mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 07:56:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Grouping hash reporting by hashset names, addition of email reporting

Browse Source
This commit is contained in:
Alex Ebadirad 2012-06-27 08:14:33 -07:00
parent 6956a968fd
commit 7d135bbd8e
3 changed files with 159 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
Report/src/org/sleuthkit/autopsy/report/Report.java
View File

@ -35,14 +35,14 @@ import org.sleuthkit.datamodel.SleuthkitCase;
import java.sql.*; import java.sql.*;
import org.sleuthkit.autopsy.recentactivity.dbconnect; import org.sleuthkit.autopsy.recentactivity.dbconnect;
public class Report { public class Report {
private void Report() { private void Report() {
} }
/** /**
* Returns all the keywords related artifact/attributes and groups them based on keyword * Returns all the keywords related artifact/attributes and groups them
* based on keyword
* *
* @return String table is a string of an html table * @return String table is a string of an html table
* *
@ -106,10 +106,131 @@ public class Report {
} }
/** /**
* Returns a hashmap of associated blackboard artifacts/attributes that were requested by the config param * Returns all the hash lookups related artifact/attributes and groups them
* based on hashset name
* *
* @param config is a ReportConfiguration object that has all the types of artifacts desired from the blackboard * @return String table is a string of an html table
* @return reportMap a hashmap of all the artifacts for artifact types were input *
*/
public String getGroupedHashsetHit() {
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
tempDb.copyCaseDB(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", "jdbc:sqlite:" + currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashset;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashname;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hash;");
String temp1 = "CREATE TABLE report_hashset AS SELECT value_text as hashset,blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HASHSET_NAME.getTypeID() + ";";
String temp5 = "CREATE TABLE report_hashname AS SELECT name, size, report_hashset.artifact_id from tsk_files,blackboard_artifacts, report_hashset WHERE blackboard_artifacts.artifact_id = report_hashset.artifact_id AND blackboard_artifacts.obj_id = tsk_files.obj_id;";
String temp6 = "CREATE TABLE report_hash AS SELECT hashset,size,name from report_hashset INNER JOIN report_hashname ON report_hashset.artifact_id=report_hashname.artifact_id;";
tempdbconnect.executeStmt(temp1);
tempdbconnect.executeStmt(temp5);
tempdbconnect.executeStmt(temp6);
ResultSet uniqueresults = tempdbconnect.executeQry("SELECT name, size, hashset FROM report_hash ORDER BY hashset ASC");
String keyword = "";
while (uniqueresults.next()) {
if (uniqueresults.getString("hashset") == null ? keyword == null : uniqueresults.getString("hashset").equals(keyword)) {
} else {
table.append("</tbody></table><br /><br />");
keyword = uniqueresults.getString("hashset");
table.append("<strong>").append(keyword).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Size</th></tr><tbody>");
}
table.append("<tr><td>").append(uniqueresults.getString("name")).append("</td>");
table.append("<td>").append(uniqueresults.getString("size")).append("</td>").append("</tr>");
}
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashset;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hashname;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_hash;");
tempdbconnect.closeConnection();
File f1 = new File(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
boolean success = f1.delete();
} catch (Exception e) {
Logger.getLogger(Report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return table.toString();
}
/**
* Returns all the hash lookups related artifact/attributes and groups them
* based on hashset name
*
* @return String table is a string of an html table
*
*/
public String getGroupedEmailHit() {
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
tempDb.copyCaseDB(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", "jdbc:sqlite:" + currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_keyword;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_preview;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_exp;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_list;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_name;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report;");
String temp1 = "CREATE TABLE report_keyword AS SELECT value_text as keyword,blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID() + ";";
String temp2 = "CREATE TABLE report_preview AS SELECT value_text as preview, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID() + ";";
String temp3 = "CREATE TABLE report_exp AS SELECT value_text as exp, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID() + ";";
String temp4 = "CREATE TABLE report_list AS SELECT value_text as list, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ";";
String temp5 = "CREATE TABLE report_name AS SELECT name, report_keyword.artifact_id from tsk_files,blackboard_artifacts, report_keyword WHERE blackboard_artifacts.artifact_id = report_keyword.artifact_id AND blackboard_artifacts.obj_id = tsk_files.obj_id;";
String temp6 = "CREATE TABLE report AS SELECT keyword,preview,exp,list,name from report_keyword INNER JOIN report_preview ON report_keyword.artifact_id=report_preview.artifact_id INNER JOIN report_exp ON report_preview.artifact_id=report_exp.artifact_id INNER JOIN report_list ON report_exp.artifact_id=report_list.artifact_id INNER JOIN report_name ON report_list.artifact_id=report_name.artifact_id;";
tempdbconnect.executeStmt(temp1);
tempdbconnect.executeStmt(temp2);
tempdbconnect.executeStmt(temp3);
tempdbconnect.executeStmt(temp4);
tempdbconnect.executeStmt(temp5);
tempdbconnect.executeStmt(temp6);
ResultSet uniqueresults = tempdbconnect.executeQry("SELECT keyword, exp, preview, list, name FROM report ORDER BY keyword ASC");
String keyword = "";
while (uniqueresults.next()) {
if (uniqueresults.getString("keyword") == null ? keyword == null : uniqueresults.getString("keyword").equals(keyword)) {
} else {
table.append("</tbody></table><br /><br />");
keyword = uniqueresults.getString("keyword");
table.append("<strong>").append(keyword).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
}
table.append("<tr><td>").append(uniqueresults.getString("name")).append("</td>");
table.append("<td>").append(uniqueresults.getString("preview")).append("</td>").append("<td>").append(uniqueresults.getString("list")).append("<br />(").append(uniqueresults.getString("exp")).append(")").append("</td>").append("</tr>");
}
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_keyword;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_preview;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_exp;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_name;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_list;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report;");
tempdbconnect.closeConnection();
File f1 = new File(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
boolean success = f1.delete();
} catch (Exception e) {
Logger.getLogger(Report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return table.toString();
}
/**
* Returns a hashmap of associated blackboard artifacts/attributes that were
* requested by the config param
*
* @param config is a ReportConfiguration object that has all the types of
* artifacts desired from the blackboard
* @return reportMap a hashmap of all the artifacts for artifact types were
* input
*/ */
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getAllTypes(ReportConfiguration config) { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getAllTypes(ReportConfiguration config) {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();

