From b9c55cb1aa4169587d34e538a9277ca2a60d8505 Mon Sep 17 00:00:00 2001 From: Alex Ebadirad Date: Tue, 20 Mar 2012 17:27:10 -0700 Subject: [PATCH] Reordered tables on report, added new method to get keyword hits grouped by keyword, and modified recent document extraction Signed-off-by: Alex Ebadirad --- .../autopsy/recentactivity/ExtractAll.java | 2 +- .../recentactivity/ExtractRegistry.java | 40 ++++- .../recentactivity/RAImageIngestService.java | 23 ++- .../org/sleuthkit/autopsy/report/report.java | 57 +++++- .../sleuthkit/autopsy/report/reportHTML.java | 164 ++++++++++++++---- .../autopsy/report/reportInterface.java | 1 + .../sleuthkit/autopsy/report/reportXML.java | 10 ++ 7 files changed, 249 insertions(+), 48 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractAll.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractAll.java index 84c0333456..6cc7779ff5 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractAll.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractAll.java @@ -14,7 +14,7 @@ import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; public class ExtractAll { void ExtractAll(){ - + } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index e9fa80a8a9..366382e6b8 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -42,7 +42,7 @@ public class ExtractRegistry { public Logger logger = Logger.getLogger(this.getClass().getName()); private String RR_PATH; boolean rrFound = false; - + private int sysid; ExtractRegistry(){ final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); if (rrRoot == null) { 
@@ -53,7 +53,18 @@ public class ExtractRegistry { else { rrFound = true; } - + try{ + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'"); + + while (artset.next()){ + sysid = artset.getInt("artifact_type_id"); + } + } + catch(Exception e){ + + } final String rrHome = rrRoot.getAbsolutePath(); logger.log(Level.INFO, "RegRipper home: " + rrHome); @@ -175,7 +186,9 @@ public void getregistryfiles(List image, IngestImageWorkerController con { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try { + String regString = new Scanner(new File(regRecord)).useDelimiter("\\Z").next(); String startdoc = ""; String result = regString.replaceAll("----------------------------------------",""); @@ -199,7 +212,7 @@ public void getregistryfiles(List image, IngestImageWorkerController con Element artroot = tempnode.getChild("artifacts"); List artlist = artroot.getChildren(); - BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); Iterator aiterator = artlist.iterator(); 
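Review bot: The TSK_SYS_INFO lookup added to the constructor swallows every failure in an empty `catch(Exception e){ }` and leaves `sysid` at its default 0 when the query throws or returns no row, so the value is later handed to `newArtifact(...)` with nothing recording that it was never resolved. At minimum log it and keep the unresolved state visible: `catch (Exception e) { logger.log(Level.WARNING, "Could not resolve TSK_SYS_INFO artifact type id", e); }`, with `sysid == 0` treated as "not registered" at the use site. The `ResultSet` from `runQuery` is also never closed. The type itself is registered in RAImageIngestService's per-image loop in this same commit, so an ExtractRegistry instance constructed before that loop runs will presumably not find it — worth confirming the construction order. The constructor continues outside the hunk.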
@@ -210,16 +223,27 @@ public void getregistryfiles(List image, IngestImageWorkerController con bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); } - - - - + if("recentdocs".equals(context)){ + BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); bbart.addAttributes(bbattributes); + } + else if("runMRU".equals(context)){ + BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + bbart.addAttributes(bbattributes); + + } + else + { + + BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid); + bbart.addAttributes(bbattributes); + } + } } catch (Exception ex) { - String hi = ""; + logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex); } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java index 9e9332bf8e..5967b9f558 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java @@ -18,12 +18,12 @@ */ package org.sleuthkit.autopsy.recentactivity; +import java.sql.ResultSet; import java.util.Collection; import java.util.LinkedList; import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; -import javax.swing.JPanel; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestManager; 
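Review bot: The new `else` branch calls `newArtifact(sysid)`, but `sysid` is only set by a best-effort lookup in the constructor and is 0 when that lookup failed or ran before the type was registered, so every registry entry that is not `recentdocs`/`runMRU` would be written under a bogus type id; guard it before use, e.g. `if (sysid == 0) { logger.log(Level.WARNING, "TSK_SYS_INFO type not resolved, skipping context " + context); continue; }` (or whatever skip idiom the enclosing loop uses). The replaced catch logs `"Error while trying to read into a sqlite db." + ex`, which misdescribes what the block does (it parses RegRipper output into blackboard artifacts) and drops the stack trace — use `logger.log(Level.WARNING, "Error adding registry artifacts to the blackboard", ex);`. The `recentdocs` and `runMRU` branches are byte-identical and can be folded into one `if ("recentdocs".equals(context) || "runMRU".equals(context))`. The enclosing loop and its try block start outside the hunk.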
@@ -80,7 +80,28 @@ public final class RAImageIngestService implements IngestServiceImage { try { //do the work for(FileSystem img : imageFS ) + try{ + ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'"); + int artcount = 0; + while (artset.next()){ + artcount++; + } + + // artset.beforeFirst(); + if(artcount > 0) + { + } + else + { + int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information"); + } + + } + catch(Exception e) + { + + } ext.extractToBlackboard(controller, fsIds); diff --git a/Report/src/org/sleuthkit/autopsy/report/report.java b/Report/src/org/sleuthkit/autopsy/report/report.java index 5dadd47220..ae8c5a2a57 100644 --- a/Report/src/org/sleuthkit/autopsy/report/report.java +++ b/Report/src/org/sleuthkit/autopsy/report/report.java @@ -5,16 +5,14 @@ package org.sleuthkit.autopsy.report; import java.sql.ResultSet; -import java.sql.SQLException; import java.util.ArrayList; +import java.util.Collection; import java.util.HashMap; -import java.util.List; import java.util.logging.Level; import java.util.logging.Logger; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; -import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; /** 
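Review bot: The inserted `try{ … }` sits directly between `for(FileSystem img : imageFS )` and `ext.extractToBlackboard(controller, fsIds);` and no opening brace is visible on the `for` line; if the loop really has no braces, the try block has become the loop body and the extraction call now runs once after the loop instead of per file system — please confirm against the surrounding lines, which are outside the hunk. Independently of that, the block re-runs the type lookup on every iteration, leaves the `ResultSet` open, assigns `addArtifactType`'s result to an unused `artint`, has an empty `if(artcount > 0) { }` branch, and swallows every exception in an empty `catch`, so a failure to register TSK_SYS_INFO is silent even though ExtractRegistry depends on that type in this same commit. Hoist the registration above the loop and invert the test: `if (artcount == 0) { sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information"); }` with `catch (Exception e) { logger.log(Level.WARNING, "Could not register TSK_SYS_INFO artifact type", e); }` on the class logger (`java.util.logging` is already imported here).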
@@ -199,4 +197,57 @@ public HashMap> getHashHit() { return reportMap; } +@Override +public String getGroupedKeywordHit() { + StringBuilder table = new StringBuilder(); + HashMap> reportMap = new HashMap(); + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try + { + ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC"); + while(uniqueresults.next()) + { + table.append("").append(uniqueresults.getString("value_text")).append(""); + table.append(""); + ArrayList artlist = new ArrayList(); + ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") +"'"); + while(tempresults.next()) + { + artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id"))); + } + for(BlackboardArtifact art : artlist) + { + String filename = tempDb.getFsContentById(art.getObjectID()).getName(); + String preview = ""; + String set = ""; + table.append(""); + ArrayList tempatts = art.getAttributes(); + for(BlackboardAttribute att : tempatts) + { + if(att.getAttributeTypeID() == 12) + { + preview = ""; + } + if(att.getAttributeTypeID() == 13) + { + set = ""; + } + } + table.append(preview).append(set).append(""); + } + + + table.append("
").append("File Name").append("PreviewKeyword List
").append(filename).append("" + att.getValueString() + "" + att.getValueString() + "


"); + } + } + catch (Exception e) + { + Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e); + } + + String result = table.toString(); + return result; +} + } \ No newline at end of file diff --git a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java index dabb012930..a587ad6e24 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java @@ -5,7 +5,6 @@ package org.sleuthkit.autopsy.report; import java.io.BufferedWriter; -import java.io.File; import java.io.FileWriter; import java.text.DateFormat; import java.text.SimpleDateFormat; @@ -13,13 +12,16 @@ import java.util.ArrayList; import java.util.Date; import java.util.HashMap; import java.util.Map.Entry; +import java.util.TreeMap; import java.util.logging.Level; import java.util.logging.Logger; import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.autopsy.ingest.IngestManager; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskData; /** * 
@@ -31,16 +33,65 @@ public class reportHTML { public static StringBuilder formatted_Report = new StringBuilder(); public static String htmlPath = ""; public reportHTML (HashMap> report, reportFilter rr){ - + + //This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones. + //Unlike the XML report, which is dynamic, this is formatted and needs to be redone later instead of being hardcoded. + + int countGen = 0; + int countWebBookmark = 0; + int countWebCookie = 0; + int countWebHistory = 0; + int countWebDownload = 0; + int countRecentObjects = 0; + int countTrackPoint = 0; + int countInstalled = 0; + int countKeyword = 0; + int countHash = 0; + for (Entry> entry : report.entrySet()) { + if(entry.getKey().getArtifactTypeID() == 1){ + countGen++; + } + if(entry.getKey().getArtifactTypeID() == 2){ + countWebBookmark++; + } + if(entry.getKey().getArtifactTypeID() == 3){ + + countWebCookie++; + } + if(entry.getKey().getArtifactTypeID() == 4){ + + countWebHistory++; + } + if(entry.getKey().getArtifactTypeID() == 5){ + countWebDownload++; + } + if(entry.getKey().getArtifactTypeID() == 6){ + countRecentObjects++; + } + if(entry.getKey().getArtifactTypeID() == 7){ + countTrackPoint++; + } + if(entry.getKey().getArtifactTypeID() == 8){ + countInstalled++; + } + if(entry.getKey().getArtifactTypeID() == 9){ + countKeyword++; + } + if(entry.getKey().getArtifactTypeID() == 10){ + countHash++; + } + } try{ + + String ingestwarning = "

Warning, this report was run before ingest services completed!

"; Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase skCase = currentCase.getSleuthkitCase(); String caseName = currentCase.getName(); - String rrpath = System.getProperty("user.dir"); - rrpath = rrpath.substring(0, rrpath.length()-14); - rrpath = rrpath + "autopsy\\thirdparty\\"; Integer imagecount = currentCase.getImageIDs().length; + Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG); + Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR); + int reportsize = report.size(); Integer filesystemcount = currentCase.getRootObjectsCount(); DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy"); @@ -68,20 +119,27 @@ public reportHTML (HashMap> re // Add summary information now formatted_Report.append("

Report for Case: ").append(caseName).append("

"); + if(IngestManager.getDefault().isIngestRunning()) + { + formatted_Report.append(ingestwarning); + } formatted_Report.append("

Case Summary

HTML Report Generated by Autopsy 3 on ").append(datetime).append("

    "); formatted_Report.append("
  • # of Images: ").append(imagecount).append("
  • "); formatted_Report.append("
  • FileSystems: ").append(filesystemcount).append("
  • "); - String tableHeader = ""; - StringBuilder nodeGen = new StringBuilder("

    General Information

    " + tableHeader); - StringBuilder nodeWebBookmark = new StringBuilder("

    Web Bookmarks

    " + tableHeader); - StringBuilder nodeWebCookie = new StringBuilder("

    Web Cookies

    " + tableHeader); - StringBuilder nodeWebHistory = new StringBuilder("

    Web History

    " + tableHeader); - StringBuilder nodeWebDownload = new StringBuilder("

    Web Downloads

    " + tableHeader); - StringBuilder nodeRecentObjects = new StringBuilder("

    Recent Documents

    " + tableHeader); - StringBuilder nodeTrackPoint = new StringBuilder("

    Track Points

    " + tableHeader); - StringBuilder nodeInstalled = new StringBuilder("

    Installed Programs

    " + tableHeader); - StringBuilder nodeKeyword = new StringBuilder("

    Keyword Search Hits

    " + tableHeader); - StringBuilder nodeHash = new StringBuilder("

    Hashset Hits

    " + tableHeader); + formatted_Report.append("
  • # of Files: ").append(totalfiles.toString()).append("
  • "); + formatted_Report.append("
  • # of Dirs: ").append(totaldirs.toString()).append("
  • "); + formatted_Report.append("
  • # of Artifacts: ").append(reportsize).append("
  • "); + String tableHeader = "
    Artifact IDNameSizeAttributeValue
    "; + StringBuilder nodeGen = new StringBuilder("

    General Information (").append(countGen).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeWebBookmark = new StringBuilder("

    Web Bookmarks (").append(countWebBookmark).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeWebCookie = new StringBuilder("

    Web Cookies (").append(countWebCookie).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeWebHistory = new StringBuilder("

    Web History (").append(countWebHistory).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeWebDownload = new StringBuilder("

    Web Downloads (").append(countWebDownload).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeRecentObjects = new StringBuilder("

    Recent Documents (").append(countRecentObjects).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeTrackPoint = new StringBuilder("

    Track Points (").append(countTrackPoint).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeInstalled = new StringBuilder("

    Installed Programs (").append(countInstalled).append(")

    ").append(tableHeader).append(""); + StringBuilder nodeKeyword = new StringBuilder("

    Keyword Search Hits (").append(countKeyword).append(")

    "); + StringBuilder nodeHash = new StringBuilder("

    Hashset Hits (").append(countHash).append(")

    ").append(tableHeader).append(""); for (Entry> entry : report.entrySet()) { if(reportFilter.cancel == true){ @@ -94,57 +152,87 @@ public reportHTML (HashMap> re FsContent file = skCase.getFsContentById(objId); Long filesize = file.getSize(); - - - - // Get all the attributes for this guy + artifact.append(""); + artifact.append(""); + + TreeMap attributes = new TreeMap(); + // Get all the attributes, line them up to be added. for (BlackboardAttribute tempatt : entry.getValue()) { - if(reportFilter.cancel == true){ + if(reportFilter.cancel == true){ break; } - artifact.append(""); - //artifact.append("Path: ").append(file.getParentPath()); - artifact.append(""); - StringBuilder attribute = new StringBuilder(""); - attribute.append(""); - //attribute.append("
  • Context: ").append(tempatt.getContext()).append("
  • "); - artifact.append(attribute); + int type = tempatt.getAttributeTypeID(); + String value = tempatt.getValueString(); + attributes.put(type, value); cc++; } - //artifact.append(""); + + if(entry.getKey().getArtifactTypeID() == 1){ + + artifact.append(""); nodeGen.append(artifact); } if(entry.getKey().getArtifactTypeID() == 2){ + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); nodeWebBookmark.append(artifact); } if(entry.getKey().getArtifactTypeID() == 3){ - + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); nodeWebCookie.append(artifact); } if(entry.getKey().getArtifactTypeID() == 4){ - + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); nodeWebHistory.append(artifact); } if(entry.getKey().getArtifactTypeID() == 5){ + + artifact.append(""); nodeWebDownload.append(artifact); } if(entry.getKey().getArtifactTypeID() == 6){ + + artifact.append(""); nodeRecentObjects.append(artifact); } if(entry.getKey().getArtifactTypeID() == 7){ + + artifact.append(""); nodeTrackPoint.append(artifact); } if(entry.getKey().getArtifactTypeID() == 8){ + + artifact.append(""); nodeInstalled.append(artifact); } if(entry.getKey().getArtifactTypeID() == 9){ - nodeKeyword.append(artifact); + + // artifact.append("
    Artifact IDNameSizeAttributeValue
    URLTitleProgram
    URLDateNameValueProgram
    URLDateReferrerTitleProgram
    AttributeValue
    NamePath
    AttributeValue
    AttributeValue
    File NameHashset Name
    ").append(objId.toString()); + artifact.append("").append(file.getName().toString()).append("").append(filesize.toString()).append("
    ").append(objId.toString()); - artifact.append("").append(file.getName().toString()).append("").append(filesize.toString()).append("").append(tempatt.getAttributeTypeDisplayName()).append("").append(tempatt.getValueString()).append("
    ").append(attributes.get(1)).append("").append(attributes.get(3)).append("").append(attributes.get(4)).append("
    ").append(attributes.get(1)).append("").append(attributes.get(2)).append("").append(attributes.get(3)).append("").append(attributes.get(6)).append("").append(attributes.get(4)).append("
    ").append(attributes.get(1)).append("").append(attributes.get(2)).append("").append(attributes.get(32)).append("").append(attributes.get(3)).append("").append(attributes.get(4)).append("
    "); + + // artifact.append("
    Artifact IDNameSize
    "); + // nodeKeyword.append(artifact); } if(entry.getKey().getArtifactTypeID() == 10){ + + artifact.append("").append(attributes.get(31)).append(""); + artifact.append("").append(attributes.get(30)).append(""); + artifact.append(""); nodeHash.append(artifact); } cc++; @@ -166,9 +254,15 @@ public reportHTML (HashMap> re formatted_Report.append(nodeTrackPoint); formatted_Report.append(""); formatted_Report.append(nodeInstalled); - formatted_Report.append(""); + formatted_Report.append(""); formatted_Report.append(nodeKeyword); - formatted_Report.append(""); + if(countKeyword > 0){ + report keywords = new report(); + formatted_Report.append(keywords.getGroupedKeywordHit()); + // " + // formatted_Report.append("
    Artifact IDNameSize
    "); + } + formatted_Report.append(nodeHash); formatted_Report.append(""); //end of master loop diff --git a/Report/src/org/sleuthkit/autopsy/report/reportInterface.java b/Report/src/org/sleuthkit/autopsy/report/reportInterface.java index d94b62e943..ba8f3ef6f1 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportInterface.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportInterface.java @@ -22,4 +22,5 @@ public interface reportInterface{ public HashMap> getRecentObject(); public HashMap> getHashHit(); public HashMap> getKeywordHit(); + public String getGroupedKeywordHit(); } diff --git a/Report/src/org/sleuthkit/autopsy/report/reportXML.java b/Report/src/org/sleuthkit/autopsy/report/reportXML.java index 061c8bc0c5..6a25b35ba8 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportXML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportXML.java @@ -19,6 +19,7 @@ import org.jdom.Document.*; import org.jdom.Element; import org.jdom.output.XMLOutputter; import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.autopsy.ingest.IngestManager; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.Content; @@ -27,6 +28,7 @@ import org.sleuthkit.datamodel.Directory; import org.sleuthkit.datamodel.File; import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskData; public class reportXML { public static Document xmldoc = new Document(); public reportXML (HashMap> report, reportFilter rr){ 
@@ -36,6 +38,8 @@ public class reportXML { String caseName = currentCase.getName(); Integer imagecount = currentCase.getImageIDs().length; Integer filesystemcount = currentCase.getRootObjectsCount(); + Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG); + Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR); Element root = new Element("Case"); xmldoc = new Document(root); DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); @@ -47,9 +51,15 @@ public class reportXML { root.addContent(comment); //Create summary node involving how many of each type Element summary = new Element("Summary"); + if(IngestManager.getDefault().isIngestRunning()) + { + summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!")); + } summary.addContent(new Element("Name").setText(caseName)); summary.addContent(new Element("Total-Images").setText(imagecount.toString())); summary.addContent(new Element("Total-FileSystems").setText(filesystemcount.toString())); + summary.addContent(new Element("Total-Files").setText(totalfiles.toString())); + summary.addContent(new Element("Total-Directories").setText(totaldirs.toString())); root.addContent(summary); //generate the nodes for each of the types so we can use them later Element nodeGen = new Element("General-Information");
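Review bot: The new `Warning` element and the `Total-Files`/`Total-Directories` counts duplicate the same `IngestManager.getDefault().isIngestRunning()` check and `countFsContentType` calls that this commit adds to `reportHTML`; a shared helper on `report` (e.g. `static boolean ingestIncomplete()` and `static int countRegular(SleuthkitCase)`) would keep the two reports from drifting apart. The warning could also state what it implies for the reader, since that is why it is emitted: `"Report was run before ingest services completed; artifact counts may be incomplete"`. The constructor continues outside the hunk.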