Added ingest messages summarizing browser data found on the image.

This commit is contained in:
Jeff Wallace 2013-10-29 10:54:56 -04:00
parent 5e8517feb9
commit 7e967e2568
5 changed files with 107 additions and 52 deletions


@ -82,6 +82,7 @@ public class Chrome extends Extract {
@Override
public void process(PipelineContext<IngestModuleDataSource>pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
historyFound = true;
this.getHistory(dataSource, controller);
this.getBookmark(dataSource, controller);
this.getCookie(dataSource, controller);
@ -104,6 +105,7 @@ public class Chrome extends Extract {
String msg = "Error when trying to get Chrome history files.";
logger.log(Level.SEVERE, msg, ex);
this.addErrorMessage(this.getName() + ": " + msg);
historyFound = false;
return;
}
@ -117,7 +119,10 @@ public class Chrome extends Extract {
// log a message if we don't have any allocated history files
if (allocatedHistoryFiles.isEmpty()) {
logger.log(Level.INFO, "Could not find any allocated Chrome history files.");
String msg = "Could not find any allocated Chrome history files.";
logger.log(Level.INFO, msg);
addErrorMessage(getName() + ": " + msg);
historyFound = false;
return;
}
@ -380,9 +385,11 @@ public class Chrome extends Extract {
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, downloadQuery);
List<HashMap<String, Object>> tempList = null;
if (tempList.isEmpty()) {
if (isChromePreVersion30(temps)) {
tempList = this.dbConnect(temps, downloadQuery);
} else {
tempList = this.dbConnect(temps, downloadQueryVersion30);
}
@ -495,4 +502,16 @@ public class Chrome extends Extract {
public boolean hasBackgroundJobsRunning() {
return false;
}
private boolean isChromePreVersion30(String temps) {
String query = "PRAGMA table_info(downloads)";
List<HashMap<String, Object>> columns = this.dbConnect(temps, query);
for (HashMap<String, Object> col : columns) {
if (col.get("name").equals("url")) {
return true;
}
}
return false;
}
}
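Review bot: `isChromePreVersion30` in the last hunk dereferences `col.get("name")` before comparing it, so a `PRAGMA table_info` row whose `name` value is absent or null throws a NullPointerException out of the download pass instead of choosing a query; invert the comparison to `if ("url".equals(col.get("name"))) {`. Because `dbConnect` returns an empty list when the query fails (see Extract.java in this commit), a database that cannot be opened silently answers "not pre-30" here and the version-30 query is tried; that may be acceptable, but a Javadoc line on the helper such as `/** Returns true when the downloads table still has the pre-Chrome-30 "url" column; false when the table cannot be queried. */` would make it explicit. Separately, the `historyFound = false` added on the exception path in the `-104` hunk makes the new browser summary say Chrome history was "Not Found" when the real condition was a read error; the error message is still posted, so this is a wording trade-off rather than a defect.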


@ -40,10 +40,11 @@ abstract public class Extract extends IngestModuleDataSource{
public final Logger logger = Logger.getLogger(this.getClass().getName());
protected final ArrayList<String> errorMessages = new ArrayList<>();
protected String moduleName = "";
protected boolean historyFound = false;
//hide public constructor to prevent from instantiation by ingest module loader
Extract() {
historyFound = true;
}
/**
@ -103,6 +104,7 @@ abstract public class Extract extends IngestModuleDataSource{
tempdbconnect.closeConnection();
} catch (SQLException ex) {
logger.log(Level.SEVERE, "Error while trying to read into a sqlite db." + connectionString, ex);
errorMessages.add(getName() + ": Failed to query database.");
return Collections.<HashMap<String,Object>>emptyList();
}
return list;
@ -142,4 +144,8 @@ abstract public class Extract extends IngestModuleDataSource{
public String getName() {
return moduleName;
}
public boolean foundHistory() {
return historyFound;
}
}
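Review bot: The constructor added in the first hunk assigns `historyFound = true` while the field initialiser two lines above sets it to `false`, and every subclass `process()` in this commit sets it to `true` again on entry, so the constructor assignment is dead and the two defaults contradict each other; keep the field initialiser and drop the constructor body. Neither the field nor the new `foundHistory()` accessor has Javadoc; I would add above the field `/** Cleared by process() when the module cannot locate or read its browser history files; reported in the per-data-source browser summary. */` and on the accessor `/** @return whether the last process() call located browser history. */`. The flag is per-instance and reset at the start of each `process()` call, so the summary is only meaningful if a module instance handles one data source at a time — I cannot tell from these hunks whether that is guaranteed. In the `-103` hunk the added `errorMessages.add(getName() + ": Failed to query database.")` omits the `connectionString` that the adjacent log line carries, so the user cannot tell which database failed.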


@ -93,6 +93,7 @@ public class ExtractIE extends Extract {
@Override
public void process(PipelineContext<IngestModuleDataSource>pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
historyFound = true;
this.getBookmark(dataSource, controller);
this.getCookie(dataSource, controller);
this.getRecentDocuments(dataSource, controller);
@ -299,6 +300,14 @@ public class ExtractIE extends Extract {
return;
}
if (indexFiles.isEmpty()) {
String msg = "No InternetExplorer history files found.";
logger.log(Level.INFO, msg);
addErrorMessage(getName() + ": " + msg);
historyFound = false;
return;
}
String temps;
String indexFileName;
for (AbstractFile indexFile : indexFiles) {
@ -522,4 +531,4 @@ public class ExtractIE extends Extract {
public boolean hasBackgroundJobsRunning() {
return false;
}
}
}
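Review bot: In the `-299` hunk the `return;` just above the new `indexFiles.isEmpty()` check appears to be the tail of the catch around the `findFiles` lookup (its start is outside the hunk), and unlike the equivalent paths in Chrome and Firefox in this commit it does not reset `historyFound`; an error enumerating index.dat files therefore leaves the flag at the `true` set on entry to `process()` and the browser summary reports Internet Explorer history as "Found." Add `historyFound = false;` before that `return;`. The new empty-list block is a copy of the one in Chrome and Firefox, which is fine for now, but a shared helper in Extract would keep the three messages and flag handling from drifting apart.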


@ -74,7 +74,8 @@ public class Firefox extends Extract {
}
@Override
public void process(PipelineContext<IngestModuleDataSource>pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
public void process(PipelineContext<IngestModuleDataSource> pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) {
historyFound = true;
this.getHistory(dataSource, controller);
this.getBookmark(dataSource, controller);
this.getDownload(dataSource, controller);
@ -94,6 +95,16 @@ public class Firefox extends Extract {
String msg = "Error fetching internet history files for Firefox.";
logger.log(Level.WARNING, msg);
this.addErrorMessage(this.getName() + ": " + msg);
historyFound = false;
return;
}
if (historyFiles.isEmpty()) {
String msg = "No FireFox history files found.";
logger.log(Level.INFO, msg);
addErrorMessage(getName() + ": " + msg);
historyFound = false;
return;
}
int j = 0;
@ -266,29 +277,8 @@ public class Firefox extends Extract {
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
/**
* Queries for downloads files and adds artifacts
* @param dataSource
* @param controller
*/
private void getDownload(Content dataSource, IngestDataSourceWorkerController controller) {
FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> downloadsFiles = null;
try {
downloadsFiles = fileManager.findFiles(dataSource, "downloads.sqlite", "Firefox");
} catch (TskCoreException ex) {
String msg = "Error fetching 'downloads' files for Firefox.";
logger.log(Level.WARNING, msg);
this.addErrorMessage(this.getName() + ": " + msg);
return;
}
if (downloadsFiles.isEmpty()) {
getDownloadVersion24(dataSource, controller);
return;
}
private void getDownloadPreVersion24(Content dataSource, IngestDataSourceWorkerController controller, List<AbstractFile> downloadsFiles) {
int j = 0;
for (AbstractFile downloadsFile : downloadsFiles) {
if (downloadsFile.getSize() == 0) {
@ -311,10 +301,6 @@ public class Firefox extends Extract {
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, downloadQuery);
if (tempList.isEmpty()) {
getDownloadVersion24(dataSource, controller);
return;
}
logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
@ -350,6 +336,28 @@ public class Firefox extends Extract {
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
}
/**
* Queries for downloads files and adds artifacts
* @param dataSource
* @param controller
*/
private void getDownload(Content dataSource, IngestDataSourceWorkerController controller) {
FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> downloadsFiles = null;
List<AbstractFile> placesFiles = null;
try {
downloadsFiles = fileManager.findFiles(dataSource, "downloads.sqlite", "Firefox");
placesFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox");
} catch (TskCoreException ex) {
String msg = "Error fetching 'downloads' files for Firefox.";
logger.log(Level.WARNING, msg);
this.addErrorMessage(this.getName() + ": " + msg);
return;
}
getDownloadPreVersion24(dataSource, controller, downloadsFiles);
getDownloadVersion24(dataSource, controller, placesFiles);
}
@Override
public void init(IngestModuleInit initContext) {
@ -374,18 +382,7 @@ public class Firefox extends Extract {
return false;
}
private void getDownloadVersion24(Content dataSource, IngestDataSourceWorkerController controller) {
FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> downloadsFiles = null;
try {
downloadsFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox");
} catch (TskCoreException ex) {
String msg = "Error fetching 'places' files for Firefox.";
logger.log(Level.WARNING, msg);
this.addErrorMessage(this.getName() + ": " + msg);
return;
}
private void getDownloadVersion24(Content dataSource, IngestDataSourceWorkerController controller, List<AbstractFile> downloadsFiles) {
int j = 0;
for (AbstractFile downloadsFile : downloadsFiles) {
if (downloadsFile.getSize() == 0) {
@ -406,8 +403,9 @@ public class Firefox extends Extract {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, downloadQueryVersion24);
logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
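Review bot: The new `getDownload` in the `-350` hunk folds both `findFiles` lookups into one try, so a failure locating places.sqlite is reported as "Error fetching 'downloads' files" — the removed `getDownloadVersion24` in the `-374` hunk still distinguished the two with its `'places'` message — and it also abandons the pre-24 pass even when downloads.sqlite was already found. I would give each lookup its own try/catch, log the exception object as the Chrome module does, and let each pass run independently, as below. In the `-374` hunk the surviving parameter of `getDownloadVersion24` is still named `downloadsFiles` although it now receives `placesFiles`; renaming it avoids confusion, and both helpers lack the Javadoc that the old `getDownload` carried. Whether running both passes unconditionally can report the same download twice for a profile that still has both databases I cannot tell from this diff.
```java
private void getDownload(Content dataSource, IngestDataSourceWorkerController controller) {
    FileManager fileManager = currentCase.getServices().getFileManager();
    try {
        getDownloadPreVersion24(dataSource, controller,
                fileManager.findFiles(dataSource, "downloads.sqlite", "Firefox"));
    } catch (TskCoreException ex) {
        String msg = "Error fetching 'downloads' files for Firefox.";
        logger.log(Level.WARNING, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
    }
    try {
        getDownloadVersion24(dataSource, controller,
                fileManager.findFiles(dataSource, "places.sqlite", "Firefox"));
    } catch (TskCoreException ex) {
        String msg = "Error fetching 'places' files for Firefox.";
        logger.log(Level.WARNING, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
    }
}
```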


@ -23,8 +23,8 @@
package org.sleuthkit.autopsy.recentactivity;
import java.io.File;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.logging.Level;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Logger;
@ -49,6 +49,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
private static int messageId = 0;
private StringBuilder subCompleted = new StringBuilder();
private ArrayList<Extract> modules;
private List<Extract> browserModules;
final public static String MODULE_VERSION = "1.0";
//public constructor is required
@ -106,6 +107,17 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
}
final IngestMessage msg = IngestMessage.createMessage(++messageId, msgLevel, this, "Finished " + dataSource.getName()+ " - " + errorMsgSubject, errorMessage.toString());
services.postMessage(msg);
StringBuilder historyMsg = new StringBuilder();
historyMsg.append("<p>Browser Data on ").append(dataSource.getName()).append(":<ul>\n");
for (Extract module : browserModules) {
historyMsg.append("<li>").append(module.getName());
historyMsg.append(": ").append((module.foundHistory()) ? " Found." : " Not Found.");
historyMsg.append("</li>");
}
historyMsg.append("</ul>");
final IngestMessage inboxMsg = IngestMessage.createMessage(++messageId, MessageType.INFO, this, dataSource.getName() + " - Browser Results", historyMsg.toString());
services.postMessage(inboxMsg);
}
@Override
@ -139,18 +151,29 @@ public final class RAImageIngestModule extends IngestModuleDataSource {
@Override
public void init(IngestModuleInit initContext) {
modules = new ArrayList<>();
browserModules = new ArrayList();
logger.log(Level.INFO, "init() {0}", this.toString());
services = IngestServices.getDefault();
modules.add(new Chrome());
modules.add(new Firefox());
modules.add(new ExtractIE());
final Extract registry = new ExtractRegistry();
final Extract iexplore = new ExtractIE();
final Extract chrome = new Chrome();
final Extract firefox = new Firefox();
final Extract SEUQA = new SearchEngineURLQueryAnalyzer();
modules.add(chrome);
modules.add(firefox);
modules.add(iexplore);
// this needs to run after the web browser modules
modules.add(new SearchEngineURLQueryAnalyzer());
modules.add(SEUQA);
// this runs last because it is slowest
modules.add(new ExtractRegistry());
modules.add(registry);
browserModules.add(chrome);
browserModules.add(firefox);
browserModules.add(iexplore);
for (Extract module : modules) {
try {
module.init(initContext);