20
Report/src/org/sleuthkit/autopsy/report/ReportHTML.java
View File

@ -89,6 +89,7 @@ public class ReportHTML implements ReportModule {
int countKeyword = 0; int countKeyword = 0;
int countHash = 0; int countHash = 0;
int countDevice = 0; int countDevice = 0;
int countEmail = 0;
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) { for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) { if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++; countGen++;
@ -125,6 +126,9 @@ public class ReportHTML implements ReportModule {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) { if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++; countDevice++;
} }
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) {
countDevice++;
}
} }
@ -226,6 +230,9 @@ public class ReportHTML implements ReportModule {
if (countDevice > 0) { if (countDevice > 0) {
formatted_Report.append("<tr><td><a href=\"#device\">Attached Devices</a></td><td>").append(countDevice).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#device\">Attached Devices</a></td><td>").append(countDevice).append("</td></tr>");
} }
if (countDevice > 0) {
formatted_Report.append("<tr><td><a href=\"#email\">Email Messages</a></td><td>").append(countEmail).append("</td></tr>");
}
formatted_Report.append("</tbody></table><br />"); formatted_Report.append("</tbody></table><br />");
String tableHeader = "<table><thead><tr>"; String tableHeader = "<table><thead><tr>";
StringBuilder nodeGen = new StringBuilder("<h3>General Information (").append(countGen).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>"); StringBuilder nodeGen = new StringBuilder("<h3>General Information (").append(countGen).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
@ -239,6 +246,7 @@ public class ReportHTML implements ReportModule {
StringBuilder nodeKeyword = new StringBuilder("<h3><a name=\"keyword\">Keyword Search Hits (").append(countKeyword).append(")</h3>"); StringBuilder nodeKeyword = new StringBuilder("<h3><a name=\"keyword\">Keyword Search Hits (").append(countKeyword).append(")</h3>");
StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Size</th><th>Hashset Name</th></tr></thead><tbody>"); StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Size</th><th>Hashset Name</th></tr></thead><tbody>");
StringBuilder nodeDevice = new StringBuilder("<h3><a name=\"device\">Attached Devices (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Serial #</th><th>Time</th></tr></thead><tbody>"); StringBuilder nodeDevice = new StringBuilder("<h3><a name=\"device\">Attached Devices (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Serial #</th><th>Time</th></tr></thead><tbody>");
StringBuilder nodeEmail = new StringBuilder("<h3><a name=\"email\">Email Messages (").append(countHash).append(")</h3>");
int alt = 0; int alt = 0;
String altRow = ""; String altRow = "";
@ -377,6 +385,8 @@ public class ReportHTML implements ReportModule {
artifact.append("</tr>"); artifact.append("</tr>");
nodeDevice.append(artifact); nodeDevice.append(artifact);
} }
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) {
}
} }
//Add them back in order //Add them back in order
//formatted_Report.append(nodeGen); //formatted_Report.append(nodeGen);
@ -417,14 +427,20 @@ public class ReportHTML implements ReportModule {
} }
if (countHash > 0) { if (countHash > 0) {
formatted_Report.append(nodeHash); formatted_Report.append(nodeHash);
formatted_Report.append("</tbody></table>"); Report hashset = new Report();
formatted_Report.append(hashset.getGroupedHashsetHit());
} }
if (countDevice > 0) { if (countDevice > 0) {
formatted_Report.append(nodeDevice); formatted_Report.append(nodeDevice);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
//end of master loop //end of master loop
if (countEmail > 0) {
formatted_Report.append(nodeEmail);
Report email = new Report();
formatted_Report.append(email.getGroupedEmailHit());
}
formatted_Report.append("</div></div></body></html>"); formatted_Report.append("</div></div></body></html>");
formatted_header.append(formatted_Report); formatted_header.append(formatted_Report);
// unformatted_header.append(formatted_Report); // unformatted_header.append(formatted_Report);

5
Report/src/org/sleuthkit/autopsy/report/ReportXML.java
View File

@ -103,6 +103,7 @@ public class ReportXML implements ReportModule {
Element nodeKeyword = new Element("Keyword-Search-Hits"); Element nodeKeyword = new Element("Keyword-Search-Hits");
Element nodeHash = new Element("Hashset-Hits"); Element nodeHash = new Element("Hashset-Hits");
Element nodeDevice = new Element("Attached-Devices"); Element nodeDevice = new Element("Attached-Devices");
Element nodeEmail = new Element("Email-Messages");
//remove bytes //remove bytes
Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]"); Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]");
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) { for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
@ -177,6 +178,9 @@ public class ReportXML implements ReportModule {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) { if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
nodeDevice.addContent(artifact); nodeDevice.addContent(artifact);
} }
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) {
nodeEmail.addContent(artifact);
}
//end of master loop //end of master loop
} }
@ -193,6 +197,7 @@ public class ReportXML implements ReportModule {
root.addContent(nodeKeyword); root.addContent(nodeKeyword);
root.addContent(nodeHash); root.addContent(nodeHash);
root.addContent(nodeDevice); root.addContent(nodeDevice);
root.addContent(nodeEmail);
//Export it the first time //Export it the first time