From 885369982448bbe36eeb9a2185734241bab3887a Mon Sep 17 00:00:00 2001
From: Kelly Kelly
Date: Fri, 12 Jul 2019 10:18:51 -0400
Subject: [PATCH 1/3] Inital code for adding new web event types

---
 .../autopsy/modules/exif/Bundle.properties-MERGED | 2 +-
 .../autopsy/timeline/images/artifact-icon.png | Bin 0 -> 697 bytes
 .../autopsy/timeline/ui/EventTypeUtils.java | 6 +++++-
 .../recentactivity/Bundle.properties-MERGED | 3 +--
 .../autopsy/recentactivity/ExtractRegistry.java | 9 +++------
 5 files changed, 10 insertions(+), 10 deletions(-)
 create mode 100755 Core/src/org/sleuthkit/autopsy/timeline/images/artifact-icon.png

diff --git a/Core/src/org/sleuthkit/autopsy/modules/exif/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/modules/exif/Bundle.properties-MERGED
index 9905159d99..5971ab0d82 100755
--- a/Core/src/org/sleuthkit/autopsy/modules/exif/Bundle.properties-MERGED
+++ b/Core/src/org/sleuthkit/autopsy/modules/exif/Bundle.properties-MERGED
@@ -1,5 +1,5 @@
 CannotRunFileTypeDetection=Cannot run file type detection.
-ExifParserFileIngestModule.indexError.message=Failed to index EXIF Metadata artifact for keyword search.
+ExifParserFileIngestModule.indexError.message=Failed to post EXIF Metadata artifact(s).
 OpenIDE-Module-Display-Category=Ingest Module
 OpenIDE-Module-Long-Description=\
 Exif metadata ingest module. \n\n\
diff --git a/Core/src/org/sleuthkit/autopsy/timeline/images/artifact-icon.png b/Core/src/org/sleuthkit/autopsy/timeline/images/artifact-icon.png
new file mode 100755
index 0000000000000000000000000000000000000000..5b0c461f5c3e4e50bf0c345370441bcaaf4f628b
GIT binary patch
literal 697
zcmV;q0!ICbP)@BfGrbE+!@xCMG7v z|AO3XM|by^+uzu|=08pYVip{<77!AO{qgPFs!v~ke*4SHeUyobnGp#7GchtOI5ndt z<=&yq*bPu}3Su;jE86qr#~%kC4mJiZ4vwE6zy0K3Vq|7uW@g&_vt|1&THZDjzu8;Y43csSVK2yrqcUpu&c`=QA-e=rQ-kyT}MteM*O?(>f_ zkcSx=nHZsl0G-bCALxQJob0TBgm}57m>K^U%?>eIk79sESQeXvh5P-lKYvRAH8U_V zLTqPd0<(|3y>iTnnTeT2%)oXhD>KvDZJACJQ4DbGSQhy1`@b~|j7&cm{`^e%{`B5; zekCniCRX+uhQGfn&b6m6`Tga?e+D!FH^97Q>Ech{e?_t|GaY)rZ>7tVBisIQh)Of6 zCDl1{aBy&*@6Frx`^!h%2B>6r8?*2UR&jH%EBrjM$>hrR)&GUe-5DjF!&2pCBx6~A zeQ#i8_{)Cv+j!> zpRb>hzq7pmGr^Py0y5zR52 zqZp8x{QvLoB{w_M9}$%oz%B^OXW>!SlLNXy66gXJpbMVfXivUFv;n{{-~on#1SmbQ zv9dD!`}gnfx0`1l+*vUJyB9Pn<}kCeFtJ>2N%{#B)2^Jut|%wN%>Mi9AI9H57_OW= f`uoPJX>bDo^qb`ob(6FR00000NkvXXu0mjf|Djc;

literal 0
HcmV?d00001

diff --git a/Core/src/org/sleuthkit/autopsy/timeline/ui/EventTypeUtils.java b/Core/src/org/sleuthkit/autopsy/timeline/ui/EventTypeUtils.java
index 379cf6b5ad..5c935916e3 100755
--- a/Core/src/org/sleuthkit/autopsy/timeline/ui/EventTypeUtils.java
+++ b/Core/src/org/sleuthkit/autopsy/timeline/ui/EventTypeUtils.java
@@ -91,7 +91,11 @@ final public class EventTypeUtils {
 imageFileName = "raw_access_logs.png";
 } else if (typeID == EventType.USER_CREATED.getTypeID()) {
 imageFileName = "hand_point.png";
- } else {
+ } else if (typeID == EventType.WEB_FORM_AUTOFILL.getTypeID()) {
+ imageFileName = "artifact-icon.png";
+ } else if (typeID == EventType.WEB_FORM_ADDRESSES.getTypeID()) {
+ imageFileName = "artifact-icon.png";
+ }else {
 imageFileName = "timeline_marker.png";
 }

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
index 6137de4747..5e11018086 100755
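Review bot: The two new branches in the EventTypeUtils hunk assign the same icon, so they read better as a single condition, and the closing `}else {` is missing the space every other branch has. Replace the five added lines with `} else if (typeID == EventType.WEB_FORM_AUTOFILL.getTypeID() || typeID == EventType.WEB_FORM_ADDRESSES.getTypeID()) {`, `imageFileName = "artifact-icon.png";`, `} else {`. The series diffstat shows no change to EventType, so WEB_FORM_AUTOFILL and WEB_FORM_ADDRESSES must already be declared there for this to compile; worth confirming, since the subject says the event types are being added here. The enclosing method starts and ends outside the hunk.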
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
@@ -1,7 +1,6 @@
 cannotBuildXmlParser=Unable to build XML parser:
 cannotLoadSEUQA=Unable to load Search Engine URL Query Analyzer settings file, SEUQAMappings.xml:
 cannotParseXml=Unable to parse XML file:
-Chrome.getBookmark.errMsg.errAnalyzeFile={0}: Error while trying to analyze file: {1}
 ChromeCacheExtractor.moduleName=ChromeCacheExtractor
 # {0} - module name
 # {1} - row number
@@ -65,7 +64,7 @@ ExtractZone_progress_Msg=Extracting :Zone.Identifer files
 ExtractZone_Restricted=Restricted Sites Zone
 ExtractZone_Trusted=Trusted Sites Zone
 OpenIDE-Module-Display-Category=Ingest Module
-OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\nThe module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web activity (sites visited, stored cookies, book marked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy.
+OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\n\The module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web activity (sites visited, stored cookies, book marked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy.
 OpenIDE-Module-Name=RecentActivity
 OpenIDE-Module-Short-Description=Recent Activity finder ingest module
 Chrome.moduleName=Chrome
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index d2e866404f..63ac3b6ee6 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -818,12 +818,9 @@ class ExtractRegistry extends Extract {
 break;
 }
 } // for
- if (!usbBBartifacts.isEmpty()) {
- IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, usbBBartifacts));
- }
- if (!wifiBBartifacts.isEmpty()) {
- IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_WIFI_NETWORK, wifiBBartifacts));
- }
+
+ postArtifacts(usbBBartifacts);
+ postArtifacts(wifiBBartifacts);
 return true;
 } catch (FileNotFoundException ex) {
 logger.log(Level.SEVERE, "Error finding the registry file.", ex); //NON-NLS

From a30b1b51f6de0ea9e1178d5ef0f65c1182f2ad28 Mon Sep 17 00:00:00 2001
From: Kelly Kelly
Date: Fri, 12 Jul 2019 13:42:34 -0400
Subject: [PATCH 2/3] added missing postArtifact calls for Safari and moved call in chrome

---
 .../autopsy/recentactivity/Chrome.java | 3 +-
 .../autopsy/recentactivity/ExtractSafari.java | 31 ++++---------------
 2 files changed, 7 insertions(+), 27 deletions(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
index 64cef67fd2..7d21ea94e5 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
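Review bot: The new `postArtifacts(usbBBartifacts);` and `postArtifacts(wifiBBartifacts);` lines drop the `isEmpty()` guards that wrapped the module-data events, so an empty collection now reaches the helper; that is only equivalent if Extract.postArtifacts tolerates an empty collection, which this patch does not show. The same guard is dropped in the four ExtractSafari hunks of the second commit (history, bookmarks, downloads, cookies). If the helper handles it, a comment such as `// postArtifacts tolerates an empty collection, so no isEmpty() guard is needed` at the first call would spare the next reader the same check; otherwise the guards should come back. The enclosing try block starts outside the hunk.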
@@ -364,8 +364,6 @@ class Chrome extends Extract {
 RecentActivityExtracterModuleFactory.getModuleName(), domain));
 bbart.addAttributes(bbattributes);

- // index the artifact for keyword search
- postArtifact(bbart);
 bbartifacts.add(bbart);
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS
@@ -374,6 +372,7 @@ class Chrome extends Extract {
 this.getName(), bookmarkFile.getName()));
 }
 }
+ postArtifact(bbartifacts);
 dbFile.delete();
 }
 }
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
index 164bbe1391..77eb2b2dbe 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
@@ -291,12 +291,7 @@ final class ExtractSafari extends Extract {
 }

 try {
- Collection bbartifacts = getHistoryArtifacts(historyFile, tempHistoryFile.toPath(), context);
- if (!bbartifacts.isEmpty()) {
- services.fireModuleDataEvent(new ModuleDataEvent(
- RecentActivityExtracterModuleFactory.getModuleName(),
- BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
- }
+ postArtifact(getHistoryArtifacts(historyFile, tempHistoryFile.toPath(), context));
 } finally {
 tempHistoryFile.delete();
 }
@@ -323,12 +318,7 @@ final class ExtractSafari extends Extract {
 File tempFile = createTemporaryFile(context, file);

 try {
- Collection bbartifacts = getBookmarkArtifacts(file, tempFile, context);
- if (!bbartifacts.isEmpty()) {
- services.fireModuleDataEvent(new ModuleDataEvent(
- RecentActivityExtracterModuleFactory.getModuleName(),
- BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));
- }
+ postArtifact( getBookmarkArtifacts(file, tempFile, context));
 } finally {
 tempFile.delete();
 }
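Review bot: Moving the post out of the per-bookmark block (removed in the 364 hunk, re-added after the closing braces in the 372 hunk) opens a window the old code did not have: only TskCoreException is caught inside the block, so if any other exception escapes what appears to be the bookmark loop, artifacts already created on the blackboard are never posted, whereas before each one was posted as soon as it was created. If that trade-off is intended, the removed comment should be replaced by one that says so, e.g. `// post all bookmark artifacts as one batch once the whole file has been processed`, so the timing change reads as deliberate. The enclosing method starts outside both hunks.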
@@ -356,12 +346,8 @@ final class ExtractSafari extends Extract {
 File tempFile = createTemporaryFile(context, file);

 try {
- Collection bbartifacts = getDownloadArtifacts(dataSource, file, tempFile);
- if (!bbartifacts.isEmpty()) {
- services.fireModuleDataEvent(new ModuleDataEvent(
- RecentActivityExtracterModuleFactory.getModuleName(),
- BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts));
- }
+ postArtifacts(getDownloadArtifacts(dataSource, file, tempFile));
+
 } finally {
 if (tempFile != null) {
 tempFile.delete();
@@ -389,13 +375,8 @@ final class ExtractSafari extends Extract {

 try {
 tempFile = createTemporaryFile(context, file);
- Collection bbartifacts = getCookieArtifacts(file, tempFile, context);
-
- if (!bbartifacts.isEmpty()) {
- services.fireModuleDataEvent(new ModuleDataEvent(
- RecentActivityExtracterModuleFactory.getModuleName(),
- BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));
- }
+ postArtifacts(getCookieArtifacts(file, tempFile, context));
+
 } finally {
 if (tempFile != null) {
 tempFile.delete();

From 2caa0b554c4d5d77fe8e9cd669b0e4184dfd51c9 Mon Sep 17 00:00:00 2001
From: Kelly Kelly
Date: Tue, 16 Jul 2019 07:45:02 -0400
Subject: [PATCH 3/3] changed postArtifact to postArtifacts

---
 .../src/org/sleuthkit/autopsy/recentactivity/Chrome.java | 2 +-
 .../org/sleuthkit/autopsy/recentactivity/ExtractSafari.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
index 7d21ea94e5..f75132c610 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
@@ -372,7 +372,7 @@ class Chrome extends Extract {
 this.getName(), bookmarkFile.getName()));
 }
 }
- postArtifact(bbartifacts);
+ postArtifacts(bbartifacts);
 dbFile.delete();
 }
 }
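Review bot: The bare `+` line added right after `postArtifacts(getDownloadArtifacts(dataSource, file, tempFile));` leaves a stray empty line between the call and `} finally {`, and the cookie hunk at 389 adds the same one after its postArtifacts call. The history and bookmark hunks in this commit do not, so the two blank lines should be dropped to keep the four try/finally blocks the same shape. The enclosing methods start and end outside the hunks.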
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
index 77eb2b2dbe..704826047f 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractSafari.java
@@ -291,7 +291,7 @@ final class ExtractSafari extends Extract {
 }

 try {
- postArtifact(getHistoryArtifacts(historyFile, tempHistoryFile.toPath(), context));
+ postArtifacts(getHistoryArtifacts(historyFile, tempHistoryFile.toPath(), context));
 } finally {
 tempHistoryFile.delete();
 }
@@ -318,7 +318,7 @@ final class ExtractSafari extends Extract {
 File tempFile = createTemporaryFile(context, file);

 try {
- postArtifact( getBookmarkArtifacts(file, tempFile, context));
+ postArtifacts(getBookmarkArtifacts(file, tempFile, context));
 } finally {
 tempFile.delete();
 }