mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-15 09:17:42 +00:00
Changed web artifact created to data artifacts
This commit is contained in:
Kelly Kelly
parent
b6e421f58a
commit
a3c6d57a4e
@ -55,9 +55,11 @@ import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_CACHE;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.DerivedFile;
|
||||
import org.sleuthkit.datamodel.OsAccount;
|
||||
import org.sleuthkit.datamodel.TimeUtilities;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
@ -521,33 +523,32 @@ final class ChromeCacheExtractor {
|
||||
private void addArtifacts(CacheEntry cacheEntry, AbstractFile cacheEntryFile, AbstractFile cachedItemFile, Collection<BlackboardArtifact> artifactsAdded) throws TskCoreException {
|
||||
|
||||
// Create a TSK_WEB_CACHE entry with the parent as data_X file that had the cache entry
|
||||
BlackboardArtifact webCacheArtifact = cacheEntryFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_CACHE);
|
||||
if (webCacheArtifact != null) {
|
||||
Collection<BlackboardAttribute> webAttr = new ArrayList<>();
|
||||
String url = cacheEntry.getKey() != null ? cacheEntry.getKey() : "";
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL,
|
||||
moduleName, url));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
moduleName, NetworkUtils.extractDomain(url)));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
|
||||
moduleName, cacheEntry.getCreationTime()));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HEADERS,
|
||||
moduleName, cacheEntry.getHTTPHeaders()));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH,
|
||||
moduleName, cachedItemFile.getUniquePath()));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID,
|
||||
moduleName, cachedItemFile.getId()));
|
||||
webCacheArtifact.addAttributes(webAttr);
|
||||
artifactsAdded.add(webCacheArtifact);
|
||||
Collection<BlackboardAttribute> webAttr = new ArrayList<>();
|
||||
String url = cacheEntry.getKey() != null ? cacheEntry.getKey() : "";
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL,
|
||||
moduleName, url));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
moduleName, NetworkUtils.extractDomain(url)));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
|
||||
moduleName, cacheEntry.getCreationTime()));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HEADERS,
|
||||
moduleName, cacheEntry.getHTTPHeaders()));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH,
|
||||
moduleName, cachedItemFile.getUniquePath()));
|
||||
webAttr.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID,
|
||||
moduleName, cachedItemFile.getId()));
|
||||
|
||||
// Create a TSK_ASSOCIATED_OBJECT on the f_XXX or derived file file back to the CACHE entry
|
||||
BlackboardArtifact associatedObjectArtifact = cachedItemFile.newArtifact(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT);
|
||||
if (associatedObjectArtifact != null) {
|
||||
associatedObjectArtifact.addAttribute(
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
|
||||
moduleName, webCacheArtifact.getArtifactID()));
|
||||
artifactsAdded.add(associatedObjectArtifact);
|
||||
}
|
||||
Optional<OsAccount> optional = cacheEntryFile.getOsAccount();
|
||||
BlackboardArtifact webCacheArtifact = cacheEntryFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_WEB_CACHE), webAttr, optional.isPresent() ? optional.get() : null);
|
||||
artifactsAdded.add(webCacheArtifact);
|
||||
|
||||
// Create a TSK_ASSOCIATED_OBJECT on the f_XXX or derived file file back to the CACHE entry
|
||||
BlackboardArtifact associatedObjectArtifact = cachedItemFile.newArtifact(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT);
|
||||
if (associatedObjectArtifact != null) {
|
||||
associatedObjectArtifact.addAttribute(
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
|
||||
moduleName, webCacheArtifact.getArtifactID()));
|
||||
artifactsAdded.add(associatedObjectArtifact);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -41,6 +41,7 @@ import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.HashMap;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Optional;
|
||||
import org.apache.commons.io.FilenameUtils;
|
||||
import org.openide.util.NbBundle.Messages;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
@ -54,9 +55,12 @@ import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.OsAccount;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
@ -264,7 +268,7 @@ class Chromium extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(),
|
||||
(NetworkUtils.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS
|
||||
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
@ -390,29 +394,21 @@ class Chromium extends Extract {
|
||||
