From d276f54077fa49af0f878f29c58dbc1d35c558d9 Mon Sep 17 00:00:00 2001 From: Eamonn Saunders Date: Tue, 14 Oct 2014 13:18:12 -0400 Subject: [PATCH 1/2] Added a new RegRipper plugin to determine processor architecture and modified ExtractRegistry.java to create a new TSK_OS_INFO artifact with a single TSK_PROCESSOR_ARCHITECTURE attribute. --- .../rr/plugins/autopsyprocarchitecture.pl | 62 +++++ .../release/rr/plugins/autopsysystem | 1 + .../recentactivity/ExtractRegistry.java | 235 +++++++++--------- 3 files changed, 178 insertions(+), 120 deletions(-) create mode 100644 RecentActivity/release/rr/plugins/autopsyprocarchitecture.pl diff --git a/RecentActivity/release/rr/plugins/autopsyprocarchitecture.pl b/RecentActivity/release/rr/plugins/autopsyprocarchitecture.pl new file mode 100644 index 0000000000..a03a53f470 --- /dev/null +++ b/RecentActivity/release/rr/plugins/autopsyprocarchitecture.pl 
@@ -0,0 +1,62 @@ +#----------------------------------------------------------- +# processorarchitecture.pl +# +# Extracts processor architecture and saves in XML file. +#----------------------------------------------------------- +package autopsyprocarchitecture; +use strict; + +my %config = (hive => "System", + osmask => 22, + hasShortDescr => 1, + hasDescr => 0, + hasRefs => 0, + version => 20081212); + +sub getConfig{return %config} + +sub getShortDescr { + return "Get the processor architecture of the os"; +} +sub getDescr{} +sub getRefs {} +sub getHive {return $config{hive};} +sub getVersion {return $config{version};} + +my $VERSION = getVersion(); + +sub pluginmain { + my $class = shift; + my $hive = shift; + + my $reg = Parse::Win32Registry->new($hive); + my $root_key = $reg->get_root_key; + +# Code for System file, getting CurrentControlSet + my $current; + my $key_path = 'Select'; + my $key; + if ($key = $root_key->get_subkey($key_path)) { + $current = $key->get_value("Current")->get_data(); + + my $env_path = "ControlSet00".$current."\\Control\\Session Manager\\Environment"; + my $env; + if ($env = $root_key->get_subkey($env_path)) { + + eval { + my $arch = $env->get_value("PROCESSOR_ARCHITECTURE")->get_data(); + ::rptMsg("" . $arch . ""); + }; + ::rptMsg($@) if ($@); + + } + else { + ::rptMsg($env_path." not found."); + } + } + else { + ::rptMsg($key_path." not found."); + #::logMsg($key_path." not found."); + } +} +1; diff --git a/RecentActivity/release/rr/plugins/autopsysystem b/RecentActivity/release/rr/plugins/autopsysystem index eebd89d7e9..5dc2c91f87 100644 --- a/RecentActivity/release/rr/plugins/autopsysystem +++ b/RecentActivity/release/rr/plugins/autopsysystem @@ -3,4 +3,5 @@ #------------------------------------- # system autopsyusb +autopsyprocarchitecture #autopsyusbdevices \ No newline at end of file 
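Review bot: The `Current` lookup in pluginmain, `$current = $key->get_value("Current")->get_data();`, sits outside the eval, so a System hive whose Select key carries no Current value aborts the plugin with an unreported method-call-on-undef error instead of an rptMsg line; guard it as `my $cur = $key->get_value("Current"); unless ($cur) { ::rptMsg("Select\\Current not found."); return; }` before dereferencing. The path `"ControlSet00".$current` also produces `ControlSet0010` for a Current value of 10 or more, whereas `sprintf("ControlSet%03d", $current)` is correct for any value. The header comment names the file `processorarchitecture.pl` while the package and the committed filename are `autopsyprocarchitecture`. The `::rptMsg("" . $arch . "")` output appears to have lost its XML element tags in this rendering; the Java side keys on a `ProcessorArchitecture` node name, so confirm the emitted tags match that.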
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 0a55c1e42f..686d410cd3 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -67,6 +67,8 @@ class ExtractRegistry extends Extract { private Content dataSource; private IngestJobContext context; + final private static UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper(); + //hide public constructor to prevent from instantiation by ingest module loader ExtractRegistry() { moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text"); @@ -151,8 +153,6 @@ class ExtractRegistry extends Extract { logger.log(Level.SEVERE, null, ex); } - UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper(); - int j = 0; for (AbstractFile regFile : allRegistryFiles) { String regFileName = regFile.getName(); @@ -191,7 +191,7 @@ class ExtractRegistry extends Extract { // parse the autopsy-specific output if (regOutputFiles.autopsyPlugins.isEmpty() == false) { - if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile, usbMapper) == false) { + if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile) == false) { this.addErrorMessage( NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", this.getName(), regFileName)); 
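Review bot: The new field `final private static UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper();` makes the mapper a process-wide singleton initialised at class-load time: if the constructor throws (it presumably loads a vendor/product table — confirm), ExtractRegistry fails with ExceptionInInitializerError and the whole module becomes unusable rather than one registry file being skipped, and any mutable state inside the mapper is now shared by every concurrent ingest job that reaches this class. Either document on the field that UsbDeviceIdMapper is immutable and thread-safe after construction, or keep it an instance field created in the constructor. The modifier order should also follow convention: `private static final UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper();`.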
@@ -373,18 +373,17 @@ class ExtractRegistry extends Extract { // @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT /** * - * @param regRecord + * @param regFilePath Path to the output file produced by RegRipper. * @param regFile File object for registry that we are parsing (to make blackboard artifacts with) - * @param extrctr * @return */ - private boolean parseAutopsyPluginOutput(String regRecord, AbstractFile regFile, UsbDeviceIdMapper extrctr) { + private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) { FileInputStream fstream = null; try { SleuthkitCase tempDb = currentCase.getSleuthkitCase(); // Read the file in and create a Document and elements - File regfile = new File(regRecord); + File regfile = new File(regFilePath); fstream = new FileInputStream(regfile); String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next(); //NON-NLS @@ -415,7 +414,7 @@ class ExtractRegistry extends Extract { String etime = timenode.getTextContent(); try { Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime(); - mtime = epochtime.longValue(); + mtime = epochtime; String Tempdate = mtime.toString(); mtime = Long.valueOf(Tempdate) / 1000; } catch (ParseException ex) { @@ -431,7 +430,8 @@ class ExtractRegistry extends Extract { Element artroot = (Element) artroots.item(0); NodeList myartlist = artroot.getChildNodes(); - String winver = ""; + String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"); + for (int j = 0; j < myartlist.getLength(); j++) { Node artchild = myartlist.item(j); // If it has attributes, then it is an Element (based off API) 
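Review bot: In the `@@ -415` hunk the replacement `mtime = epochtime;` still feeds a pointless round trip through `String Tempdate = mtime.toString(); mtime = Long.valueOf(Tempdate) / 1000;`; the three lines reduce to `mtime = epochtime / 1000;`. The `new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy")` on the line above parses RegRipper's English day and month names with the JVM default locale, so on a non-English workstation every timestamp fails with ParseException; pass `Locale.US` as the second argument, and the same applies to the `uninstall` and `WinVersion` parsers in the following hunk. The updated Javadoc on parseAutopsyPluginOutput still leaves `@return` blank; something like `@return true if the RegRipper output file was parsed successfully, false otherwise` would complete it — confirm against the method's tail, which lies outside the hunk.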
@@ -439,131 +439,126 @@ class ExtractRegistry extends Extract { Element artnode = (Element) artchild; String value = artnode.getTextContent().trim(); - Collection bbattributes = new ArrayList(); + Collection bbattributes = new ArrayList<>(); - if ("recentdocs".equals(dataType)) { //NON-NLS - // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime)); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem)); - // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value)); - // bbart.addAttributes(bbattributes); - // @@@ BC: Why are we ignoring this... - } - else if ("usb".equals(dataType)) { //NON-NLS - try { - Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS - usbMtime = Long.valueOf(usbMtime.toString()); + switch (dataType) { + case "recentdocs": //NON-NLS + // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime)); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem)); + // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value)); + // bbart.addAttributes(bbattributes); + // @@@ BC: Why are we ignoring this... 
+ break; + case "usb": //NON-NLS + try { + Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS + usbMtime = Long.valueOf(usbMtime.toString()); - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), usbMtime)); - String dev = artnode.getAttribute("dev"); //NON-NLS - String make = ""; - String model = dev; - if (dev.toLowerCase().contains("vid")) { //NON-NLS - USBInfo info = extrctr.parseAndLookup(dev); - if (info.getVendor() != null) { - make = info.getVendor(); - } - if (info.getProduct() != null) { - model = info.getProduct(); + BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, usbMtime)); + String dev = artnode.getAttribute("dev"); //NON-NLS + String make = ""; + String model = dev; + if (dev.toLowerCase().contains("vid")) { //NON-NLS + USBInfo info = usbMapper.parseAndLookup(dev); + if (info.getVendor() != null) { + make = info.getVendor(); + } + if (info.getProduct() != null) { + model = info.getProduct(); + } } + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE.getTypeID(), parentModuleName, make)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), parentModuleName, model)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), parentModuleName, value)); + bbart.addAttributes(bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); //NON-NLS } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), make)); - bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), model)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), value)); - bbart.addAttributes(bbattributes); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); //NON-NLS - } - } - else if ("uninstall".equals(dataType)) { //NON-NLS - Long itemMtime = null; - try { - Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime(); //NON-NLS - itemMtime = epochtime.longValue(); - itemMtime = itemMtime / 1000; - } catch (ParseException e) { - logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); //NON-NLS - } - - try { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), value)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), itemMtime)); - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); - bbart.addAttributes(bbattributes); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS - } - } - else if ("WinVersion".equals(dataType)) { //NON-NLS - String name = artnode.getAttribute("name"); //NON-NLS - - if (name.contains("ProductName")) { //NON-NLS - winver = value; - } - if (name.contains("CSDVersion")) { //NON-NLS - winver = winver + " " + value; - } - if (name.contains("InstallDate")) { //NON-NLS - Long installtime = null; + break; + case "uninstall": //NON-NLS + Long itemMtime = null; try { - Long epochtime = new 
SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime(); - installtime = epochtime.longValue(); - String Tempdate = installtime.toString(); - installtime = Long.valueOf(Tempdate) / 1000; + Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime(); //NON-NLS + itemMtime = epochtime; + itemMtime = itemMtime / 1000; } catch (ParseException e) { - logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e); //NON-NLS + logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); //NON-NLS } + try { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), winver)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), installtime)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, value)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),parentModuleName, itemMtime)); BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); bbart.addAttributes(bbattributes); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS } - } - } - else if ("office".equals(dataType)) { //NON-NLS - String name = artnode.getAttribute("name"); //NON-NLS - - try { - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - // @@@ BC: Consider removing this after some more testing. 
It looks like an Mtime associated with the root key and not the individual item - if (mtime != null) { - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), mtime)); + break; + case "WinVersion": //NON-NLS + String winver = ""; + String name = artnode.getAttribute("name"); //NON-NLS + + if (name.contains("ProductName")) { //NON-NLS + winver = value; } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), name)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), value)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), - NbBundle.getMessage(this.getClass(), - "ExtractRegistry.parentModuleName.noSpace"), artnode.getNodeName())); - bbart.addAttributes(bbattributes); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS - } + if (name.contains("CSDVersion")) { //NON-NLS + winver = winver + " " + value; + } + if (name.contains("InstallDate")) { //NON-NLS + Long installtime = null; + try { + Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime(); + installtime = epochtime; + String Tempdate = installtime.toString(); + installtime = Long.valueOf(Tempdate) / 1000; + } catch (ParseException e) { + logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e); //NON-NLS + } + try { + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, winver)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime)); + BlackboardArtifact bbart = 
regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); + bbart.addAttributes(bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS + } + } + break; + case "office": //NON-NLS + String officeName = artnode.getAttribute("name"); //NON-NLS + + try { + BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item + if (mtime != null) { + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), parentModuleName, mtime)); + } + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), parentModuleName, officeName)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), parentModuleName, value)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, artnode.getNodeName())); + bbart.addAttributes(bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS + } + break; + case "ProcessorArchitecture": //NON-NLS + try { + String processorArchitecture = value; + if (processorArchitecture.equals("AMD64")) + processorArchitecture = "x86-64"; + + BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID(), parentModuleName, processorArchitecture)); + bbart.addAttributes(bbattributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS + } + break; + default: + logger.log(Level.WARNING, "Unercognized node name: " + dataType); + break; } } } From 780d40971daa6a8cc9e2bfebb6c155738b9f02cf Mon Sep 17 00:00:00 2001 
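Review bot: The new `ProcessorArchitecture` case drops the cause in `catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); }`; pass the exception as the third argument, `logger.log(Level.SEVERE, "Error adding os info artifact to blackboard.", ex); //NON-NLS`, and the same applies to the usb, uninstall, WinVersion and office catches rewritten in this hunk. `Collection bbattributes = new ArrayList<>();` remains a raw type even after the diamond change; `Collection<BlackboardAttribute> bbattributes = new ArrayList<>();` is what the surrounding code needs. The unbraced `if (processorArchitecture.equals("AMD64")) processorArchitecture = "x86-64";` departs from the braced style used everywhere else in the method, and the default branch has a typo and builds its message by concatenating a value parsed from the RegRipper output; `logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType); //NON-NLS` fixes both. The enclosing method continues past both ends of the hunk.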
From: Eamonn Saunders Date: Wed, 15 Oct 2014 16:31:12 -0400 Subject: [PATCH 2/2] - Modified ExtractRegistry.java to attach Windows version info to TSK_OS_INFO artifact instead of TSK_INSTALLED_PROGRAM. - Added new icon for "Operating System Information" to UI and Report. - Added TSK_OS_INFO artifact to report. --- .../autopsy/datamodel/BlackboardArtifactNode.java | 2 ++ .../autopsy/datamodel/ExtractedContent.java | 3 +++ .../src/org/sleuthkit/autopsy/images/computer.png | Bin 0 -> 566 bytes .../sleuthkit/autopsy/report/Bundle.properties | 3 +++ .../sleuthkit/autopsy/report/ReportGenerator.java | 13 +++++++++++++ .../org/sleuthkit/autopsy/report/ReportHTML.java | 3 +++ .../sleuthkit/autopsy/report/images/computer.png | Bin 0 -> 566 bytes .../autopsy/recentactivity/ExtractRegistry.java | 4 ++-- 8 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 Core/src/org/sleuthkit/autopsy/images/computer.png create mode 100644 Core/src/org/sleuthkit/autopsy/report/images/computer.png diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java index 83fe7c487e..37f877b167 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java @@ -442,6 +442,8 @@ public class BlackboardArtifactNode extends DisplayableItemNode { return "encrypted-file.png"; //NON-NLS case TSK_EXT_MISMATCH_DETECTED: return "mismatch-16.png"; //NON-NLS + case TSK_OS_INFO: + return "computer.png"; //NON-NLS default: return "artifact-icon.png"; //NON-NLS } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java index 903504b96e..7be1f68965 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/ExtractedContent.java 
@@ -331,6 +331,9 @@ public class ExtractedContent implements AutopsyVisitableItem { return "encrypted-file.png"; //NON-NLS case TSK_EXT_MISMATCH_DETECTED: return "mismatch-16.png"; //NON-NLS + case TSK_OS_INFO: + return "computer.png"; //NON-NLS + } return "artifact-icon.png"; //NON-NLS } diff --git a/Core/src/org/sleuthkit/autopsy/images/computer.png b/Core/src/org/sleuthkit/autopsy/images/computer.png new file mode 100644 index 0000000000000000000000000000000000000000..887d6b50686de3cc52b86c38d3ccb296896eff47 GIT binary patch literal 566 zcmV-60?GY}P)WxZs1|?#%oAy_tE;aU9r0IBX~)l}i1WBQpJpzrBCdF9JX73@b97PFb;7e6np@ z?R8y;OeS+F(6C=96c&bcLe7;+1?u&>T9c4Jf{V#y!iU2loIgH;^q8P&ngTf*h5@D_ z;o)>w1w>dOV=d;l+x!{i*_qO|RF3TCE1LSZtPn zXpnJ#I{*#_`}}_J`h2Q?oz8%dRq$Xia1Ra=iGCQtS5V%DwDs(y>qucG?&9~n}p^##A_WKM(NT}z)=s6>H5MNBwOvU5zLpOnC zS%2E?_AfOwoL{edWNbcARM!8A;hIu)#Dr}+&hG*Y0N_IWL<|H~O8@`>07*qoM6N<$ Ef(u3dw*UYD literal 0 HcmV?d00001 diff --git a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties index ff4911234b..99c0582b9f 100644 --- a/Core/src/org/sleuthkit/autopsy/report/Bundle.properties +++ b/Core/src/org/sleuthkit/autopsy/report/Bundle.properties @@ -204,3 +204,6 @@ ReportHTML.writeIndex.srcModuleName.text=HTML Report ReportKML.genReport.srcModuleName.text=KML Report ReportGenerator.artTableColHdr.extension.text=Extension ReportGenerator.artTableColHdr.mimeType.text=MIME Type +ReportGenerator.artTableColHdr.processorArchitecture.text=Processor Architecture +ReportGenerator.artTableColHdr.osName.text=Operating System Name +ReportGenerator.artTableColHdr.osInstallDate.text=Install Date diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java index 62edde285e..e1090e1adb 100644 --- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java +++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java 
@@ -1337,6 +1337,13 @@ import org.sleuthkit.datamodel.TskData; NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.mimeType.text"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.path")})); break; + case TSK_OS_INFO: + columnHeaders = new ArrayList<>(Arrays.asList(new String[] { + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.processorArchitecture.text"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.osName.text"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.osInstallDate.text"), + NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")})); + break; default: return null; } @@ -1677,6 +1684,12 @@ import org.sleuthkit.datamodel.TskData; } orderedRowData.add(file.getUniquePath()); break; + case TSK_OS_INFO: + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID())); + orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())); + orderedRowData.add(getFileUniquePath(getObjectID())); + break; } orderedRowData.add(makeCommaSeparatedList(getTags())); diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java b/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java index 43e269a33b..7fa34d292b 100644 --- a/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java +++ b/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java @@ -227,6 +227,9 @@ import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; case TSK_GPS_SEARCH: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/gps-search.png"); //NON-NLS break; + case TSK_OS_INFO: + in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/computer.png"); //NON-NLS + break; default: logger.log(Level.WARNING, "useDataTypeIcon: unhandled artifact type = " + dataType); //NON-NLS 
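Review bot: The TSK_OS_INFO row in the `@@ -1677` hunk reads TSK_PROCESSOR_ARCHITECTURE, TSK_PROG_NAME and TSK_DATETIME from a single artifact, but ExtractRegistry (second patch, its `@@ -519` hunk) posts the processor architecture and the Windows version/install date as two separate TSK_OS_INFO artifacts, so every report row will have either the architecture column or the name/date columns empty. Either merge the attributes onto one artifact per registry file in ExtractRegistry, or add a comment on this case that partial rows are expected. `mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID())` is emitted as-is; if the map holds the raw epoch string, the Install Date column shows seconds since the epoch rather than a formatted date — confirm how the sibling cases outside the hunk treat datetime attributes.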
diff --git a/Core/src/org/sleuthkit/autopsy/report/images/computer.png b/Core/src/org/sleuthkit/autopsy/report/images/computer.png new file mode 100644 index 0000000000000000000000000000000000000000..887d6b50686de3cc52b86c38d3ccb296896eff47 GIT binary patch literal 566 zcmV-60?GY}P)WxZs1|?#%oAy_tE;aU9r0IBX~)l}i1WBQpJpzrBCdF9JX73@b97PFb;7e6np@ z?R8y;OeS+F(6C=96c&bcLe7;+1?u&>T9c4Jf{V#y!iU2loIgH;^q8P&ngTf*h5@D_ z;o)>w1w>dOV=d;l+x!{i*_qO|RF3TCE1LSZtPn zXpnJ#I{*#_`}}_J`h2Q?oz8%dRq$Xia1Ra=iGCQtS5V%DwDs(y>qucG?&9~n}p^##A_WKM(NT}z)=s6>H5MNBwOvU5zLpOnC zS%2E?_AfOwoL{edWNbcARM!8A;hIu)#Dr}+&hG*Y0N_IWL<|H~O8@`>07*qoM6N<$ Ef(u3dw*UYD literal 0 HcmV?d00001 diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 686d410cd3..4256b352d9 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -431,6 +431,7 @@ class ExtractRegistry extends Extract { Element artroot = (Element) artroots.item(0); NodeList myartlist = artroot.getChildNodes(); String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"); + String winver = ""; for (int j = 0; j < myartlist.getLength(); j++) { Node artchild = myartlist.item(j); @@ -497,7 +498,6 @@ class ExtractRegistry extends Extract { } break; case "WinVersion": //NON-NLS - String winver = ""; String name = artnode.getAttribute("name"); //NON-NLS if (name.contains("ProductName")) { //NON-NLS 
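Review bot: Hoisting `String winver = "";` above the loop in the `@@ -431` hunk makes the WinVersion value order-dependent: ProductName assigns `winver = value` (discarding any CSDVersion already appended) and the artifact is only created when an InstallDate node is seen, so the plugin must emit ProductName, CSDVersion and InstallDate in exactly that order for TSK_PROG_NAME to be complete. A comment above the declaration, `// accumulates ProductName + CSDVersion across WinVersion nodes; the artifact is posted when InstallDate arrives`, would make that contract visible, and resetting `winver` after the artifact is posted would keep a later WinVersion group, if the plugin ever emits one, from inheriting the first. The loop body continues outside the hunk.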
@@ -519,7 +519,7 @@ class ExtractRegistry extends Extract {
 try {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, winver));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime));
- BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
+ BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
 bbart.addAttributes(bbattributes);
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS
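Review bot: The artifact type on the changed line is now TSK_OS_INFO, but the catch on the last line of the hunk still logs `"Error adding installed program artifact to blackboard."` and drops the exception, so a failure here is both mislabelled and untraceable; change it to `logger.log(Level.SEVERE, "Error adding os info artifact to blackboard.", ex); //NON-NLS`. The enclosing method continues past both ends of the hunk.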