mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-15 09:17:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Changed web artifact created to data artifacts

Browse Source
This commit is contained in:
Kelly Kelly 2021-03-01 16:08:35 -05:00
parent b6e421f58a
commit a3c6d57a4e
11 changed files with 135 additions and 116 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java
View File

@ -55,9 +55,11 @@ import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_CACHE;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.DerivedFile; import org.sleuthkit.datamodel.DerivedFile;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.TimeUtilities; import org.sleuthkit.datamodel.TimeUtilities;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskData;
@ -521,33 +523,32 @@ final class ChromeCacheExtractor {
private void addArtifacts(CacheEntry cacheEntry, AbstractFile cacheEntryFile, AbstractFile cachedItemFile, Collection<BlackboardArtifact> artifactsAdded) throws TskCoreException { private void addArtifacts(CacheEntry cacheEntry, AbstractFile cacheEntryFile, AbstractFile cachedItemFile, Collection<BlackboardArtifact> artifactsAdded) throws TskCoreException {
// Create a TSK_WEB_CACHE entry with the parent as data_X file that had the cache entry // Create a TSK_WEB_CACHE entry with the parent as data_X file that had the cache entry
BlackboardArtifact webCacheArtifact = cacheEntryFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_CACHE); Collection<BlackboardAttribute> webAttr = new ArrayList<>();
if (webCacheArtifact != null) { String url = cacheEntry.getKey() != null ? cacheEntry.getKey() : "";
Collection<BlackboardAttribute> webAttr = new ArrayList<>(); webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL,
String url = cacheEntry.getKey() != null ? cacheEntry.getKey() : ""; moduleName, url));
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN,
moduleName, url)); moduleName, NetworkUtils.extractDomain(url)));
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
moduleName, NetworkUtils.extractDomain(url))); moduleName, cacheEntry.getCreationTime()));
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HEADERS,
moduleName, cacheEntry.getCreationTime())); moduleName, cacheEntry.getHTTPHeaders()));
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HEADERS, webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH,
moduleName, cacheEntry.getHTTPHeaders())); moduleName, cachedItemFile.getUniquePath()));
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID,
moduleName, cachedItemFile.getUniquePath())); moduleName, cachedItemFile.getId()));
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID,
moduleName, cachedItemFile.getId()));
webCacheArtifact.addAttributes(webAttr);
artifactsAdded.add(webCacheArtifact);
// Create a TSK_ASSOCIATED_OBJECT on the f_XXX or derived file file back to the CACHE entry Optional<OsAccount> optional = cacheEntryFile.getOsAccount();
BlackboardArtifact associatedObjectArtifact = cachedItemFile.newArtifact(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT); BlackboardArtifact webCacheArtifact = cacheEntryFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_WEB_CACHE), webAttr, optional.isPresent() ? optional.get() : null);
if (associatedObjectArtifact != null) { artifactsAdded.add(webCacheArtifact);
associatedObjectArtifact.addAttribute(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, // Create a TSK_ASSOCIATED_OBJECT on the f_XXX or derived file file back to the CACHE entry
moduleName, webCacheArtifact.getArtifactID())); BlackboardArtifact associatedObjectArtifact = cachedItemFile.newArtifact(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT);
artifactsAdded.add(associatedObjectArtifact); if (associatedObjectArtifact != null) {
} associatedObjectArtifact.addAttribute(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
moduleName, webCacheArtifact.getArtifactID()));
artifactsAdded.add(associatedObjectArtifact);
} }
} }