date = Long.valueOf(0);
|
||||
}
|
||||
String domain = NetworkUtils.extractDomain(url);
|
||||
try {
|
||||
BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
//TODO Revisit usage of deprecated constructor as per TSK-583
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), url));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), name));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), (date / 1000000) - Long.valueOf("11644473600")));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), browser));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
bbart.addAttributes(bbattributes);
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
//TODO Revisit usage of deprecated constructor as per TSK-583
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), url));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), name));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), (date / 1000000) - Long.valueOf("11644473600")));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), browser));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
|
||||
bbartifacts.add(bbart);
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS
|
||||
this.addErrorMessage(
|
||||
NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4",
|
||||
this.getName(), bookmarkFile.getName()));
|
||||
}
|
||||
bbartifacts.add(createDataArtifactWithAttributes(TSK_WEB_BOOKMARK, bookmarkFile, bbattributes));
|
||||
|
||||
}
|
||||
|
||||
if(!context.dataSourceIngestIsCancelled()) {
|
||||
@ -504,7 +500,7 @@ class Chromium extends Extract {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
@ -610,7 +606,7 @@ class Chromium extends Extract {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), browser));
|
||||
|
||||
BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
|
||||
BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
|
||||
if (webDownloadArtifact != null) {
|
||||
bbartifacts.add(webDownloadArtifact);
|
||||
|
||||
@ -618,7 +614,8 @@ class Chromium extends Extract {
|
||||
try {
|
||||
String normalizedFullPath = FilenameUtils.normalize(fullPath, true);
|
||||
for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(normalizedFullPath), FilenameUtils.getPath(normalizedFullPath))) {
|
||||
BlackboardArtifact associatedObjectArtifact = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT);
|
||||
BlackboardArtifact associatedObjectArtifact =
|
||||
downloadedFile.newArtifact(TSK_ASSOCIATED_OBJECT);
|
||||
associatedObjectArtifact.addAttribute(
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), webDownloadArtifact.getArtifactID()));
|
||||
@ -870,7 +867,7 @@ class Chromium extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), browser));
|
||||
|
||||
// Add an artifact
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, webDataFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, webDataFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
|
||||
@ -422,7 +422,7 @@ class DomainCategoryRunner extends Extract {
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HOST, moduleName, artHost.getHost()),
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, moduleName, domainCategory)
|
||||
);
|
||||
postArtifact(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_CATEGORIZATION, artHost.getAbstractFile(), bbattributes));
|
||||
postArtifact(createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_CATEGORIZATION, artHost.getAbstractFile(), bbattributes));
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@ -34,6 +34,7 @@ import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
import java.util.logging.Level;
|
||||
import org.openide.util.NbBundle.Messages;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
@ -49,6 +50,8 @@ import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.DataArtifact;
|
||||
import org.sleuthkit.datamodel.OsAccount;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskException;
|
||||
@ -132,6 +135,17 @@ abstract class Extract {
|
||||
return null;
|
||||
}
|
||||
|
||||
DataArtifact createDataArtifactWithAttributes(BlackboardArtifact.ARTIFACT_TYPE type, AbstractFile file, Collection<BlackboardAttribute> attributes) {
|
||||
try {
|
||||
Optional<OsAccount> optional = file.getOsAccount();
|
||||
DataArtifact bbart = file.newDataArtifact(new BlackboardArtifact.Type(type), attributes, optional.isPresent() ? optional.get() : null);
|
||||
return bbart;
|
||||
} catch (TskException ex) {
|
||||
logger.log(Level.WARNING, String.format("Error while trying to add an artifact (%s) for abstractFile %d", type.getDisplayName(), file.getId()), ex); //NON-NLS
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* Method to post a blackboard artifact to the blackboard.
