mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-19 11:07:43 +00:00
Combine OS attributes found in the registry.
This commit is contained in:
parent
93eb80364a
commit
8ac91c2cb8
@ -59,14 +59,16 @@ import org.sleuthkit.autopsy.ingest.IngestJobContext;
|
|||||||
import org.sleuthkit.datamodel.*;
|
import org.sleuthkit.datamodel.*;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extracts activity from Internet Explorer browser, as well as recent documents in windows.
|
* Extracts activity from Internet Explorer browser, as well as recent documents
|
||||||
|
* in windows.
|
||||||
*/
|
*/
|
||||||
class ExtractIE extends Extract {
|
class ExtractIE extends Extract {
|
||||||
|
|
||||||
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
|
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
|
||||||
private IngestServices services = IngestServices.getInstance();
|
private IngestServices services = IngestServices.getInstance();
|
||||||
private String moduleTempResultsDir;
|
private String moduleTempResultsDir;
|
||||||
private String PASCO_LIB_PATH;
|
private String PASCO_LIB_PATH;
|
||||||
private String JAVA_PATH;
|
private String JAVA_PATH;
|
||||||
private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
|
private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
|
||||||
private Content dataSource;
|
private Content dataSource;
|
||||||
private IngestJobContext context;
|
private IngestJobContext context;
|
||||||
@ -90,7 +92,7 @@ class ExtractIE extends Extract {
|
|||||||
/**
|
/**
|
||||||
* Finds the files storing bookmarks and creates artifacts
|
* Finds the files storing bookmarks and creates artifacts
|
||||||
*/
|
*/
|
||||||
private void getBookmark() {
|
private void getBookmark() {
|
||||||
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
||||||
List<AbstractFile> favoritesFiles;
|
List<AbstractFile> favoritesFiles;
|
||||||
try {
|
try {
|
||||||
@ -99,7 +101,7 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
|
logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
|
NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
|
||||||
this.getName()));
|
this.getName()));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -107,17 +109,17 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.INFO, "Didn't find any IE bookmark files."); //NON-NLS
|
logger.log(Level.INFO, "Didn't find any IE bookmark files."); //NON-NLS
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
dataFound = true;
|
dataFound = true;
|
||||||
for (AbstractFile fav : favoritesFiles) {
|
for (AbstractFile fav : favoritesFiles) {
|
||||||
if (fav.getSize() == 0) {
|
if (fav.getSize() == 0) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (context.dataSourceIngestIsCancelled()) {
|
if (context.dataSourceIngestIsCancelled()) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
String url = getURLFromIEBookmarkFile(fav);
|
String url = getURLFromIEBookmarkFile(fav);
|
||||||
|
|
||||||
String name = fav.getName();
|
String name = fav.getName();
|
||||||
@ -128,27 +130,27 @@ class ExtractIE extends Extract {
|
|||||||
|
|
||||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), url));
|
"ExtractIE.parentModuleName.noSpace"), url));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), name));
|
"ExtractIE.parentModuleName.noSpace"), name));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), datetime));
|
"ExtractIE.parentModuleName.noSpace"), datetime));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"),
|
"ExtractIE.parentModuleName.noSpace"),
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||||
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
|
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
|
||||||
}
|
}
|
||||||
services.fireModuleDataEvent(new ModuleDataEvent(
|
services.fireModuleDataEvent(new ModuleDataEvent(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
|
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
|
||||||
}
|
}
|
||||||
|
|
||||||
private String getURLFromIEBookmarkFile(AbstractFile fav) {
|
private String getURLFromIEBookmarkFile(AbstractFile fav) {
|
||||||
BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));
|
BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));
|
||||||
String line, url = "";
|
String line, url = "";
|
||||||
@ -165,12 +167,12 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
|
logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
|
NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
|
||||||
fav.getName()));
|
fav.getName()));
|
||||||
} catch (IndexOutOfBoundsException ex) {
|
} catch (IndexOutOfBoundsException ex) {
|
||||||
logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
|
logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
|
NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
|
||||||
fav.getName()));
|
fav.getName()));
|
||||||
} finally {
|
} finally {
|
||||||
try {
|
try {
|
||||||
reader.close();
|
reader.close();
|
||||||
@ -178,14 +180,14 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS
|
logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return url;
|
return url;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Finds files that store cookies and adds artifacts for them.
|
* Finds files that store cookies and adds artifacts for them.
|
||||||
*/
|
*/
|
||||||
private void getCookie() {
|
private void getCookie() {
|
||||||
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
||||||
List<AbstractFile> cookiesFiles;
|
List<AbstractFile> cookiesFiles;
|
||||||
try {
|
try {
|
||||||
@ -201,7 +203,7 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.INFO, "Didn't find any IE cookies files."); //NON-NLS
|
logger.log(Level.INFO, "Didn't find any IE cookies files."); //NON-NLS
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
dataFound = true;
|
dataFound = true;
|
||||||
for (AbstractFile cookiesFile : cookiesFiles) {
|
for (AbstractFile cookiesFile : cookiesFiles) {
|
||||||
if (context.dataSourceIngestIsCancelled()) {
|
if (context.dataSourceIngestIsCancelled()) {
|
||||||
@ -218,7 +220,7 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.SEVERE, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
|
logger.log(Level.SEVERE, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
|
NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
|
||||||
this.getName(), cookiesFile.getName()));
|
this.getName(), cookiesFile.getName()));
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
String cookieString = new String(t);
|
String cookieString = new String(t);
|
||||||
@ -233,24 +235,24 @@ class ExtractIE extends Extract {
|
|||||||
|
|
||||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), url));
|
"ExtractIE.parentModuleName.noSpace"), url));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), datetime));
|
"ExtractIE.parentModuleName.noSpace"), datetime));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), (name != null) ? name : ""));
|
"ExtractIE.parentModuleName.noSpace"), (name != null) ? name : ""));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), value));
|
"ExtractIE.parentModuleName.noSpace"), value));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"),
|
"ExtractIE.parentModuleName.noSpace"),
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||||
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||||
}
|
}
|
||||||
services.fireModuleDataEvent(new ModuleDataEvent(
|
services.fireModuleDataEvent(new ModuleDataEvent(
|
||||||
@ -258,7 +260,7 @@ class ExtractIE extends Extract {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Locates index.dat files, runs Pasco on them, and creates artifacts.
