diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index ea5a20b9a8..5f80fb7e1e 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -82,6 +82,7 @@ public class Chrome extends Extract { @Override public void process(PipelineContextpipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { + historyFound = true; this.getHistory(dataSource, controller); this.getBookmark(dataSource, controller); this.getCookie(dataSource, controller); @@ -104,6 +105,7 @@ public class Chrome extends Extract { String msg = "Error when trying to get Chrome history files."; logger.log(Level.SEVERE, msg, ex); this.addErrorMessage(this.getName() + ": " + msg); + historyFound = false; return; } @@ -117,7 +119,10 @@ public class Chrome extends Extract { // log a message if we don't have any allocated history files if (allocatedHistoryFiles.isEmpty()) { - logger.log(Level.INFO, "Could not find any allocated Chrome history files."); + String msg = "Could not find any allocated Chrome history files."; + logger.log(Level.INFO, msg); + addErrorMessage(getName() + ": " + msg); + historyFound = false; return; } @@ -380,9 +385,11 @@ public class Chrome extends Extract { break; } - List> tempList = this.dbConnect(temps, downloadQuery); + List> tempList = null; - if (tempList.isEmpty()) { + if (isChromePreVersion30(temps)) { + tempList = this.dbConnect(temps, downloadQuery); + } else { tempList = this.dbConnect(temps, downloadQueryVersion30); } 
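Review bot: In the catch block of the history-file lookup (`@@ -104,6 +105,7`), `historyFound = false;` records a failed lookup the same way as a data source that simply has no Chrome history, so the summary built in RAImageIngestModule prints "Not Found." for both. For an examiner these are different results: one means the evidence was searched and nothing was there, the other means the search did not complete. The catch block in Firefox.java (`@@ -94,6 +95,16`) has the same problem. Consider a three-valued state (found, not found, lookup failed) instead of a boolean, or at least a comment on the field such as `// false also when the file lookup itself failed; see errorMessages`. The enclosing method starts and ends outside the hunk.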
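Review bot: The added `addErrorMessage(getName() + ": " + msg);` in the `allocatedHistoryFiles.isEmpty()` branch (`@@ -117,7 +119,10`) turns the ordinary case of an image with no Chrome profile into an entry in the module's error list. The ExtractIE.java (`@@ -299,6 +300,14`) and Firefox.java (`@@ -94,6 +95,16`) hunks do the same, so many data sources will now finish with several error entries, which makes a real extraction failure harder to spot. How the error list affects the level of the final ingest message is not visible in this diff and is worth checking in `complete()`. Since `historyFound = false;` already feeds the new browser summary, I would keep `logger.log(Level.INFO, msg);` and drop the `addErrorMessage` call in these three branches.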
@@ -495,4 +502,16 @@ public class Chrome extends Extract { public boolean hasBackgroundJobsRunning() { return false; } + + private boolean isChromePreVersion30(String temps) { + String query = "PRAGMA table_info(downloads)"; + List> columns = this.dbConnect(temps, query); + for (HashMap col : columns) { + if (col.get("name").equals("url")) { + return true; + } + } + + return false; + } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java index b3a5a5fe2b..374b7767fb 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java @@ -40,10 +40,11 @@ abstract public class Extract extends IngestModuleDataSource{ public final Logger logger = Logger.getLogger(this.getClass().getName()); protected final ArrayList errorMessages = new ArrayList<>(); protected String moduleName = ""; + protected boolean historyFound = false; //hide public constructor to prevent from instantiation by ingest module loader Extract() { - + historyFound = true; } /** @@ -103,6 +104,7 @@ abstract public class Extract extends IngestModuleDataSource{ tempdbconnect.closeConnection(); } catch (SQLException ex) { logger.log(Level.SEVERE, "Error while trying to read into a sqlite db." + connectionString, ex); + errorMessages.add(getName() + ": Failed to query database."); return Collections.>emptyList(); } return list; @@ -142,4 +144,8 @@ abstract public class Extract extends IngestModuleDataSource{ public String getName() { return moduleName; } + + public boolean foundHistory() { + return historyFound; + } } \ No newline at end of file diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index eef5bb92cd..b816b600bf 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java 
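Review bot: `col.get("name").equals("url")` in the new `isChromePreVersion30` throws a NullPointerException if a returned row has no `name` entry; `"url".equals(col.get("name"))` is the null-safe form. The method also returns `false` whenever `dbConnect` returns an empty list, which per the Extract.java hunk is what happens on an SQLException, so an unreadable or damaged database is treated as version 30 or later and then queried a second time by the caller. A short Javadoc would help here: it should state that the check looks for a `url` column in the `downloads` table and that an empty `PRAGMA table_info` result is reported as "not pre-30".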
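Review bot: The new field is declared `protected boolean historyFound = false;` and is then set to `true` in the constructor (`@@ -40,10 +40,11`), so the initializer has no effect and the real default is "found". Any extractor whose history step never runs, for example because ingest stopped early (not visible in this diff), would then be listed as "Found." in the browser summary. I would default to `false` and set the flag to `true` only at the point where history files have actually been located. A field comment such as `// true once this module has located browser history files for the current data source` would make the contract explicit.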
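Review bot: The message added in the `catch (SQLException ex)` block (`@@ -103,6 +104,7`), `errorMessages.add(getName() + ": Failed to query database.");`, does not say which database failed, so an examiner reading the ingest message cannot tie it to an evidence file without opening the log. The subclasses in this commit report through `addErrorMessage(...)` rather than touching `errorMessages` directly; using the same call here would keep a single reporting path. Callers still cannot tell a failed query from an empty result because both return an empty list, and `isChromePreVersion30` in Chrome.java depends on that return value. The method body starts outside the hunk.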
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -93,6 +93,7 @@ public class ExtractIE extends Extract { @Override public void process(PipelineContextpipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { + historyFound = true; this.getBookmark(dataSource, controller); this.getCookie(dataSource, controller); this.getRecentDocuments(dataSource, controller); @@ -299,6 +300,14 @@ public class ExtractIE extends Extract { return; } + if (indexFiles.isEmpty()) { + String msg = "No InternetExplorer history files found."; + logger.log(Level.INFO, msg); + addErrorMessage(getName() + ": " + msg); + historyFound = false; + return; + } + String temps; String indexFileName; for (AbstractFile indexFile : indexFiles) { @@ -522,4 +531,4 @@ public class ExtractIE extends Extract { public boolean hasBackgroundJobsRunning() { return false; } -} \ No newline at end of file +} diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index bf0f009bda..24f1fb6ce9 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java @@ -74,7 +74,8 @@ public class Firefox extends Extract { } @Override - public void process(PipelineContextpipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { + public void process(PipelineContext pipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { + historyFound = true; this.getHistory(dataSource, controller); this.getBookmark(dataSource, controller); this.getDownload(dataSource, controller); 
@@ -94,6 +95,16 @@ public class Firefox extends Extract { String msg = "Error fetching internet history files for Firefox."; logger.log(Level.WARNING, msg); this.addErrorMessage(this.getName() + ": " + msg); + historyFound = false; + return; + } + + if (historyFiles.isEmpty()) { + String msg = "No FireFox history files found."; + logger.log(Level.INFO, msg); + addErrorMessage(getName() + ": " + msg); + historyFound = false; + return; } int j = 0; @@ -266,29 +277,8 @@ public class Firefox extends Extract { services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); } - /** - * Queries for downloads files and adds artifacts - * @param dataSource - * @param controller - */ - private void getDownload(Content dataSource, IngestDataSourceWorkerController controller) { - - FileManager fileManager = currentCase.getServices().getFileManager(); - List downloadsFiles = null; - try { - downloadsFiles = fileManager.findFiles(dataSource, "downloads.sqlite", "Firefox"); - } catch (TskCoreException ex) { - String msg = "Error fetching 'downloads' files for Firefox."; - logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); - return; - } - - if (downloadsFiles.isEmpty()) { - getDownloadVersion24(dataSource, controller); - return; - } - + + private void getDownloadPreVersion24(Content dataSource, IngestDataSourceWorkerController controller, List downloadsFiles) { int j = 0; for (AbstractFile downloadsFile : downloadsFiles) { if (downloadsFile.getSize() == 0) { @@ -311,10 +301,6 @@ public class Firefox extends Extract { } List> tempList = this.dbConnect(temps, downloadQuery); - if (tempList.isEmpty()) { - getDownloadVersion24(dataSource, controller); - return; - } logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified."); for (HashMap result : tempList) { 
@@ -350,6 +336,28 @@ public class Firefox extends Extract { services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD)); } + /** + * Queries for downloads files and adds artifacts + * @param dataSource + * @param controller + */ + private void getDownload(Content dataSource, IngestDataSourceWorkerController controller) { + FileManager fileManager = currentCase.getServices().getFileManager(); + List downloadsFiles = null; + List placesFiles = null; + try { + downloadsFiles = fileManager.findFiles(dataSource, "downloads.sqlite", "Firefox"); + placesFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox"); + } catch (TskCoreException ex) { + String msg = "Error fetching 'downloads' files for Firefox."; + logger.log(Level.WARNING, msg); + this.addErrorMessage(this.getName() + ": " + msg); + return; + } + + getDownloadPreVersion24(dataSource, controller, downloadsFiles); + getDownloadVersion24(dataSource, controller, placesFiles); + } @Override public void init(IngestModuleInit initContext) { @@ -374,18 +382,7 @@ public class Firefox extends Extract { return false; } - private void getDownloadVersion24(Content dataSource, IngestDataSourceWorkerController controller) { - FileManager fileManager = currentCase.getServices().getFileManager(); - List downloadsFiles = null; - try { - downloadsFiles = fileManager.findFiles(dataSource, "places.sqlite", "Firefox"); - } catch (TskCoreException ex) { - String msg = "Error fetching 'places' files for Firefox."; - logger.log(Level.WARNING, msg); - this.addErrorMessage(this.getName() + ": " + msg); - return; - } - + private void getDownloadVersion24(Content dataSource, IngestDataSourceWorkerController controller, List downloadsFiles) { int j = 0; for (AbstractFile downloadsFile : downloadsFiles) { if (downloadsFile.getSize() == 0) { 
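Review bot: In the new `getDownload`, both `findFiles` calls share one `try` block, so a TskCoreException from the `places.sqlite` lookup also discards the `downloads.sqlite` files that were already found, and the message names only 'downloads'. Giving each lookup its own `try` lets the other source still be processed and restores the 'places' message that the removed code had. The exception is not passed to the logger either, so the sketch below adds `ex` to the `logger.log` calls. Both helpers now always run, where the old code used `getDownloadVersion24` only as a fallback; whether a profile holding both databases yields duplicate download artifacts cannot be judged from this hunk.

```java
private void getDownload(Content dataSource, IngestDataSourceWorkerController controller) {
    FileManager fileManager = currentCase.getServices().getFileManager();

    // Look up each database separately so one failed lookup does not hide the other source.
    try {
        getDownloadPreVersion24(dataSource, controller,
                fileManager.findFiles(dataSource, "downloads.sqlite", "Firefox"));
    } catch (TskCoreException ex) {
        String msg = "Error fetching 'downloads' files for Firefox.";
        logger.log(Level.WARNING, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
    }

    try {
        getDownloadVersion24(dataSource, controller,
                fileManager.findFiles(dataSource, "places.sqlite", "Firefox"));
    } catch (TskCoreException ex) {
        String msg = "Error fetching 'places' files for Firefox.";
        logger.log(Level.WARNING, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
    }
}
```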
@@ -406,8 +403,9 @@ public class Firefox extends Extract { dbFile.delete(); break; } - + List> tempList = this.dbConnect(temps, downloadQueryVersion24); + logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified."); for (HashMap result : tempList) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index ae0584fbf0..1e81f63496 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -23,8 +23,8 @@ package org.sleuthkit.autopsy.recentactivity; import java.io.File; -import java.nio.file.Path; import java.util.ArrayList; +import java.util.List; import java.util.logging.Level; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.coreutils.Logger; @@ -49,6 +49,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource { private static int messageId = 0; private StringBuilder subCompleted = new StringBuilder(); private ArrayList modules; + private List browserModules; final public static String MODULE_VERSION = "1.0"; //public constructor is required @@ -106,6 +107,17 @@ public final class RAImageIngestModule extends IngestModuleDataSource { } final IngestMessage msg = IngestMessage.createMessage(++messageId, msgLevel, this, "Finished " + dataSource.getName()+ " - " + errorMsgSubject, errorMessage.toString()); services.postMessage(msg); + + StringBuilder historyMsg = new StringBuilder(); + historyMsg.append("

Browser Data on ").append(dataSource.getName()).append(":

    \n"); + for (Extract module : browserModules) { + historyMsg.append("
  • ").append(module.getName()); + historyMsg.append(": ").append((module.foundHistory()) ? " Found." : " Not Found."); + historyMsg.append("
  • "); + } + historyMsg.append("
"); + final IngestMessage inboxMsg = IngestMessage.createMessage(++messageId, MessageType.INFO, this, dataSource.getName() + " - Browser Results", historyMsg.toString()); + services.postMessage(inboxMsg); } @Override @@ -139,18 +151,29 @@ public final class RAImageIngestModule extends IngestModuleDataSource { @Override public void init(IngestModuleInit initContext) { modules = new ArrayList<>(); + browserModules = new ArrayList(); logger.log(Level.INFO, "init() {0}", this.toString()); services = IngestServices.getDefault(); - modules.add(new Chrome()); - modules.add(new Firefox()); - modules.add(new ExtractIE()); + final Extract registry = new ExtractRegistry(); + final Extract iexplore = new ExtractIE(); + final Extract chrome = new Chrome(); + final Extract firefox = new Firefox(); + final Extract SEUQA = new SearchEngineURLQueryAnalyzer(); + + modules.add(chrome); + modules.add(firefox); + modules.add(iexplore); // this needs to run after the web browser modules - modules.add(new SearchEngineURLQueryAnalyzer()); + modules.add(SEUQA); // this runs last because it is slowest - modules.add(new ExtractRegistry()); + modules.add(registry); + browserModules.add(chrome); + browserModules.add(firefox); + browserModules.add(iexplore); + for (Extract module : modules) { try { module.init(initContext);
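Review bot: `historyMsg` appends `dataSource.getName()` and `module.getName()` straight into the message body (`@@ -106,6 +107,17`), which looks like HTML markup whose tags have been lost in this page's rendering. The data source name is presumably derived from the image under examination, so it should be escaped before it is placed in markup that the inbox renders. The loop also dereferences `browserModules`, which is assigned only in `init()`; a guard such as `if (browserModules != null)` is worth considering if `complete()` can run without a successful `init()`, which this diff does not show. The enclosing method starts outside the hunk.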
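Review bot: The local `final Extract SEUQA = new SearchEngineURLQueryAnalyzer();` in `init` (`@@ -139,18 +151,29`) is named like a constant; a local should be lowerCamelCase, for example `searchEngineAnalyzer`. `browserModules = new ArrayList();` appears here without a type argument while the line above uses `new ArrayList<>()`; if that is how the file really reads, use the diamond form. A one-line comment above the `browserModules.add(...)` calls, such as `// modules whose history result is listed in the browser summary`, would explain why there are two lists. The `init` body continues past the end of the hunk.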