diff --git a/RecentActivity/release/pasco2/commons-cli-1.0.jar b/RecentActivity/release/pasco2/commons-cli-1.0.jar
new file mode 100644
index 0000000000..22a004e14e
Binary files /dev/null and b/RecentActivity/release/pasco2/commons-cli-1.0.jar differ
diff --git a/RecentActivity/release/pasco2/commons-collections-3.1.jar b/RecentActivity/release/pasco2/commons-collections-3.1.jar
new file mode 100644
index 0000000000..41e230feea
Binary files /dev/null and b/RecentActivity/release/pasco2/commons-collections-3.1.jar differ
diff --git a/RecentActivity/release/pasco2/ctypes4j.dll b/RecentActivity/release/pasco2/ctypes4j.dll
new file mode 100644
index 0000000000..3455ad1771
Binary files /dev/null and b/RecentActivity/release/pasco2/ctypes4j.dll differ
diff --git a/RecentActivity/release/pasco2/ctypes4j.jar b/RecentActivity/release/pasco2/ctypes4j.jar
new file mode 100644
index 0000000000..a6c6f3c3b0
Binary files /dev/null and b/RecentActivity/release/pasco2/ctypes4j.jar differ
diff --git a/RecentActivity/release/pasco2/ctypes4j.zip b/RecentActivity/release/pasco2/ctypes4j.zip
new file mode 100644
index 0000000000..84d28c2dba
Binary files /dev/null and b/RecentActivity/release/pasco2/ctypes4j.zip differ
diff --git a/RecentActivity/release/pasco2/pasco2.jar b/RecentActivity/release/pasco2/pasco2.jar
new file mode 100644
index 0000000000..1f07a5e960
Binary files /dev/null and b/RecentActivity/release/pasco2/pasco2.jar differ
diff --git a/RecentActivity/release/pasco2/trove-1.0.2.jar b/RecentActivity/release/pasco2/trove-1.0.2.jar
new file mode 100644
index 0000000000..ac62eb35cd
Binary files /dev/null and b/RecentActivity/release/pasco2/trove-1.0.2.jar differ
diff --git a/RecentActivity/release/pasco2/trove-3.0.2.jar b/RecentActivity/release/pasco2/trove-3.0.2.jar
new file mode 100644
index 0000000000..12fb57681f
Binary files /dev/null and b/RecentActivity/release/pasco2/trove-3.0.2.jar differ
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
index ad903b44d6..c912a5056c 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
@@ -1,6 +1,25 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2011 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 package org.sleuthkit.autopsy.recentactivity;
 //IO imports
+import com.sun.corba.se.spi.activation.Server;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -21,6 +40,7 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 // TSK Imports
+import org.openide.modules.InstalledFileLocator;
 import org.openide.util.Exceptions;
 import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.datamodel.ContentUtils;
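Review bot: The added `import com.sun.corba.se.spi.activation.Server;` in the first hunk brings in a JDK-internal CORBA class that nothing in the visible hunks uses; it looks like an accidental IDE auto-import. `com.sun.*` packages are not part of the supported Java API, and the CORBA modules were removed from the JDK in Java 11, so this line will break compilation on newer JDKs. I would delete the import.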
@@ -32,97 +52,111 @@ import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskException; - public class ExtractIE { // implements BrowserActivity { - //Constants region - private final String indexDatQueryStr = "select * from tsk_files where name LIKE '%index.dat%'"; + private static final Logger logger = Logger.getLogger(ExtractIE.class.getName()); + private final String indexDatQueryStr = "select * from tsk_files where name LIKE '%index.dat%'"; + + //sleauthkit db handle + SleuthkitCase tempDb; + + //paths set in init() + private String PASCO_RESULTS_PATH; + private String PASCO_LIB_PATH; + + //Results List to be referenced/used outside the class + public ArrayList> PASCO_RESULTS_LIST = new ArrayList>(); + //Look Up Table that holds Pasco2 results + private HashMap PASCO_RESULTS_LUT; + private KeyValueThing IE_PASCO_LUT = new KeyValueThing(BrowserType.IE.name(), BrowserType.IE.getType()); + public LinkedHashMap IE_OBJ; - private final String PASCO_HOME = System.getenv("PASCO_HOME"); - private final String PASCO_RESULTS_PATH = PASCO_HOME + "\\results"; - private final String PASCO_LIB_PATH = PASCO_HOME + "\\pasco2.jar;" - + PASCO_HOME + "\\lib\\*"; + + boolean pascoFound = false; - //Results List to be referenced/used outside the class - public ArrayList> PASCO_RESULTS_LIST = new ArrayList>(); - //Look Up Table that holds Pasco2 results - private HashMap PASCO_RESULTS_LUT ; + public ExtractIE() { + init(); + } - private KeyValueThing IE_PASCO_LUT = new KeyValueThing(BrowserType.IE.name(), BrowserType.IE.getType()); + //@Override + public KeyValueThing getRecentActivity() { + return IE_PASCO_LUT; + } - public LinkedHashMap IE_OBJ; + private void init() { + final Case currentCase = Case.getCurrentCase(); + final String caseDir = Case.getCurrentCase().getCaseDirectory(); + PASCO_RESULTS_PATH = caseDir + File.separator + "recentactivity" + File.separator + "results"; - //Get this case - private Case 
currentCase = Case.getCurrentCase(); - private SleuthkitCase tempDb = currentCase.getSleuthkitCase(); - - //Singleton logger object. - private final Logger logger = Logger.getLogger(this.getClass().getName()); - - public ExtractIE(){ - init(); - } - - //@Override - public KeyValueThing getRecentActivity() - { - return IE_PASCO_LUT; - } - - void init() - { - try - { - Collection FsContentCollection; - ResultSet rs = tempDb.runQuery(indexDatQueryStr); - FsContentCollection = tempDb.resultSetToFsContents(rs); - - String temps; - String indexFileName; - int index = 0; - - for(FsContent fsc : FsContentCollection) - { - // Since each result represent an index.dat file, - // just create these files with the following notation: - // index.dat (i.e. index0.dat, index1.dat,..., indexN.dat) - // Write each index.dat file to a temp directory. - BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); - //indexFileName = "index" + Integer.toString(index) + ".dat"; - indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat"; - temps = currentCase.getTempDirectory() + "\\" + indexFileName; - File datFile = new File(temps); - ContentUtils.writeToFile(fsc, datFile); - - boolean bPascProcSuccess = executePasco(temps, index, bbart.getArtifactID()); - - //At this point pasco2 proccessed the index files. - //Now fetch the results, parse them and the delete the files. 
- if(bPascProcSuccess) - { - - //Delete index.dat file since it was succcessfully by Pasco - datFile.delete(); - } - ++index; + logger.log(Level.INFO, "Pasco results path: " + PASCO_RESULTS_PATH); + + final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); + if (pascoRoot == null) { + logger.log(Level.SEVERE, "Pasco2 not found"); + pascoFound = false; + return; } - } - catch(Exception ioex) - { - logger.log(Level.SEVERE, "Error while trying to write index.dat files.", ioex); - } - } + else { + pascoFound = true; + } + + final String pascoHome = pascoRoot.getAbsolutePath(); + logger.log(Level.INFO, "Pasco2 home: " + pascoHome); + + PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator + + pascoHome + File.separator + "*"; + try { + File resultsDir = new File(PASCO_RESULTS_PATH); + resultsDir.mkdirs(); + + Collection FsContentCollection; + + tempDb = currentCase.getSleuthkitCase(); + ResultSet rs = tempDb.runQuery(indexDatQueryStr); + FsContentCollection = tempDb.resultSetToFsContents(rs); + + String temps; + String indexFileName; + int index = 0; + + for (FsContent fsc : FsContentCollection) { + // Since each result represent an index.dat file, + // just create these files with the following notation: + // index.dat (i.e. index0.dat, index1.dat,..., indexN.dat) + // Write each index.dat file to a temp directory. + BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); + //indexFileName = "index" + Integer.toString(index) + ".dat"; + indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat"; + temps = currentCase.getTempDirectory() + File.separator + indexFileName; + File datFile = new File(temps); + ContentUtils.writeToFile(fsc, datFile); + + boolean bPascProcSuccess = executePasco(temps, index, bbart.getArtifactID()); + + //At this point pasco2 proccessed the index files. + //Now fetch the results, parse them and the delete the files. 
+ if (bPascProcSuccess) { + + //Delete index.dat file since it was succcessfully by Pasco + datFile.delete(); + } + ++index; + } + } catch (Exception ioex) { + logger.log(Level.SEVERE, "Error while trying to write index.dat files.", ioex); + } + } //Simple wrapper to JavaSystemCaller.Exec() to execute pasco2 jar // TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath // I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now. - private boolean executePasco(String indexFilePath, int fileIndex, long bbId) - { - boolean success = true; + private boolean executePasco(String indexFilePath, int fileIndex, long bbId) { + if (pascoFound == false) + return false; + boolean success = true; - try - { + try { List command = new ArrayList(); command.add("-cp"); 
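Review bot: The classpath built in init(), `pascoHome + File.separator + "pasco2.jar" + File.pathSeparator + pascoHome + File.separator + "*"`, puts every jar in the pasco2 install directory on the parser's classpath, and this commit ships both trove-1.0.2.jar and trove-3.0.2.jar (plus commons-collections-3.1.jar) in that directory. The JVM does not define the order in which a wildcard classpath entry is expanded, so which trove classes are picked up may differ between machines, and any additional jar that ends up in that directory is loaded alongside them. I would list the jars pasco2 actually needs explicitly and keep only one trove version. The body of executePasco, which starts at the end of this hunk, continues outside it.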
@@ -131,115 +165,103 @@ public class ExtractIE { // implements BrowserActivity { command.add(" -T history"); command.add(indexFilePath); //command.add(" > " + PASCO_RESULTS_PATH + "\\pasco2Result" + Integer.toString(fileIndex) + ".txt"); - command.add(" > " + PASCO_RESULTS_PATH + "\\" + Long.toString(bbId)); + command.add(" > " + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId)); String[] cmd = command.toArray(new String[0]); JavaSystemCaller.Exec.execute("java", cmd); - } - catch(Exception e) - { - success = false; - logger.log(Level.SEVERE, "ExtractIE::executePasco() -> " ,e.getMessage() ); - } + } catch (Exception e) { + success = false; + logger.log(Level.SEVERE, "ExtractIE::executePasco() -> ", e.getMessage()); + } - return success; + return success; } - public void parsePascoResults() - { - // First thing we want to do is check to make sure the results directory - // is not empty. - File rFile = new File(PASCO_RESULTS_PATH); + public void parsePascoResults() { + if (pascoFound == false) + return; + // First thing we want to do is check to make sure the results directory + // is not empty. + File rFile = new File(PASCO_RESULTS_PATH); - - //Let's make sure our list and lut are empty. - //PASCO_RESULTS_LIST.clear(); - if(rFile.exists()) - { - //Give me a list of pasco results in that directory - File[] pascoFiles = rFile.listFiles(); + //Let's make sure our list and lut are empty. 
+ //PASCO_RESULTS_LIST.clear(); - if(pascoFiles.length > 0) - { - try - { - for (File file : pascoFiles) - { - String bbartname = file.getName(); - //bbartname = bbartname.substring(0, 4); - long bbartId = Long.parseLong(bbartname); - - // Make sure the file the is not empty or the Scanner will - // throw a "No Line found" Exception - if (file != null && file.length() > 0 ) - { - Scanner fileScanner = new Scanner(new FileInputStream(file.toString())); - //Skip the first three lines - fileScanner.nextLine(); - fileScanner.nextLine(); - fileScanner.nextLine(); + if (rFile.exists()) { + //Give me a list of pasco results in that directory + File[] pascoFiles = rFile.listFiles(); - while (fileScanner.hasNext()) - { - - - String line = fileScanner.nextLine(); - - //Need to change this pattern a bit because there might - //be instances were "V" might not apply. - String pattern = "(?)URL(\\s)(V|\\:)"; - Pattern p = Pattern.compile(pattern); - Matcher m = p.matcher(line); - if(m.find()) - { - try { - String[] lineBuff = line.split("\\t"); - PASCO_RESULTS_LUT = new HashMap(); - PASCO_RESULTS_LUT.put(BrowserActivityType.Url.name(), lineBuff[1]); - PASCO_RESULTS_LUT.put("Title", lineBuff[2]); - PASCO_RESULTS_LUT.put("Count", lineBuff[0]); - PASCO_RESULTS_LUT.put("Last Accessed", lineBuff[3]); - PASCO_RESULTS_LUT.put("Reference", "None"); - - BlackboardArtifact bbart = tempDb.getBlackboardArtifact(bbartId); - BlackboardAttribute bbatturl = new BlackboardAttribute(1,"RecentActivity","Internet Explorer",lineBuff[1]); - bbart.addAttribute(bbatturl); - BlackboardAttribute bbattdate = new BlackboardAttribute(31,"RecentActivity","Internet Explorer",lineBuff[3]); - bbart.addAttribute(bbattdate); - BlackboardAttribute bbattref = new BlackboardAttribute(32,"RecentActivity","Internet Explorer","No Ref"); - bbart.addAttribute(bbattref); - BlackboardAttribute bbatttitle = new BlackboardAttribute(3,"RecentActivity","Internet Explorer",lineBuff[2]); - bbart.addAttribute(bbatttitle); - - 
//KeyValueThing - //This will be redundant in terms IE.name() because of - //the way they implemented KeyValueThing - IE_OBJ = new LinkedHashMap(); - IE_OBJ.put(BrowserType.IE.name(), PASCO_RESULTS_LUT); - IE_PASCO_LUT.addMap(IE_OBJ); + if (pascoFiles.length > 0) { + try { + for (File file : pascoFiles) { + String bbartname = file.getName(); + //bbartname = bbartname.substring(0, 4); + long bbartId = Long.parseLong(bbartname); - PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT); - } - catch (TskException ex) { - Exceptions.printStackTrace(ex); + // Make sure the file the is not empty or the Scanner will + // throw a "No Line found" Exception + if (file != null && file.length() > 0) { + Scanner fileScanner = new Scanner(new FileInputStream(file.toString())); + //Skip the first three lines + fileScanner.nextLine(); + fileScanner.nextLine(); + fileScanner.nextLine(); + + while (fileScanner.hasNext()) { + + + String line = fileScanner.nextLine(); + + //Need to change this pattern a bit because there might + //be instances were "V" might not apply. 
+ String pattern = "(?)URL(\\s)(V|\\:)"; + Pattern p = Pattern.compile(pattern); + Matcher m = p.matcher(line); + if (m.find()) { + try { + String[] lineBuff = line.split("\\t"); + PASCO_RESULTS_LUT = new HashMap(); + PASCO_RESULTS_LUT.put(BrowserActivityType.Url.name(), lineBuff[1]); + PASCO_RESULTS_LUT.put("Title", lineBuff[2]); + PASCO_RESULTS_LUT.put("Count", lineBuff[0]); + PASCO_RESULTS_LUT.put("Last Accessed", lineBuff[3]); + PASCO_RESULTS_LUT.put("Reference", "None"); + + BlackboardArtifact bbart = tempDb.getBlackboardArtifact(bbartId); + BlackboardAttribute bbatturl = new BlackboardAttribute(1, "RecentActivity", "Internet Explorer", lineBuff[1]); + bbart.addAttribute(bbatturl); + BlackboardAttribute bbattdate = new BlackboardAttribute(31, "RecentActivity", "Internet Explorer", lineBuff[3]); + bbart.addAttribute(bbattdate); + BlackboardAttribute bbattref = new BlackboardAttribute(32, "RecentActivity", "Internet Explorer", "No Ref"); + bbart.addAttribute(bbattref); + BlackboardAttribute bbatttitle = new BlackboardAttribute(3, "RecentActivity", "Internet Explorer", lineBuff[2]); + bbart.addAttribute(bbatttitle); + + //KeyValueThing + //This will be redundant in terms IE.name() because of + //the way they implemented KeyValueThing + IE_OBJ = new LinkedHashMap(); + IE_OBJ.put(BrowserType.IE.name(), PASCO_RESULTS_LUT); + IE_PASCO_LUT.addMap(IE_OBJ); + + PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT); + } catch (TskException ex) { + Exceptions.printStackTrace(ex); + } + } + + } } - } - - } - } - //TODO: Fix Delete issue - boolean bDelete = file.delete(); + //TODO: Fix Delete issue + boolean bDelete = file.delete(); + } + } catch (IOException ioex) { + logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", ioex.getMessage()); } - } - catch(IOException ioex) - { - logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> " ,ioex.getMessage() ); - } - } - } + } + } } - }
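Review bot: parsePascoResults indexes `lineBuff[1]` through `lineBuff[3]` without checking the split length, and the three unconditional `nextLine()` calls and `Long.parseLong(bbartname)` can throw unchecked exceptions that neither `catch (TskException ex)` nor `catch (IOException ioex)` covers. The result files are produced from index.dat files taken out of the evidence image, so a single truncated or malformed record would abort the loop and leave the remaining result files unparsed. The `Scanner` is also never closed, which is a plausible cause of the `//TODO: Fix Delete issue` beside `file.delete()`. I would skip short records with a warning, skip the header lines only when they exist, and close the scanner in a `finally`, as in the excerpt below. Separately, whether the `" > " + PASCO_RESULTS_PATH + ...` argument in executePasco (whose start is outside this hunk) redirects anything depends on how `JavaSystemCaller.Exec.execute` starts the process, which is not visible here; a case directory containing spaces is worth testing.

```java
Scanner fileScanner = new Scanner(new FileInputStream(file.toString()));
try {
    // Skip the three header lines, but only as many as are present.
    for (int skipped = 0; skipped < 3 && fileScanner.hasNextLine(); skipped++) {
        fileScanner.nextLine();
    }
    // … unchanged: while loop reading each line and matching the URL pattern …
            String[] lineBuff = line.split("\\t");
            if (lineBuff.length < 4) {
                logger.log(Level.WARNING, "Skipping malformed pasco2 record in {0}", file.getName());
                continue;
            }
    // … unchanged: PASCO_RESULTS_LUT and blackboard attribute population …
} finally {
    // Release the file handle before file.delete() is attempted.
    fileScanner.close();
}
```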