|
* Locates index.dat files, runs Pasco on them, and creates artifacts.
|
||||||
*/
|
*/
|
||||||
private void getHistory() {
|
private void getHistory() {
|
||||||
logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS
|
logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS
|
||||||
@ -270,8 +272,8 @@ class ExtractIE extends Extract {
|
|||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName()));
|
NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName()));
|
||||||
logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS
|
logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
final String pascoHome = pascoRoot.getAbsolutePath();
|
final String pascoHome = pascoRoot.getAbsolutePath();
|
||||||
logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS
|
logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS
|
||||||
|
|
||||||
@ -280,7 +282,7 @@ class ExtractIE extends Extract {
|
|||||||
|
|
||||||
File resultsDir = new File(moduleTempResultsDir);
|
File resultsDir = new File(moduleTempResultsDir);
|
||||||
resultsDir.mkdirs();
|
resultsDir.mkdirs();
|
||||||
|
|
||||||
// get index.dat files
|
// get index.dat files
|
||||||
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
||||||
List<AbstractFile> indexFiles;
|
List<AbstractFile> indexFiles;
|
||||||
@ -288,7 +290,7 @@ class ExtractIE extends Extract {
|
|||||||
indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
|
indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
|
||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
|
this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
|
||||||
this.getName()));
|
this.getName()));
|
||||||
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS
|
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -298,7 +300,7 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.INFO, msg);
|
logger.log(Level.INFO, msg);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
dataFound = true;
|
dataFound = true;
|
||||||
String temps;
|
String temps;
|
||||||
String indexFileName;
|
String indexFileName;
|
||||||
@ -321,7 +323,7 @@ class ExtractIE extends Extract {
|
|||||||
logger.log(Level.SEVERE, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
|
logger.log(Level.SEVERE, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
|
NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
|
||||||
datFile.getAbsolutePath()));
|
datFile.getAbsolutePath()));
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -336,7 +338,7 @@ class ExtractIE extends Extract {
|
|||||||
if (bPascProcSuccess) {
|
if (bPascProcSuccess) {
|
||||||
parsePascoOutput(indexFile, filename);
|
parsePascoOutput(indexFile, filename);
|
||||||
foundHistory = true;
|
foundHistory = true;
|
||||||
|
|
||||||
//Delete index<n>.dat file since it was succcessfully by Pasco
|
//Delete index<n>.dat file since it was succcessfully by Pasco
|
||||||
datFile.delete();
|
datFile.delete();
|
||||||
} else {
|
} else {
|
||||||
@ -345,7 +347,7 @@ class ExtractIE extends Extract {
|
|||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName()));
|
NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName()));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (foundHistory) {
|
if (foundHistory) {
|
||||||
services.fireModuleDataEvent(new ModuleDataEvent(
|
services.fireModuleDataEvent(new ModuleDataEvent(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
|
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"), BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
|
||||||
@ -353,7 +355,8 @@ class ExtractIE extends Extract {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Execute pasco on a single file that has been saved to disk.
|
* Execute pasco on a single file that has been saved to disk.
|
||||||
|
*
|
||||||
* @param indexFilePath Path to local index.dat file to analyze
|
* @param indexFilePath Path to local index.dat file to analyze
|
||||||
* @param outputFileName Name of file to save output to
|
* @param outputFileName Name of file to save output to
|
||||||
* @return false on error
|
* @return false on error
|
||||||
@ -386,18 +389,20 @@ class ExtractIE extends Extract {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* parse Pasco output and create artifacts
|
* parse Pasco output and create artifacts
|
||||||
* @param origFile Original index.dat file that was analyzed to get this output
|
*
|
||||||
|
* @param origFile Original index.dat file that was analyzed to get this
|
||||||
|
* output
|
||||||
* @param pascoOutputFileName name of pasco output file
|
* @param pascoOutputFileName name of pasco output file
|
||||||
*/
|
*/
|
||||||
private void parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
|
private void parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
|
||||||
|
|
||||||
String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
|
String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
|
||||||
|
|
||||||
File file = new File(fnAbs);
|
File file = new File(fnAbs);
|
||||||
if (file.exists() == false) {
|
if (file.exists() == false) {
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
|
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
|
||||||
file.getName()));
|
file.getName()));
|
||||||
logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
|
logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -414,11 +419,11 @@ class ExtractIE extends Extract {
|
|||||||
} catch (FileNotFoundException ex) {
|
} catch (FileNotFoundException ex) {
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
|
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
|
||||||
file.getName()));
|
file.getName()));
|
||||||
logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
|
logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Keep a list of reported user accounts to avoid repeats
|
// Keep a list of reported user accounts to avoid repeats
|
||||||
Set<String> reportedUserAccounts = new HashSet<String>();
|
Set<String> reportedUserAccounts = new HashSet<String>();
|
||||||
|
|
||||||
@ -478,7 +483,7 @@ class ExtractIE extends Extract {
|
|||||||
} catch (ParseException e) {
|
} catch (ParseException e) {
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
|
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
|
||||||
this.getName()));
|
this.getName()));
|
||||||
logger.log(Level.SEVERE, "Error parsing Pasco results.", e); //NON-NLS
|
