mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-19 11:07:43 +00:00
Combine OS attributes found in the registry.
This commit is contained in:
APriestman
parent
93eb80364a
commit
8ac91c2cb8
@ -59,9 +59,11 @@ import org.sleuthkit.autopsy.ingest.IngestJobContext;
|
||||
import org.sleuthkit.datamodel.*;
|
||||
|
||||
/**
|
||||
* Extracts activity from Internet Explorer browser, as well as recent documents in windows.
|
||||
* Extracts activity from Internet Explorer browser, as well as recent documents
|
||||
* in windows.
|
||||
*/
|
||||
class ExtractIE extends Extract {
|
||||
|
||||
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
|
||||
private IngestServices services = IngestServices.getInstance();
|
||||
private String moduleTempResultsDir;
|
||||
@ -99,7 +101,7 @@ class ExtractIE extends Extract {
|
||||
logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
|
||||
this.getName()));
|
||||
this.getName()));
|
||||
return;
|
||||
}
|
||||
|
||||
@ -128,21 +130,21 @@ class ExtractIE extends Extract {
|
||||
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), url));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), url));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), name));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), name));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), datetime));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), datetime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"),
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"),
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
|
||||
}
|
||||
services.fireModuleDataEvent(new ModuleDataEvent(
|
||||
@ -165,12 +167,12 @@ class ExtractIE extends Extract {
|
||||
logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
|
||||
fav.getName()));
|
||||
fav.getName()));
|
||||
} catch (IndexOutOfBoundsException ex) {
|
||||
logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
|
||||
fav.getName()));
|
||||
fav.getName()));
|
||||
} finally {
|
||||
try {
|
||||
reader.close();
|
||||
@ -218,7 +220,7 @@ class ExtractIE extends Extract {
|
||||
logger.log(Level.SEVERE, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
|
||||
this.getName(), cookiesFile.getName()));
|
||||
this.getName(), cookiesFile.getName()));
|
||||
continue;
|
||||
}
|
||||
String cookieString = new String(t);
|
||||
@ -233,24 +235,24 @@ class ExtractIE extends Extract {
|
||||
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), url));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), url));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), datetime));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), datetime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), (name != null) ? name : ""));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), (name != null) ? name : ""));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), value));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), value));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"),
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"),
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||
}
|
||||
services.fireModuleDataEvent(new ModuleDataEvent(
|
||||
@ -288,7 +290,7 @@ class ExtractIE extends Extract {
|
||||
indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
|
||||
} catch (TskCoreException ex) {
|
||||
this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
|
||||
this.getName()));
|
||||
this.getName()));
|
||||
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS
|
||||
return;
|
||||
}
|
||||
@ -321,7 +323,7 @@ class ExtractIE extends Extract {
|
||||
logger.log(Level.SEVERE, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
|
||||
datFile.getAbsolutePath()));
|
||||
datFile.getAbsolutePath()));
|
||||
continue;
|
||||
}
|
||||
|
||||
@ -354,6 +356,7 @@ class ExtractIE extends Extract {
|
||||
|
||||
/**
|
||||
* Execute pasco on a single file that has been saved to disk.