51
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java
View File

@ -41,6 +41,7 @@ import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.HashMap; import java.util.HashMap;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Optional;
import org.apache.commons.io.FilenameUtils; import org.apache.commons.io.FilenameUtils;
import org.openide.util.NbBundle.Messages; import org.openide.util.NbBundle.Messages;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
@ -54,9 +55,12 @@ import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskData;
@ -264,7 +268,7 @@ class Chromium extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), RecentActivityExtracterModuleFactory.getModuleName(),
(NetworkUtils.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS (NetworkUtils.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }
@ -390,29 +394,21 @@ class Chromium extends Extract {
date = Long.valueOf(0); date = Long.valueOf(0);
} }
String domain = NetworkUtils.extractDomain(url); String domain = NetworkUtils.extractDomain(url);
try { Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); //TODO Revisit usage of deprecated constructor as per TSK-583
Collection<BlackboardAttribute> bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
//TODO Revisit usage of deprecated constructor as per TSK-583 RecentActivityExtracterModuleFactory.getModuleName(), url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
RecentActivityExtracterModuleFactory.getModuleName(), url)); RecentActivityExtracterModuleFactory.getModuleName(), name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
RecentActivityExtracterModuleFactory.getModuleName(), name)); RecentActivityExtracterModuleFactory.getModuleName(), (date / 1000000) - Long.valueOf("11644473600")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
RecentActivityExtracterModuleFactory.getModuleName(), (date / 1000000) - Long.valueOf("11644473600"))); RecentActivityExtracterModuleFactory.getModuleName(), browser));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
RecentActivityExtracterModuleFactory.getModuleName(), browser)); RecentActivityExtracterModuleFactory.getModuleName(), domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
RecentActivityExtracterModuleFactory.getModuleName(), domain));
bbart.addAttributes(bbattributes);
bbartifacts.add(bbart); bbartifacts.add(createDataArtifactWithAttributes(TSK_WEB_BOOKMARK, bookmarkFile, bbattributes));
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS
this.addErrorMessage(
NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4",
this.getName(), bookmarkFile.getName()));
}
} }
if(!context.dataSourceIngestIsCancelled()) { if(!context.dataSourceIngestIsCancelled()) {
@ -504,7 +500,7 @@ class Chromium extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
RecentActivityExtracterModuleFactory.getModuleName(), domain)); RecentActivityExtracterModuleFactory.getModuleName(), domain));
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }
@ -610,7 +606,7 @@ class Chromium extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
RecentActivityExtracterModuleFactory.getModuleName(), browser)); RecentActivityExtracterModuleFactory.getModuleName(), browser));
BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes); BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
if (webDownloadArtifact != null) { if (webDownloadArtifact != null) {
bbartifacts.add(webDownloadArtifact); bbartifacts.add(webDownloadArtifact);
@ -618,7 +614,8 @@ class Chromium extends Extract {
try { try {
String normalizedFullPath = FilenameUtils.normalize(fullPath, true); String normalizedFullPath = FilenameUtils.normalize(fullPath, true);
for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(normalizedFullPath), FilenameUtils.getPath(normalizedFullPath))) { for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(normalizedFullPath), FilenameUtils.getPath(normalizedFullPath))) {
BlackboardArtifact associatedObjectArtifact = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT); BlackboardArtifact associatedObjectArtifact =
downloadedFile.newArtifact(TSK_ASSOCIATED_OBJECT);
associatedObjectArtifact.addAttribute( associatedObjectArtifact.addAttribute(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
RecentActivityExtracterModuleFactory.getModuleName(), webDownloadArtifact.getArtifactID())); RecentActivityExtracterModuleFactory.getModuleName(), webDownloadArtifact.getArtifactID()));
@ -870,7 +867,7 @@ class Chromium extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), browser)); RecentActivityExtracterModuleFactory.getModuleName(), browser));
// Add an artifact // Add an artifact
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, webDataFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, webDataFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DomainCategoryRunner.java
View File

@ -422,7 +422,7 @@ class DomainCategoryRunner extends Extract {
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HOST, moduleName, artHost.getHost()), new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HOST, moduleName, artHost.getHost()),
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, moduleName, domainCategory) new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, moduleName, domainCategory)
); );
postArtifact(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_CATEGORIZATION, artHost.getAbstractFile(), bbattributes)); postArtifact(createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_CATEGORIZATION, artHost.getAbstractFile(), bbattributes));
} }
@Override @Override

