mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 10:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

Reordered tables on report, added new method to get keyword hits grouped by keyword, and modified recent document extraction

Browse Source 
Signed-off-by: Alex Ebadirad <aebadirad@42six.com>
This commit is contained in:
Alex Ebadirad 2012-03-20 17:27:10 -07:00
parent c80496fb36
commit b9c55cb1aa
7 changed files with 249 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractAll.java
View File

@ -14,7 +14,7 @@ import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
public class ExtractAll {
void ExtractAll(){
}

40
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -42,7 +42,7 @@ public class ExtractRegistry {
public Logger logger = Logger.getLogger(this.getClass().getName());
private String RR_PATH;
boolean rrFound = false;
private int sysid;
ExtractRegistry(){
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false);
if (rrRoot == null) {
@ -53,7 +53,18 @@ public class ExtractRegistry {
else {
rrFound = true;
}
try{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
while (artset.next()){
sysid = artset.getInt("artifact_type_id");
}
}
catch(Exception e){
}
final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome);
@ -175,7 +186,9 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
String regString = new Scanner(new File(regRecord)).useDelimiter("\\Z").next();
String startdoc = "<document>";
String result = regString.replaceAll("----------------------------------------","");
@ -199,7 +212,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
Element artroot = tempnode.getChild("artifacts");
List artlist = artroot.getChildren();
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
Iterator aiterator = artlist.iterator();
@ -210,16 +223,27 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
}
if("recentdocs".equals(context)){
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
bbart.addAttributes(bbattributes);
}
else if("runMRU".equals(context)){
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
bbart.addAttributes(bbattributes);
}
else
{
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes);
}
}
}
catch (Exception ex)
{
String hi = "";
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex);
}

23
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java
View File

@ -18,12 +18,12 @@
*/
package org.sleuthkit.autopsy.recentactivity;
import java.sql.ResultSet;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.JPanel;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.autopsy.ingest.IngestManager;
@ -80,7 +80,28 @@ public final class RAImageIngestService implements IngestServiceImage {
try {
//do the work for(FileSystem img : imageFS )
try{
ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
int artcount = 0;
while (artset.next()){
artcount++;
}
// artset.beforeFirst();
if(artcount > 0)
{
}
else
{
int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
}
}
catch(Exception e)
{
}
ext.extractToBlackboard(controller, fsIds);

57
Report/src/org/sleuthkit/autopsy/report/report.java
View File

@ -5,16 +5,14 @@
package org.sleuthkit.autopsy.report;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
@ -199,4 +197,57 @@ public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getHashHit() {
return reportMap;
}
@Override
public String getGroupedKeywordHit() {
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC");
while(uniqueresults.next())
{
table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>();
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") +"'");
while(tempresults.next())
{
artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id")));
}
for(BlackboardArtifact art : artlist)
{
String filename = tempDb.getFsContentById(art.getObjectID()).getName();
String preview = "";
String set = "";
table.append("<tr><td>").append(filename).append("</td>");
ArrayList<BlackboardAttribute> tempatts = art.getAttributes();
for(BlackboardAttribute att : tempatts)
{
if(att.getAttributeTypeID() == 12)
{
preview = "<td>" + att.getValueString() + "</td>";
}
if(att.getAttributeTypeID() == 13)
{
set = "<td>" + att.getValueString() + "</td>";
}
}
table.append(preview).append(set).append("</tr>");
}
table.append("</tbody></table><br /><br />");
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e);
}
String result = table.toString();
return result;
}
}