|
||||
*
|
||||
* @param indexFilePath Path to local index.dat file to analyze
|
||||
* @param outputFileName Name of file to save output to
|
||||
* @return false on error
|
||||
@ -386,7 +389,9 @@ class ExtractIE extends Extract {
|
||||
|
||||
/**
|
||||
* parse Pasco output and create artifacts
|
||||
* @param origFile Original index.dat file that was analyzed to get this output
|
||||
*
|
||||
* @param origFile Original index.dat file that was analyzed to get this
|
||||
* output
|
||||
* @param pascoOutputFileName name of pasco output file
|
||||
*/
|
||||
private void parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
|
||||
@ -397,7 +402,7 @@ class ExtractIE extends Extract {
|
||||
if (file.exists() == false) {
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
|
||||
file.getName()));
|
||||
file.getName()));
|
||||
logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
|
||||
return;
|
||||
}
|
||||
@ -414,7 +419,7 @@ class ExtractIE extends Extract {
|
||||
} catch (FileNotFoundException ex) {
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
|
||||
file.getName()));
|
||||
file.getName()));
|
||||
logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
|
||||
return;
|
||||
}
|
||||
@ -478,7 +483,7 @@ class ExtractIE extends Extract {
|
||||
} catch (ParseException e) {
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
|
||||
this.getName()));
|
||||
this.getName()));
|
||||
logger.log(Level.SEVERE, "Error parsing Pasco results.", e); //NON-NLS
|
||||
}
|
||||
}
|
||||
@ -487,34 +492,34 @@ class ExtractIE extends Extract {
|
||||
BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), realurl));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), realurl));
|
||||
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
|
||||
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), ftime));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), ftime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), ""));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), ""));
|
||||
// @@@ NOte that other browser modules are adding TITLE in hre for the title
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.moduleName.text")));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.moduleName.text")));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), domain));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), user));
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.parentModuleName.noSpace"), user));
|
||||
bbart.addAttributes(bbattributes);
|
||||
|
||||
if( (!user.isEmpty()) && (!reportedUserAccounts.contains(user))){
|
||||
if ((!user.isEmpty()) && (!reportedUserAccounts.contains(user))) {
|
||||
BlackboardArtifact osAttr = origFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
|
||||
osAttr.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user));
|
||||
NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user));
|
||||
reportedUserAccounts.add(user);
|
||||
}
|
||||
} catch (TskCoreException ex) {
|
||||
|
||||
@ -43,6 +43,8 @@ import org.sleuthkit.autopsy.recentactivity.UsbDeviceIdMapper.USBInfo;
|
||||
import org.sleuthkit.datamodel.*;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.OSUtility; // TEMP
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.Node;
|
||||
@ -51,10 +53,10 @@ import org.xml.sax.InputSource;
|
||||
import org.xml.sax.SAXException;
|
||||
|
||||
/**
|
||||
* Extract windows registry data using regripper.
|
||||
* Runs two versions of regripper. One is the generally available set of plug-ins
|
||||
* and the second is a set that were customized for Autopsy to produce a more structured
|
||||
* output of XML so that we can parse and turn into blackboard artifacts.
|
||||
* Extract windows registry data using regripper. Runs two versions of
|
||||
* regripper. One is the generally available set of plug-ins and the second is a
|
||||
* set that were customized for Autopsy to produce a more structured output of
|
||||
* XML so that we can parse and turn into blackboard artifacts.
|
||||
*/
|
||||
class ExtractRegistry extends Extract {
|
||||
|
||||
@ -97,10 +99,9 @@ class ExtractRegistry extends Extract {
|
||||
rrFullFound = true;
|
||||
}
|
||||
|
||||
if(rrFullRoot != null){
|
||||
if (rrFullRoot != null) {
|
||||
rrFullHome = rrFullRoot.getAbsolutePath();
|
||||
}
|
||||
else{
|
||||
} else {
|
||||
rrFullHome = "";
|
||||
}
|
||||
logger.log(Level.INFO, "RegRipper Full home: {0}", rrFullHome); //NON-NLS
|
||||
@ -122,20 +123,18 @@ class ExtractRegistry extends Extract {
|
||||
// find the user-specific ntuser-dat files
|
||||
try {
|
||||
allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); //NON-NLS
|
||||
}
|
||||
catch (TskCoreException ex) {
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); //NON-NLS
|
||||
}
|
||||
|
||||
// find the system hives'
|
||||
String[] regFileNames = new String[] {"system", "software", "security", "sam"}; //NON-NLS
|
||||
String[] regFileNames = new String[]{"system", "software", "security", "sam"}; //NON-NLS
|
||||
for (String regFileName : regFileNames) {
|
||||
try {
|
||||
allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS
|
||||
}
|
||||
catch (TskCoreException ex) {
|
||||
} catch (TskCoreException ex) {
|
||||
String msg = NbBundle.getMessage(this.getClass(),
|
||||
"ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
|
||||
"ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
|
||||
logger.log(Level.WARNING, msg);
|
||||
this.addErrorMessage(this.getName() + ": " + msg);
|
||||
}
|
||||
@ -144,7 +143,8 @@ class ExtractRegistry extends Extract {
|
||||
}
|
||||
|
||||
/**
|
||||
* Identifies registry files in the database by mtimeItem, runs regripper on them, and parses the output.