14
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java
View File

@ -34,6 +34,7 @@ import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Optional;
import java.util.logging.Level; import java.util.logging.Level;
import org.openide.util.NbBundle.Messages; import org.openide.util.NbBundle.Messages;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
@ -49,6 +50,8 @@ import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.DataArtifact;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskException; import org.sleuthkit.datamodel.TskException;
@ -132,6 +135,17 @@ abstract class Extract {
return null; return null;
} }
DataArtifact createDataArtifactWithAttributes(BlackboardArtifact.ARTIFACT_TYPE type, AbstractFile file, Collection<BlackboardAttribute> attributes) {
try {
Optional<OsAccount> optional = file.getOsAccount();
DataArtifact bbart = file.newDataArtifact(new BlackboardArtifact.Type(type), attributes, optional.isPresent() ? optional.get() : null);
return bbart;
} catch (TskException ex) {
logger.log(Level.WARNING, String.format("Error while trying to add an artifact (%s) for abstractFile %d", type.getDisplayName(), file.getId()), ex); //NON-NLS
}
return null;
}
/** /**
* Method to post a blackboard artifact to the blackboard. * Method to post a blackboard artifact to the blackboard.
* *

19
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractEdge.java
View File

@ -53,6 +53,9 @@ import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
@ -628,14 +631,10 @@ final class ExtractEdge extends Extract {
String accessTime = rowSplit[index].trim(); String accessTime = rowSplit[index].trim();
Long ftime = parseTimestamp(accessTime); Long ftime = parseTimestamp(accessTime);
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY); return createDataArtifactWithAttributes(TSK_WEB_HISTORY, origFile, createHistoryAttribute(url, ftime,
bbart.addAttributes(createHistoryAttribute(url, ftime,
null, null, null, null,
this.getName(), this.getName(),
NetworkUtils.extractDomain(url), user)); NetworkUtils.extractDomain(url), user));
return bbart;
} }
/** /**
@ -658,9 +657,7 @@ final class ExtractEdge extends Extract {
String value = hexToChar(lineSplit[headers.indexOf(EDGE_HEAD_VALUE)].trim()); String value = hexToChar(lineSplit[headers.indexOf(EDGE_HEAD_VALUE)].trim());
String url = flipDomain(domain); String url = flipDomain(domain);
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE); return createDataArtifactWithAttributes(TSK_WEB_COOKIE, origFile, createCookieAttributes(url, null, ftime, null, name, value, this.getName(), NetworkUtils.extractDomain(url)));
bbart.addAttributes(createCookieAttributes(url, null, ftime, null, name, value, this.getName(), NetworkUtils.extractDomain(url)));
return bbart;
} }
/** /**
@ -707,11 +704,9 @@ final class ExtractEdge extends Extract {
if (url.isEmpty()) { if (url.isEmpty()) {
return null; return null;
} }
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK); return createDataArtifactWithAttributes(TSK_WEB_BOOKMARK, origFile, createBookmarkAttributes(url, title, null,
bbart.addAttributes(createBookmarkAttributes(url, title, null,
this.getName(), NetworkUtils.extractDomain(url))); this.getName(), NetworkUtils.extractDomain(url)));
return bbart;
} }