164
Report/src/org/sleuthkit/autopsy/report/reportHTML.java
View File

@ -5,7 +5,6 @@
package org.sleuthkit.autopsy.report;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
@ -13,13 +12,16 @@ import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Map.Entry;
import java.util.TreeMap;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
/**
*
@ -31,16 +33,65 @@ public class reportHTML {
public static StringBuilder formatted_Report = new StringBuilder();
public static String htmlPath = "";
public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
//This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones.
//Unlike the XML report, which is dynamic, this is formatted and needs to be redone later instead of being hardcoded.
int countGen = 0;
int countWebBookmark = 0;
int countWebCookie = 0;
int countWebHistory = 0;
int countWebDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){
countGen++;
}
if(entry.getKey().getArtifactTypeID() == 2){
countWebBookmark++;
}
if(entry.getKey().getArtifactTypeID() == 3){
countWebCookie++;
}
if(entry.getKey().getArtifactTypeID() == 4){
countWebHistory++;
}
if(entry.getKey().getArtifactTypeID() == 5){
countWebDownload++;
}
if(entry.getKey().getArtifactTypeID() == 6){
countRecentObjects++;
}
if(entry.getKey().getArtifactTypeID() == 7){
countTrackPoint++;
}
if(entry.getKey().getArtifactTypeID() == 8){
countInstalled++;
}
if(entry.getKey().getArtifactTypeID() == 9){
countKeyword++;
}
if(entry.getKey().getArtifactTypeID() == 10){
countHash++;
}
}
try{
String ingestwarning = "<h2 style=\"color: red;\">Warning, this report was run before ingest services completed!</h2>";
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
String rrpath = System.getProperty("user.dir");
rrpath = rrpath.substring(0, rrpath.length()-14);
rrpath = rrpath + "autopsy\\thirdparty\\";
Integer imagecount = currentCase.getImageIDs().length;
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
int reportsize = report.size();
Integer filesystemcount = currentCase.getRootObjectsCount();
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy");
@ -68,20 +119,27 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
// Add summary information now
formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>");
if(IngestManager.getDefault().isIngestRunning())
{
formatted_Report.append(ingestwarning);
}
formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<br /><ul>");
formatted_Report.append("<li># of Images: ").append(imagecount).append("</li>");
formatted_Report.append("<li>FileSystems: ").append(filesystemcount).append("</li>");
String tableHeader = "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>";
StringBuilder nodeGen = new StringBuilder("<h3>General Information</h3>" + tableHeader);
StringBuilder nodeWebBookmark = new StringBuilder("<h3>Web Bookmarks</h3>" + tableHeader);
StringBuilder nodeWebCookie = new StringBuilder("<h3>Web Cookies</h3>" + tableHeader);
StringBuilder nodeWebHistory = new StringBuilder("<h3>Web History</h3>" + tableHeader);
StringBuilder nodeWebDownload = new StringBuilder("<h3>Web Downloads</h3>" + tableHeader);
StringBuilder nodeRecentObjects = new StringBuilder("<h3>Recent Documents</h3>" + tableHeader);
StringBuilder nodeTrackPoint = new StringBuilder("<h3>Track Points</h3>" + tableHeader);
StringBuilder nodeInstalled = new StringBuilder("<h3>Installed Programs</h3>" + tableHeader);
StringBuilder nodeKeyword = new StringBuilder("<h3>Keyword Search Hits</h3>" + tableHeader);
StringBuilder nodeHash = new StringBuilder("<h3>Hashset Hits</h3>" + tableHeader);
formatted_Report.append("<li># of Files: ").append(totalfiles.toString()).append("</li>");
formatted_Report.append("<li># of Dirs: ").append(totaldirs.toString()).append("</li>");
formatted_Report.append("<li># of Artifacts: ").append(reportsize).append("</li>");
String tableHeader = "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>";
StringBuilder nodeGen = new StringBuilder("<h3>General Information (").append(countGen).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeWebBookmark = new StringBuilder("<h3>Web Bookmarks (").append(countWebBookmark).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebCookie = new StringBuilder("<h3>Web Cookies (").append(countWebCookie).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Name</th><th>Value</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebHistory = new StringBuilder("<h3>Web History (").append(countWebHistory).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Referrer</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebDownload = new StringBuilder("<h3>Web Downloads (").append(countWebDownload).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeRecentObjects = new StringBuilder("<h3>Recent Documents (").append(countRecentObjects).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Path</th></tr></thead><tbody>");
StringBuilder nodeTrackPoint = new StringBuilder("<h3>Track Points (").append(countTrackPoint).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeInstalled = new StringBuilder("<h3>Installed Programs (").append(countInstalled).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeKeyword = new StringBuilder("<h3>Keyword Search Hits (").append(countKeyword).append(")</h3>");
StringBuilder nodeHash = new StringBuilder("<h3>Hashset Hits (").append(countHash).append(")</h3>").append(tableHeader).append("<th>File Name</th><th>Hashset Name</th></tr></thead><tbody>");
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
@ -94,57 +152,87 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize();
// Get all the attributes for this guy
artifact.append("<tr><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
TreeMap<Integer, String> attributes = new TreeMap<Integer,String>();
// Get all the attributes, line them up to be added.
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
if(reportFilter.cancel == true){
break;
}
artifact.append("<tr><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
//artifact.append("Path: ").append(file.getParentPath());
artifact.append("<td>").append(filesize.toString()).append("</td>");
StringBuilder attribute = new StringBuilder("<td>").append(tempatt.getAttributeTypeDisplayName()).append("</td>");
attribute.append("<td>").append(tempatt.getValueString()).append("</td></tr>");
//attribute.append("<li style=\"list-style-type: none;\"> Context: ").append(tempatt.getContext()).append("</li>");
artifact.append(attribute);
int type = tempatt.getAttributeTypeID();
String value = tempatt.getValueString();
attributes.put(type, value);
cc++;
}
//artifact.append("</tr>");
if(entry.getKey().getArtifactTypeID() == 1){
artifact.append("</tr>");
nodeGen.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 2){
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebBookmark.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 3){
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(6)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebCookie.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 4){
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("<td>").append(attributes.get(32)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebHistory.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 5){
artifact.append("</tr>");
nodeWebDownload.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 6){
artifact.append("</tr>");
nodeRecentObjects.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 7){
artifact.append("</tr>");
nodeTrackPoint.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
artifact.append("</tr>");
nodeInstalled.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 9){
nodeKeyword.append(artifact);
// artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>");
// artifact.append("</tr></table>");
// nodeKeyword.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 10){
artifact.append("<td>").append(attributes.get(31)).append("</td>");
artifact.append("<td>").append(attributes.get(30)).append("</td>");
artifact.append("</tr>");
nodeHash.append(artifact);
}
cc++;
@ -166,9 +254,15 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
formatted_Report.append(nodeTrackPoint);
formatted_Report.append("</tbody></table>");
formatted_Report.append(nodeInstalled);
formatted_Report.append("</tbody></table>");
formatted_Report.append("</tbody></table>");
formatted_Report.append(nodeKeyword);
formatted_Report.append("</tbody></table>");
if(countKeyword > 0){
report keywords = new report();
formatted_Report.append(keywords.getGroupedKeywordHit());
// "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>
// formatted_Report.append("</tbody></table>");
}
formatted_Report.append(nodeHash);
formatted_Report.append("</tbody></table>");
//end of master loop