logger.log(Level.SEVERE, "Error parsing Pasco results.", e); //NON-NLS
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -487,40 +492,40 @@ class ExtractIE extends Extract {
|
|||||||
BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
|
BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
|
||||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), realurl));
|
"ExtractIE.parentModuleName.noSpace"), realurl));
|
||||||
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
|
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
|
||||||
|
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), ftime));
|
"ExtractIE.parentModuleName.noSpace"), ftime));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), ""));
|
"ExtractIE.parentModuleName.noSpace"), ""));
|
||||||
// @@@ NOte that other browser modules are adding TITLE in hre for the title
|
// @@@ NOte that other browser modules are adding TITLE in hre for the title
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"),
|
"ExtractIE.parentModuleName.noSpace"),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.moduleName.text")));
|
"ExtractIE.moduleName.text")));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(),
|
NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractIE.parentModuleName.noSpace"), user));
|
"ExtractIE.parentModuleName.noSpace"), user));
|
||||||
bbart.addAttributes(bbattributes);
|
bbart.addAttributes(bbattributes);
|
||||||
|
|
||||||
if( (!user.isEmpty()) && (!reportedUserAccounts.contains(user))){
|
if ((!user.isEmpty()) && (!reportedUserAccounts.contains(user))) {
|
||||||
BlackboardArtifact osAttr = origFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
|
BlackboardArtifact osAttr = origFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
|
||||||
osAttr.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
osAttr.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user));
|
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user));
|
||||||
reportedUserAccounts.add(user);
|
reportedUserAccounts.add(user);
|
||||||
}
|
}
|
||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS
|
logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
fileScanner.close();
|
fileScanner.close();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -43,6 +43,8 @@ import org.sleuthkit.autopsy.recentactivity.UsbDeviceIdMapper.USBInfo;
|
|||||||
import org.sleuthkit.datamodel.*;
|
import org.sleuthkit.datamodel.*;
|
||||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||||
|
import org.sleuthkit.datamodel.OSUtility; // TEMP
|
||||||
|
import org.sleuthkit.autopsy.casemodule.Case;
|
||||||
import org.w3c.dom.Document;
|
import org.w3c.dom.Document;
|
||||||
import org.w3c.dom.Element;
|
import org.w3c.dom.Element;
|
||||||
import org.w3c.dom.Node;
|
import org.w3c.dom.Node;
|
||||||
@ -51,10 +53,10 @@ import org.xml.sax.InputSource;
|
|||||||
import org.xml.sax.SAXException;
|
import org.xml.sax.SAXException;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Extract windows registry data using regripper.
|
* Extract windows registry data using regripper. Runs two versions of
|
||||||
* Runs two versions of regripper. One is the generally available set of plug-ins
|
* regripper. One is the generally available set of plug-ins and the second is a
|
||||||
* and the second is a set that were customized for Autopsy to produce a more structured
|
* set that were customized for Autopsy to produce a more structured output of
|
||||||
* output of XML so that we can parse and turn into blackboard artifacts.
|
* XML so that we can parse and turn into blackboard artifacts.
|
||||||
*/
|
*/
|
||||||
class ExtractRegistry extends Extract {
|
class ExtractRegistry extends Extract {
|
||||||
|
|
||||||
@ -68,7 +70,7 @@ class ExtractRegistry extends Extract {
|
|||||||
private Content dataSource;
|
private Content dataSource;
|
||||||
private IngestJobContext context;
|
private IngestJobContext context;
|
||||||
final private static UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper();
|
final private static UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper();
|
||||||
|
|
||||||
ExtractRegistry() {
|
ExtractRegistry() {
|
||||||
moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text");
|
moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text");
|
||||||
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
|
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
|
||||||
@ -79,7 +81,7 @@ class ExtractRegistry extends Extract {
|
|||||||
} else {
|
} else {
|
||||||
rrFound = true;
|
rrFound = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
rrHome = rrRoot.getAbsolutePath();
|
rrHome = rrRoot.getAbsolutePath();
|
||||||
logger.log(Level.INFO, "RegRipper home: {0}", rrHome); //NON-NLS
|
logger.log(Level.INFO, "RegRipper home: {0}", rrHome); //NON-NLS
|
||||||
|
|
||||||
@ -88,7 +90,7 @@ class ExtractRegistry extends Extract {
|
|||||||
} else {
|
} else {
|
||||||
RR_PATH = "perl " + rrHome + File.separator + "rip.pl"; //NON-NLS
|
RR_PATH = "perl " + rrHome + File.separator + "rip.pl"; //NON-NLS
|
||||||
}
|
}
|
||||||
|
|
||||||
final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
|
final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
|
||||||
if (rrFullRoot == null) {
|
if (rrFullRoot == null) {
|
||||||
logger.log(Level.SEVERE, "RegRipper Full not found"); //NON-NLS
|
logger.log(Level.SEVERE, "RegRipper Full not found"); //NON-NLS
|
||||||
@ -96,11 +98,10 @@ class ExtractRegistry extends Extract {
|
|||||||
} else {
|
} else {
|
||||||
rrFullFound = true;
|
rrFullFound = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(rrFullRoot != null){
|
if (rrFullRoot != null) {
|
||||||
rrFullHome = rrFullRoot.getAbsolutePath();
|
rrFullHome = rrFullRoot.getAbsolutePath();
|
||||||
}
|
} else {
|
||||||
else{
|
|
||||||
rrFullHome = "";
|
rrFullHome = "";
|
||||||
}
|
}
|
||||||
logger.log(Level.INFO, "RegRipper Full home: {0}", rrFullHome); //NON-NLS
|
logger.log(Level.INFO, "RegRipper Full home: {0}", rrFullHome); //NON-NLS
|
||||||
@ -111,44 +112,43 @@ class ExtractRegistry extends Extract {
|
|||||||
RR_FULL_PATH = "perl " + rrFullHome + File.separator + "rip.pl"; //NON-NLS
|
RR_FULL_PATH = "perl " + rrFullHome + File.separator + "rip.pl"; //NON-NLS
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Search for the registry hives on the system.
|
* Search for the registry hives on the system.