51
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
View File

@ -56,6 +56,7 @@ import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator;
import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress; import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
import org.sleuthkit.autopsy.ingest.IngestJobContext; import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY;
import org.sleuthkit.datamodel.ReadContentInputStream; import org.sleuthkit.datamodel.ReadContentInputStream;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
@ -168,7 +169,7 @@ class ExtractIE extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), domain)); RecentActivityExtracterModuleFactory.getModuleName(), domain));
} }
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }
@ -280,7 +281,7 @@ class ExtractIE extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
RecentActivityExtracterModuleFactory.getModuleName(), domain)); RecentActivityExtracterModuleFactory.getModuleName(), domain));
} }
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }
@ -558,34 +559,28 @@ class ExtractIE extends Extract {
} }
} }
try { Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
Collection<BlackboardAttribute> bbattributes = new ArrayList<>(); RecentActivityExtracterModuleFactory.getModuleName(), realurl));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
RecentActivityExtracterModuleFactory.getModuleName(), realurl));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
RecentActivityExtracterModuleFactory.getModuleName(), ftime)); RecentActivityExtracterModuleFactory.getModuleName(), ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
RecentActivityExtracterModuleFactory.getModuleName(), "")); RecentActivityExtracterModuleFactory.getModuleName(), ""));
// @@@ NOte that other browser modules are adding TITLE in hre for the title // @@@ NOte that other browser modules are adding TITLE in hre for the title
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
RecentActivityExtracterModuleFactory.getModuleName(), RecentActivityExtracterModuleFactory.getModuleName(),
NbBundle.getMessage(this.getClass(), NbBundle.getMessage(this.getClass(),
"ExtractIE.moduleName.text"))); "ExtractIE.moduleName.text")));
if (domain != null && domain.isEmpty() == false) { if (domain != null && domain.isEmpty() == false) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
RecentActivityExtracterModuleFactory.getModuleName(), domain)); RecentActivityExtracterModuleFactory.getModuleName(), domain));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
RecentActivityExtracterModuleFactory.getModuleName(), user));
bbart.addAttributes(bbattributes);
bbartifacts.add(bbart);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard. Pasco results will be incomplete", ex); //NON-NLS
} }
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
RecentActivityExtracterModuleFactory.getModuleName(), user));
bbartifacts.add(createDataArtifactWithAttributes(TSK_WEB_HISTORY, origFile, bbattributes));
} }
fileScanner.close(); fileScanner.close();
return bbartifacts; return bbartifacts;

43
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
View File

@ -49,6 +49,10 @@ import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.recentactivity.BinaryCookieReader.Cookie; import org.sleuthkit.autopsy.recentactivity.BinaryCookieReader.Cookie;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD;
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
@ -430,10 +434,12 @@ final class ExtractSafari extends Extract {
String title = row.get(HEAD_TITLE).toString(); String title = row.get(HEAD_TITLE).toString();
Long time = (Double.valueOf(row.get(HEAD_TIME).toString())).longValue(); Long time = (Double.valueOf(row.get(HEAD_TIME).toString())).longValue();
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY); bbartifacts.add(
bbart.addAttributes(createHistoryAttribute(url, time, null, title, createDataArtifactWithAttributes(
this.getName(), NetworkUtils.extractDomain(url), null)); TSK_WEB_HISTORY,
bbartifacts.add(bbart); origFile,
createHistoryAttribute(url, time, null, title,
this.getName(), NetworkUtils.extractDomain(url), null)));
} }
return bbartifacts; return bbartifacts;
@ -564,10 +570,19 @@ final class ExtractSafari extends Extract {
} }
Cookie cookie = iter.next(); Cookie cookie = iter.next();
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE); bbartifacts.add(
bbart.addAttributes(createCookieAttributes(cookie.getURL(), cookie.getCreationDate(), null, cookie.getExpirationDate(), cookie.getName(), cookie.getValue(), this.getName(), NetworkUtils.extractDomain(cookie.getURL()))); createDataArtifactWithAttributes(
bbartifacts.add(bbart); TSK_WEB_COOKIE,
origFile,
createCookieAttributes(
cookie.getURL(),
cookie.getCreationDate(),
null,
cookie.getExpirationDate(),
cookie.getName(), cookie.getValue(),
this.getName(),
NetworkUtils.extractDomain(cookie.getURL()))));
} }
} }
@ -615,9 +630,12 @@ final class ExtractSafari extends Extract {
} }
if (url != null || title != null) { if (url != null || title != null) {
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK); bbartifacts.add(createDataArtifactWithAttributes(TSK_WEB_BOOKMARK, origFile,
bbart.addAttributes(createBookmarkAttributes(url, title, null, getName(), NetworkUtils.extractDomain(url))); createBookmarkAttributes(url,
bbartifacts.add(bbart); title,
null,
getName(),
NetworkUtils.extractDomain(url))));
} }
} }
} }
@ -656,8 +674,7 @@ final class ExtractSafari extends Extract {
time = date.getDate().getTime(); time = date.getDate().getTime();
} }
BlackboardArtifact webDownloadArtifact = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(TSK_WEB_DOWNLOAD, origFile, createDownloadAttributes(path, pathID, url, time, NetworkUtils.extractDomain(url), getName()));
webDownloadArtifact.addAttributes(this.createDownloadAttributes(path, pathID, url, time, NetworkUtils.extractDomain(url), getName()));
bbartifacts.add(webDownloadArtifact); bbartifacts.add(webDownloadArtifact);
// find the downloaded file and create a TSK_ASSOCIATED_OBJECT for it, associating it with the TSK_WEB_DOWNLOAD artifact. // find the downloaded file and create a TSK_ASSOCIATED_OBJECT for it, associating it with the TSK_WEB_DOWNLOAD artifact.