1
Report/src/org/sleuthkit/autopsy/report/reportInterface.java
View File

@ -22,4 +22,5 @@ public interface reportInterface{
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getRecentObject();
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getHashHit();
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getKeywordHit();
public String getGroupedKeywordHit();
}

10
Report/src/org/sleuthkit/autopsy/report/reportXML.java
View File

@ -19,6 +19,7 @@ import org.jdom.Document.*;
import org.jdom.Element;
import org.jdom.output.XMLOutputter;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
@ -27,6 +28,7 @@ import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
public class reportXML {
public static Document xmldoc = new Document();
public reportXML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
@ -36,6 +38,8 @@ public class reportXML {
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
Element root = new Element("Case");
xmldoc = new Document(root);
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
@ -47,9 +51,15 @@ public class reportXML {
root.addContent(comment);
//Create summary node involving how many of each type
Element summary = new Element("Summary");
if(IngestManager.getDefault().isIngestRunning())
{
summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!"));
}
summary.addContent(new Element("Name").setText(caseName));
summary.addContent(new Element("Total-Images").setText(imagecount.toString()));
summary.addContent(new Element("Total-FileSystems").setText(filesystemcount.toString()));
summary.addContent(new Element("Total-Files").setText(totalfiles.toString()));
summary.addContent(new Element("Total-Directories").setText(totaldirs.toString()));
root.addContent(summary);
//generate the nodes for each of the types so we can use them later
Element nodeGen = new Element("General-Information");