error posting Internet Explorer Cookie artifacts.
 ExtractIE.getCookie.errMsg.errPostingCookiess=Error posting Internet Explorer Cookie artifacts.
 ExtractIE.getHistory.errMsg.errPostingHistory=Error posting Internet Explorer History artifacts.
-
+ExtractIE.parentModuleName.noSpace=RecentActivity
 # {0} - the module name
 Extractor.errPostingArtifacts=Error posting {0} artifacts to the blackboard.
 ExtractOs.androidOs.label=Android
diff --git a/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties b/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties
index 458b936acd..f5ab34cc88 100644
--- a/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties
+++ b/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties
@@ -1,5 +1,5 @@
 #Updated by build script
-#Fri, 22 Mar 2019 09:08:00 +0100
+#Mon, 15 Apr 2019 17:38:29 +0200
 LBL_splash_window_title=Starting Autopsy
 SPLASH_HEIGHT=314
 SPLASH_WIDTH=538
diff --git a/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties b/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties
index 944b2c8584..d01dafb801 100644
--- a/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties
+++ b/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties
@@ -1,4 +1,4 @@
 #Updated by build script
-#Fri, 22 Mar 2019 09:08:00 +0100
+#Mon, 15 Apr 2019 17:38:29 +0200
 CTL_MainWindow_Title=Autopsy 4.10.0
 CTL_MainWindow_Title_No_Project=Autopsy 4.10.0
From 0c377a2b0df613c4ff8b6c01de91a002faa183ba Mon Sep 17 00:00:00 2001
From: millmanorama
Date: Tue, 16 Apr 2019 12:06:00 +0200
Subject: [PATCH 8/8] remove redundant message pop-up. internationalize exception messages that end up in ui.
---
 .../autopsy/modules/plaso/PlasoIngestModule.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java
index 1d9b3b78db..b56d5a0417 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java
@@ -95,12 +95,14 @@ public class PlasoIngestModule implements DataSourceIngestModule {
 this.settings = settings;
 }
 
- @NbBundle.Messages({"PlasoIngestModule.error.running=Error running Plaso, see log file."})
+ @NbBundle.Messages({"PlasoIngestModule.error.running=Error running Plaso, see log file.",
+ "PlasoIngestModule.executable.not.found=Plaso Executable Not Found.",
+ "PlasoIngestModule.requires.windows=Plaso module requires windows."})
 @Override
 public void startUp(IngestJobContext context) throws IngestModuleException {
 this.context = context;
 if (false == PlatformUtil.isWindowsOS()) {
- throw new IngestModuleException("Plaso module requires windows.");
+ throw new IngestModuleException(Bundle.PlasoIngestModule_requires_windows());
 }
 
 try {
@@ -108,8 +110,7 @@ public class PlasoIngestModule implements DataSourceIngestModule {
 psortExecutable = locateExecutable(PSORT_EXECUTABLE);
 } catch (FileNotFoundException exception) {
 logger.log(Level.WARNING, "Plaso executable not found.", exception); //NON-NLS
- MessageNotifyUtil.Message.info(Bundle.PlasoIngestModule_error_running());
- throw new IngestModuleException("Plaso Executable Not Found.", exception); //NON-NLS
+ throw new IngestModuleException(Bundle.PlasoIngestModule_executable_not_found(), exception);
 }
 }
 
@@ -138,7 +139,7 @@ public class PlasoIngestModule implements DataSourceIngestModule {
 return ProcessResult.OK;
 }
 image = (Image) dataSource;
-
+
 String currentTime = new SimpleDateFormat("yyyy-MM-dd HH-mm-ss z").format(System.currentTimeMillis());//NON-NLS
 Path moduleOutputPath = Paths.get(currentCase.getModuleDirectory(), PLASO, currentTime);
 try {
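Review bot: `if (false == PlatformUtil.isWindowsOS())` in this hunk reads more naturally as `if (!PlatformUtil.isWindowsOS())`, and now that the three messages are user-facing bundle strings their wording should be consistent: `Plaso Executable Not Found.` is title case while the other two are sentence case, and `windows` in `Plaso module requires windows.` should be `Windows`. Because this check makes Windows the only platform the module runs on, note that the unchanged `currentTime` line in the third hunk builds an output directory name with `SimpleDateFormat("yyyy-MM-dd HH-mm-ss z")`, whose general-time-zone letter `z` can render as `GMT+hh:mm` for a zone without a localized short name; the colon in that form is not a legal file-name character on Windows and would make the following `Paths.get(...)` fail, so an offset pattern such as `"yyyy-MM-dd HH-mm-ss Z"` (`+0200`) or a java.time `DateTimeFormatter` applied to a UTC instant would be safer. The body of `startUp` continues past the end of this hunk.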
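Review bot: The `catch` block in this hunk still logs the `FileNotFoundException` at WARNING with its stack trace and then rethrows it as the cause of the new `IngestModuleException`, so if the ingest framework records startup failures (not visible here) the same trace is written twice. Keeping the cause is the right choice, so consider dropping the `logger.log(...)` line or lowering it to a message-only entry, e.g. `logger.log(Level.WARNING, "Plaso executable not found."); //NON-NLS`. The enclosing `startUp` method begins in the previous hunk.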