Merge pull request #17 from aebadirad42six/master

bug fixes and moving regripper

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java

@@ -143,7 +143,7 @@ public class Chrome {
                       Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
                      bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host")));
                      bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",temprs.getString("access_utc")));
-                     bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(),"RecentActivity", "",temprs.getString("value")));
+                     bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value")));
                      bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "No name")));
                      bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
                      bbart.addAttributes(bbattributes);

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java

@@ -19,6 +19,7 @@ import java.util.logging.Logger;
 import org.jdom.Document;
 import org.jdom.Element;
 import org.jdom.input.SAXBuilder;
+import org.openide.modules.InstalledFileLocator;
 import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.datamodel.ContentUtils;
 import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@@ -39,8 +40,24 @@ import org.sleuthkit.datamodel.SleuthkitCase;
 public class ExtractRegistry {
 
       public Logger logger = Logger.getLogger(this.getClass().getName());
+     private String RR_PATH;
+     boolean rrFound = false;
      
     ExtractRegistry(){
+        final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false);
+         if (rrRoot == null) {
+             logger.log(Level.SEVERE, "RegRipper not found");
+             rrFound = false;
+             return;
+         }
+         else {
+             rrFound = true;
+         }
+         
+        final String rrHome = rrRoot.getAbsolutePath();
+        logger.log(Level.INFO, "RegRipper home: " + rrHome);
+             
+        RR_PATH  = rrHome + File.separator + "rip.exe";
     }
     
     
@@ -113,9 +130,6 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
 
        try
        {
-           String rrpath = System.getProperty("user.dir");
-                rrpath = rrpath.substring(0, rrpath.length()-14);
-                rrpath = rrpath + "thirdparty\\rr\\";
                 
             if(regFilePath.toLowerCase().contains("system"))
                 {
@@ -142,7 +156,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
                     type = "security";
                 }
 
-                String command = rrpath + "rip.exe -r " + regFilePath +" -f " + type + "> " + txtPath;
+                String command = RR_PATH + " -r " + regFilePath +" -f " + type + "> " + txtPath;
                 JavaSystemCaller.Exec.execute(command);
                
 

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java

@@ -167,7 +167,7 @@ public class Firefox {
                       Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
                       bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host")));
                       bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getString("lastAccessed")));
-                      bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID(), "RecentActivity", "", temprs.getString("value")));
+                      bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
                       bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "No name")));
                       bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
                        bbart.addAttributes(bbattributes);

Report/src/org/sleuthkit/autopsy/report/reportAction.java

@@ -9,12 +9,12 @@ import java.awt.Dimension;
 import java.awt.Toolkit;
 import java.awt.event.ActionEvent;
 import java.awt.event.ActionListener;
-import java.util.List;
+import java.beans.PropertyChangeEvent;
-import java.util.logging.Level;
+import java.beans.PropertyChangeListener;
+import java.io.File;
 import javax.swing.JButton;
 import javax.swing.JDialog;
 import javax.swing.JFrame;
-import javax.swing.SwingWorker;
 import org.openide.awt.ActionRegistration;
 import org.openide.awt.ActionReference;
 import org.openide.awt.ActionReferences;
@@ -23,7 +23,10 @@ import org.openide.util.HelpCtx;
 import org.openide.util.NbBundle.Messages;
 import org.openide.util.actions.CallableSystemAction;
 import org.openide.util.actions.Presenter;
+import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.coreutils.Log;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 @ActionID(category = "Tools",
 id = "org.sleuthkit.autopsy.report.reportAction")
@@ -35,9 +38,50 @@ id = "org.sleuthkit.autopsy.report.reportAction")
 public final class reportAction extends CallableSystemAction implements Presenter.Toolbar{
     
     private JButton toolbarButton = new JButton();
-    private static final String ACTION_NAME = "Report Filter";
+    private static final String ACTION_NAME = "Report";
+     Logger logger = Logger.getLogger(reportAction.class.getName());
     
     public reportAction() {
+        setEnabled(false);
+        Case.addPropertyChangeListener(new PropertyChangeListener() {
+
+            @Override
+            public void propertyChange(PropertyChangeEvent evt) {
+                if(evt.getPropertyName().equals(Case.CASE_CURRENT_CASE)){
+                    setEnabled(evt.getNewValue() != null);
+                }
+            }
+            
+        });
+        //attempt to create a report folder if a case is active
+        Case.addPropertyChangeListener(new PropertyChangeListener () {
+
+        @Override
+        public void propertyChange(PropertyChangeEvent evt) {
+            String changed = evt.getPropertyName();
+
+            //case has been changed
+            if (changed.equals(Case.CASE_CURRENT_CASE)) {
+            Case newCase = (Case)evt.getNewValue();
+
+                if (newCase != null) {
+                    boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists();
+                    if (exists) {
+                        // report directory exists -- don't need to do anything
+                        
+                    } else {
+                        // report directory does not exist -- create it
+                        boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs();
+                        if(!reportCreate){
+                            logger.log(Level.WARNING, "Could not create Reports directory for case. It does not exist.");
+                        }
+                    }
+                } 
+            }
+        }
+
+});
+        
         // set action of the toolbar button
         toolbarButton.addActionListener(new ActionListener() {
 