|
||||||
*/
|
*/
|
||||||
private List<AbstractFile> findRegistryFiles() {
|
private List<AbstractFile> findRegistryFiles() {
|
||||||
List<AbstractFile> allRegistryFiles = new ArrayList<>();
|
List<AbstractFile> allRegistryFiles = new ArrayList<>();
|
||||||
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
|
||||||
|
|
||||||
// find the user-specific ntuser-dat files
|
// find the user-specific ntuser-dat files
|
||||||
try {
|
try {
|
||||||
allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); //NON-NLS
|
allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); //NON-NLS
|
||||||
}
|
} catch (TskCoreException ex) {
|
||||||
catch (TskCoreException ex) {
|
|
||||||
logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); //NON-NLS
|
logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); //NON-NLS
|
||||||
}
|
}
|
||||||
|
|
||||||
// find the system hives'
|
// find the system hives'
|
||||||
String[] regFileNames = new String[] {"system", "software", "security", "sam"}; //NON-NLS
|
String[] regFileNames = new String[]{"system", "software", "security", "sam"}; //NON-NLS
|
||||||
for (String regFileName : regFileNames) {
|
for (String regFileName : regFileNames) {
|
||||||
try {
|
try {
|
||||||
allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS
|
allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS
|
||||||
}
|
} catch (TskCoreException ex) {
|
||||||
catch (TskCoreException ex) {
|
|
||||||
String msg = NbBundle.getMessage(this.getClass(),
|
String msg = NbBundle.getMessage(this.getClass(),
|
||||||
"ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
|
"ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
|
||||||
logger.log(Level.WARNING, msg);
|
logger.log(Level.WARNING, msg);
|
||||||
this.addErrorMessage(this.getName() + ": " + msg);
|
this.addErrorMessage(this.getName() + ": " + msg);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
return allRegistryFiles;
|
return allRegistryFiles;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Identifies registry files in the database by mtimeItem, runs regripper on them, and parses the output.
|
* Identifies registry files in the database by mtimeItem, runs regripper on
|
||||||
|
* them, and parses the output.
|
||||||
*/
|
*/
|
||||||
private void analyzeRegistryFiles() {
|
private void analyzeRegistryFiles() {
|
||||||
List<AbstractFile> allRegistryFiles = findRegistryFiles();
|
List<AbstractFile> allRegistryFiles = findRegistryFiles();
|
||||||
|
|
||||||
// open the log file
|
// open the log file
|
||||||
FileWriter logFile = null;
|
FileWriter logFile = null;
|
||||||
try {
|
try {
|
||||||
@ -156,7 +156,7 @@ class ExtractRegistry extends Extract {
|
|||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
logger.log(Level.SEVERE, null, ex);
|
logger.log(Level.SEVERE, null, ex);
|
||||||
}
|
}
|
||||||
|
|
||||||
int j = 0;
|
int j = 0;
|
||||||
for (AbstractFile regFile : allRegistryFiles) {
|
for (AbstractFile regFile : allRegistryFiles) {
|
||||||
String regFileName = regFile.getName();
|
String regFileName = regFile.getName();
|
||||||
@ -169,52 +169,50 @@ class ExtractRegistry extends Extract {
|
|||||||
logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex); //NON-NLS
|
logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex); //NON-NLS
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
|
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
|
||||||
this.getName(), regFileName));
|
this.getName(), regFileName));
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (context.dataSourceIngestIsCancelled()) {
|
if (context.dataSourceIngestIsCancelled()) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (logFile != null) {
|
if (logFile != null) {
|
||||||
logFile.write(Integer.toString(j-1) + "\t" + regFile.getUniquePath() + "\n");
|
logFile.write(Integer.toString(j - 1) + "\t" + regFile.getUniquePath() + "\n");
|
||||||
}
|
}
|
||||||
}
|
} catch (TskCoreException | IOException ex) {
|
||||||
catch (TskCoreException | IOException ex) {
|
|
||||||
logger.log(Level.SEVERE, null, ex);
|
logger.log(Level.SEVERE, null, ex);
|
||||||
}
|
}
|
||||||
|
|
||||||
logger.log(Level.INFO, "{0}- Now getting registry information from {1}", new Object[]{moduleName, regFileNameLocal}); //NON-NLS
|
logger.log(Level.INFO, "{0}- Now getting registry information from {1}", new Object[]{moduleName, regFileNameLocal}); //NON-NLS
|
||||||
RegOutputFiles regOutputFiles = ripRegistryFile(regFileNameLocal, outputPathBase);
|
RegOutputFiles regOutputFiles = ripRegistryFile(regFileNameLocal, outputPathBase);
|
||||||
if (context.dataSourceIngestIsCancelled()) {
|
if (context.dataSourceIngestIsCancelled()) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
// parse the autopsy-specific output
|
// parse the autopsy-specific output
|
||||||
if (regOutputFiles.autopsyPlugins.isEmpty() == false) {
|
if (regOutputFiles.autopsyPlugins.isEmpty() == false) {
|
||||||
if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile) == false) {
|
if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile) == false) {
|
||||||
this.addErrorMessage(
|
this.addErrorMessage(
|
||||||
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
|
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
|
||||||
this.getName(), regFileName));
|
this.getName(), regFileName));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// create a report for the full output
|
// create a report for the full output
|
||||||
if (regOutputFiles.fullPlugins.isEmpty() == false) {
|
if (regOutputFiles.fullPlugins.isEmpty() == false) {
|
||||||
try {
|
try {
|
||||||
currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(),"ExtractRegistry.parentModuleName.noSpace"), "RegRipper " + regFile.getUniquePath() );
|
currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), "RegRipper " + regFile.getUniquePath());
|
||||||
}
|
} catch (TskCoreException e) {
|
||||||
catch (TskCoreException e) {
|
|
||||||
this.addErrorMessage("Error adding regripper output as Autopsy report: " + e.getLocalizedMessage());
|
this.addErrorMessage("Error adding regripper output as Autopsy report: " + e.getLocalizedMessage());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// delete the hive
|
// delete the hive
|
||||||
regFileNameLocalFile.delete();
|
regFileNameLocalFile.delete();
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if (logFile != null) {
|
if (logFile != null) {
|
||||||
logFile.close();
|
logFile.close();
|
||||||
@ -223,45 +221,43 @@ class ExtractRegistry extends Extract {
|
|||||||
logger.log(Level.SEVERE, null, ex);
|
logger.log(Level.SEVERE, null, ex);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private class RegOutputFiles {
|
private class RegOutputFiles {
|
||||||
|
|
||||||
public String autopsyPlugins = "";
|
public String autopsyPlugins = "";
|
||||||
public String fullPlugins = "";
|
public String fullPlugins = "";
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Execute regripper on the given registry.