|
||||
* Identifies registry files in the database by mtimeItem, runs regripper on
|
||||
* them, and parses the output.
|
||||
*/
|
||||
private void analyzeRegistryFiles() {
|
||||
List<AbstractFile> allRegistryFiles = findRegistryFiles();
|
||||
@ -169,7 +169,7 @@ class ExtractRegistry extends Extract {
|
||||
logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex); //NON-NLS
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
|
||||
this.getName(), regFileName));
|
||||
this.getName(), regFileName));
|
||||
continue;
|
||||
}
|
||||
|
||||
@ -179,10 +179,9 @@ class ExtractRegistry extends Extract {
|
||||
|
||||
try {
|
||||
if (logFile != null) {
|
||||
logFile.write(Integer.toString(j-1) + "\t" + regFile.getUniquePath() + "\n");
|
||||
logFile.write(Integer.toString(j - 1) + "\t" + regFile.getUniquePath() + "\n");
|
||||
}
|
||||
}
|
||||
catch (TskCoreException | IOException ex) {
|
||||
} catch (TskCoreException | IOException ex) {
|
||||
logger.log(Level.SEVERE, null, ex);
|
||||
}
|
||||
|
||||
@ -197,16 +196,15 @@ class ExtractRegistry extends Extract {
|
||||
if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile) == false) {
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
|
||||
this.getName(), regFileName));
|
||||
this.getName(), regFileName));
|
||||
}
|
||||
}
|
||||
|
||||
// create a report for the full output
|
||||
if (regOutputFiles.fullPlugins.isEmpty() == false) {
|
||||
try {
|
||||
currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(),"ExtractRegistry.parentModuleName.noSpace"), "RegRipper " + regFile.getUniquePath() );
|
||||
}
|
||||
catch (TskCoreException e) {
|
||||
currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), "RegRipper " + regFile.getUniquePath());
|
||||
} catch (TskCoreException e) {
|
||||
this.addErrorMessage("Error adding regripper output as Autopsy report: " + e.getLocalizedMessage());
|
||||
}
|
||||
}
|
||||
@ -225,14 +223,17 @@ class ExtractRegistry extends Extract {
|
||||
}
|
||||
|
||||
private class RegOutputFiles {
|
||||
|
||||
public String autopsyPlugins = "";
|
||||
public String fullPlugins = "";
|
||||
}
|
||||
|
||||
/**
|
||||
* Execute regripper on the given registry.
|
||||
*
|
||||
* @param regFilePath Path to local copy of registry
|
||||
* @param outFilePathBase Path to location to save output file to. Base mtimeItem that will be extended on
|
||||
* @param outFilePathBase Path to location to save output file to. Base
|
||||
* mtimeItem that will be extended on
|
||||
*/
|
||||
private RegOutputFiles ripRegistryFile(String regFilePath, String outFilePathBase) {
|
||||
String autopsyType = ""; // Type argument for rr for autopsy-specific modules
|
||||
@ -243,22 +244,17 @@ class ExtractRegistry extends Extract {
|
||||
if (regFilePath.toLowerCase().contains("system")) { //NON-NLS
|
||||
autopsyType = "autopsysystem"; //NON-NLS
|
||||
fullType = "system"; //NON-NLS
|
||||
}
|
||||
else if (regFilePath.toLowerCase().contains("software")) { //NON-NLS
|
||||
} else if (regFilePath.toLowerCase().contains("software")) { //NON-NLS
|
||||
autopsyType = "autopsysoftware"; //NON-NLS
|
||||
fullType = "software"; //NON-NLS
|
||||
}
|
||||
else if (regFilePath.toLowerCase().contains("ntuser")) { //NON-NLS
|
||||
} else if (regFilePath.toLowerCase().contains("ntuser")) { //NON-NLS
|
||||
autopsyType = "autopsyntuser"; //NON-NLS
|
||||
fullType = "ntuser"; //NON-NLS
|
||||
}
|
||||
else if (regFilePath.toLowerCase().contains("sam")) { //NON-NLS
|
||||
} else if (regFilePath.toLowerCase().contains("sam")) { //NON-NLS
|
||||
fullType = "sam"; //NON-NLS
|
||||
}
|
||||
else if (regFilePath.toLowerCase().contains("security")) { //NON-NLS
|
||||
} else if (regFilePath.toLowerCase().contains("security")) { //NON-NLS
|
||||
fullType = "security"; //NON-NLS
|
||||
}
|
||||
else {
|
||||
} else {
|
||||
return regOutputFiles;
|
||||
}
|
||||
|
||||
@ -308,7 +304,8 @@ class ExtractRegistry extends Extract {
|
||||
/**
|
||||
*
|
||||
* @param regFilePath Path to the output file produced by RegRipper.
