From e5e2c0fc2f233d6e3e1e2eaae76c522714404b89 Mon Sep 17 00:00:00 2001
From: Jeff Wallace
Date: Wed, 4 Dec 2013 15:58:54 -0500
Subject: [PATCH 1/3] Updated uses of new encryption artifact.
---
 .../autopsy/datamodel/ArtifactTypeNode.java | 2 ++
 .../autopsy/datamodel/BlackboardArtifactNode.java | 2 ++
 .../sleuthkit/autopsy/images/encrypted-file.png | Bin 0 -> 801 bytes
 .../sleuthkit/autopsy/report/ReportGenerator.java | 10 ++++++++++
 .../autopsy/sevenzip/SevenZipIngestModule.java | 9 ++++++---
 5 files changed, 20 insertions(+), 3 deletions(-)
 create mode 100755 Core/src/org/sleuthkit/autopsy/images/encrypted-file.png
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java
index c5d347ae6e..5b6ac9c950 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java
@@ -124,6 +124,8 @@ public class ArtifactTypeNode extends DisplayableItemNode {
 return "gps-search.png";
 case TSK_SERVICE_ACCOUNT:
 return "account-icon-16.png";
+ case TSK_ENCRYPTED_FILE:
+ return "encrypted-file.png";
 }
 return "artifact-icon.png";
 }
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java
index 27caebc469..3bd1989365 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java
@@ -329,6 +329,8 @@ public class BlackboardArtifactNode extends DisplayableItemNode {
 return "gps-search.png";
 case TSK_SERVICE_ACCOUNT:
 return "account-icon-16.png";
+ case TSK_ENCRYPTED_FILE:
+ return "encrypted-file.png";
 }
 return "artifact-icon.png";
diff --git a/Core/src/org/sleuthkit/autopsy/images/encrypted-file.png b/Core/src/org/sleuthkit/autopsy/images/encrypted-file.png new file mode 100755 index 0000000000000000000000000000000000000000..d6626cb09eb11a298b90a8a27b0d8eab41f49a82 GIT binary patch literal 801 zcmV++1K#|JP)$lC4gU2-`f*>nhR-;k6IP7e>YO!0^w)WK%3$w02v-#>5Ep64PCP| zJihT#O|N+nT7XR2h7dAB?UEAOhJF^mol1i`QtQB`HSY}RE7=r! z)zaVIHr5?>v2Gz&fdYw&2ug$!p+txby(aWZ7(4QT)l2`jX7eMQ{>)lG6ev(fWKxmH zOr%mM5$6B%u~qGtCf40#`mbGj3s!n+^%wnJ&#rl>g<4Z)lB5J6f!?|AP275)Zswr* z%T}4~{;_(?waU!#?JabbF3Cy-kf0{R{z}6$e=5yMQKt3BPcl2>zoTPMqMwF;3!_n|>sT?~bK_-2O_m+o>GJ6h zt=+g$4n7y%1qVJI7*5Yw(hqM=JusY{d}*?U(Oj*gT655eZ>Ksn(qrd7v3}DX1}C>` z+X+8@+4-pVq_fxG zlU}~Ye!0+%>J+pPk+0wV{GM$QaYM?5ux)w2z59=S&H2+K?;gH$bZGzL&g5>G ft+noNiyiPkP9r@8gT|RZ00000NkvXXu0mjfuqTIu literal 0 HcmV?d00001 diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java index e0a8c486fe..c47068fbd9 100644 --- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java +++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java @@ -904,6 +904,9 @@ public class ReportGenerator { case TSK_TOOL_OUTPUT: columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Text", "Source File"})); break; + case TSK_ENCRYPTED_FILE: + columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Entropy", "Encryption Type", "Source File"})); + break; default: return null; } 
@@ -1210,6 +1213,13 @@ public class ReportGenerator {
 row.add(attributes.get(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID()));
 row.add(getFileUniquePath(artifactData.getObjectID()));
 return row;
+ case TSK_ENCRYPTED_FILE:
+ List encryptedFile = new ArrayList<>();
+ encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID()));
+ encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_ENTROPY.getTypeID()));
+ encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID()));
+ encryptedFile.add(getFileUniquePath(artifactData.getObjectID()));
+ return encryptedFile;
 }
 return null;
 }
diff --git a/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java b/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
index 322f7c669f..9e08e53691 100644
--- a/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
+++ b/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
@@ -51,6 +51,7 @@ import org.sleuthkit.autopsy.ingest.PipelineContext;
 import org.sleuthkit.autopsy.ingest.IngestMessage;
 import org.sleuthkit.autopsy.ingest.IngestMonitor;
 import org.sleuthkit.autopsy.ingest.ModuleContentEvent;
+import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
 import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.BlackboardAttribute;
 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
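Review bot: `List encryptedFile = new ArrayList<>();` in the new TSK_ENCRYPTED_FILE case is a raw type while the sibling cases build `row`; declare it with the same element type as `row` (presumably `List<String> encryptedFile = new ArrayList<>();`) so the unchecked warning goes away. More importantly, the row reads TSK_PROG_NAME and TSK_ENTROPY, but the only producer in this series (the SevenZipIngestModule hunk of this same patch) writes just TSK_ENCRYPTION_DETECTED and leaves the PROG_NAME/ENTROPY adds commented out, so `attributes.get(...)` will presumably return null for those two columns in every report row. Either drop the two columns here (and the matching headers in the columnHeaders hunk) until a module actually sets them, or substitute an empty string for a missing attribute. The enclosing method starts and ends outside the hunk.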
@@ -553,11 +554,13 @@ public final class SevenZipIngestModule extends IngestModuleAbstractFile {
 if (hasEncrypted) {
 String encryptionType = fullEncryption ? ENCRYPTION_FULL : ENCRYPTION_FILE_LEVEL;
 try {
- BlackboardArtifact generalInfo = archiveFile.getGenInfoArtifact();
- generalInfo.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID(),
+ BlackboardArtifact artifact = archiveFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTED_FILE);
+ artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID(),
 MODULE_NAME, encryptionType));
+ //artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), MODULE_NAME, ...);
+ //artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ENTROPY.getTypeID(), MODULE_NAME, ...);
 //@@@ We don't fire here because GEN_INFO isn't displayed in the tree.... Need to address how these should be displayed
- //services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA_EXIF));
+ services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTED_FILE));
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error creating blackboard artifact for encryption detected for file: " + archiveFile, ex);
 }
From 5fac79558796904c7c5211e4f3487a6116a08c3c Mon Sep 17 00:00:00 2001
From: Jeff Wallace
Date: Thu, 5 Dec 2013 12:09:25 -0500
Subject: [PATCH 2/3] Updated name of encrption artifact.
---
 .../org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java | 2 +-
 .../autopsy/datamodel/BlackboardArtifactNode.java | 2 +-
 .../src/org/sleuthkit/autopsy/report/ReportGenerator.java | 8 ++++----
 .../sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
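Review bot: The retained comment `//@@@ We don't fire here because GEN_INFO isn't displayed in the tree....` now sits directly above a live `services.fireModuleDataEvent(...)` call and contradicts it, and the two commented-out `artifact.addAttribute(... TSK_PROG_NAME / TSK_ENTROPY ...)` placeholders are dead code. The SevenZipIngestModule hunk of patch 2/3 carries the same lines and only patch 3/3 removes them, so the intermediate commits leave misleading guidance for anyone bisecting; either squash or drop them here. Separately, if `newArtifact` already persists the artifact (I cannot confirm that from the hunk), a TskCoreException from `addAttribute` leaves an attribute-less TSK_ENCRYPTED_FILE artifact on the blackboard while the catch only logs; a short comment on the catch naming that partial-write outcome would make a missing encryption-type value in the UI recognizable as this failure mode. The enclosing method starts and ends outside the hunk.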
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java
index 5b6ac9c950..7edc15c46d 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java
@@ -124,7 +124,7 @@ public class ArtifactTypeNode extends DisplayableItemNode {
 return "gps-search.png";
 case TSK_SERVICE_ACCOUNT:
 return "account-icon-16.png";
- case TSK_ENCRYPTED_FILE:
+ case TSK_ENCRYPTION_DETECTED:
 return "encrypted-file.png";
 }
 return "artifact-icon.png";
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java
index 3bd1989365..a0d61814e8 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java
@@ -329,7 +329,7 @@ public class BlackboardArtifactNode extends DisplayableItemNode {
 return "gps-search.png";
 case TSK_SERVICE_ACCOUNT:
 return "account-icon-16.png";
- case TSK_ENCRYPTED_FILE:
+ case TSK_ENCRYPTION_DETECTED:
 return "encrypted-file.png";
 }
diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
index c47068fbd9..628b334fa2 100644
--- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
+++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
@@ -904,8 +904,8 @@ public class ReportGenerator {
 case TSK_TOOL_OUTPUT:
 columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Text", "Source File"}));
 break;
- case TSK_ENCRYPTED_FILE:
- columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Entropy", "Encryption Type", "Source File"}));
+ case TSK_ENCRYPTION_DETECTED:
+ columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Entropy", "Source File"}));
 break;
 default:
 return null;
@@ -1213,11 +1213,11 @@ public class ReportGenerator {
 row.add(attributes.get(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID()));
 row.add(getFileUniquePath(artifactData.getObjectID()));
 return row;
- case TSK_ENCRYPTED_FILE:
+ case TSK_ENCRYPTION_DETECTED:
 List encryptedFile = new ArrayList<>();
 encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID()));
 encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_ENTROPY.getTypeID()));
- encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID()));
+// encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID()));
 encryptedFile.add(getFileUniquePath(artifactData.getObjectID()));
 return encryptedFile;
 }
diff --git a/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java b/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
index 9e08e53691..a88eb51489 100644
--- a/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
+++ b/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
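Review bot: Commenting out `encryptedFile.add(attributes.get(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID()));` drops the one attribute that SevenZipIngestModule actually writes (its hunk in this same patch still adds only TSK_ENCRYPTION_DETECTED), while the row keeps reading TSK_PROG_NAME and TSK_ENTROPY, which nothing in this series sets; the report row for an encrypted archive therefore carries the source path and, presumably, two null cells, and loses the full-vs-file-level distinction an analyst would want. Delete the commented-out line instead of keeping it as a comment, and keep the encryption-type value in the row (with its header) until a producer writes the other two attributes. The enclosing method starts and ends outside the hunk.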
@@ -554,13 +554,13 @@ public final class SevenZipIngestModule extends IngestModuleAbstractFile {
 if (hasEncrypted) {
 String encryptionType = fullEncryption ? ENCRYPTION_FULL : ENCRYPTION_FILE_LEVEL;
 try {
- BlackboardArtifact artifact = archiveFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTED_FILE);
+ BlackboardArtifact artifact = archiveFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED);
 artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID(),
 MODULE_NAME, encryptionType));
 //artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), MODULE_NAME, ...);
 //artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ENTROPY.getTypeID(), MODULE_NAME, ...);
 //@@@ We don't fire here because GEN_INFO isn't displayed in the tree.... Need to address how these should be displayed
- services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTED_FILE));
+ services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED));
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error creating blackboard artifact for encryption detected for file: " + archiveFile, ex);
 }
From 199c347a79abb4407b0e70d6b42aad1c74c969b4 Mon Sep 17 00:00:00 2001
From: Jeff Wallace
Date: Fri, 13 Dec 2013 13:28:17 -0500
Subject: [PATCH 3/3] Updated attributes associated with encryption artifact.
---
 Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java | 6 +++++-
 .../sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java | 6 +----
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
index 11be1cf4c3..7a71d8a0af 100644
--- a/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
+++ b/Core/src/org/sleuthkit/autopsy/report/ReportGenerator.java
@@ -998,7 +998,7 @@ public class ReportGenerator {
 columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Text", "Source File"}));
 break;
 case TSK_ENCRYPTION_DETECTED:
- columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Program Name", "Entropy", "Source File"}));
+ columnHeaders = new ArrayList<>(Arrays.asList(new String[] {"Name", "Source File"}));
 break;
 default:
 return null;
@@ -1324,6 +1324,10 @@ public class ReportGenerator {
 orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_TEXT.getTypeID()));
 orderedRowData.add(getFileUniquePath(getObjectID()));
 break;
+ case TSK_ENCRYPTION_DETECTED:
+ orderedRowData.add(mappedAttributes.get(ATTRIBUTE_TYPE.TSK_NAME.getTypeID()));
+ orderedRowData.add(getFileUniquePath(getObjectID()));
+ break;
 }
 
 orderedRowData.add(makeCommaSeparatedList(getTags()));
diff --git a/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java b/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
index a88eb51489..56c23fcf71 100644
--- a/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
+++ b/SevenZip/src/org/sleuthkit/autopsy/sevenzip/SevenZipIngestModule.java
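Review bot: The new "Name" column in the second hunk is filled from TSK_NAME, which in the SevenZipIngestModule hunk of this same patch holds the encryption-type constant (ENCRYPTION_FULL or ENCRYPTION_FILE_LEVEL), so the header tells the report reader nothing about what the value means; at minimum document the coupling above the case, e.g. `// TSK_NAME carries the encryption type string written by SevenZipIngestModule (full vs. file-level)`. If an artifact of this type is ever created without TSK_NAME, `mappedAttributes.get(...)` presumably yields null here, as in the neighbouring cases. Both hunks sit inside methods that start and end outside the hunk, and the TSK_ENCRYPTION_DETECTED row code added in patch 2/3 (raw `List encryptedFile`) is not visible here, so I cannot tell whether it still exists alongside this new case.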
@@ -555,11 +555,7 @@ public final class SevenZipIngestModule extends IngestModuleAbstractFile {
 String encryptionType = fullEncryption ? ENCRYPTION_FULL : ENCRYPTION_FILE_LEVEL;
 try {
 BlackboardArtifact artifact = archiveFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED);
- artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID(),
- MODULE_NAME, encryptionType));
- //artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), MODULE_NAME, ...);
- //artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ENTROPY.getTypeID(), MODULE_NAME, ...);
- //@@@ We don't fire here because GEN_INFO isn't displayed in the tree.... Need to address how these should be displayed
+ artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), MODULE_NAME, encryptionType));
 services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED));
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error creating blackboard artifact for encryption detected for file: " + archiveFile, ex);
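Review bot: Storing the detection kind under the generic TSK_NAME attribute (`artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), MODULE_NAME, encryptionType));`) replaces the self-describing TSK_ENCRYPTION_DETECTED attribute the earlier commits wrote, and nothing in the hunk says why; add a comment such as `// Encryption type (ENCRYPTION_FULL / ENCRYPTION_FILE_LEVEL) is recorded under TSK_NAME; ReportGenerator's "Name" column reads it back` so the next maintainer does not "fix" it to a different attribute and silently empty the report column. Any other consumer that looked up TSK_ENCRYPTION_DETECTED on this artifact would now find nothing; I cannot see from the hunk whether one exists. The enclosing method starts and ends outside the hunk.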