diff --git a/CoreComponents/nbproject/genfiles.properties b/CoreComponents/nbproject/genfiles.properties
index 058b7f5a5d..8ae512bd79 100644
--- a/CoreComponents/nbproject/genfiles.properties
+++ b/CoreComponents/nbproject/genfiles.properties
@@ -1,8 +1,8 @@
-build.xml.data.CRC32=f7f11023
+build.xml.data.CRC32=29b5838d
build.xml.script.CRC32=d7506201
-build.xml.stylesheet.CRC32=a56c6a5b@1.46.2
+build.xml.stylesheet.CRC32=a56c6a5b@1.46.1
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
-nbproject/build-impl.xml.data.CRC32=f7f11023
+nbproject/build-impl.xml.data.CRC32=29b5838d
nbproject/build-impl.xml.script.CRC32=c3845be2
-nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.2
+nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1
diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchEditListPanel.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchEditListPanel.java
index c9228d544a..6fe110bd4b 100644
--- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchEditListPanel.java
+++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchEditListPanel.java
@@ -59,6 +59,8 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
private static Logger logger = Logger.getLogger(KeywordSearchEditListPanel.class.getName());
private KeywordTableModel tableModel;
private String currentKeywordList;
+
+
private boolean ingestRunning;
private boolean locked;
private static KeywordSearchEditListPanel instance = null;
@@ -76,6 +78,7 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
}
return instance;
}
+
private void customizeComponents() {
locked = false;
@@ -109,7 +112,7 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
final ListSelectionModel lsm = keywordTable.getSelectionModel();
lsm.addListSelectionListener(new ListSelectionListener() {
-
+
@Override
public void valueChanged(ListSelectionEvent e) {
if (lsm.isSelectionEmpty() || locked) {
@@ -148,6 +151,7 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
});
//loadDefaultKeywords();
+
initButtons();
@@ -649,7 +653,7 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
@Override
public void valueChanged(ListSelectionEvent e) {
-
+ //respond to list selection changes in KeywordSearchListManagementPanel
ListSelectionModel listSelectionModel = (ListSelectionModel) e.getSource();
if (!listSelectionModel.isSelectionEmpty()) {
int index = listSelectionModel.getMinSelectionIndex();
@@ -667,7 +671,6 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
tableModel.resync(currentKeywordList);
initButtons();
} else {
- currentKeywordList = null;
tableModel.deleteAll();
initButtons();
}
diff --git a/RecentActivity/release/rr/plugins/arunmru.pl b/RecentActivity/release/rr/plugins/arunmru.pl
index 7370685b45..8edea6e515 100644
--- a/RecentActivity/release/rr/plugins/arunmru.pl
+++ b/RecentActivity/release/rr/plugins/arunmru.pl
@@ -66,12 +66,13 @@ sub pluginmain {
#::logMsg($key_path." has no values.");
}
::rptMsg("");
+ ::rptMsg("");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
- ::rptMsg("");
+
}
1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl b/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl
index 34e3bf1034..538555ef8d 100644
--- a/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl
+++ b/RecentActivity/release/rr/plugins/autopsyrecentdocs.pl
@@ -66,7 +66,7 @@ sub pluginmain {
my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) {
- ::rptMsg("".$i." = ".$rdvals{$i} . "");
+ ::rptMsg("".$rdvals{$i} . "");
}
}
@@ -79,8 +79,8 @@ sub pluginmain {
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
- ::rptMsg($key_path."\\".$s->get_name());
- ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
+ #::rptMsg($key_path."\\".$s->get_name());
+ #::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
my %rdvals = getRDValues($s);
if (%rdvals) {
@@ -96,12 +96,12 @@ sub pluginmain {
}
my @list = split(/,/,$rdvals{$tag});
- ::rptMsg($tag." = ".$rdvals{$tag});
+ #::rptMsg($tag." = ".$rdvals{$tag});
foreach my $i (@list) {
- ::rptMsg(" ".$i." = ".$rdvals{$i});
+ #::rptMsg("".$rdvals{$i});
}
- ::rptMsg("");
+ #::rptMsg("");
}
else {
#::rptMsg($key_path." has no values.");
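Review bot: The reporting calls in this hunk and in the previous one are disabled by commenting them out rather than removed, which leaves `foreach my $i (@list)` with no executable body and `@list` computed for nothing. Delete the dead lines, or, if the loop is kept for a later change, add a one-line comment stating why subkey output is suppressed. Commenting out the subkey name and `LastWrite Time` lines also removes the only timestamp printed for each subkey, so confirm that downstream parsing does not need it. `pluginmain` starts and ends outside this hunk.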
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
index 5c64650aaa..e16b581e46 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
@@ -3,6 +3,7 @@
* and open the template in the editor.
*/
package org.sleuthkit.autopsy.recentactivity;
+import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
@@ -210,61 +211,33 @@ public class Chrome {
dbFile.delete();
break;
}
- try
+ try
{
final JsonParser parser = new JsonParser();
JsonElement jsonElement = parser.parse(new FileReader(temps));
- JsonObject jsonBookmarks = jsonElement.getAsJsonObject();
+ JsonObject test = jsonElement.getAsJsonObject();
+ JsonObject whatever = test.get("roots").getAsJsonObject();
+ JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject();
+ JsonArray whatever3 = whatever2.getAsJsonArray("children");
+
+ // JsonArray results = parser.parse(new FileReader(temps)).getAsJsonObject().getAsJsonArray("roots").getAsJsonObject().getAsJsonArray("bookmark_bar").get(0).getAsJsonObject().getAsJsonArray("children");
+ for (JsonElement result : whatever3) {
+
+ JsonObject address = result.getAsJsonObject();
+ String url = address.get("url").getAsString();
+ String name = address.get("name").getAsString();
+ String date = address.get("date_added").getAsString();
- for ( Entry entry : jsonBookmarks.entrySet()) {
- String key = entry.getKey();
- JsonElement value = entry.getValue();
- if(key.contains("roots"))
- {
- JsonObject jsonRoots = value.getAsJsonObject();
- for ( Entry roots : jsonRoots.entrySet()) {
- if(roots.getKey().contains("bookmark_bar")){
- JsonObject jsonChildren = roots.getValue().getAsJsonObject();
- for ( Entry children : jsonChildren.entrySet()) {
- JsonObject bookmarks = children.getValue().getAsJsonObject();
- for (Entry recs : bookmarks.entrySet()) {
- JsonObject rec = recs.getValue().getAsJsonObject();
-
- String url = rec.get("url").getAsString();
- String name = rec.get("name").getAsString();
- String date = rec.get("date_added").getAsString();
- }
- }
-
- }
-
- }
-
-// BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
-// Collection bbattributes = new ArrayList();
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",""));
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",""));
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",""));
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
-// bbart.addAttributes(bbattributes);
- }
+ BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
+ Collection bbattributes = new ArrayList();
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",date));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
+ bbart.addAttributes(bbattributes);
}
-// dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
-// ResultSet temprs = tempdbconnect.executeQry(chbookmarkquery);
-// while(temprs.next())
-// {
-// BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
-// Collection bbattributes = new ArrayList();
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("last_visit_time")));
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : "")));
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
-// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
-// bbart.addAttributes(bbattributes);
-//
-// }
-// tempdbconnect.closeConnection();
-// temprs.close();
+
}
catch (Exception ex)
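Review bot: The new loop over `children` assumes every bookmark-bar entry is a URL node, so `address.get("url").getAsString()` throws a NullPointerException on the first entry without a `url` member (folder nodes in Chrome's Bookmarks file normally carry their own `children` instead), and the enclosing `catch (Exception ex)` then drops every remaining bookmark in that file. The same applies to `test.get("roots")` and `whatever.get("bookmark_bar")` when the file recovered from the image is truncated or is not a bookmarks file at all. The `FileReader` is never closed in the visible lines and decodes with the platform charset, and `test`/`whatever`/`whatever2`/`whatever3` together with the commented-out one-liner should give way to descriptive names. Only the `bookmark_bar` root is walked, so bookmarks under other roots or inside folders are presumably not reported. The enclosing method starts and ends outside this hunk.

```java
// … unchanged: parser setup and jsonElement …
JsonObject root = jsonElement.getAsJsonObject();
JsonObject roots = root.getAsJsonObject("roots");
JsonObject bookmarkBar = (roots == null) ? null : roots.getAsJsonObject("bookmark_bar");
JsonArray children = (bookmarkBar == null) ? null : bookmarkBar.getAsJsonArray("children");
if (children != null) {
    for (JsonElement result : children) {
        if (!result.isJsonObject()) {
            continue;
        }
        JsonObject address = result.getAsJsonObject();
        // Entries without all three members (e.g. folders) are skipped so that
        // one unexpected node does not abort the rest of the file.
        if (!address.has("url") || !address.has("name") || !address.has("date_added")) {
            continue;
        }
        // … unchanged: url/name/date extraction and artifact creation …
    }
}
```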
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
index bf6f93ada0..fdf7d76cc7 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
@@ -46,11 +46,11 @@ import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.datamodel.KeyValue;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
-import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
+import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException;
@@ -59,7 +59,9 @@ public class ExtractIE { // implements BrowserActivity {
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
private String indexDatQueryStr = "select * from tsk_files where name LIKE '%index.dat%'";
-
+ private String favoriteQuery = "select * from `tsk_files` where parent_path LIKE '%/Favorites%' and name LIKE '%.url'";
+ private String cookiesQuery = "select * from `tsk_files` where parent_path LIKE '%/Cookies%' and name LIKE '%.txt'";
+ private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'";
//sleauthkit db handle
SleuthkitCase tempDb;
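Review bot: The three query strings added here are mutable per-instance fields, and `recentQuery` is not used anywhere in the visible hunks; they read better as `private static final String` constants, with `recentQuery` added only when the code that consumes it lands. The patterns are also broad: `parent_path LIKE '%/Cookies%' and name LIKE '%.txt'` selects any `.txt` file under any path containing `/Cookies`, and the constructor code in the next hunk reads each match fully into memory with `fav.read(0, fav.getSize())`, so a size cap before the read would be prudent. The `tempDb` field on the last line of this hunk is shadowed by a local of the same name in that constructor code.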
@@ -79,6 +81,117 @@ public class ExtractIE { // implements BrowserActivity {
public ExtractIE(List image, IngestImageWorkerController controller) {
init(image, controller);
+
+ //Favorites section
+ // This gets the favorite info
+ try
+ {
+ Case currentCase = Case.getCurrentCase(); // get the most updated case
+ SleuthkitCase tempDb = currentCase.getSleuthkitCase();
+ String allFS = new String();
+ for(String img : image)
+ {
+ allFS += " AND fs_obj_id = '" + img + "'";
+ }
+ List FavoriteList;
+
+ ResultSet rs = tempDb.runQuery(favoriteQuery + allFS);
+ FavoriteList = tempDb.resultSetToFsContents(rs);
+ rs.close();
+ rs.getStatement().close();
+
+ for(FsContent Favorite : FavoriteList)
+ {
+ if (controller.isCancelled() ) {
+ break;
+ }
+ Content fav = Favorite;
+ byte[] t = fav.read(0, fav.getSize());
+ String bookmarkString = new String(t);
+ String re1=".*?"; // Non-greedy match on filler
+ String re2="((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1
+ String url = "";
+ Pattern p = Pattern.compile(re1+re2,Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
+ Matcher m = p.matcher(bookmarkString);
+ if (m.find())
+ {
+ url = m.group(1);
+ }
+ String name = Favorite.getName();
+ String datetime = Favorite.getCrtimeAsDate();
+
+ BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
+ Collection bbattributes = new ArrayList();
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
+ bbart.addAttributes(bbattributes);
+
+ }
+ }
+ catch(TskException ex)
+ {
+ logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
+ }
+ catch(SQLException ioex)
+ {
+ logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
+ }
+
+ //Cookies section
+ // This gets the cookies info
+ try
+ {
+ Case currentCase = Case.getCurrentCase(); // get the most updated case
+ SleuthkitCase tempDb = currentCase.getSleuthkitCase();
+ String allFS = new String();
+ for(String img : image)
+ {
+ allFS += " AND fs_obj_id = '" + img + "'";
+ }
+ List CookiesList;
+
+ ResultSet rs = tempDb.runQuery(cookiesQuery + allFS);
+ CookiesList = tempDb.resultSetToFsContents(rs);
+ rs.close();
+ rs.getStatement().close();
+
+ for(FsContent Cookie : CookiesList)
+ {
+ if (controller.isCancelled() ) {
+ break;
+ }
+ Content fav = Cookie;
+ byte[] t = fav.read(0, fav.getSize());
+ String cookieString = new String(t);
+
+ String[] values = cookieString.split("\n");
+ String url = values[2];
+ String value = values[1];
+ String name = values[0];
+ String datetime = Cookie.getCrtimeAsDate();
+
+ BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
+ Collection bbattributes = new ArrayList();
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",datetime));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : ""));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
+ bbart.addAttributes(bbattributes);
+
+ }
+ }
+ catch(TskException ex)
+ {
+ logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
+ }
+ catch(SQLException ioex)
+ {
+ logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
+ }
+
}
//@Override
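Review bot: The cookie loop indexes `values[0]` to `values[2]` without checking the length of the split result, so a matched `.txt` file with fewer than three lines raises an ArrayIndexOutOfBoundsException that neither `catch` handles and that escapes the constructor. The filter built in both sections chains `" AND fs_obj_id = '" + img + "'"` per image, which can match no row once `image` has more than one entry; the terms need to be OR-ed inside one parenthesised group, and because the value is spliced into SQL it should be checked to be numeric first. `rs.getStatement()` is called after `rs.close()`, which JDBC permits to throw; fetch the statement first and close both in a `finally`. The Favorites section stores `getCrtimeAsDate()` under `TSK_LAST_ACCESSED` with the label "Last Visited", which presents a file creation time as a visit time. The constructor begins before this hunk.

```java
// … unchanged: query, cancellation check, fav.read(...) into t …
String cookieString = new String(t);
String[] values = cookieString.split("\n");
if (values.length < 3) {
    // Not in the expected name/value/host layout: skip this file instead of
    // letting an unchecked exception escape the constructor.
    logger.log(Level.INFO, "Skipping cookie file with unexpected layout: " + Cookie.getName());
    continue;
}
// … unchanged: values[0..2] extraction and artifact creation …
```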
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 26010cf9c8..179d40a7f1 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -4,9 +4,14 @@
*/
package org.sleuthkit.autopsy.recentactivity;
+import java.io.BufferedReader;
import java.io.File;
+import java.io.FileInputStream;
import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
import java.io.StringReader;
+import java.nio.charset.Charset;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
@@ -111,8 +116,8 @@ public void getregistryfiles(List image, IngestImageWorkerController con
//Now fetch the results, parse them and the delete the files.
if(Success)
{
- //Delete dat file since it was succcessfully by Pasco
- regFile.delete();
+ //Delete dat file since it was succcessful
+ regFile.delete();
}
j++;
@@ -144,11 +149,11 @@ public void getregistryfiles(List image, IngestImageWorkerController con
if(regFilePath.toLowerCase().contains("system"))
{
- type = "system";
+ type = "1system";
}
if(regFilePath.toLowerCase().contains("software"))
{
- type = "software";
+ type = "1software";
}
if(regFilePath.toLowerCase().contains("ntuser"))
{
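Review bot: The profile names passed to `-f` are changed to `1system` and `1software` here, and to `1default`, `1sam` and `1security` in the next hunk, with no comment explaining the prefix, while the `ntuser` branch is not shown as changed. If no plugin profile with those names ships with the bundled RegRipper, these hives would presumably produce no output and the failure would be silent, so this looks like a debugging switch that should not be committed as is. If the intent is to skip those hives, skip the run explicitly and say why in a comment rather than passing a name that is not expected to resolve. The method body starts and ends outside this hunk.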
@@ -156,15 +161,15 @@ public void getregistryfiles(List image, IngestImageWorkerController con
}
if(regFilePath.toLowerCase().contains("default"))
{
- type = "default";
+ type = "1default";
}
if(regFilePath.toLowerCase().contains("sam"))
{
- type = "sam";
+ type = "1sam";
}
if(regFilePath.toLowerCase().contains("security"))
{
- type = "security";
+ type = "1security";
}
String command = RR_PATH + " -r " + regFilePath +" -f " + type + "> " + txtPath;
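Review bot: The `type` values changed in this hunk are spliced into `command` together with `regFilePath` and `txtPath` by plain string concatenation, including a `>` redirection, so a path containing spaces or shell metacharacters would split or alter the command. How `command` is executed is outside the hunk, but if it goes through `Runtime.exec(String)` the redirection is not interpreted at all, and if it goes through a shell the unquoted paths matter because they may be derived from file names in the image. Passing the arguments as a list to `ProcessBuilder` and using `redirectOutput(new File(txtPath))` avoids both problems. The substring tests such as `contains("sam")` also match unrelated paths, and later branches overwrite earlier ones, so matching on the file name alone would be safer.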
@@ -188,8 +193,10 @@ public void getregistryfiles(List image, IngestImageWorkerController con
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
-
- String regString = new Scanner(new File(regRecord)).useDelimiter("\\Z").next();
+ File regfile = new File(regRecord);
+
+ BufferedReader input = new BufferedReader(new InputStreamReader(new FileInputStream(regfile)));
+ String regString = new Scanner(input).useDelimiter("\\Z").next();
String startdoc = "";
String result = regString.replaceAll("----------------------------------------","");
String enddoc = "";
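Review bot: The replacement reader is built with `new InputStreamReader(new FileInputStream(regfile))`, which still decodes with the platform default charset even though `java.nio.charset.Charset` is newly imported, and nothing in the visible lines closes `input` or the `Scanner`. Pass the charset the report is written in as the second constructor argument, and close the reader in a `finally` block so the file handle is not leaked. `next()` also throws NoSuchElementException when the report file is empty, which the broad `catch` at the end of the method turns into a generic warning; an explicit `hasNext()` check would make that case visible. The `try` block continues past the end of this hunk.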
@@ -212,18 +219,21 @@ public void getregistryfiles(List image, IngestImageWorkerController con
Element artroot = tempnode.getChild("artifacts");
List artlist = artroot.getChildren();
-
- Collection bbattributes = new ArrayList();
- bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
+ if(artlist.isEmpty()){
+ }
+ else{
+
Iterator aiterator = artlist.iterator();
while (aiterator.hasNext()) {
Element artnode = (Element) aiterator.next();
String name = artnode.getAttributeValue("name");
String value = artnode.getTextTrim();
+ Collection bbattributes = new ArrayList();
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
+
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
- }
- if("recentdocs".equals(context)){
+ if("recentdocs".equals(context)){
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
bbart.addAttributes(bbattributes);
}
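Review bot: `if(artlist.isEmpty()){ } else{` leaves an empty branch; `if (!artlist.isEmpty()) {` says the same thing without it, and the body below should be re-indented to match the new nesting. Moving `bbattributes` inside the loop appears to create one artifact per `artnode` instead of one per time node, which is presumably the intent but deserves a comment such as `// one artifact per registry value, each stamped with the key's time`. `tempDb.getContentById(orgId)` is now evaluated on every iteration and could be hoisted above the loop. The `else` block opened here is closed in the next hunk.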
@@ -238,13 +248,16 @@ public void getregistryfiles(List image, IngestImageWorkerController con
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes);
}
+ }
+
+ }
}
}
catch (Exception ex)
{
- logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex);
+ logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
}
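Review bot: The reworded warning still appends the exception with `+ ex`, so only its `toString()` is logged and the stack trace is lost; pass it as the throwable argument instead, `logger.log(Level.WARNING, "Error while trying to read into a registry file.", ex);`. The `catch (Exception ex)` covers the whole parsing block, so a malformed report for one hive is indistinguishable in the log from an I/O failure. Including `regRecord` in the message would make it possible to tell which report file failed.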