more error messages, remove test code, cleanup

Brian Carrier 2018-03-14 17:03:53 -04:00
parent 77f939b369
commit b51cfd3ecb
2 changed files with 145 additions and 121 deletions


@ -84,9 +84,17 @@ final class AddMemoryImageTask implements Runnable {
*/ */
progressMonitor.setIndeterminate(true); progressMonitor.setIndeterminate(true);
progressMonitor.setProgress(0); progressMonitor.setProgress(0);
List<Content> newDataSources = new ArrayList<>();
List<String> errorMessages = new ArrayList<>(); List<String> errorMessages = new ArrayList<>();
addImageToCase(newDataSources, errorMessages); Image dataSource = addImageToCase(errorMessages);
/* call Volatility to process the image */
if (dataSource != null) {
volatilityProcessor = new VolatilityProcessor(imageFilePath, PluginsToRun, dataSource, progressMonitor);
// @@@ run() needs a way to return if a critical eror occured.
volatilityProcessor.run();
List<String> volErrorMsgs = volatilityProcessor.getErrorMessages();
errorMessages.addAll(volErrorMsgs);
}
progressMonitor.setProgress(100); progressMonitor.setProgress(100);
@ -101,6 +109,9 @@ final class AddMemoryImageTask implements Runnable {
} else { } else {
result = DataSourceProcessorCallback.DataSourceProcessorResult.NO_ERRORS; result = DataSourceProcessorCallback.DataSourceProcessorResult.NO_ERRORS;
} }
List <Content> newDataSources = new ArrayList();
newDataSources.add(dataSource);
callback.done(result, errorMessages, newDataSources); callback.done(result, errorMessages, newDataSources);
criticalErrorOccurred = false; criticalErrorOccurred = false;
} }
@ -108,54 +119,45 @@ final class AddMemoryImageTask implements Runnable {
/** /**
* Attempts to add the input image to the case. * Attempts to add the input image to the case.
* *
* @param newDataSources If the image is added, a data source is added to
* this list for eventual return to the caller via the
* callback.
* @param errorMessages If there are any error messages, the error messages * @param errorMessages If there are any error messages, the error messages
* are added to this list for eventual return to the * are added to this list for eventual return to the
* caller via the callback. * caller via the callback.
* @returns Image that was added to DB or null on error
*/ */
@Messages({"AddMemoryImageTask.progress.add.text=Adding memory image: ", @Messages({"AddMemoryImageTask.progress.add.text=Adding memory image: ",
"AddMemoryImageTask.image.critical.error.adding=Critical error adding ", "AddMemoryImageTask.image.critical.error.adding=Critical error adding ",
"AddMemoryImageTask.for.device=for device ", "AddMemoryImageTask.for.device=for device ",
"AddMemoryImageTask.image.notExisting=is not existing.", "AddMemoryImageTask.image.notExisting=is not existing.",
"AddMemoryImageTask.image.noncritical.error.adding=Non-critical error adding "}) "AddMemoryImageTask.image.noncritical.error.adding=Non-critical error adding "})
private void addImageToCase(List<Content> dataSources, List<String> errorMessages) { private Image addImageToCase(List<String> errorMessages) {
progressMonitor.setProgressText(Bundle.AddMemoryImageTask_progress_add_text() + imageFilePath); progressMonitor.setProgressText(Bundle.AddMemoryImageTask_progress_add_text() + imageFilePath);
List<String> imageFilePaths = new ArrayList<>();
SleuthkitCase caseDatabase = Case.getCurrentCase().getSleuthkitCase(); SleuthkitCase caseDatabase = Case.getCurrentCase().getSleuthkitCase();
caseDatabase.acquireExclusiveLock(); caseDatabase.acquireExclusiveLock();
// verify it exists
File imageFile = Paths.get(imageFilePath).toFile(); File imageFile = Paths.get(imageFilePath).toFile();
if (!imageFile.exists()) { if (!imageFile.exists()) {
errorMessages.add(Bundle.AddMemoryImageTask_image_critical_error_adding() + imageFilePath + Bundle.AddMemoryImageTask_for_device() errorMessages.add(Bundle.AddMemoryImageTask_image_critical_error_adding() + imageFilePath + Bundle.AddMemoryImageTask_for_device()
+ deviceId + Bundle.AddMemoryImageTask_image_notExisting()); + deviceId + Bundle.AddMemoryImageTask_image_notExisting());
criticalErrorOccurred = true; criticalErrorOccurred = true;
return; return null;
} }
imageFilePaths.add(imageFilePath);
try { try {
/* // add it to the DB
* Get Image that will be added to case List<String> imageFilePaths = new ArrayList<>();
*/ imageFilePaths.add(imageFilePath);
Image dataSource = caseDatabase.addImageInfo(0, imageFilePaths, timeZone); //TODO: change hard coded deviceId. Image dataSource = caseDatabase.addImageInfo(0, imageFilePaths, timeZone); //TODO: change hard coded deviceId.
dataSources.add(dataSource); return dataSource;
if (isCancelled)
return;
/* call Volatility to process the image **/
volatilityProcessor = new VolatilityProcessor(imageFilePath, PluginsToRun, dataSource, progressMonitor);
volatilityProcessor.run();
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
errorMessages.add(Bundle.AddMemoryImageTask_image_critical_error_adding() + imageFilePaths + Bundle.AddMemoryImageTask_for_device() + deviceId + ":" + ex.getLocalizedMessage()); errorMessages.add(Bundle.AddMemoryImageTask_image_critical_error_adding() + imageFilePath + Bundle.AddMemoryImageTask_for_device() + deviceId + ":" + ex.getLocalizedMessage());
criticalErrorOccurred = true; criticalErrorOccurred = true;
return null;
} finally { } finally {
caseDatabase.releaseExclusiveLock(); caseDatabase.releaseExclusiveLock();
} }
} }
void cancelTask() { void cancelTask() {
if (volatilityProcessor != null) { if (volatilityProcessor != null) {
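Review bot: `newDataSources.add(dataSource)` in the second hunk runs even when `addImageToCase` returned null, so on the missing-file and `TskCoreException` paths the callback receives a list holding a null data source, where the old code left the list empty. Guard it with `if (dataSource != null) { newDataSources.add(dataSource); }`; the `new ArrayList()` on the line above is also a raw type and should be `new ArrayList<>()`. The `if (isCancelled) return;` check that used to sit between adding the image and starting Volatility has no counterpart on the new side, so a cancel issued while the image is being added appears to be ignored until the processor is already running; the lines between the hunks are not visible, so confirm this. In the Javadoc, `@returns` is not a recognised tag and should be `@return`.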


@ -37,37 +37,35 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import org.openide.modules.InstalledFileLocator; import org.openide.modules.InstalledFileLocator;
import org.openide.util.Exceptions; import org.openide.util.Exceptions;
import org.openide.util.Lookup;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.services.Blackboard; import org.sleuthkit.autopsy.casemodule.services.Blackboard;
import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor; import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor;
import org.sleuthkit.autopsy.coreutils.ExecUtil;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.coreutils.PlatformUtil;
import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
import org.sleuthkit.autopsy.keywordsearchservice.KeywordSearchService;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.Report;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM;
//@NbBundle.Messages({
// "VolatilityProcessor.PermissionsNotSufficient=Insufficient permissions accessing",
// "VolatilityProcessor.PermissionsNotSufficientSeeReference=See 'Shared Drive Authentication' in Autopsy help.",
// "# {0} - output directory name", "cannotCreateOutputDir.message=Unable to create output directory: {0}.",
// "unsupportedOS.message=PhotoRec module is supported on Windows platforms only.",
// "missingExecutable.message=Unable to locate PhotoRec executable.",
// "cannotRunExecutable.message=Unable to execute PhotoRec."
//})
/** /**
* *
*/ */
class VolatilityProcessor implements Runnable{ class VolatilityProcessor {
private static final String VOLATILITY_DIRECTORY = "Volatility"; //NON-NLS private static final String VOLATILITY_DIRECTORY = "Volatility"; //NON-NLS
private static final String VOLATILITY_EXECUTABLE = "volatility_2.6_win64_standalone.exe"; //NON-NLS private static final String VOLATILITY_EXECUTABLE = "volatility_2.6_win64_standalone.exe"; //NON-NLS
private final String memoryImagePath; private final String memoryImagePath;
private final List<String> PluginsToRun; private final List<String> pluginsToRun;
private final Image dataSource; private final Image dataSource;
private static final String SEP = System.getProperty("line.separator"); private static final String SEP = System.getProperty("line.separator");
private static final Logger logger = Logger.getLogger(VolatilityProcessor.class.getName()); private static final Logger logger = Logger.getLogger(VolatilityProcessor.class.getName());
@ -77,15 +75,15 @@ class VolatilityProcessor implements Runnable{
private final DataSourceProcessorProgressMonitor progressMonitor; private final DataSourceProcessorProgressMonitor progressMonitor;
private boolean isCancelled; private boolean isCancelled;
private FileManager fileManager; private FileManager fileManager;
private final List <String> errorMsgs = new ArrayList<>();
public VolatilityProcessor(String ImagePath, List<String> PlugInToRuns, Image dataSource, DataSourceProcessorProgressMonitor progressMonitor) { public VolatilityProcessor(String ImagePath, List<String> plugInToRuns, Image dataSource, DataSourceProcessorProgressMonitor progressMonitor) {
this.memoryImagePath = ImagePath; this.memoryImagePath = ImagePath;
this.PluginsToRun = PlugInToRuns; this.pluginsToRun = plugInToRuns;
this.dataSource = dataSource; this.dataSource = dataSource;
this.progressMonitor = progressMonitor; this.progressMonitor = progressMonitor;
} }
@Override
public void run() { public void run() {
Path execName = Paths.get(VOLATILITY_DIRECTORY, VOLATILITY_EXECUTABLE); Path execName = Paths.get(VOLATILITY_DIRECTORY, VOLATILITY_EXECUTABLE);
executableFile = locateExecutable(execName.toString()); executableFile = locateExecutable(execName.toString());
@ -97,27 +95,30 @@ class VolatilityProcessor implements Runnable{
fileManager = currentCase.getServices().getFileManager(); fileManager = currentCase.getServices().getFileManager();
// make a unique folder for this image // make a unique folder for this image
moduleOutputPath = currentCase.getModulesOutputDirAbsPath() + File.separator + "Volatility" + File.separator + "1"; // @@@ TESTING ONLY moduleOutputPath = currentCase.getModulesOutputDirAbsPath() + File.separator + "Volatility" + File.separator + dataSource.getId(); File directory = new File(String.valueOf(moduleOutputPath));
File directory = new File(String.valueOf(moduleOutputPath));
if(!directory.exists()){ if(!directory.exists()){
directory.mkdirs(); directory.mkdirs();
progressMonitor.setProgressText("Running imageinfo"); progressMonitor.setProgressText("Running imageinfo");
executeVolatility("imageinfo"); executeAndParseVolatility("imageinfo");
} }
progressMonitor.setIndeterminate(false); progressMonitor.setIndeterminate(false);
for (int i = 0; i < PluginsToRun.size(); i++) { for (int i = 0; i < pluginsToRun.size(); i++) {
if (isCancelled) if (isCancelled)
break; break;
String pluginToRun = PluginsToRun.get(i); String pluginToRun = pluginsToRun.get(i);
progressMonitor.setProgressText("Processing " + pluginToRun + " module"); progressMonitor.setProgressText("Processing " + pluginToRun + " module");
executeVolatility(pluginToRun); executeAndParseVolatility(pluginToRun);
progressMonitor.setProgress(i / PluginsToRun.size() * 100); progressMonitor.setProgress(i / pluginsToRun.size() * 100);
} }
// @@@ NEed to report back here if there were errors // @@@ NEed to report back here if there were errors
} }
List<String> getErrorMessages() {
return errorMsgs;
}
private void executeVolatility(String pluginToRun) { private void executeAndParseVolatility(String pluginToRun) {
try { try {
List<String> commandLine = new ArrayList<>(); List<String> commandLine = new ArrayList<>();
commandLine.add("\"" + executableFile + "\""); commandLine.add("\"" + executableFile + "\"");
@ -136,29 +137,36 @@ class VolatilityProcessor implements Runnable{
commandLine.add(pluginToRun); //NON-NLS commandLine.add(pluginToRun); //NON-NLS
String outputFile = moduleOutputPath + "\\" + pluginToRun + ".txt";
ProcessBuilder processBuilder = new ProcessBuilder(commandLine); ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
// Add environment variable to force Volatility to run with the same permissions Autopsy uses // Add environment variable to force Volatility to run with the same permissions Autopsy uses
processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS processBuilder.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS
processBuilder.redirectOutput(new File(moduleOutputPath + "\\" + pluginToRun + ".txt")); processBuilder.redirectOutput(new File(outputFile));
processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err")); processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err"));
processBuilder.directory(new File(memoryImage.getParent())); processBuilder.directory(new File(memoryImage.getParent()));
// @@@ TESTING ONLY int exitVal = ExecUtil.execute(processBuilder);
//int exitVal = ExecUtil.execute(processBuilder); if (exitVal != 0) {
//if (exitVal != 0) { logger.log(Level.SEVERE, "Volatility non-0 exit value for module: " + pluginToRun);
// logger.log(Level.SEVERE, "Volatility non-0 exit value for module: " + pluginToRun); return;
// return; }
//}
if (isCancelled) if (isCancelled)
return; return;
if (pluginToRun.matches("dlllist") || pluginToRun.matches("handles") || pluginToRun.matches("cmdline") || pluginToRun.matches("psxview") || final Case currentCase = Case.getCurrentCase();
pluginToRun.matches("pslist") || pluginToRun.matches("psscan") || pluginToRun.matches("pstree") || pluginToRun.matches("svcscan") ||
pluginToRun.matches("filescan") || pluginToRun.matches("shimcache")) { Report report = currentCase.getSleuthkitCase().addReport(outputFile, "Volatility", "Volatility " + pluginToRun + " Module", dataSource);
scanOutputFile(pluginToRun, new File(moduleOutputPath + "\\" + pluginToRun + ".txt")); KeywordSearchService searchService = Lookup.getDefault().lookup(KeywordSearchService.class);
} if (null == searchService) {
} catch (Exception ex) { logger.log(Level.WARNING, "Keyword search service not found. Report will not be indexed");
} else {
searchService.index(report);
}
scanOutputFile(pluginToRun, new File(outputFile));
} catch (IOException | SecurityException | TskCoreException ex) {
logger.log(Level.SEVERE, "Unable to run Volatility", ex); //NON-NLS logger.log(Level.SEVERE, "Unable to run Volatility", ex); //NON-NLS
//this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName())); //this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
} }
@ -190,24 +198,30 @@ class VolatilityProcessor implements Runnable{
} }
private String parseImageInfoOutput(File imageOutputFile) throws FileNotFoundException { private String parseImageInfoOutput(File imageOutputFile) throws FileNotFoundException {
// create a Buffered Reader object instance with a FileReader // create a Buffered Reader object instance with a FileReader
try ( try (
BufferedReader br = new BufferedReader(new FileReader(imageOutputFile))) { BufferedReader br = new BufferedReader(new FileReader(imageOutputFile))) {
// read the first line from the text file // read the first line from the text file
String fileRead = br.readLine(); String fileRead = br.readLine();
br.close(); br.close();
String[] profileLine = fileRead.split(":"); String[] profileLine = fileRead.split(":");
String[] memProfile = profileLine[1].split(",|\\("); String[] memProfile = profileLine[1].split(",|\\(");
return memProfile[0].replaceAll("\\s+",""); return memProfile[0].replaceAll("\\s+","");
} catch (IOException ex) { } catch (IOException ex) {
Exceptions.printStackTrace(ex); Exceptions.printStackTrace(ex);
// @@@ Need to log this or rethrow it // @@@ Need to log this or rethrow it
} }
return null; return null;
} }
private void lookupFiles(Set<String> fileSet, String pluginName) { /**
* Lookup the set of files and add INTERESTING_ITEM artifacts for them.
*
* @param fileSet
* @param pluginName
*/
private void flagFiles(Set<String> fileSet, String pluginName) {
Blackboard blackboard; Blackboard blackboard;
try { try {
@ -239,23 +253,33 @@ class VolatilityProcessor implements Runnable{
String filePath = volfile.getParent(); String filePath = volfile.getParent();
try { try {
List<AbstractFile> resolvedFiles; List<AbstractFile> resolvedFiles;
if (filePath == null) { if (filePath == null) {
resolvedFiles = fileManager.findFiles(fileName); //NON-NLS resolvedFiles = fileManager.findFiles(fileName); //NON-NLS
} else { } else {
// File changed the slashes back to \ on us...
filePath = filePath.replaceAll("\\\\", "/");
resolvedFiles = fileManager.findFiles(fileName, filePath); //NON-NLS resolvedFiles = fileManager.findFiles(fileName, filePath); //NON-NLS
} }
if (resolvedFiles.isEmpty()) {
logger.log(Level.SEVERE, "File not found in lookup: " + filePath + "/" + fileName);
errorMsgs.add("File not found in lookup: " + filePath + "/" + fileName);
continue;
}
resolvedFiles.forEach((resolvedFile) -> { resolvedFiles.forEach((resolvedFile) -> {
if (resolvedFile.getType() == TSK_DB_FILES_TYPE_ENUM.SLACK) {
return; // equivalent to continue in non-lambda world
}
try { try {
String MODULE_NAME = "VOLATILITY"; String MODULE_NAME = "Volatility";
BlackboardArtifact volArtifact = resolvedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); BlackboardArtifact volArtifact = resolvedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
BlackboardAttribute att1 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, BlackboardAttribute att1 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
"Volatility Plugin " + pluginName); "Volatility Plugin " + pluginName);
BlackboardAttribute att2 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
"Volatility Plugin " + pluginName);
volArtifact.addAttribute(att1); volArtifact.addAttribute(att1);
volArtifact.addAttribute(att2);
try { try {
// index the artifact for keyword search // index the artifact for keyword search
@ -274,7 +298,7 @@ class VolatilityProcessor implements Runnable{
}); });
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
//String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles"); //String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
logger.log(Level.SEVERE, "Error in Finding FIles", ex); logger.log(Level.SEVERE, "Error in Finding Files", ex);
return; return;
} }
} }
@ -282,43 +306,38 @@ class VolatilityProcessor implements Runnable{
private void scanOutputFile(String pluginName, File PluginOutput) { private void scanOutputFile(String pluginName, File PluginOutput) {
try { if (pluginName.matches("dlllist")) {
if (pluginName.matches("dlllist")) { Set<String> fileSet = parse_DllList(PluginOutput);
Set<String> fileSet = parse_DllList(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("handles")) {
} else if (pluginName.matches("handles")) { Set<String> fileSet = parseHandles(PluginOutput);
Set<String> fileSet = Parse_Handles(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("cmdline")) {
} else if (pluginName.matches("cmdline")) { Set<String> fileSet = parse_Cmdline(PluginOutput);
Set<String> fileSet = parse_Cmdline(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("psxview")){
} else if (pluginName.matches("psxview")){ Set<String> fileSet = parse_Psxview(PluginOutput);
Set<String> fileSet = Parse_Psxview(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("pslist")) {
} else if (pluginName.matches("pslist")) { Set<String> fileSet = parse_Pslist(PluginOutput);
Set<String> fileSet = Parse_Pslist(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("psscan")) {
} else if (pluginName.matches("psscan")) { Set<String> fileSet = parse_Psscan(PluginOutput);
Set<String> fileSet = Parse_Psscan(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("pstree")) {
} else if (pluginName.matches("pstree")) { Set<String> fileSet = parse_Pstree(PluginOutput);
Set<String> fileSet = Parse_Pstree(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("svcscan")) {
} else if (pluginName.matches("svcscan")) { Set<String> fileSet = parse_Svcscan(PluginOutput);
Set<String> fileSet = Parse_Svcscan(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); } else if (pluginName.matches("filescan")) {
} else if (pluginName.matches("filescan")) { // BC: Commented out. Too many hits to flag
// BC: Commented out. Too many hits to flag //Set<String> fileSet = Parse_Filescan(PluginOutput);
//Set<String> fileSet = Parse_Filescan(PluginOutput); //lookupFiles(fileSet, pluginName);
//lookupFiles(fileSet, pluginName); } else if (pluginName.matches("shimcache")) {
} else { Set<String> fileSet = parse_Shimcache(PluginOutput);
Set<String> fileSet = Parse_Shimcache(PluginOutput); flagFiles(fileSet, pluginName);
lookupFiles(fileSet, pluginName); }
}
} catch (Exception ex) {
logger.log(Level.SEVERE, "Unable to parse files " + PluginOutput, ex); //NON-NLS
//this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
}
} }
private String normalizePath(String filePath) { private String normalizePath(String filePath) {
@ -338,11 +357,14 @@ class VolatilityProcessor implements Runnable{
filePath = filePath.replaceAll("/systemroot/", "/windows/"); filePath = filePath.replaceAll("/systemroot/", "/windows/");
filePath = filePath.replaceAll("device/",""); filePath = filePath.replaceAll("device/","");
filePath = filePath.replaceAll("harddiskvolume[0-9]/", ""); filePath = filePath.replaceAll("harddiskvolume[0-9]/", "");
// no point returning these. We won't map to them
if (filePath.startsWith("/namedpipe/"))
return "";
return filePath; return filePath;
} }
private Set<String> Parse_Handles(File PluginFile) { private Set<String> parseHandles(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
@ -425,7 +447,7 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Filescan(File PluginFile) { private Set<String> parse_Filescan(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
@ -488,7 +510,7 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Shimcache(File PluginFile) { private Set<String> parse_Shimcache(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
@ -518,7 +540,7 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Psscan(File PluginFile) { private Set<String> parse_Psscan(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
@ -545,7 +567,7 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Pslist(File PluginFile) { private Set<String> parse_Pslist(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
@ -572,7 +594,7 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Psxview(File PluginFile) { private Set<String> parse_Psxview(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
@ -599,7 +621,7 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Pstree(File PluginFile) { private Set<String> parse_Pstree(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
@ -626,7 +648,7 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Svcscan(File PluginFile) { private Set<String> parse_Svcscan(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
try { try {
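Review bot: In `executeAndParseVolatility` (hunk at -136,29 +137,36) the non-zero exit branch and the `catch (IOException | SecurityException | TskCoreException ex)` block only write to the log, so a plugin that failed to run never reaches the new `errorMsgs` list that `AddMemoryImageTask` collects through `getErrorMessages()`. For a forensic ingest this means the examiner may be shown a result without errors for a memory image whose plugin output is missing or partial. Record the failure before returning, e.g. `errorMsgs.add("Volatility non-0 exit value for module: " + pluginToRun);`, and add an equivalent message in the catch block. Separately, `i / pluginsToRun.size() * 100` in `run()` is integer division and stays at 0 on every iteration; `i * 100 / pluginsToRun.size()` gives the intended percentage. The body of `executeAndParseVolatility` starts and ends outside the hunk.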