thirdparty/rr/plugins/autopsysoftware

@@ -2,4 +2,5 @@
 
 #-------------------------------------
 # SOFTWARE
+autopsywinver
 autopsyuninstall

thirdparty/rr/plugins/autopsyuninstall.pl

@@ -50,7 +50,9 @@ sub pluginmain {
 		#::rptMsg("Uninstall");
 		#::rptMsg($key_path);
 		#::rptMsg("");
-		
+		::rptMsg("<uninstall>");
+		::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
+		::rptMsg("<artifacts>");
 		my %uninst;
 		my @subkeys = $key->get_list_of_subkeys();
 	 	if (scalar(@subkeys) > 0) {
@@ -71,11 +73,11 @@ sub pluginmain {
 	 			push(@{$uninst{$lastwrite}},$display);
 	 		}
 	 		foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
-				::rptMsg(gmtime($t)." (UTC)");
+				::rptMsg("<item name=\"". gmtime($t).">");
 				foreach my $item (@{$uninst{$t}}) {
-					::rptMsg("\t$item");
+					::rptMsg($item."</item>");
 				}
-				::rptMsg("");
+				#::rptMsg("");
 			}
 	 	}
 	 	else {
@@ -85,5 +87,6 @@ sub pluginmain {
 	else {
 		#::rptMsg($key_path." not found.");
 	}
+	::rptMsg("</artifacts></uninstall>");
 }
 1;

thirdparty/rr/plugins/autopsywinver.pl

@@ -0,0 +1,109 @@
+#-----------------------------------------------------------
+# winver.pl
+#
+# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package autopsywinver;
+use strict;
+
+my %config = (hive          => "Software",
+              osmask        => 22,
+              hasShortDescr => 1,
+              hasDescr      => 0,
+              hasRefs       => 0,
+              version       => 20081210);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+	return "Get Windows version";	
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+
+sub pluginmain {
+	my $class = shift;
+	my $hive = shift;
+	#::logMsg("Launching winver v.".$VERSION);
+	my $reg = Parse::Win32Registry->new($hive);
+	my $root_key = $reg->get_root_key;
+		::rptMsg("<WinVersion>");
+		::rptMsg("<time>Not Available</time>");
+		::rptMsg("<artifacts>");
+	my $key_path = "Microsoft\\Windows NT\\CurrentVersion";
+	my $key;
+	if ($key = $root_key->get_subkey($key_path)) {
+#		::rptMsg("{name}");
+#		::rptMsg($key_path);
+#		::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
+		
+		my $prod;
+		eval {
+			$prod = $key->get_value("ProductName")->get_data();
+		};
+		if ($@) {
+#			::rptMsg("ProductName value not found.");
+		}
+		else {
+			::rptMsg("<winver name=\"ProductName\">".$prod ."</winver>");
+		}
+		
+		my $csd;
+		eval {
+			$csd = $key->get_value("CSDVersion")->get_data();
+		};
+		if ($@) {
+#			::rptMsg("CSDVersion value not found.");
+		}
+		else {
+			::rptMsg("<winver name=\"CSDVersion\">".$csd."</winver>");
+		}
+		
+		
+		my $build;
+		eval {
+			$build = $key->get_value("BuildName")->get_data();
+		};
+		if ($@) {
+#			::rptMsg("BuildName value not found.");
+		}
+		else {
+			::rptMsg("<winver name=\"BuildName\">".$build."</winver>");
+		}
+		
+		my $buildex;
+		eval {
+			$buildex = $key->get_value("BuildNameEx")->get_data();
+		};
+		if ($@) {
+#			::rptMsg("BuildName value not found.");
+		}
+		else {
+			::rptMsg("<winver name=\"BuildNameEx\">".$buildex."</winver>");
+		}
+		
+		
+		my $install;
+		eval {
+			$install = $key->get_value("InstallDate")->get_data();
+		};
+		if ($@) {
+#			::rptMsg("InstallDate value not found.");
+		}
+		else {
+			::rptMsg("<winver name=\"InstallDate\">".gmtime($install)."</winver>");
+		}
+		
+		
+	}
+	else {
+		#::rptMsg($key_path." not found.");
+		#::logMsg($key_path." not found.");
+	}
+	::rptMsg("</artifacts></shellfolders>");
+}
+1;