|
||||
*
|
||||
|
||||
@ -53,6 +53,9 @@ import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
|
||||
import org.sleuthkit.autopsy.ingest.IngestJobContext;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
@ -628,14 +631,10 @@ final class ExtractEdge extends Extract {
|
||||
String accessTime = rowSplit[index].trim();
|
||||
Long ftime = parseTimestamp(accessTime);
|
||||
|
||||
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY);
|
||||
|
||||
bbart.addAttributes(createHistoryAttribute(url, ftime,
|
||||
return createDataArtifactWithAttributes(TSK_WEB_HISTORY, origFile, createHistoryAttribute(url, ftime,
|
||||
null, null,
|
||||
this.getName(),
|
||||
NetworkUtils.extractDomain(url), user));
|
||||
|
||||
return bbart;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -658,9 +657,7 @@ final class ExtractEdge extends Extract {
|
||||
String value = hexToChar(lineSplit[headers.indexOf(EDGE_HEAD_VALUE)].trim());
|
||||
String url = flipDomain(domain);
|
||||
|
||||
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE);
|
||||
bbart.addAttributes(createCookieAttributes(url, null, ftime, null, name, value, this.getName(), NetworkUtils.extractDomain(url)));
|
||||
return bbart;
|
||||
return createDataArtifactWithAttributes(TSK_WEB_COOKIE, origFile, createCookieAttributes(url, null, ftime, null, name, value, this.getName(), NetworkUtils.extractDomain(url)));
|
||||
}
|
||||
|
||||
/**
|
||||
@ -707,11 +704,9 @@ final class ExtractEdge extends Extract {
|
||||
if (url.isEmpty()) {
|
||||
return null;
|
||||
}
|
||||
|
||||
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
||||
bbart.addAttributes(createBookmarkAttributes(url, title, null,
|
||||
|
||||
return createDataArtifactWithAttributes(TSK_WEB_BOOKMARK, origFile, createBookmarkAttributes(url, title, null,
|
||||
this.getName(), NetworkUtils.extractDomain(url)));
|
||||
return bbart;
|
||||
}
|
||||
|
||||
|
||||
|
||||
@ -56,6 +56,7 @@ import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator;
|
||||
import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
|
||||
import org.sleuthkit.autopsy.ingest.IngestJobContext;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
@ -168,7 +169,7 @@ class ExtractIE extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
}
|
||||
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
@ -280,7 +281,7 @@ class ExtractIE extends Extract {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
}
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
@ -558,34 +559,28 @@ class ExtractIE extends Extract {
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), realurl));
|
||||
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), realurl));
|
||||
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
|
||||
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), ftime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), ""));
|
||||
// @@@ NOte that other browser modules are adding TITLE in hre for the title
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.moduleName.text")));
|
||||
if (domain != null && domain.isEmpty() == false) {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
}
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), user));
|
||||
bbart.addAttributes(bbattributes);
|
||||
|
||||
bbartifacts.add(bbart);
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard. Pasco results will be incomplete", ex); //NON-NLS
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), ftime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), ""));
|
||||
// @@@ NOte that other browser modules are adding TITLE in hre for the title
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractIE.moduleName.text")));
|
||||
if (domain != null && domain.isEmpty() == false) {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
}
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), user));
|
||||
|
||||
bbartifacts.add(createDataArtifactWithAttributes(TSK_WEB_HISTORY, origFile, bbattributes));
|
||||
}
|
||||
fileScanner.close();
|
||||
return bbartifacts;
|
||||
|
||||
@ -49,6 +49,10 @@ import org.sleuthkit.autopsy.ingest.IngestServices;
|
||||
import org.sleuthkit.autopsy.recentactivity.BinaryCookieReader.Cookie;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
@ -430,10 +434,12 @@ final class ExtractSafari extends Extract {
|
||||
String title = row.get(HEAD_TITLE).toString();
|
||||
Long time = (Double.valueOf(row.get(HEAD_TIME).toString())).longValue();
|
||||
|
||||
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY);
|
||||
bbart.addAttributes(createHistoryAttribute(url, time, null, title,
|
||||
this.getName(), NetworkUtils.extractDomain(url), null));
|
||||
bbartifacts.add(bbart);
|
||||
bbartifacts.add(
|
||||
createDataArtifactWithAttributes(
|
||||
TSK_WEB_HISTORY,
|
||||
origFile,
|
||||
createHistoryAttribute(url, time, null, title,
|
||||
this.getName(), NetworkUtils.extractDomain(url), null)));
|
||||
}
|
||||
|
||||
return bbartifacts;
|
||||
@ -564,10 +570,19 @@ final class ExtractSafari extends Extract {
|
||||
}
|
||||
|
||||
Cookie cookie = iter.next();
