Update cachelocation.py

Check number of entries of cache files to see if it is greater then the file size, if it is then skip processing of the file, otherwise process the file.

InternalPythonModules/android/cachelocation.py

@@ -42,6 +42,7 @@ from org.sleuthkit.datamodel import TskCoreException
 import traceback
 import general
 import struct
+import os
 
 """
 Parses cache files that Android maintains for Wifi and cell towers. Adds GPS points to blackboard.
@@ -79,35 +80,39 @@ class CacheLocationAnalyzer(general.AndroidComponentAnalyzer):
             # code to parse the cache.wifi and cache.cell taken from https://forensics.spreitzenbarth.de/2011/10/28/decoding-cache-cell-and-cache-wifi-files/
             cacheFile = open(str(file), 'rb')
             (version, entries) = struct.unpack('>hh', cacheFile.read(4))
-            i = 0
-            while i < entries:
-                key = cacheFile.read(struct.unpack('>h', cacheFile.read(2))[0])
-                (accuracy, confidence, latitude, longitude, readtime) = struct.unpack('>iiddQ', cacheFile.read(32))
-                timestamp = readtime/1000
-                i = i + 1
+            # Check the number of entries * 32 (entry record size) to see if it is bigger then the file, this is a indication the file is malformed or corrupted
+            if ((entries * 32) < abstractFile.getSize()):            
+                i = 0
+                self._logger.log(Level.INFO, "Number of Entries is " + str(entries) + " File size is " + str(abstractFile.getSize()))
+                while i < entries:
+                    key = cacheFile.read(struct.unpack('>h', cacheFile.read(2))[0])
+                    (accuracy, confidence, latitude, longitude, readtime) = struct.unpack('>iiddQ', cacheFile.read(32))
+                    timestamp = readtime/1000
+                    i = i + 1
 
-                attributes = ArrayList()
-                artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_BOOKMARK)
-                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE, general.MODULE_NAME, latitude))
-                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE, general.MODULE_NAME, longitude))
-                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, timestamp))
-                attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME,
-                    abstractFile.getName() + " Location History"))
-
-                artifact.addAttributes(attributes)
-                #Not storing these for now.
-                #    artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), AndroidModuleFactorymodule.moduleName, accuracy))
-                #    artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), AndroidModuleFactorymodule.moduleName, confidence))
-                try:
-                    # index the artifact for keyword search
-                    blackboard = Case.getCurrentCase().getSleuthkitCase().getBlackboard()
-                    blackboard.postArtifact(artifact, general.MODULE_NAME)
-                except Blackboard.BlackboardException as ex:
-                    self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex)
-                    self._logger.log(Level.SEVERE, traceback.format_exc())
-                    MessageNotifyUtil.Notify.error("Failed to index GPS trackpoint artifact for keyword search.", artifact.getDisplayName())
-            cacheFile.close()
+                    attributes = ArrayList()
+                    artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_BOOKMARK)
+                    attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE, general.MODULE_NAME, latitude))
+                    attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE, general.MODULE_NAME, longitude))
+                    attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, timestamp))
+                    attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME,
+                        abstractFile.getName() + " Location History"))
 
+                    artifact.addAttributes(attributes)
+                    #Not storing these for now.
+                    #    artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), AndroidModuleFactorymodule.moduleName, accuracy))
+                    #    artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), AndroidModuleFactorymodule.moduleName, confidence))
+                    try:
+                        # index the artifact for keyword search
+                        blackboard = Case.getCurrentCase().getSleuthkitCase().getBlackboard()
+                        blackboard.postArtifact(artifact, general.MODULE_NAME)
+                    except Blackboard.BlackboardException as ex:
+                        self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex)
+                        self._logger.log(Level.SEVERE, traceback.format_exc())
+                        MessageNotifyUtil.Notify.error("Failed to index GPS trackpoint artifact for keyword search.", artifact.getDisplayName())
+                cacheFile.close()
+            else:
+                self._logger.log(Level.WARNING, "Number of entries in file exceeds file size of file " + os.path.join(abstractFile.getParentPath(), abstractFile.getName()))
         except Exception as ex:
             self._logger.log(Level.SEVERE, "Error parsing Cached GPS locations to blackboard", ex)
             self._logger.log(Level.SEVERE, traceback.format_exc())