|
* Execute regripper on the given registry.
|
||||||
|
*
|
||||||
* @param regFilePath Path to local copy of registry
|
* @param regFilePath Path to local copy of registry
|
||||||
* @param outFilePathBase Path to location to save output file to. Base mtimeItem that will be extended on
|
* @param outFilePathBase Path to location to save output file to. Base
|
||||||
|
* mtimeItem that will be extended on
|
||||||
*/
|
*/
|
||||||
private RegOutputFiles ripRegistryFile(String regFilePath, String outFilePathBase) {
|
private RegOutputFiles ripRegistryFile(String regFilePath, String outFilePathBase) {
|
||||||
String autopsyType = ""; // Type argument for rr for autopsy-specific modules
|
String autopsyType = ""; // Type argument for rr for autopsy-specific modules
|
||||||
String fullType; // Type argument for rr for full set of modules
|
String fullType; // Type argument for rr for full set of modules
|
||||||
|
|
||||||
RegOutputFiles regOutputFiles = new RegOutputFiles();
|
RegOutputFiles regOutputFiles = new RegOutputFiles();
|
||||||
|
|
||||||
if (regFilePath.toLowerCase().contains("system")) { //NON-NLS
|
if (regFilePath.toLowerCase().contains("system")) { //NON-NLS
|
||||||
autopsyType = "autopsysystem"; //NON-NLS
|
autopsyType = "autopsysystem"; //NON-NLS
|
||||||
fullType = "system"; //NON-NLS
|
fullType = "system"; //NON-NLS
|
||||||
}
|
} else if (regFilePath.toLowerCase().contains("software")) { //NON-NLS
|
||||||
else if (regFilePath.toLowerCase().contains("software")) { //NON-NLS
|
|
||||||
autopsyType = "autopsysoftware"; //NON-NLS
|
autopsyType = "autopsysoftware"; //NON-NLS
|
||||||
fullType = "software"; //NON-NLS
|
fullType = "software"; //NON-NLS
|
||||||
}
|
} else if (regFilePath.toLowerCase().contains("ntuser")) { //NON-NLS
|
||||||
else if (regFilePath.toLowerCase().contains("ntuser")) { //NON-NLS
|
|
||||||
autopsyType = "autopsyntuser"; //NON-NLS
|
autopsyType = "autopsyntuser"; //NON-NLS
|
||||||
fullType = "ntuser"; //NON-NLS
|
fullType = "ntuser"; //NON-NLS
|
||||||
}
|
} else if (regFilePath.toLowerCase().contains("sam")) { //NON-NLS
|
||||||
else if (regFilePath.toLowerCase().contains("sam")) { //NON-NLS
|
|
||||||
fullType = "sam"; //NON-NLS
|
fullType = "sam"; //NON-NLS
|
||||||
}
|
} else if (regFilePath.toLowerCase().contains("security")) { //NON-NLS
|
||||||
else if (regFilePath.toLowerCase().contains("security")) { //NON-NLS
|
|
||||||
fullType = "security"; //NON-NLS
|
fullType = "security"; //NON-NLS
|
||||||
}
|
} else {
|
||||||
else {
|
|
||||||
return regOutputFiles;
|
return regOutputFiles;
|
||||||
}
|
}
|
||||||
|
|
||||||
// run the autopsy-specific set of modules
|
// run the autopsy-specific set of modules
|
||||||
if (!autopsyType.isEmpty() && rrFound) {
|
if (!autopsyType.isEmpty() && rrFound) {
|
||||||
regOutputFiles.autopsyPlugins = outFilePathBase + "-autopsy.txt"; //NON-NLS
|
regOutputFiles.autopsyPlugins = outFilePathBase + "-autopsy.txt"; //NON-NLS
|
||||||
@ -272,17 +268,17 @@ class ExtractRegistry extends Extract {
|
|||||||
if (context.dataSourceIngestIsCancelled()) {
|
if (context.dataSourceIngestIsCancelled()) {
|
||||||
return regOutputFiles;
|
return regOutputFiles;
|
||||||
}
|
}
|
||||||
|
|
||||||
// run the full set of rr modules
|
// run the full set of rr modules
|
||||||
if (!fullType.isEmpty() && rrFullFound) {
|
if (!fullType.isEmpty() && rrFullFound) {
|
||||||
regOutputFiles.fullPlugins = outFilePathBase + "-full.txt"; //NON-NLS
|
regOutputFiles.fullPlugins = outFilePathBase + "-full.txt"; //NON-NLS
|
||||||
String errFilePath = outFilePathBase + "-full.err.txt"; //NON-NLS
|
String errFilePath = outFilePathBase + "-full.err.txt"; //NON-NLS
|
||||||
logger.log(Level.INFO, "Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins); //NON-NLS
|
logger.log(Level.INFO, "Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins); //NON-NLS
|
||||||
executeRegRipper(RR_FULL_PATH, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
|
executeRegRipper(RR_FULL_PATH, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
|
||||||
}
|
}
|
||||||
return regOutputFiles;
|
return regOutputFiles;
|
||||||
}
|
}
|
||||||
|
|
||||||
private void executeRegRipper(String regRipperPath, String regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
|
private void executeRegRipper(String regRipperPath, String regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
|
||||||
try {
|
try {
|
||||||
logger.log(Level.INFO, "Writing RegRipper results to: {0}", outputFile); //NON-NLS
|
logger.log(Level.INFO, "Writing RegRipper results to: {0}", outputFile); //NON-NLS
|
||||||
@ -292,7 +288,7 @@ class ExtractRegistry extends Extract {
|
|||||||
commandLine.add(hiveFilePath);
|
commandLine.add(hiveFilePath);
|
||||||
commandLine.add("-f"); //NON-NLS
|
commandLine.add("-f"); //NON-NLS
|
||||||
commandLine.add(hiveFileType);
|
commandLine.add(hiveFileType);
|
||||||
|
|
||||||
ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
|
ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
|
||||||
processBuilder.directory(new File(regRipperHomeDir)); // RegRipper 2.8 has to be run from its own directory
|
processBuilder.directory(new File(regRipperHomeDir)); // RegRipper 2.8 has to be run from its own directory
|
||||||
processBuilder.redirectOutput(new File(outputFile));
|
processBuilder.redirectOutput(new File(outputFile));
|
||||||
@ -301,25 +297,26 @@ class ExtractRegistry extends Extract {
|
|||||||
} catch (IOException ex) {
|
} catch (IOException ex) {
|
||||||
logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS
|
logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS
|
||||||
this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
|
this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT
|
// @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @param regFilePath Path to the output file produced by RegRipper.
