From 7d135bbd8e87b8ba2006a6f52ff8e19bc99a0b0c Mon Sep 17 00:00:00 2001 From: Alex Ebadirad Date: Wed, 27 Jun 2012 08:14:33 -0700 Subject: [PATCH] Grouping hash reporting by hashset names, addition of email reporting --- .../org/sleuthkit/autopsy/report/Report.java | 143 ++++++++++++++++-- .../sleuthkit/autopsy/report/ReportHTML.java | 28 +++- .../sleuthkit/autopsy/report/ReportXML.java | 5 + 3 files changed, 159 insertions(+), 17 deletions(-) diff --git a/Report/src/org/sleuthkit/autopsy/report/Report.java b/Report/src/org/sleuthkit/autopsy/report/Report.java index 8610b11642..b5f938d325 100644 --- a/Report/src/org/sleuthkit/autopsy/report/Report.java +++ b/Report/src/org/sleuthkit/autopsy/report/Report.java @@ -35,18 +35,18 @@ import org.sleuthkit.datamodel.SleuthkitCase; import java.sql.*; import org.sleuthkit.autopsy.recentactivity.dbconnect; - public class Report { private void Report() { } /** - * Returns all the keywords related artifact/attributes and groups them based on keyword - * - * @return String table is a string of an html table - * - */ + * Returns all the keywords related artifact/attributes and groups them + * based on keyword + * + * @return String table is a string of an html table + * + */ public String getGroupedKeywordHit() { StringBuilder table = new StringBuilder(); HashMap> reportMap = new HashMap>(); 
@@ -106,11 +106,132 @@ public class Report { } /** - * Returns a hashmap of associated blackboard artifacts/attributes that were requested by the config param - * - * @param config is a ReportConfiguration object that has all the types of artifacts desired from the blackboard - * @return reportMap a hashmap of all the artifacts for artifact types were input - */ + * Returns all the hash lookups related artifact/attributes and groups them + * based on hashset name + * + * @return String table is a string of an html table + * + */ + public String getGroupedHashsetHit() { + StringBuilder table = new StringBuilder(); + HashMap> reportMap = new HashMap>(); + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try { + tempDb.copyCaseDB(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db"); + dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", "jdbc:sqlite:" + currentCase.getTempDirectory() + File.separator + "autopsy-copy.db"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashset;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashname;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hash;"); + String temp1 = "CREATE TABLE report_hashset AS SELECT value_text as hashset,blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HASHSET_NAME.getTypeID() + ";"; + String temp5 = "CREATE TABLE report_hashname AS SELECT name, size, report_hashset.artifact_id from tsk_files,blackboard_artifacts, report_hashset WHERE blackboard_artifacts.artifact_id = report_hashset.artifact_id AND blackboard_artifacts.obj_id = tsk_files.obj_id;"; + String temp6 = "CREATE TABLE report_hash AS SELECT hashset,size,name from report_hashset INNER JOIN report_hashname ON report_hashset.artifact_id=report_hashname.artifact_id;"; + 
tempdbconnect.executeStmt(temp1); + tempdbconnect.executeStmt(temp5); + tempdbconnect.executeStmt(temp6); + ResultSet uniqueresults = tempdbconnect.executeQry("SELECT name, size, hashset FROM report_hash ORDER BY hashset ASC"); + String keyword = ""; + while (uniqueresults.next()) { + if (uniqueresults.getString("hashset") == null ? keyword == null : uniqueresults.getString("hashset").equals(keyword)) { + } else { + table.append("

"); + keyword = uniqueresults.getString("hashset"); + table.append("").append(keyword).append(""); + table.append(""); + } + table.append(""); + table.append("").append(""); + + } + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashset;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashname;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hash;"); + tempdbconnect.closeConnection(); + + File f1 = new File(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db"); + boolean success = f1.delete(); + + } catch (Exception e) { + Logger.getLogger(Report.class.getName()).log(Level.WARNING, "Exception occurred", e); + } + + return table.toString(); + } + + /** + * Returns all the hash lookups related artifact/attributes and groups them + * based on hashset name + * + * @return String table is a string of an html table + * + */ + public String getGroupedEmailHit() { + StringBuilder table = new StringBuilder(); + HashMap> reportMap = new HashMap>(); + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try { + tempDb.copyCaseDB(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db"); + dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", "jdbc:sqlite:" + currentCase.getTempDirectory() + File.separator + "autopsy-copy.db"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_keyword;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_preview;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_exp;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_list;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_name;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report;"); + String temp1 = "CREATE TABLE report_keyword AS SELECT value_text as keyword,blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + 
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID() + ";"; + String temp2 = "CREATE TABLE report_preview AS SELECT value_text as preview, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID() + ";"; + String temp3 = "CREATE TABLE report_exp AS SELECT value_text as exp, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID() + ";"; + String temp4 = "CREATE TABLE report_list AS SELECT value_text as list, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ";"; + String temp5 = "CREATE TABLE report_name AS SELECT name, report_keyword.artifact_id from tsk_files,blackboard_artifacts, report_keyword WHERE blackboard_artifacts.artifact_id = report_keyword.artifact_id AND blackboard_artifacts.obj_id = tsk_files.obj_id;"; + String temp6 = "CREATE TABLE report AS SELECT keyword,preview,exp,list,name from report_keyword INNER JOIN report_preview ON report_keyword.artifact_id=report_preview.artifact_id INNER JOIN report_exp ON report_preview.artifact_id=report_exp.artifact_id INNER JOIN report_list ON report_exp.artifact_id=report_list.artifact_id INNER JOIN report_name ON report_list.artifact_id=report_name.artifact_id;"; + tempdbconnect.executeStmt(temp1); + tempdbconnect.executeStmt(temp2); + tempdbconnect.executeStmt(temp3); + tempdbconnect.executeStmt(temp4); + tempdbconnect.executeStmt(temp5); + tempdbconnect.executeStmt(temp6); + ResultSet uniqueresults = tempdbconnect.executeQry("SELECT keyword, exp, preview, list, name FROM report ORDER BY keyword ASC"); + String keyword = ""; + while (uniqueresults.next()) { + if 
(uniqueresults.getString("keyword") == null ? keyword == null : uniqueresults.getString("keyword").equals(keyword)) { + } else { + table.append("
").append("File Name").append("Size
").append(uniqueresults.getString("name")).append("").append(uniqueresults.getString("size")).append("


"); + keyword = uniqueresults.getString("keyword"); + table.append("").append(keyword).append(""); + table.append(""); + } + table.append(""); + table.append("").append("").append(""); + + } + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_keyword;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_preview;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_exp;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_name;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_list;"); + tempdbconnect.executeStmt("DROP TABLE IF EXISTS report;"); + tempdbconnect.closeConnection(); + + File f1 = new File(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db"); + boolean success = f1.delete(); + + } catch (Exception e) { + Logger.getLogger(Report.class.getName()).log(Level.WARNING, "Exception occurred", e); + } + + return table.toString(); + } + + /** + * Returns a hashmap of associated blackboard artifacts/attributes that were + * requested by the config param + * + * @param config is a ReportConfiguration object that has all the types of + * artifacts desired from the blackboard + * @return reportMap a hashmap of all the artifacts for artifact types were + * input + */ public HashMap> getAllTypes(ReportConfiguration config) { HashMap> reportMap = new HashMap>(); Case currentCase = Case.getCurrentCase(); // get the most updated case diff --git a/Report/src/org/sleuthkit/autopsy/report/ReportHTML.java b/Report/src/org/sleuthkit/autopsy/report/ReportHTML.java index f88af81995..5529261e5c 100644 --- a/Report/src/org/sleuthkit/autopsy/report/ReportHTML.java +++ b/Report/src/org/sleuthkit/autopsy/report/ReportHTML.java @@ -89,6 +89,7 @@ public class ReportHTML implements ReportModule { int countKeyword = 0; int countHash = 0; int countDevice = 0; + int countEmail = 0; for (Entry> entry : report.entrySet()) { if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) { countGen++; 
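Review bot: getGroupedEmailHit() does not query email artifacts: its temp tables select TSK_KEYWORD, TSK_KEYWORD_PREVIEW, TSK_KEYWORD_REGEXP and TSK_SET_NAME and the final SELECT reads keyword/exp/preview/list, so the Email Messages section that ReportHTML fills from it will contain keyword hits, and its Javadoc is the hashset one ("hash lookups ... based on hashset name"). Either hold the method back until the email query exists or at least make the Javadoc say that it is a placeholder. In both new methods the DROP TABLE statements, closeConnection() and the delete of autopsy-copy.db sit inside the try, so an exception part-way through leaves the copied case database and its connection behind; a try/finally as sketched below fixes that, and the unused `reportMap` local and the ignored `success` flag can go. The `name`, `hashset`, `preview` and `list` values appended into the table cells come from the case data and are written into the HTML unescaped, so a file name or set name containing markup will alter the rendered report; HTML-escape each value before appending it. Both methods start and end within this hunk, though the extraction has displaced some of the markup strings.
```java
    public String getGroupedHashsetHit() {
        StringBuilder table = new StringBuilder();
        Case currentCase = Case.getCurrentCase(); // get the most updated case
        SleuthkitCase tempDb = currentCase.getSleuthkitCase();
        String dbCopyPath = currentCase.getTempDirectory() + File.separator + "autopsy-copy.db";
        dbconnect tempdbconnect = null;
        try {
            tempDb.copyCaseDB(dbCopyPath);
            tempdbconnect = new dbconnect("org.sqlite.JDBC", "jdbc:sqlite:" + dbCopyPath);
            // … unchanged: DROP/CREATE of report_hashset, report_hashname, report_hash and the row loop …
        } catch (Exception e) {
            Logger.getLogger(Report.class.getName()).log(Level.WARNING, "Exception occurred", e);
        } finally {
            if (tempdbconnect != null) {
                try {
                    tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashset;");
                    tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashname;");
                    tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hash;");
                } catch (Exception e) { // narrow to whatever dbconnect.executeStmt actually declares
                    Logger.getLogger(Report.class.getName()).log(Level.WARNING, "Could not drop temp tables", e);
                }
                tempdbconnect.closeConnection();
            }
            if (!new File(dbCopyPath).delete()) {
                Logger.getLogger(Report.class.getName()).log(Level.WARNING, "Could not delete {0}", dbCopyPath);
            }
        }
        return table.toString();
    }
```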
@@ -125,6 +126,9 @@ public class ReportHTML implements ReportModule { if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) { countDevice++; } + if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) { + countDevice++; + } } @@ -226,6 +230,9 @@ public class ReportHTML implements ReportModule { if (countDevice > 0) { formatted_Report.append(""); } + if (countDevice > 0) { + formatted_Report.append(""); + } formatted_Report.append("
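Review bot: The new TSK_EMAIL_MSG branch increments `countDevice++` where it should be `countEmail++`; countEmail (declared in the @@ -89 hunk) is not incremented anywhere in this diff, so the `if (countEmail > 0)` block at @@ -417 never runs and every email artifact is counted as an attached device. The same copy-paste slip recurs in the @@ -226 hunk, where the Email Messages summary row is gated on `if (countDevice > 0)` instead of `if (countEmail > 0)`, and in the @@ -239 hunk, where the nodeEmail header prints `.append(countHash)` instead of `.append(countEmail)` (the existing nodeDevice line beside it has the same slip). The enclosing method continues outside these hunks.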
").append("File Name").append("PreviewKeyword List
").append(uniqueresults.getString("name")).append("").append(uniqueresults.getString("preview")).append("").append(uniqueresults.getString("list")).append("
(").append(uniqueresults.getString("exp")).append(")").append("
Attached Devices").append(countDevice).append("
Email Messages").append(countEmail).append("

"); String tableHeader = ""; StringBuilder nodeGen = new StringBuilder("

General Information (").append(countGen).append(")

").append(tableHeader).append(""); @@ -239,6 +246,7 @@ public class ReportHTML implements ReportModule { StringBuilder nodeKeyword = new StringBuilder("

Keyword Search Hits (").append(countKeyword).append(")

"); StringBuilder nodeHash = new StringBuilder("

Hashset Hit (").append(countHash).append(")

").append(tableHeader).append(""); StringBuilder nodeDevice = new StringBuilder("

Attached Devices (").append(countHash).append(")

").append(tableHeader).append(""); + StringBuilder nodeEmail = new StringBuilder("

Email Messages (").append(countHash).append(")

"); int alt = 0; String altRow = ""; @@ -281,10 +289,10 @@ public class ReportHTML implements ReportModule { String value = ""; Integer type = tempatt.getAttributeTypeID(); if (type.equals(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()) || type.equals(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID())) { - - SimpleDateFormat sdf = new java.text.SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); - value = sdf.format(new java.util.Date((tempatt.getValueLong() * 1000))); - + + SimpleDateFormat sdf = new java.text.SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); + value = sdf.format(new java.util.Date((tempatt.getValueLong() * 1000))); + } else { value = tempatt.getValueString(); } @@ -377,6 +385,8 @@ public class ReportHTML implements ReportModule { artifact.append(""); nodeDevice.append(artifact); } + if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) { + } } //Add them back in order //formatted_Report.append(nodeGen); @@ -417,14 +427,20 @@ public class ReportHTML implements ReportModule { } if (countHash > 0) { formatted_Report.append(nodeHash); - formatted_Report.append("
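Review bot: The added `if (entry.getKey().getArtifactTypeID() == ...TSK_EMAIL_MSG.getTypeID()) { }` branch in the @@ -377 hunk has an empty body, so the per-artifact markup built in this loop is never added to nodeEmail and the email section emitted at @@ -417 consists of its header plus whatever getGroupedEmailHit() returns. If it is meant to mirror the device branch just above it, the body should be `nodeEmail.append(artifact);`, which is also what the ReportXML hunk in this commit does with `nodeEmail.addContent(artifact)`; if the per-artifact output is intentionally skipped because the grouped table covers it, say so in a comment rather than leaving an empty branch. The loop body begins before this hunk.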
AttributeValue
NameSizeHashset Name
NameSerial #Time
"); + Report hashset = new Report(); + formatted_Report.append(hashset.getGroupedHashsetHit()); } + if (countDevice > 0) { formatted_Report.append(nodeDevice); formatted_Report.append(""); } //end of master loop - + if (countEmail > 0) { + formatted_Report.append(nodeEmail); + Report email = new Report(); + formatted_Report.append(email.getGroupedEmailHit()); + } formatted_Report.append(""); formatted_header.append(formatted_Report); // unformatted_header.append(formatted_Report); diff --git a/Report/src/org/sleuthkit/autopsy/report/ReportXML.java b/Report/src/org/sleuthkit/autopsy/report/ReportXML.java index ed199bda47..81f328889b 100644 --- a/Report/src/org/sleuthkit/autopsy/report/ReportXML.java +++ b/Report/src/org/sleuthkit/autopsy/report/ReportXML.java @@ -103,6 +103,7 @@ public class ReportXML implements ReportModule { Element nodeKeyword = new Element("Keyword-Search-Hits"); Element nodeHash = new Element("Hashset-Hits"); Element nodeDevice = new Element("Attached-Devices"); + Element nodeEmail = new Element("Email-Messages"); //remove bytes Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]"); for (Entry> entry : report.entrySet()) { @@ -177,6 +178,9 @@ public class ReportXML implements ReportModule { if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) { nodeDevice.addContent(artifact); } + if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) { + nodeEmail.addContent(artifact); + } //end of master loop } @@ -193,6 +197,7 @@ public class ReportXML implements ReportModule { root.addContent(nodeKeyword); root.addContent(nodeHash); root.addContent(nodeDevice); + root.addContent(nodeEmail); //Export it the first time