|
||||
* @param regFile File object for registry that we are parsing (to make blackboard artifacts with)
|
||||
* @param regFile File object for registry that we are parsing (to make
|
||||
* blackboard artifacts with)
|
||||
* @return
|
||||
*/
|
||||
private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
|
||||
@ -369,7 +366,7 @@ class ExtractRegistry extends Extract {
|
||||
String winver = "";
|
||||
|
||||
// If all artifact nodes should really go under one Blackboard artifact, need to process it differently
|
||||
if(dataType.equals("WinVersion")){
|
||||
if (dataType.equals("WinVersion")) {
|
||||
|
||||
String version = "";
|
||||
String systemRoot = "";
|
||||
@ -387,26 +384,20 @@ class ExtractRegistry extends Extract {
|
||||
String value = artnode.getTextContent().trim();
|
||||
String name = artnode.getAttribute("name");
|
||||
|
||||
if(name.equals("ProductName")){ // NON_NLS
|
||||
if (name.equals("ProductName")) { // NON_NLS
|
||||
version = value;
|
||||
}
|
||||
else if(name.equals("CSDVersion")){ // NON_NLS
|
||||
} else if (name.equals("CSDVersion")) { // NON_NLS
|
||||
// This is dependant on the fact that ProductName shows up first in the module output
|
||||
version = version + " " + value;
|
||||
}
|
||||
else if(name.equals("SystemRoot")){
|
||||
} else if (name.equals("SystemRoot")) {
|
||||
systemRoot = value;
|
||||
}
|
||||
else if(name.equals("ProductId")){
|
||||
} else if (name.equals("ProductId")) {
|
||||
productId = value;
|
||||
}
|
||||
else if(name.equals("RegisteredOwner")){
|
||||
} else if (name.equals("RegisteredOwner")) {
|
||||
regOwner = value;
|
||||
}
|
||||
else if(name.equals("RegisteredOrganization")){
|
||||
} else if (name.equals("RegisteredOrganization")) {
|
||||
regOrg = value;
|
||||
}
|
||||
else if(name.equals("InstallDate")){
|
||||
} else if (name.equals("InstallDate")) {
|
||||
try {
|
||||
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime();
|
||||
installtime = epochtime;
|
||||
@ -422,20 +413,27 @@ class ExtractRegistry extends Extract {
|
||||
try {
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, version));
|
||||
if(installtime != null){
|
||||
if (installtime != null) {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime));
|
||||
}
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), parentModuleName, systemRoot));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID.getTypeID(), parentModuleName, productId));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER.getTypeID(), parentModuleName, regOwner));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION.getTypeID(), parentModuleName, regOrg));
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||
bbart.addAttributes(bbattributes);
|
||||
|
||||
// Check if there is already an OS_INFO artifact for this file, and add to that if possible.