|
* @param regFilePath Path to the output file produced by RegRipper.
|
||||||
* @param regFile File object for registry that we are parsing (to make blackboard artifacts with)
|
* @param regFile File object for registry that we are parsing (to make
|
||||||
* @return
|
* blackboard artifacts with)
|
||||||
|
* @return
|
||||||
*/
|
*/
|
||||||
private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
|
private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
|
||||||
FileInputStream fstream = null;
|
FileInputStream fstream = null;
|
||||||
try {
|
try {
|
||||||
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
|
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
|
||||||
|
|
||||||
// Read the file in and create a Document and elements
|
// Read the file in and create a Document and elements
|
||||||
File regfile = new File(regFilePath);
|
File regfile = new File(regFilePath);
|
||||||
fstream = new FileInputStream(regfile);
|
fstream = new FileInputStream(regfile);
|
||||||
|
|
||||||
String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next(); //NON-NLS
|
String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next(); //NON-NLS
|
||||||
String startdoc = "<?xml version=\"1.0\"?><document>"; //NON-NLS
|
String startdoc = "<?xml version=\"1.0\"?><document>"; //NON-NLS
|
||||||
String result = regString.replaceAll("----------------------------------------", "");
|
String result = regString.replaceAll("----------------------------------------", "");
|
||||||
@ -332,14 +329,14 @@ class ExtractRegistry extends Extract {
|
|||||||
String stringdoc = startdoc + result + enddoc;
|
String stringdoc = startdoc + result + enddoc;
|
||||||
DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
|
DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
|
||||||
Document doc = builder.parse(new InputSource(new StringReader(stringdoc)));
|
Document doc = builder.parse(new InputSource(new StringReader(stringdoc)));
|
||||||
|
|
||||||
// cycle through the elements in the doc
|
// cycle through the elements in the doc
|
||||||
Element oroot = doc.getDocumentElement();
|
Element oroot = doc.getDocumentElement();
|
||||||
NodeList children = oroot.getChildNodes();
|
NodeList children = oroot.getChildNodes();
|
||||||
int len = children.getLength();
|
int len = children.getLength();
|
||||||
for (int i = 0; i < len; i++) {
|
for (int i = 0; i < len; i++) {
|
||||||
Element tempnode = (Element) children.item(i);
|
Element tempnode = (Element) children.item(i);
|
||||||
|
|
||||||
String dataType = tempnode.getNodeName();
|
String dataType = tempnode.getNodeName();
|
||||||
|
|
||||||
NodeList timenodes = tempnode.getElementsByTagName("mtime"); //NON-NLS
|
NodeList timenodes = tempnode.getElementsByTagName("mtime"); //NON-NLS
|
||||||
@ -362,22 +359,22 @@ class ExtractRegistry extends Extract {
|
|||||||
// If there isn't an artifact node, skip this entry
|
// If there isn't an artifact node, skip this entry
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
Element artroot = (Element) artroots.item(0);
|
Element artroot = (Element) artroots.item(0);
|
||||||
NodeList myartlist = artroot.getChildNodes();
|
NodeList myartlist = artroot.getChildNodes();
|
||||||
String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace");
|
String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace");
|
||||||
String winver = "";
|
String winver = "";
|
||||||
|
|
||||||
// If all artifact nodes should really go under one Blackboard artifact, need to process it differently
|
// If all artifact nodes should really go under one Blackboard artifact, need to process it differently
|
||||||
if(dataType.equals("WinVersion")){
|
if (dataType.equals("WinVersion")) {
|
||||||
|
|
||||||
String version = "";
|
String version = "";
|
||||||
String systemRoot = "";
|
String systemRoot = "";
|
||||||
String productId = "";
|
String productId = "";
|
||||||
String regOwner = "";
|
String regOwner = "";
|
||||||
String regOrg = "";
|
String regOrg = "";
|
||||||
Long installtime = null;
|
Long installtime = null;
|
||||||
|
|
||||||
for (int j = 0; j < myartlist.getLength(); j++) {
|
for (int j = 0; j < myartlist.getLength(); j++) {
|
||||||
Node artchild = myartlist.item(j);
|
Node artchild = myartlist.item(j);
|
||||||
// If it has attributes, then it is an Element (based off API)
|
// If it has attributes, then it is an Element (based off API)
|
||||||
@ -386,27 +383,21 @@ class ExtractRegistry extends Extract {
|
|||||||
|
|
||||||
String value = artnode.getTextContent().trim();
|
String value = artnode.getTextContent().trim();
|
||||||
String name = artnode.getAttribute("name");
|
String name = artnode.getAttribute("name");
|
||||||
|
|
||||||
if(name.equals("ProductName")){ // NON_NLS
|
if (name.equals("ProductName")) { // NON_NLS
|
||||||
version = value;
|
version = value;
|
||||||
}
|
} else if (name.equals("CSDVersion")) { // NON_NLS
|
||||||
else if(name.equals("CSDVersion")){ // NON_NLS
|
|
||||||
// This is dependant on the fact that ProductName shows up first in the module output
|
// This is dependant on the fact that ProductName shows up first in the module output
|
||||||
version = version + " " + value;
|
version = version + " " + value;
|
||||||
}
|
} else if (name.equals("SystemRoot")) {
|
||||||
else if(name.equals("SystemRoot")){
|
|
||||||
systemRoot = value;
|
systemRoot = value;
|
||||||
}
|
} else if (name.equals("ProductId")) {
|
||||||
else if(name.equals("ProductId")){
|
|
||||||
productId = value;
|
productId = value;
|
||||||
}
|
} else if (name.equals("RegisteredOwner")) {
|
||||||
else if(name.equals("RegisteredOwner")){
|
|
||||||
regOwner = value;
|
regOwner = value;
|
||||||
}
|
} else if (name.equals("RegisteredOrganization")) {
|
||||||
else if(name.equals("RegisteredOrganization")){
|
|
||||||
regOrg = value;
|
regOrg = value;
|
||||||
}
|
} else if (name.equals("InstallDate")) {
|
||||||
else if(name.equals("InstallDate")){
|
|
||||||
try {
|
try {
|
||||||
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime();
|
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime();
