Merge branch 'master' of github.com:sleuthkit/autopsy
commit
c0470f53e0
@ -1,8 +1,8 @@
|
|||||||
build.xml.data.CRC32=f7f11023
|
build.xml.data.CRC32=29b5838d
|
||||||
build.xml.script.CRC32=d7506201
|
build.xml.script.CRC32=d7506201
|
||||||
build.xml.stylesheet.CRC32=a56c6a5b@1.46.2
|
build.xml.stylesheet.CRC32=a56c6a5b@1.46.1
|
||||||
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
|
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
|
||||||
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
|
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
|
||||||
nbproject/build-impl.xml.data.CRC32=f7f11023
|
nbproject/build-impl.xml.data.CRC32=29b5838d
|
||||||
nbproject/build-impl.xml.script.CRC32=c3845be2
|
nbproject/build-impl.xml.script.CRC32=c3845be2
|
||||||
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.2
|
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1
|
||||||
|
@ -59,6 +59,8 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
|
|||||||
private static Logger logger = Logger.getLogger(KeywordSearchEditListPanel.class.getName());
|
private static Logger logger = Logger.getLogger(KeywordSearchEditListPanel.class.getName());
|
||||||
private KeywordTableModel tableModel;
|
private KeywordTableModel tableModel;
|
||||||
private String currentKeywordList;
|
private String currentKeywordList;
|
||||||
|
|
||||||
|
|
||||||
private boolean ingestRunning;
|
private boolean ingestRunning;
|
||||||
private boolean locked;
|
private boolean locked;
|
||||||
private static KeywordSearchEditListPanel instance = null;
|
private static KeywordSearchEditListPanel instance = null;
|
||||||
@ -77,6 +79,7 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
|
|||||||
return instance;
|
return instance;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
private void customizeComponents() {
|
private void customizeComponents() {
|
||||||
locked = false;
|
locked = false;
|
||||||
chRegex.setToolTipText("Keyword is a regular expression");
|
chRegex.setToolTipText("Keyword is a regular expression");
|
||||||
@ -149,6 +152,7 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
|
|||||||
|
|
||||||
//loadDefaultKeywords();
|
//loadDefaultKeywords();
|
||||||
|
|
||||||
|
|
||||||
initButtons();
|
initButtons();
|
||||||
|
|
||||||
addWordField.setComponentPopupMenu(rightClickMenu);
|
addWordField.setComponentPopupMenu(rightClickMenu);
|
||||||
@ -649,7 +653,7 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
|
|||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void valueChanged(ListSelectionEvent e) {
|
public void valueChanged(ListSelectionEvent e) {
|
||||||
|
//respond to list selection changes in KeywordSearchListManagementPanel
|
||||||
ListSelectionModel listSelectionModel = (ListSelectionModel) e.getSource();
|
ListSelectionModel listSelectionModel = (ListSelectionModel) e.getSource();
|
||||||
if (!listSelectionModel.isSelectionEmpty()) {
|
if (!listSelectionModel.isSelectionEmpty()) {
|
||||||
int index = listSelectionModel.getMinSelectionIndex();
|
int index = listSelectionModel.getMinSelectionIndex();
|
||||||
@ -667,7 +671,6 @@ class KeywordSearchEditListPanel extends javax.swing.JPanel implements ListSelec
|
|||||||
tableModel.resync(currentKeywordList);
|
tableModel.resync(currentKeywordList);
|
||||||
initButtons();
|
initButtons();
|
||||||
} else {
|
} else {
|
||||||
currentKeywordList = null;
|
|
||||||
tableModel.deleteAll();
|
tableModel.deleteAll();
|
||||||
initButtons();
|
initButtons();
|
||||||
}
|
}
|
||||||
|
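Review bot: Dropping `currentKeywordList = null;` from the else branch leaves the field holding the name of the list that was just deselected while `tableModel.deleteAll()` empties the table, so any later code that keys off `currentKeywordList` (the `tableModel.resync(currentKeywordList)` call on the selected branch suggests there is such code) would act on a list that is no longer shown. If the field is read anywhere else in the class, keep the assignment, `currentKeywordList = null;`, or explain the removal in a comment on the else branch. valueChanged begins in the previous hunk and its tail is outside this one.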
@ -66,12 +66,13 @@ sub pluginmain {
|
|||||||
#::logMsg($key_path." has no values.");
|
#::logMsg($key_path." has no values.");
|
||||||
}
|
}
|
||||||
::rptMsg("</artifacts>");
|
::rptMsg("</artifacts>");
|
||||||
|
::rptMsg("</runMRU>");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#::rptMsg($key_path." not found.");
|
#::rptMsg($key_path." not found.");
|
||||||
#::logMsg($key_path." not found.");
|
#::logMsg($key_path." not found.");
|
||||||
}
|
}
|
||||||
::rptMsg("</runMRU>");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
1;
|
1;
|
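Review bot: `::rptMsg("</runMRU>")` is now emitted only on the branch that found the key, so if the matching opening tag is written before the lookup (outside this hunk) the not-found path produces a report with no closing element. The Java side of this same commit feeds RegRipper output to an XML parser (ExtractRegistry wraps it in `<document>` and walks `Element` children), so an unbalanced element would fail the parse of the whole section rather than just this plugin's output. Either keep the closing line after the `if`/`else` as it was, or also emit it in the `else`, `::rptMsg("</runMRU>");`. pluginmain starts before this hunk.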
@ -66,7 +66,7 @@ sub pluginmain {
|
|||||||
|
|
||||||
my @list = split(/,/,$rdvals{$tag});
|
my @list = split(/,/,$rdvals{$tag});
|
||||||
foreach my $i (@list) {
|
foreach my $i (@list) {
|
||||||
::rptMsg("<doc>".$i." = ".$rdvals{$i} . "</doc>");
|
::rptMsg("<doc name=\"Windows\">".$rdvals{$i} . "</doc>");
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
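Review bot: `$rdvals{$i}` is written between the `<doc ...>` tags verbatim, and this output is later parsed as XML by ExtractRegistry in this same commit; a document name in the hive that contains `&`, `<` or `>` will break that parse or be read as markup. The value comes from a registry hive in the evidence image, so it is untrusted input to that parser and should be escaped before it is emitted, e.g. `(my $v = $rdvals{$i}) =~ s/&/&amp;/g; $v =~ s/</&lt;/g; $v =~ s/>/&gt;/g;` followed by `::rptMsg("<doc name=\"Windows\">".$v."</doc>");`. The same applies to the value lines in the two hunks below in this file if they are re-enabled later. pluginmain begins outside this hunk.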
@ -79,8 +79,8 @@ sub pluginmain {
|
|||||||
my @subkeys = $key->get_list_of_subkeys();
|
my @subkeys = $key->get_list_of_subkeys();
|
||||||
if (scalar(@subkeys) > 0) {
|
if (scalar(@subkeys) > 0) {
|
||||||
foreach my $s (@subkeys) {
|
foreach my $s (@subkeys) {
|
||||||
::rptMsg($key_path."\\".$s->get_name());
|
#::rptMsg($key_path."\\".$s->get_name());
|
||||||
::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
|
#::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
|
||||||
|
|
||||||
my %rdvals = getRDValues($s);
|
my %rdvals = getRDValues($s);
|
||||||
if (%rdvals) {
|
if (%rdvals) {
|
||||||
@ -96,12 +96,12 @@ sub pluginmain {
|
|||||||
}
|
}
|
||||||
|
|
||||||
my @list = split(/,/,$rdvals{$tag});
|
my @list = split(/,/,$rdvals{$tag});
|
||||||
::rptMsg($tag." = ".$rdvals{$tag});
|
#::rptMsg($tag." = ".$rdvals{$tag});
|
||||||
foreach my $i (@list) {
|
foreach my $i (@list) {
|
||||||
::rptMsg(" ".$i." = ".$rdvals{$i});
|
#::rptMsg("".$rdvals{$i});
|
||||||
}
|
}
|
||||||
|
|
||||||
::rptMsg("");
|
#::rptMsg("");
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
#::rptMsg($key_path." has no values.");
|
#::rptMsg($key_path." has no values.");
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
* and open the template in the editor.
|
* and open the template in the editor.
|
||||||
*/
|
*/
|
||||||
package org.sleuthkit.autopsy.recentactivity;
|
package org.sleuthkit.autopsy.recentactivity;
|
||||||
|
import com.google.gson.JsonArray;
|
||||||
import com.google.gson.JsonElement;
|
import com.google.gson.JsonElement;
|
||||||
import com.google.gson.JsonObject;
|
import com.google.gson.JsonObject;
|
||||||
import com.google.gson.JsonParser;
|
import com.google.gson.JsonParser;
|
||||||
@ -215,56 +216,28 @@ public class Chrome {
|
|||||||
|
|
||||||
final JsonParser parser = new JsonParser();
|
final JsonParser parser = new JsonParser();
|
||||||
JsonElement jsonElement = parser.parse(new FileReader(temps));
|
JsonElement jsonElement = parser.parse(new FileReader(temps));
|
||||||
JsonObject jsonBookmarks = jsonElement.getAsJsonObject();
|
JsonObject test = jsonElement.getAsJsonObject();
|
||||||
|
JsonObject whatever = test.get("roots").getAsJsonObject();
|
||||||
|
JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject();
|
||||||
|
JsonArray whatever3 = whatever2.getAsJsonArray("children");
|
||||||
|
|
||||||
for ( Entry<String, JsonElement> entry : jsonBookmarks.entrySet()) {
|
// JsonArray results = parser.parse(new FileReader(temps)).getAsJsonObject().getAsJsonArray("roots").getAsJsonObject().getAsJsonArray("bookmark_bar").get(0).getAsJsonObject().getAsJsonArray("children");
|
||||||
String key = entry.getKey();
|
for (JsonElement result : whatever3) {
|
||||||
JsonElement value = entry.getValue();
|
|
||||||
if(key.contains("roots"))
|
|
||||||
{
|
|
||||||
JsonObject jsonRoots = value.getAsJsonObject();
|
|
||||||
for ( Entry<String, JsonElement> roots : jsonRoots.entrySet()) {
|
|
||||||
if(roots.getKey().contains("bookmark_bar")){
|
|
||||||
JsonObject jsonChildren = roots.getValue().getAsJsonObject();
|
|
||||||
for ( Entry<String, JsonElement> children : jsonChildren.entrySet()) {
|
|
||||||
JsonObject bookmarks = children.getValue().getAsJsonObject();
|
|
||||||
for (Entry<String, JsonElement> recs : bookmarks.entrySet()) {
|
|
||||||
JsonObject rec = recs.getValue().getAsJsonObject();
|
|
||||||
|
|
||||||
String url = rec.get("url").getAsString();
|
JsonObject address = result.getAsJsonObject();
|
||||||
String name = rec.get("name").getAsString();
|
String url = address.get("url").getAsString();
|
||||||
String date = rec.get("date_added").getAsString();
|
String name = address.get("name").getAsString();
|
||||||
}
|
String date = address.get("date_added").getAsString();
|
||||||
|
|
||||||
|
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
||||||
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",date));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
|
||||||
|
bbart.addAttributes(bbattributes);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
// BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
|
||||||
// Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",""));
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",""));
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",""));
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
|
|
||||||
// bbart.addAttributes(bbattributes);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
// dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
|
|
||||||
// ResultSet temprs = tempdbconnect.executeQry(chbookmarkquery);
|
|
||||||
// while(temprs.next())
|
|
||||||
// {
|
|
||||||
// BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
|
||||||
// Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("last_visit_time")));
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : "")));
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
|
|
||||||
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
|
|
||||||
// bbart.addAttributes(bbattributes);
|
|
||||||
//
|
|
||||||
// }
|
|
||||||
// tempdbconnect.closeConnection();
|
|
||||||
// temprs.close();
|
|
||||||
|
|
||||||
}
|
}
|
||||||
catch (Exception ex)
|
catch (Exception ex)
|
||||||
|
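Review bot: `address.get("url").getAsString()` on the new side dereferences the result of `get` without checking it; as far as I know Chrome's Bookmarks file lists folders as `children` of `bookmark_bar` alongside URL entries, and a folder node has no `url`, so the first folder on the bar throws a NullPointerException that the surrounding `catch (Exception ex)` reports as a generic failure and the remaining entries are never recorded. Only the `bookmark_bar` root is read, so entries under the other roots and inside folders are not reported; if that is intended for a first cut it deserves a comment. The names `test`, `whatever`, `whatever2` and `whatever3` should become descriptive ones, the `FileReader` handed to `parser.parse` is never closed, and `date_added` in this file is, I believe, a microsecond count rather than a date string — confirm it is what consumers of TSK_LAST_ACCESSED expect. The enclosing try begins before this hunk.
```java
JsonObject bookmarkBar = jsonElement.getAsJsonObject().getAsJsonObject("roots").getAsJsonObject("bookmark_bar");
JsonArray children = bookmarkBar.getAsJsonArray("children");
for (JsonElement result : children) {
    JsonObject entry = result.getAsJsonObject();
    // Folder nodes on the bookmark bar carry no "url"; skip them instead of dereferencing null
    if (!entry.has("url") || !entry.has("name") || !entry.has("date_added")) {
        continue;
    }
    String url = entry.get("url").getAsString();
    String name = entry.get("name").getAsString();
    String date = entry.get("date_added").getAsString();
    // … unchanged: TSK_WEB_BOOKMARK artifact and attribute creation …
}
```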
@ -46,11 +46,11 @@ import org.sleuthkit.autopsy.casemodule.Case;
|
|||||||
import org.sleuthkit.autopsy.datamodel.ContentUtils;
|
import org.sleuthkit.autopsy.datamodel.ContentUtils;
|
||||||
import org.sleuthkit.autopsy.datamodel.KeyValue;
|
import org.sleuthkit.autopsy.datamodel.KeyValue;
|
||||||
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
|
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
|
||||||
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
|
|
||||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||||
|
import org.sleuthkit.datamodel.Content;
|
||||||
import org.sleuthkit.datamodel.FsContent;
|
import org.sleuthkit.datamodel.FsContent;
|
||||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||||
import org.sleuthkit.datamodel.TskException;
|
import org.sleuthkit.datamodel.TskException;
|
||||||
@ -59,7 +59,9 @@ public class ExtractIE { // implements BrowserActivity {
|
|||||||
|
|
||||||
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
|
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
|
||||||
private String indexDatQueryStr = "select * from tsk_files where name LIKE '%index.dat%'";
|
private String indexDatQueryStr = "select * from tsk_files where name LIKE '%index.dat%'";
|
||||||
|
private String favoriteQuery = "select * from `tsk_files` where parent_path LIKE '%/Favorites%' and name LIKE '%.url'";
|
||||||
|
private String cookiesQuery = "select * from `tsk_files` where parent_path LIKE '%/Cookies%' and name LIKE '%.txt'";
|
||||||
|
private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'";
|
||||||
//sleauthkit db handle
|
//sleauthkit db handle
|
||||||
SleuthkitCase tempDb;
|
SleuthkitCase tempDb;
|
||||||
|
|
||||||
@ -79,6 +81,117 @@ public class ExtractIE { // implements BrowserActivity {
|
|||||||
|
|
||||||
public ExtractIE(List<String> image, IngestImageWorkerController controller) {
|
public ExtractIE(List<String> image, IngestImageWorkerController controller) {
|
||||||
init(image, controller);
|
init(image, controller);
|
||||||
|
|
||||||
|
//Favorites section
|
||||||
|
// This gets the favorite info
|
||||||
|
try
|
||||||
|
{
|
||||||
|
Case currentCase = Case.getCurrentCase(); // get the most updated case
|
||||||
|
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
|
||||||
|
String allFS = new String();
|
||||||
|
for(String img : image)
|
||||||
|
{
|
||||||
|
allFS += " AND fs_obj_id = '" + img + "'";
|
||||||
|
}
|
||||||
|
List<FsContent> FavoriteList;
|
||||||
|
|
||||||
|
ResultSet rs = tempDb.runQuery(favoriteQuery + allFS);
|
||||||
|
FavoriteList = tempDb.resultSetToFsContents(rs);
|
||||||
|
rs.close();
|
||||||
|
rs.getStatement().close();
|
||||||
|
|
||||||
|
for(FsContent Favorite : FavoriteList)
|
||||||
|
{
|
||||||
|
if (controller.isCancelled() ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
Content fav = Favorite;
|
||||||
|
byte[] t = fav.read(0, fav.getSize());
|
||||||
|
String bookmarkString = new String(t);
|
||||||
|
String re1=".*?"; // Non-greedy match on filler
|
||||||
|
String re2="((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1
|
||||||
|
String url = "";
|
||||||
|
Pattern p = Pattern.compile(re1+re2,Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
|
||||||
|
Matcher m = p.matcher(bookmarkString);
|
||||||
|
if (m.find())
|
||||||
|
{
|
||||||
|
url = m.group(1);
|
||||||
|
}
|
||||||
|
String name = Favorite.getName();
|
||||||
|
String datetime = Favorite.getCrtimeAsDate();
|
||||||
|
|
||||||
|
BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
||||||
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
|
||||||
|
bbart.addAttributes(bbattributes);
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch(TskException ex)
|
||||||
|
{
|
||||||
|
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
|
||||||
|
}
|
||||||
|
catch(SQLException ioex)
|
||||||
|
{
|
||||||
|
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
|
||||||
|
}
|
||||||
|
|
||||||
|
//Cookies section
|
||||||
|
// This gets the cookies info
|
||||||
|
try
|
||||||
|
{
|
||||||
|
Case currentCase = Case.getCurrentCase(); // get the most updated case
|
||||||
|
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
|
||||||
|
String allFS = new String();
|
||||||
|
for(String img : image)
|
||||||
|
{
|
||||||
|
allFS += " AND fs_obj_id = '" + img + "'";
|
||||||
|
}
|
||||||
|
List<FsContent> CookiesList;
|
||||||
|
|
||||||
|
ResultSet rs = tempDb.runQuery(cookiesQuery + allFS);
|
||||||
|
CookiesList = tempDb.resultSetToFsContents(rs);
|
||||||
|
rs.close();
|
||||||
|
rs.getStatement().close();
|
||||||
|
|
||||||
|
for(FsContent Cookie : CookiesList)
|
||||||
|
{
|
||||||
|
if (controller.isCancelled() ) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
Content fav = Cookie;
|
||||||
|
byte[] t = fav.read(0, fav.getSize());
|
||||||
|
String cookieString = new String(t);
|
||||||
|
|
||||||
|
String[] values = cookieString.split("\n");
|
||||||
|
String url = values[2];
|
||||||
|
String value = values[1];
|
||||||
|
String name = values[0];
|
||||||
|
String datetime = Cookie.getCrtimeAsDate();
|
||||||
|
|
||||||
|
BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
|
||||||
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",datetime));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : ""));
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
|
||||||
|
bbart.addAttributes(bbattributes);
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch(TskException ex)
|
||||||
|
{
|
||||||
|
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
|
||||||
|
}
|
||||||
|
catch(SQLException ioex)
|
||||||
|
{
|
||||||
|
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
//@Override
|
//@Override
|
||||||
|
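Review bot: `values[2]`, `values[1]` and `values[0]` in the cookies loop index the array from `cookieString.split("\n")` without checking its length, and the only handlers are `catch(TskException)` and `catch(SQLException)`, so a cookie file with fewer than three lines — content read straight from the evidence image — raises an ArrayIndexOutOfBoundsException that escapes the constructor. Guard it before the indexing: `if (values.length < 3) { logger.log(Level.WARNING, "Unexpected cookie file layout: " + Cookie.getName()); continue; }`. Separately, the `allFS` loop appends `AND fs_obj_id = '...'` once per image, which no row can satisfy for more than one image (a column cannot equal two ids); the favorites block above builds the same predicate, so both need an `IN (...)` list or `OR` chain, and since the ids are concatenated into SQL the caller's values should be validated as numeric. The `ResultSet` and its statement are closed only on the success path, and the two blocks repeat the same lines, which would read better as one private helper that takes the query string.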
@ -4,9 +4,14 @@
|
|||||||
*/
|
*/
|
||||||
package org.sleuthkit.autopsy.recentactivity;
|
package org.sleuthkit.autopsy.recentactivity;
|
||||||
|
|
||||||
|
import java.io.BufferedReader;
|
||||||
import java.io.File;
|
import java.io.File;
|
||||||
|
import java.io.FileInputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
|
import java.io.InputStream;
|
||||||
|
import java.io.InputStreamReader;
|
||||||
import java.io.StringReader;
|
import java.io.StringReader;
|
||||||
|
import java.nio.charset.Charset;
|
||||||
import java.sql.ResultSet;
|
import java.sql.ResultSet;
|
||||||
import java.sql.SQLException;
|
import java.sql.SQLException;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
@ -111,7 +116,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
|
|||||||
//Now fetch the results, parse them and the delete the files.
|
//Now fetch the results, parse them and the delete the files.
|
||||||
if(Success)
|
if(Success)
|
||||||
{
|
{
|
||||||
//Delete dat file since it was succcessfully by Pasco
|
//Delete dat file since it was succcessful
|
||||||
regFile.delete();
|
regFile.delete();
|
||||||
}
|
}
|
||||||
j++;
|
j++;
|
||||||
@ -144,11 +149,11 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
|
|||||||
|
|
||||||
if(regFilePath.toLowerCase().contains("system"))
|
if(regFilePath.toLowerCase().contains("system"))
|
||||||
{
|
{
|
||||||
type = "system";
|
type = "1system";
|
||||||
}
|
}
|
||||||
if(regFilePath.toLowerCase().contains("software"))
|
if(regFilePath.toLowerCase().contains("software"))
|
||||||
{
|
{
|
||||||
type = "software";
|
type = "1software";
|
||||||
}
|
}
|
||||||
if(regFilePath.toLowerCase().contains("ntuser"))
|
if(regFilePath.toLowerCase().contains("ntuser"))
|
||||||
{
|
{
|
||||||
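Review bot: The profile names on the new side of this hunk and the next (`"1system"`, `"1software"`, `"1default"`, `"1sam"`, `"1security"`) carry a literal `1` prefix five times, but the `ntuser` assignment sits between the two hunks (old line 155 is not in the diff) and so presumably still reads `type = "ntuser"`; confirm that hive is meant to use the unprefixed profile. If the prefix is the naming convention for the project's own RegRipper profiles, a constant such as `private static final String RR_PROFILE_PREFIX = "1";` used as `type = RR_PROFILE_PREFIX + "system";` documents the intent and keeps all branches in step. getregistryfiles starts and ends outside this hunk.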
@ -156,15 +161,15 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
|
|||||||
}
|
}
|
||||||
if(regFilePath.toLowerCase().contains("default"))
|
if(regFilePath.toLowerCase().contains("default"))
|
||||||
{
|
{
|
||||||
type = "default";
|
type = "1default";
|
||||||
}
|
}
|
||||||
if(regFilePath.toLowerCase().contains("sam"))
|
if(regFilePath.toLowerCase().contains("sam"))
|
||||||
{
|
{
|
||||||
type = "sam";
|
type = "1sam";
|
||||||
}
|
}
|
||||||
if(regFilePath.toLowerCase().contains("security"))
|
if(regFilePath.toLowerCase().contains("security"))
|
||||||
{
|
{
|
||||||
type = "security";
|
type = "1security";
|
||||||
}
|
}
|
||||||
|
|
||||||
String command = RR_PATH + " -r " + regFilePath +" -f " + type + "> " + txtPath;
|
String command = RR_PATH + " -r " + regFilePath +" -f " + type + "> " + txtPath;
|
||||||
@ -188,8 +193,10 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
|
|||||||
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
|
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
|
||||||
|
|
||||||
try {
|
try {
|
||||||
|
File regfile = new File(regRecord);
|
||||||
|
|
||||||
String regString = new Scanner(new File(regRecord)).useDelimiter("\\Z").next();
|
BufferedReader input = new BufferedReader(new InputStreamReader(new FileInputStream(regfile)));
|
||||||
|
String regString = new Scanner(input).useDelimiter("\\Z").next();
|
||||||
String startdoc = "<document>";
|
String startdoc = "<document>";
|
||||||
String result = regString.replaceAll("----------------------------------------","");
|
String result = regString.replaceAll("----------------------------------------","");
|
||||||
String enddoc = "</document>";
|
String enddoc = "</document>";
|
||||||
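Review bot: The `FileInputStream` wrapped in `input` on the new side is never closed; `new Scanner(input).useDelimiter("\\Z").next()` consumes the file and the handle is left to the finalizer, which on Windows can prevent the temporary RegRipper output from being deleted later. Close it in a `finally` once the string is read, `input.close();`, and pass an explicit charset — this commit adds a `java.nio.charset.Charset` import to the file, and `new InputStreamReader(new FileInputStream(regfile), Charset.forName("UTF-8"))` would put it to use instead of the platform default. `Scanner.next()` also throws NoSuchElementException on an empty output file, which currently lands in the generic `catch (Exception ex)` further down. The enclosing try is cut by this hunk.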
@ -212,17 +219,20 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
|
|||||||
|
|
||||||
Element artroot = tempnode.getChild("artifacts");
|
Element artroot = tempnode.getChild("artifacts");
|
||||||
List artlist = artroot.getChildren();
|
List artlist = artroot.getChildren();
|
||||||
|
if(artlist.isEmpty()){
|
||||||
|
}
|
||||||
|
else{
|
||||||
|
|
||||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
|
|
||||||
Iterator aiterator = artlist.iterator();
|
Iterator aiterator = artlist.iterator();
|
||||||
while (aiterator.hasNext()) {
|
while (aiterator.hasNext()) {
|
||||||
Element artnode = (Element) aiterator.next();
|
Element artnode = (Element) aiterator.next();
|
||||||
String name = artnode.getAttributeValue("name");
|
String name = artnode.getAttributeValue("name");
|
||||||
String value = artnode.getTextTrim();
|
String value = artnode.getTextTrim();
|
||||||
|
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
|
||||||
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
|
||||||
|
|
||||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
|
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
|
||||||
}
|
|
||||||
if("recentdocs".equals(context)){
|
if("recentdocs".equals(context)){
|
||||||
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
|
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
|
||||||
bbart.addAttributes(bbattributes);
|
bbart.addAttributes(bbattributes);
|
||||||
@ -238,13 +248,16 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
|
|||||||
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
|
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
|
||||||
bbart.addAttributes(bbattributes);
|
bbart.addAttributes(bbattributes);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
catch (Exception ex)
|
catch (Exception ex)
|
||||||
{
|
{
|
||||||
|
|
||||||
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex);
|
logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
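Review bot: `logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);` concatenates the exception into the message, which records only `ex.toString()` and drops the stack trace; the rest of this commit passes the throwable as the third argument (`logger.log(Level.WARNING, "...", ex)` in ExtractIE), so use the same form here, `logger.log(Level.WARNING, "Error while trying to read a registry file.", ex);`. Catching `Exception` for the whole parse also hides which record failed; narrower catches around the per-artifact block would make the warning actionable. getregistryfiles begins outside this hunk.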