Merge pull request #6597 from markmckinnon/7152-aLeapp-Third-Party-Program-wraps-long-text-in-output-and-causes-issues-in-parsing

7152-aLeapp-Third-Party-Program-wraps-long-text-in-output-and-causes-issues-in-parsing

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ALeappAnalyzerIngestModule.java

@@ -318,7 +318,8 @@ public class ALeappAnalyzerIngestModule implements DataSourceIngestModule {
                 "\"" + aLeappExecutable + "\"", //NON-NLS
                 "-t", aLeappFileSystemType, //NON-NLS
                 "-i", sourceFilePath, //NON-NLS
-                "-o", moduleOutputPath.toString()
+                "-o", moduleOutputPath.toString(),
+                "-w"
         );
         processBuilder.redirectError(moduleOutputPath.resolve("aLeapp_err.txt").toFile());  //NON-NLS
         processBuilder.redirectOutput(moduleOutputPath.resolve("aLeapp_out.txt").toFile());  //NON-NLS

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java

@@ -30,7 +30,9 @@ import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.List;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
 import static java.util.Locale.US;
@@ -239,7 +241,6 @@ public final class LeappFileProcessor {
                     Collection<BlackboardAttribute> bbattributes = processReadLine(line, columnNumberToProcess, fileName);
                     if (artifactType == null) {
                         logger.log(Level.SEVERE, "Error trying to process Leapp output files in directory . "); //NON-NLS
-                        
                     }
                     if (!bbattributes.isEmpty() && !blkBoard.artifactExists(dataSource, BlackboardArtifact.ARTIFACT_TYPE.fromID(artifactType.getTypeID()), bbattributes)) {
                         BlackboardArtifact bbartifact = createArtifactWithAttributes(artifactType.getTypeID(), dataSource, bbattributes);
@@ -264,7 +265,17 @@ public final class LeappFileProcessor {
      * @return
      */
     private Collection<BlackboardAttribute> processReadLine(String line, Map<Integer, String> columnNumberToProcess, String fileName) throws IngestModuleException {
-        String[] columnValues = line.split("\\t");
+         
+        String[] columnValues;
+        
+        // Check to see if the 2 values are equal, they may not be equal if there is no corresponding data in the line.
+        // If this happens then adding an empty value(s) for each columnValue where data does not exist
+        Integer maxColumnNumber = Collections.max(columnNumberToProcess.keySet());
+        if (maxColumnNumber > line.split("\\t").length) {
+            columnValues = Arrays.copyOf(line.split("\\t"), maxColumnNumber + 1);
+        } else {
+            columnValues = line.split("\\t");
+        }
 
         Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
 

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleap-artifact-attribute-reference.xml

@@ -225,7 +225,7 @@
     </FileName>
 
     <FileName filename="google play searches.tsv" description="Google Play Searches">
-        <ArtifactName artifactname="TSK_WEB_SEARCH" comment="Google Play Search">
+        <ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="Google Play Search">
             <AttributeName attributename="TSK_DATETIME_ACCESSED" columnName="Timestamp" required="yes" />
             <AttributeName attributename="TSK_PROG_NAME" columnName="Display" required="yes" />
             <AttributeName attributename="TSK_TEXT" columnName="query" required="yes" />
@@ -233,7 +233,7 @@
     </FileName>
 
     <FileName filename="google quick search box.tsv" description="Google quick search box">
-        <ArtifactName artifactname="TSK_WEB_SEARCH" comment="Google Quick Search Search">
+        <ArtifactName artifactname="TSK_WEB_SEARCH_QUERY" comment="Google Quick Search Search">
             <AttributeName attributename="TSK_DATETIME" columnName="File Timestamp" required="yes" />
             <AttributeName attributename="null" columnName="Type" required="no" />
             <AttributeName attributename="TSK_TEXT" columnName="Queries	Response" required="yes" />
@@ -294,8 +294,8 @@
             <AttributeName attributename="TSK_DATETIME" columnName="Date" required="yes"/>
             <AttributeName attributename="null" columnName="MSG ID" required="no"/>
             <AttributeName attributename="TSK_THREAD_ID" columnName="Thread ID" required="yes"/>
-            <AttributeName attributename="null" columnName="Address" required="yes" />
-            <AttributeName attributename="TSK_PHONE_NUMBER_FROM" columnName="Contact ID" required="yes"/>
+            <AttributeName attributename="TSK_PHONE_NUMBER_FROM" columnName="Address" required="yes" />
+            <AttributeName attributename="null" columnName="Contact ID" required="yes"/>
             <AttributeName attributename="TSK_DATETIME_SENT" columnName="Date sent" required="yes"/>
             <AttributeName attributename="TSK_READ_STATUS" columnName="Read" required="yes"/>
             <AttributeName attributename="TSK_TEXT" columnName="Body" required="yes"/>            

docs/doxygen-user/aleapp.dox

@@ -0,0 +1,20 @@
+/*! \page aleapp_page Android Analyzer (aLEAPP)
+
+[TOC]
+
+\section aleapp_overview Overview
+
+The Android Analyzer ingest module runs aLEAPP (https://github.com/abrignoni/aLEAPP) and converts the results into results that can be viewed in Autopsy.
+
+\section aleapp_config Using the Module
+
+Select the checkbox in the Ingest Modules settings screen to enable the Android Analzyer (ALEAPP) module. The module will run on .tar/.zip files found in a \ref ds_log "logical files data source" or a \ref ds_img disk image.
+
+\section aleapp_results Seeing Results
+
+Results from the Android Analyzer module will appear in the \ref tree_viewer_page under Results->Extracted Content.
+
+\image html aleapp_main.jpg
+
+
+*/