|
||||||
installtime = epochtime;
|
installtime = epochtime;
|
||||||
@ -418,30 +409,37 @@ class ExtractRegistry extends Extract {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, version));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, version));
|
||||||
if(installtime != null){
|
if (installtime != null) {
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime));
|
||||||
}
|
}
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), parentModuleName, systemRoot));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), parentModuleName, systemRoot));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID.getTypeID(), parentModuleName, productId));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID.getTypeID(), parentModuleName, productId));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER.getTypeID(), parentModuleName, regOwner));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER.getTypeID(), parentModuleName, regOwner));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION.getTypeID(), parentModuleName, regOrg));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION.getTypeID(), parentModuleName, regOrg));
|
||||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
|
||||||
bbart.addAttributes(bbattributes);
|
// Check if there is already an OS_INFO artifact for this file, and add to that if possible.
|
||||||
|
ArrayList<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
|
||||||
|
if (results.isEmpty()) {
|
||||||
|
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||||
|
bbart.addAttributes(bbattributes);
|
||||||
|
} else {
|
||||||
|
results.get(0).addAttributes(bbattributes);
|
||||||
|
}
|
||||||
|
|
||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS
|
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS
|
||||||
}
|
}
|
||||||
}
|
} else if (dataType.equals("Profiler")) { // NON-NLS
|
||||||
else if(dataType.equals("Profiler")){ // NON-NLS
|
|
||||||
|
|
||||||
String os = "";
|
String os = "";
|
||||||
String procArch = "";
|
String procArch = "";
|
||||||
String procId = "";
|
String procId = "";
|
||||||
String tempDir = "";
|
String tempDir = "";
|
||||||
|
|
||||||
for (int j = 0; j < myartlist.getLength(); j++) {
|
for (int j = 0; j < myartlist.getLength(); j++) {
|
||||||
Node artchild = myartlist.item(j);
|
Node artchild = myartlist.item(j);
|
||||||
// If it has attributes, then it is an Element (based off API)
|
// If it has attributes, then it is an Element (based off API)
|
||||||
@ -450,39 +448,42 @@ class ExtractRegistry extends Extract {
|
|||||||
|
|
||||||
String value = artnode.getTextContent().trim();
|
String value = artnode.getTextContent().trim();
|
||||||
String name = artnode.getAttribute("name");
|
String name = artnode.getAttribute("name");
|
||||||
|
|
||||||
if(name.equals("OS")){ // NON-NLS
|
if (name.equals("OS")) { // NON-NLS
|
||||||
os = value;
|
os = value;
|
||||||
}
|
} else if (name.equals("PROCESSOR_ARCHITECTURE")) { // NON-NLS
|
||||||
else if(name.equals("PROCESSOR_ARCHITECTURE")){ // NON-NLS
|
|
||||||
procArch = value;
|
procArch = value;
|
||||||
}
|
} else if (name.equals("PROCESSOR_IDENTIFIER")) { //NON-NLS
|
||||||
else if(name.equals("PROCESSOR_IDENTIFIER")){ //NON-NLS
|
|
||||||
procId = value;
|
procId = value;
|
||||||
}
|
} else if (name.equals("TEMP")) {
|
||||||
else if(name.equals("TEMP")){
|
|
||||||
tempDir = value;
|
tempDir = value;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VERSION.getTypeID(), parentModuleName, os));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VERSION.getTypeID(), parentModuleName, os));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID(), parentModuleName, procArch));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID(), parentModuleName, procArch));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_NAME.getTypeID(), parentModuleName, procId));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_NAME.getTypeID(), parentModuleName, procId));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR.getTypeID(), parentModuleName, tempDir));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR.getTypeID(), parentModuleName, tempDir));
|
||||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
|
||||||
bbart.addAttributes(bbattributes);
|
// Check if there is already an OS_INFO artifact for this file and add to that if possible
|
||||||
} catch (TskCoreException ex) {
|
ArrayList<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
|
||||||
|
if (results.isEmpty()) {
|
||||||
|
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||||
|
bbart.addAttributes(bbattributes);
|
||||||
|
} else {
|
||||||
|
results.get(0).addAttributes(bbattributes);
|
||||||
|
}
|
||||||
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
||||||
}
|
}
|
||||||
}
|
} else if (dataType.equals("CompName")) { // NON-NLS
|
||||||
else if(dataType.equals("CompName")){ // NON-NLS
|
|
||||||
|
|
||||||
String compName = "";
|
String compName = "";
|
||||||
String domain = "";
|
String domain = "";
|
||||||
|
|
||||||
for (int j = 0; j < myartlist.getLength(); j++) {
|
for (int j = 0; j < myartlist.getLength(); j++) {
|
||||||
Node artchild = myartlist.item(j);
|
Node artchild = myartlist.item(j);
|
||||||
// If it has attributes, then it is an Element (based off API)
|
// If it has attributes, then it is an Element (based off API)
|
||||||
@ -491,27 +492,32 @@ class ExtractRegistry extends Extract {
|
|||||||
|
|
||||||
String value = artnode.getTextContent().trim();
|
String value = artnode.getTextContent().trim();
|
||||||
String name = artnode.getAttribute("name");
|
String name = artnode.getAttribute("name");
|
||||||
|
|
||||||
if(name.equals("ComputerName")){ // NON-NLS
|
if (name.equals("ComputerName")) { // NON-NLS
|
||||||
compName = value;
|
compName = value;
|
||||||
}
|
} else if (name.equals("Domain")) { // NON-NLS
|
||||||
else if(name.equals("Domain")){ // NON-NLS
|
|
||||||
domain = value;
|
