Merge pull request #901 from esaunders/volatility_module

Added a new RegRipper plugin to determine processor architecture and mod...
Richard Cordovano 2014-10-16 12:53:42 -04:00
commit b803c20e23
10 changed files with 201 additions and 119 deletions


@ -442,6 +442,8 @@ public class BlackboardArtifactNode extends DisplayableItemNode {
return "encrypted-file.png"; //NON-NLS return "encrypted-file.png"; //NON-NLS
case TSK_EXT_MISMATCH_DETECTED: case TSK_EXT_MISMATCH_DETECTED:
return "mismatch-16.png"; //NON-NLS return "mismatch-16.png"; //NON-NLS
case TSK_OS_INFO:
return "computer.png"; //NON-NLS
default: default:
return "artifact-icon.png"; //NON-NLS return "artifact-icon.png"; //NON-NLS
} }


@ -331,6 +331,9 @@ public class ExtractedContent implements AutopsyVisitableItem {
return "encrypted-file.png"; //NON-NLS return "encrypted-file.png"; //NON-NLS
case TSK_EXT_MISMATCH_DETECTED: case TSK_EXT_MISMATCH_DETECTED:
return "mismatch-16.png"; //NON-NLS return "mismatch-16.png"; //NON-NLS
case TSK_OS_INFO:
return "computer.png"; //NON-NLS
} }
return "artifact-icon.png"; //NON-NLS return "artifact-icon.png"; //NON-NLS
} }

Binary file not shown.

After

Width:  |  Height:  |  Size: 566 B


@ -204,3 +204,6 @@ ReportHTML.writeIndex.srcModuleName.text=HTML Report
ReportKML.genReport.srcModuleName.text=KML Report ReportKML.genReport.srcModuleName.text=KML Report
ReportGenerator.artTableColHdr.extension.text=Extension ReportGenerator.artTableColHdr.extension.text=Extension
ReportGenerator.artTableColHdr.mimeType.text=MIME Type ReportGenerator.artTableColHdr.mimeType.text=MIME Type
ReportGenerator.artTableColHdr.processorArchitecture.text=Processor Architecture
ReportGenerator.artTableColHdr.osName.text=Operating System Name
ReportGenerator.artTableColHdr.osInstallDate.text=Install Date


@ -1337,6 +1337,13 @@ import org.sleuthkit.datamodel.TskData;
NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.mimeType.text"), NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.mimeType.text"),
NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.path")})); NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.path")}));
break; break;
case TSK_OS_INFO:
columnHeaders = new ArrayList<>(Arrays.asList(new String[] {
NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.processorArchitecture.text"),
NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.osName.text"),
NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.osInstallDate.text"),
NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")}));
break;
default: default:
return null; return null;
} }
@ -1677,6 +1684,12 @@ import org.sleuthkit.datamodel.TskData;
} }
orderedRowData.add(file.getUniquePath()); orderedRowData.add(file.getUniquePath());
break; break;
case TSK_OS_INFO:
orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID()));
orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID()));
orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()));
orderedRowData.add(getFileUniquePath(getObjectID()));
break;
} }
orderedRowData.add(makeCommaSeparatedList(getTags())); orderedRowData.add(makeCommaSeparatedList(getTags()));
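Review bot: The `TSK_OS_INFO` row adds the results of three `mappedAttributes.get(...)` calls unchecked, yet the registry parser in this same commit never produces an artifact that carries all three attributes. It creates one `TSK_OS_INFO` artifact holding only `TSK_PROCESSOR_ARCHITECTURE` and a separate one holding only `TSK_PROG_NAME` and `TSK_DATETIME`. Every report row for this type will therefore have at least one missing cell, which will be null if `mappedAttributes` is an ordinary map (its declaration is outside the hunk). Either have the extractor attach all the OS attributes to a single artifact, or substitute an empty string here when a lookup returns nothing. A short comment above `case TSK_OS_INFO:` stating which attributes are optional would also help, e.g. `// architecture and OS name/install date come from different RegRipper plugins and may be absent`.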


@ -227,6 +227,9 @@ import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM;
case TSK_GPS_SEARCH: case TSK_GPS_SEARCH:
in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/gps-search.png"); //NON-NLS in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/gps-search.png"); //NON-NLS
break; break;
case TSK_OS_INFO:
in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/computer.png"); //NON-NLS
break;
default: default:
logger.log(Level.WARNING, "useDataTypeIcon: unhandled artifact type = " + dataType); //NON-NLS logger.log(Level.WARNING, "useDataTypeIcon: unhandled artifact type = " + dataType); //NON-NLS

Binary file not shown.

After

Width:  |  Height:  |  Size: 566 B


@ -0,0 +1,62 @@
#-----------------------------------------------------------
# processorarchitecture.pl
#
# Extracts processor architecture and saves in XML file.
#-----------------------------------------------------------
package autopsyprocarchitecture;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Get the processor architecture of the os";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $env_path = "ControlSet00".$current."\\Control\\Session Manager\\Environment";
my $env;
if ($env = $root_key->get_subkey($env_path)) {
eval {
my $arch = $env->get_value("PROCESSOR_ARCHITECTURE")->get_data();
::rptMsg("<ProcessorArchitecture><mtime></mtime><artifacts><architecture mtime=\"\">" . $arch . "</architecture></artifacts></ProcessorArchitecture>");
};
::rptMsg($@) if ($@);
}
else {
::rptMsg($env_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
1;
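Review bot: `$arch` is read from the hive under examination and concatenated into the XML passed to `::rptMsg` without escaping, so a value containing `&`, `<` or `>` produces output that the consumer parsing it as an XML document will reject or mis-structure. Escape it before emitting, e.g. `for ($arch) { s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g; }`. Separately, `$key->get_value("Current")->get_data()` sits outside the `eval`, so a `Select` key with no `Current` value makes the method call on undef die instead of being reported through `::rptMsg`. Moving that lookup inside the `eval`, or checking the returned value first, keeps a damaged hive from aborting the plugin. `"ControlSet00".$current` also assumes a single-digit control set number, which `sprintf("ControlSet%03d", $current)` would avoid, and the file has `use strict;` but no `use warnings;`.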


@ -3,4 +3,5 @@
#------------------------------------- #-------------------------------------
# system # system
autopsyusb autopsyusb
autopsyprocarchitecture
#autopsyusbdevices #autopsyusbdevices


@ -67,6 +67,8 @@ class ExtractRegistry extends Extract {
private Content dataSource; private Content dataSource;
private IngestJobContext context; private IngestJobContext context;
final private static UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper();
//hide public constructor to prevent from instantiation by ingest module loader //hide public constructor to prevent from instantiation by ingest module loader
ExtractRegistry() { ExtractRegistry() {
moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text"); moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text");
@ -151,8 +153,6 @@ class ExtractRegistry extends Extract {
logger.log(Level.SEVERE, null, ex); logger.log(Level.SEVERE, null, ex);
} }
UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper();
int j = 0; int j = 0;
for (AbstractFile regFile : allRegistryFiles) { for (AbstractFile regFile : allRegistryFiles) {
String regFileName = regFile.getName(); String regFileName = regFile.getName();
@ -191,7 +191,7 @@ class ExtractRegistry extends Extract {
// parse the autopsy-specific output // parse the autopsy-specific output
if (regOutputFiles.autopsyPlugins.isEmpty() == false) { if (regOutputFiles.autopsyPlugins.isEmpty() == false) {
if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile, usbMapper) == false) { if (parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile) == false) {
this.addErrorMessage( this.addErrorMessage(
NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults", NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
this.getName(), regFileName)); this.getName(), regFileName));
@ -373,18 +373,17 @@ class ExtractRegistry extends Extract {
// @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT // @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT
/** /**
* *
* @param regRecord * @param regFilePath Path to the output file produced by RegRipper.
* @param regFile File object for registry that we are parsing (to make blackboard artifacts with) * @param regFile File object for registry that we are parsing (to make blackboard artifacts with)
* @param extrctr
* @return * @return
*/ */
private boolean parseAutopsyPluginOutput(String regRecord, AbstractFile regFile, UsbDeviceIdMapper extrctr) { private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
FileInputStream fstream = null; FileInputStream fstream = null;
try { try {
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
// Read the file in and create a Document and elements // Read the file in and create a Document and elements
File regfile = new File(regRecord); File regfile = new File(regFilePath);
fstream = new FileInputStream(regfile); fstream = new FileInputStream(regfile);
String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next(); //NON-NLS String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next(); //NON-NLS
@ -415,7 +414,7 @@ class ExtractRegistry extends Extract {
String etime = timenode.getTextContent(); String etime = timenode.getTextContent();
try { try {
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime(); Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime();
mtime = epochtime.longValue(); mtime = epochtime;
String Tempdate = mtime.toString(); String Tempdate = mtime.toString();
mtime = Long.valueOf(Tempdate) / 1000; mtime = Long.valueOf(Tempdate) / 1000;
} catch (ParseException ex) { } catch (ParseException ex) {
@ -431,7 +430,9 @@ class ExtractRegistry extends Extract {
Element artroot = (Element) artroots.item(0); Element artroot = (Element) artroots.item(0);
NodeList myartlist = artroot.getChildNodes(); NodeList myartlist = artroot.getChildNodes();
String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace");
String winver = ""; String winver = "";
for (int j = 0; j < myartlist.getLength(); j++) { for (int j = 0; j < myartlist.getLength(); j++) {
Node artchild = myartlist.item(j); Node artchild = myartlist.item(j);
// If it has attributes, then it is an Element (based off API) // If it has attributes, then it is an Element (based off API)
@ -439,131 +440,125 @@ class ExtractRegistry extends Extract {
Element artnode = (Element) artchild; Element artnode = (Element) artchild;
String value = artnode.getTextContent().trim(); String value = artnode.getTextContent().trim();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
if ("recentdocs".equals(dataType)) { //NON-NLS switch (dataType) {
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); case "recentdocs": //NON-NLS
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime)); // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", dataType, mtime));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", dataType, mtimeItem));
// bbart.addAttributes(bbattributes); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", dataType, value));
// @@@ BC: Why are we ignoring this... // bbart.addAttributes(bbattributes);
} // @@@ BC: Why are we ignoring this...
else if ("usb".equals(dataType)) { //NON-NLS break;
try { case "usb": //NON-NLS
Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS try {
usbMtime = Long.valueOf(usbMtime.toString()); Long usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS
usbMtime = Long.valueOf(usbMtime.toString());
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, usbMtime));
NbBundle.getMessage(this.getClass(), String dev = artnode.getAttribute("dev"); //NON-NLS
"ExtractRegistry.parentModuleName.noSpace"), usbMtime)); String make = "";
String dev = artnode.getAttribute("dev"); //NON-NLS String model = dev;
String make = ""; if (dev.toLowerCase().contains("vid")) { //NON-NLS
String model = dev; USBInfo info = usbMapper.parseAndLookup(dev);
if (dev.toLowerCase().contains("vid")) { //NON-NLS if (info.getVendor() != null) {
USBInfo info = extrctr.parseAndLookup(dev); make = info.getVendor();
if (info.getVendor() != null) { }
make = info.getVendor(); if (info.getProduct() != null) {
} model = info.getProduct();
if (info.getProduct() != null) { }
model = info.getProduct();
} }
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE.getTypeID(), parentModuleName, make));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), parentModuleName, model));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), parentModuleName, value));
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); //NON-NLS
} }
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE.getTypeID(), break;
NbBundle.getMessage(this.getClass(), case "uninstall": //NON-NLS
"ExtractRegistry.parentModuleName.noSpace"), make)); Long itemMtime = null;
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(),
NbBundle.getMessage(this.getClass(),
"ExtractRegistry.parentModuleName.noSpace"), model));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(),
NbBundle.getMessage(this.getClass(),
"ExtractRegistry.parentModuleName.noSpace"), value));
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard."); //NON-NLS
}
}
else if ("uninstall".equals(dataType)) { //NON-NLS
Long itemMtime = null;
try {
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime(); //NON-NLS
itemMtime = epochtime.longValue();
itemMtime = itemMtime / 1000;
} catch (ParseException e) {
logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); //NON-NLS
}
try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(),
"ExtractRegistry.parentModuleName.noSpace"), value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),
NbBundle.getMessage(this.getClass(),
"ExtractRegistry.parentModuleName.noSpace"), itemMtime));
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS
}
}
else if ("WinVersion".equals(dataType)) { //NON-NLS
String name = artnode.getAttribute("name"); //NON-NLS
if (name.contains("ProductName")) { //NON-NLS
winver = value;
}
if (name.contains("CSDVersion")) { //NON-NLS
winver = winver + " " + value;
}
if (name.contains("InstallDate")) { //NON-NLS
Long installtime = null;
try { try {
Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime(); Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(artnode.getAttribute("mtime")).getTime(); //NON-NLS
installtime = epochtime.longValue(); itemMtime = epochtime;
String Tempdate = installtime.toString(); itemMtime = itemMtime / 1000;
installtime = Long.valueOf(Tempdate) / 1000;
} catch (ParseException e) { } catch (ParseException e) {
logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e); //NON-NLS logger.log(Level.WARNING, "Failed to parse epoch time for installed program artifact."); //NON-NLS
} }
try { try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, value));
NbBundle.getMessage(this.getClass(), bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),parentModuleName, itemMtime));
"ExtractRegistry.parentModuleName.noSpace"), winver));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),
NbBundle.getMessage(this.getClass(),
"ExtractRegistry.parentModuleName.noSpace"), installtime));
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS
} }
} break;
} case "WinVersion": //NON-NLS
else if ("office".equals(dataType)) { //NON-NLS String name = artnode.getAttribute("name"); //NON-NLS
String name = artnode.getAttribute("name"); //NON-NLS
if (name.contains("ProductName")) { //NON-NLS
try { winver = value;
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
if (mtime != null) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
NbBundle.getMessage(this.getClass(),
"ExtractRegistry.parentModuleName.noSpace"), mtime));
} }
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), if (name.contains("CSDVersion")) { //NON-NLS
NbBundle.getMessage(this.getClass(), winver = winver + " " + value;
"ExtractRegistry.parentModuleName.noSpace"), name)); }
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), if (name.contains("InstallDate")) { //NON-NLS
NbBundle.getMessage(this.getClass(), Long installtime = null;
"ExtractRegistry.parentModuleName.noSpace"), value)); try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(value).getTime();
NbBundle.getMessage(this.getClass(), installtime = epochtime;
"ExtractRegistry.parentModuleName.noSpace"), artnode.getNodeName())); String Tempdate = installtime.toString();
bbart.addAttributes(bbattributes); installtime = Long.valueOf(Tempdate) / 1000;
} catch (TskCoreException ex) { } catch (ParseException e) {
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS logger.log(Level.SEVERE, "RegRipper::Conversion on DateTime -> ", e); //NON-NLS
} }
try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, winver));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime));
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard."); //NON-NLS
}
}
break;
case "office": //NON-NLS
String officeName = artnode.getAttribute("name"); //NON-NLS
try {
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
if (mtime != null) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), parentModuleName, mtime));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), parentModuleName, officeName));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), parentModuleName, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, artnode.getNodeName()));
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard."); //NON-NLS
}
break;
case "ProcessorArchitecture": //NON-NLS
try {
String processorArchitecture = value;
if (processorArchitecture.equals("AMD64"))
processorArchitecture = "x86-64";
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID(), parentModuleName, processorArchitecture));
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding os info artifact to blackboard."); //NON-NLS
}
break;
default:
logger.log(Level.WARNING, "Unercognized node name: " + dataType);
break;
} }
} }
} }
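Review bot: In the `WinVersion` case `installtime` is still null when `SimpleDateFormat.parse` throws, and it is then passed to the `TSK_DATETIME` attribute anyway. If that `BlackboardAttribute` constructor takes a primitive `long` (its signature is not visible here), the unboxing throws a NullPointerException that `catch (TskCoreException ex)` does not handle, so one unparsable date in a hive's output would abort parsing of that file. The `uninstall` case has the same shape with `itemMtime`. I would add the date attribute only after a successful parse, e.g. `if (installtime != null) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime)); }`. The catch in this case also still logs "Error adding installed program artifact" although it now creates `TSK_OS_INFO`, and it drops `ex`, so `logger.log(Level.SEVERE, "Error adding os info artifact to blackboard.", ex); //NON-NLS` would keep the cause. The method body starts and ends outside these hunks.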