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractWebAccountType.java
View File

@ -298,7 +298,7 @@ class ExtractWebAccountType extends Extract {
NbBundle.getMessage(this.getClass(), NbBundle.getMessage(this.getClass(),
"ExtractWebAccountType.parentModuleName"), role.getUrl())); "ExtractWebAccountType.parentModuleName"), role.getUrl()));
artifactList.add(createArtifactWithAttributes(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_ACCOUNT_TYPE, file, bbattributes)); artifactList.add(createDataArtifactWithAttributes(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_ACCOUNT_TYPE, file, bbattributes));
} }
if (!context.dataSourceIngestIsCancelled()) { if (!context.dataSourceIngestIsCancelled()) {

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractZoneIdentifier.java
View File

@ -247,7 +247,7 @@ final class ExtractZoneIdentifier extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), RecentActivityExtracterModuleFactory.getModuleName(),
zoneInfo.getZoneIdAsString())); zoneInfo.getZoneIdAsString()));
} }
return createArtifactWithAttributes(TSK_WEB_DOWNLOAD, zoneFile, bbattributes); return createDataArtifactWithAttributes(TSK_WEB_DOWNLOAD, zoneFile, bbattributes);
} }
/** /**

12
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
View File

@ -236,7 +236,7 @@ class Firefox extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS
} }
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }
@ -332,7 +332,7 @@ class Firefox extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS
} }
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }
@ -448,7 +448,7 @@ class Firefox extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), domain)); RecentActivityExtracterModuleFactory.getModuleName(), domain));
} }
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }
@ -575,7 +575,7 @@ class Firefox extends Extract {
domain)); //NON-NLS domain)); //NON-NLS
} }
BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes); BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
if (webDownloadArtifact != null) { if (webDownloadArtifact != null) {
bbartifacts.add(webDownloadArtifact); bbartifacts.add(webDownloadArtifact);
@ -717,7 +717,7 @@ class Firefox extends Extract {
RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS
} }
BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes); BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
if (webDownloadArtifact != null) { if (webDownloadArtifact != null) {
bbartifacts.add(webDownloadArtifact); bbartifacts.add(webDownloadArtifact);
@ -857,7 +857,7 @@ class Firefox extends Extract {
} }
// Add artifact // Add artifact
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, formHistoryFile, bbattributes); BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, formHistoryFile, bbattributes);
if (bbart != null) { if (bbart != null) {
bbartifacts.add(bbart); bbartifacts.add(bbart);
} }

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/SearchEngineURLQueryAnalyzer.java
View File

@ -382,7 +382,7 @@ class SearchEngineURLQueryAnalyzer extends Extract {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
NbBundle.getMessage(this.getClass(), NbBundle.getMessage(this.getClass(),
"SearchEngineURLQueryAnalyzer.parentModuleName"), last_accessed)); "SearchEngineURLQueryAnalyzer.parentModuleName"), last_accessed));
postArtifact(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY, file, bbattributes)); postArtifact(createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY, file, bbattributes));
++totalQueries; ++totalQueries;
} }
} }