domain = value;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), parentModuleName, compName));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), parentModuleName, compName));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), parentModuleName, domain));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), parentModuleName, domain));
|
||||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
|
||||||
bbart.addAttributes(bbattributes);
|
// Check if there is already an OS_INFO artifact for this file and add to that if possible
|
||||||
} catch (TskCoreException ex) {
|
ArrayList<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
|
||||||
|
if (results.isEmpty()) {
|
||||||
|
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||||
|
bbart.addAttributes(bbattributes);
|
||||||
|
} else {
|
||||||
|
results.get(0).addAttributes(bbattributes);
|
||||||
|
}
|
||||||
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
||||||
}
|
}
|
||||||
}
|
} else {
|
||||||
else{
|
|
||||||
for (int j = 0; j < myartlist.getLength(); j++) {
|
for (int j = 0; j < myartlist.getLength(); j++) {
|
||||||
Node artchild = myartlist.item(j);
|
Node artchild = myartlist.item(j);
|
||||||
// If it has attributes, then it is an Element (based off API)
|
// If it has attributes, then it is an Element (based off API)
|
||||||
@ -531,7 +537,7 @@ class ExtractRegistry extends Extract {
|
|||||||
// @@@ BC: Why are we ignoring this...
|
// @@@ BC: Why are we ignoring this...
|
||||||
break;
|
break;
|
||||||
case "usb": //NON-NLS
|
case "usb": //NON-NLS
|
||||||
try {
|
try {
|
||||||
Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS
|
Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS
|
||||||
usbMtime = Long.valueOf(usbMtime.toString());
|
usbMtime = Long.valueOf(usbMtime.toString());
|
||||||
|
|
||||||
@ -539,7 +545,7 @@ class ExtractRegistry extends Extract {
|
|||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, usbMtime));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, usbMtime));
|
||||||
String dev = artnode.getAttribute("dev"); //NON-NLS
|
String dev = artnode.getAttribute("dev"); //NON-NLS
|
||||||
String make = "";
|
String make = "";
|
||||||
String model = dev;
|
String model = dev;
|
||||||
if (dev.toLowerCase().contains("vid")) { //NON-NLS
|
if (dev.toLowerCase().contains("vid")) { //NON-NLS
|
||||||
USBInfo info = usbMapper.parseAndLookup(dev);
|
USBInfo info = usbMapper.parseAndLookup(dev);
|
||||||
if (info.getVendor() != null) {
|
if (info.getVendor() != null) {
|
||||||
@ -569,7 +575,7 @@ class ExtractRegistry extends Extract {
|
|||||||
|
|
||||||
try {
|
try {
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, value));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, value));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),parentModuleName, itemMtime));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, itemMtime));
|
||||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
|
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
|
||||||
bbart.addAttributes(bbattributes);
|
bbart.addAttributes(bbattributes);
|
||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
@ -593,7 +599,7 @@ class ExtractRegistry extends Extract {
|
|||||||
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS
|
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case "ProcessorArchitecture": //NON-NLS
|
case "ProcessorArchitecture": //NON-NLS
|
||||||
// Architecture is now included under Profiler
|
// Architecture is now included under Profiler
|
||||||
//try {
|
//try {
|
||||||
@ -608,7 +614,7 @@ class ExtractRegistry extends Extract {
|
|||||||
// logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
// logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
||||||
//}
|
//}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case "ProfileList": //NON-NLS
|
case "ProfileList": //NON-NLS
|
||||||
try {
|
try {
|
||||||
|
|
||||||
@ -618,31 +624,30 @@ class ExtractRegistry extends Extract {
|
|||||||
|
|
||||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
|
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
|
||||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
||||||
parentModuleName, username));
|
parentModuleName, username));
|
||||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID(),
|
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID(),
|
||||||
parentModuleName, sid));
|
parentModuleName, sid));
|
||||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),
|
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),
|
||||||
parentModuleName, homeDir));
|
parentModuleName, homeDir));
|
||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, "Error adding account artifact to blackboard."); //NON-NLS
|
logger.log(Level.SEVERE, "Error adding account artifact to blackboard."); //NON-NLS
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case "NtuserNetwork": // NON-NLS
|
case "NtuserNetwork": // NON-NLS
|
||||||
try{
|
try {
|
||||||
String localPath = artnode.getAttribute("localPath");
|
String localPath = artnode.getAttribute("localPath");
|
||||||
String remoteName = value;
|
String remoteName = value;
|
||||||
|
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE);
|
||||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
|
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH.getTypeID(),
|
||||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),
|
parentModuleName, localPath));
|
||||||
parentModuleName, localPath));
|
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH.getTypeID(),
|
||||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
|
parentModuleName, remoteName));
|
||||||
parentModuleName, remoteName));
|
|
||||||
|
|
||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, "Error adding network artifact to blackboard."); //NON-NLS
|
logger.log(Level.SEVERE, "Error adding network artifact to blackboard."); //NON-NLS
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
default:
|
default:
|
||||||
logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType);
|
logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType);
|
||||||
|
Loading…
x
Reference in New Issue
Block a user