|
||||
ArrayList<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
|
||||
if (results.isEmpty()) {
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||
bbart.addAttributes(bbattributes);
|
||||
} else {
|
||||
results.get(0).addAttributes(bbattributes);
|
||||
}
|
||||
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS
|
||||
}
|
||||
}
|
||||
else if(dataType.equals("Profiler")){ // NON-NLS
|
||||
} else if (dataType.equals("Profiler")) { // NON-NLS
|
||||
|
||||
String os = "";
|
||||
String procArch = "";
|
||||
@ -451,16 +449,13 @@ class ExtractRegistry extends Extract {
|
||||
String value = artnode.getTextContent().trim();
|
||||
String name = artnode.getAttribute("name");
|
||||
|
||||
if(name.equals("OS")){ // NON-NLS
|
||||
if (name.equals("OS")) { // NON-NLS
|
||||
os = value;
|
||||
}
|
||||
else if(name.equals("PROCESSOR_ARCHITECTURE")){ // NON-NLS
|
||||
} else if (name.equals("PROCESSOR_ARCHITECTURE")) { // NON-NLS
|
||||
procArch = value;
|
||||
}
|
||||
else if(name.equals("PROCESSOR_IDENTIFIER")){ //NON-NLS
|
||||
} else if (name.equals("PROCESSOR_IDENTIFIER")) { //NON-NLS
|
||||
procId = value;
|
||||
}
|
||||
else if(name.equals("TEMP")){
|
||||
} else if (name.equals("TEMP")) {
|
||||
tempDir = value;
|
||||
}
|
||||
}
|
||||
@ -472,13 +467,19 @@ class ExtractRegistry extends Extract {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID(), parentModuleName, procArch));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_NAME.getTypeID(), parentModuleName, procId));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR.getTypeID(), parentModuleName, tempDir));
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||
bbart.addAttributes(bbattributes);
|
||||
|
||||
// Check if there is already an OS_INFO artifact for this file and add to that if possible
|
||||
ArrayList<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
|
||||
if (results.isEmpty()) {
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||
bbart.addAttributes(bbattributes);
|
||||
} else {
|
||||
results.get(0).addAttributes(bbattributes);
|
||||
}
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
||||
}
|
||||
}
|
||||
else if(dataType.equals("CompName")){ // NON-NLS
|
||||
} else if (dataType.equals("CompName")) { // NON-NLS
|
||||
|
||||
String compName = "";
|
||||
String domain = "";
|
||||
@ -492,10 +493,9 @@ class ExtractRegistry extends Extract {
|
||||
String value = artnode.getTextContent().trim();
|
||||
String name = artnode.getAttribute("name");
|
||||
|
||||
if(name.equals("ComputerName")){ // NON-NLS
|
||||
if (name.equals("ComputerName")) { // NON-NLS
|
||||
compName = value;
|
||||
}
|
||||
else if(name.equals("Domain")){ // NON-NLS
|
||||
} else if (name.equals("Domain")) { // NON-NLS
|
||||
domain = value;
|
||||
}
|
||||
}
|
||||
@ -505,13 +505,19 @@ class ExtractRegistry extends Extract {
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), parentModuleName, compName));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), parentModuleName, domain));
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||
bbart.addAttributes(bbattributes);
|
||||
|
||||
// Check if there is already an OS_INFO artifact for this file and add to that if possible
|
||||
ArrayList<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
|
||||
if (results.isEmpty()) {
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
|
||||
bbart.addAttributes(bbattributes);
|
||||
} else {
|
||||
results.get(0).addAttributes(bbattributes);
|
||||
}
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
|
||||
}
|
||||
}
|
||||
else{
|
||||
} else {
|
||||
for (int j = 0; j < myartlist.getLength(); j++) {
|
||||
Node artchild = myartlist.item(j);
|
||||
// If it has attributes, then it is an Element (based off API)
|
||||
@ -569,7 +575,7 @@ class ExtractRegistry extends Extract {
|
||||
|
||||
try {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, value));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),parentModuleName, itemMtime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, itemMtime));
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
|
||||
bbart.addAttributes(bbattributes);
|
||||
} catch (TskCoreException ex) {
|
||||
@ -618,26 +624,25 @@ class ExtractRegistry extends Extract {
|
||||
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
|
||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
|
||||
parentModuleName, username));
|
||||
parentModuleName, username));
|
||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID(),
|
||||
parentModuleName, sid));
|
||||
parentModuleName, sid));
|
||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),
|
||||
parentModuleName, homeDir));
|
||||
parentModuleName, homeDir));
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding account artifact to blackboard."); //NON-NLS
|
||||
}
|
||||
break;
|
||||
|
||||
case "NtuserNetwork": // NON-NLS
|
||||
try{
|
||||
try {
|
||||
String localPath = artnode.getAttribute("localPath");
|
||||
String remoteName = value;
|
||||
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
|
||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),
|
||||
parentModuleName, localPath));
|
||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
|
||||
parentModuleName, remoteName));
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE);
|
||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH.getTypeID(),
|
||||
parentModuleName, localPath));
|
||||
bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH.getTypeID(),
|
||||
parentModuleName, remoteName));
|
||||
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding network artifact to blackboard."); //NON-NLS
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user