|
||||
|
||||
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE);
|
||||
bbart.addAttributes(createCookieAttributes(cookie.getURL(), cookie.getCreationDate(), null, cookie.getExpirationDate(), cookie.getName(), cookie.getValue(), this.getName(), NetworkUtils.extractDomain(cookie.getURL())));
|
||||
bbartifacts.add(bbart);
|
||||
|
||||
bbartifacts.add(
|
||||
createDataArtifactWithAttributes(
|
||||
TSK_WEB_COOKIE,
|
||||
origFile,
|
||||
createCookieAttributes(
|
||||
cookie.getURL(),
|
||||
cookie.getCreationDate(),
|
||||
null,
|
||||
cookie.getExpirationDate(),
|
||||
cookie.getName(), cookie.getValue(),
|
||||
this.getName(),
|
||||
NetworkUtils.extractDomain(cookie.getURL()))));
|
||||
}
|
||||
}
|
||||
|
||||
@ -615,9 +630,12 @@ final class ExtractSafari extends Extract {
|
||||
}
|
||||
|
||||
if (url != null || title != null) {
|
||||
BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
||||
bbart.addAttributes(createBookmarkAttributes(url, title, null, getName(), NetworkUtils.extractDomain(url)));
|
||||
bbartifacts.add(bbart);
|
||||
bbartifacts.add(createDataArtifactWithAttributes(TSK_WEB_BOOKMARK, origFile,
|
||||
createBookmarkAttributes(url,
|
||||
title,
|
||||
null,
|
||||
getName(),
|
||||
NetworkUtils.extractDomain(url))));
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -656,8 +674,7 @@ final class ExtractSafari extends Extract {
|
||||
time = date.getDate().getTime();
|
||||
}
|
||||
|
||||
BlackboardArtifact webDownloadArtifact = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
|
||||
webDownloadArtifact.addAttributes(this.createDownloadAttributes(path, pathID, url, time, NetworkUtils.extractDomain(url), getName()));
|
||||
BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(TSK_WEB_DOWNLOAD, origFile, createDownloadAttributes(path, pathID, url, time, NetworkUtils.extractDomain(url), getName()));
|
||||
bbartifacts.add(webDownloadArtifact);
|
||||
|
||||
// find the downloaded file and create a TSK_ASSOCIATED_OBJECT for it, associating it with the TSK_WEB_DOWNLOAD artifact.
|
||||
|
||||
@ -298,7 +298,7 @@ class ExtractWebAccountType extends Extract {
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ExtractWebAccountType.parentModuleName"), role.getUrl()));
|
||||
|
||||
artifactList.add(createArtifactWithAttributes(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_ACCOUNT_TYPE, file, bbattributes));
|
||||
artifactList.add(createDataArtifactWithAttributes(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_ACCOUNT_TYPE, file, bbattributes));
|
||||
}
|
||||
|
||||
if (!context.dataSourceIngestIsCancelled()) {
|
||||
|
||||
@ -247,7 +247,7 @@ final class ExtractZoneIdentifier extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(),
|
||||
zoneInfo.getZoneIdAsString()));
|
||||
}
|
||||
return createArtifactWithAttributes(TSK_WEB_DOWNLOAD, zoneFile, bbattributes);
|
||||
return createDataArtifactWithAttributes(TSK_WEB_DOWNLOAD, zoneFile, bbattributes);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -236,7 +236,7 @@ class Firefox extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS
|
||||
|
||||
}
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
@ -332,7 +332,7 @@ class Firefox extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS
|
||||
}
|
||||
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
@ -448,7 +448,7 @@ class Firefox extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain));
|
||||
}
|
||||
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
@ -575,7 +575,7 @@ class Firefox extends Extract {
|
||||
domain)); //NON-NLS
|
||||
}
|
||||
|
||||
BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
|
||||
BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
|
||||
if (webDownloadArtifact != null) {
|
||||
bbartifacts.add(webDownloadArtifact);
|
||||
|
||||
@ -717,7 +717,7 @@ class Firefox extends Extract {
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), domain)); //NON-NLS
|
||||
}
|
||||
|
||||
BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
|
||||
BlackboardArtifact webDownloadArtifact = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
|
||||
if (webDownloadArtifact != null) {
|
||||
bbartifacts.add(webDownloadArtifact);
|
||||
|
||||
@ -857,7 +857,7 @@ class Firefox extends Extract {
|
||||
|
||||
}
|
||||
// Add artifact
|
||||
BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, formHistoryFile, bbattributes);
|
||||
BlackboardArtifact bbart = createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, formHistoryFile, bbattributes);
|
||||
if (bbart != null) {
|
||||
bbartifacts.add(bbart);
|
||||
}
|
||||
|
||||
@ -382,7 +382,7 @@ class SearchEngineURLQueryAnalyzer extends Extract {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"SearchEngineURLQueryAnalyzer.parentModuleName"), last_accessed));
|
||||
postArtifact(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY, file, bbattributes));
|
||||
postArtifact(createDataArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY, file, bbattributes));
|
||||
++totalQueries;
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user