From 63eb4647ccc4750ab9a0cc65e3572234f04ba557 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Mon, 19 Apr 2021 13:38:43 -0400 Subject: [PATCH 1/4] Update Chromium.java Add check for string encrypted. --- .../autopsy/recentactivity/Chromium.java | 55 ++++++++++++++----- 1 file changed, 40 insertions(+), 15 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java index c163ab16ad..ce55c03ad7 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java @@ -858,9 +858,15 @@ class Chromium extends Extract { NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS + String valueText; + if (result.get("value") instanceof byte[]) { + valueText = "Encrypted Text"; + } else { + valueText = result.get("value").toString(); + } bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, RecentActivityExtracterModuleFactory.getModuleName(), - ((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS + isFieldEncrypted(result.get("value")))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COUNT, RecentActivityExtracterModuleFactory.getModuleName(), 
@@ -921,20 +927,19 @@ class Chromium extends Extract { logger.log(Level.INFO, "{0}- Now getting Web form addresses from {1} with {2} artifacts identified.", new Object[]{getName(), dbFilePath, addresses.size()}); //NON-NLS for (HashMap result : addresses) { - // get name fields - String first_name = result.get("first_name").toString() != null ? result.get("first_name").toString() : ""; - String middle_name = result.get("middle_name").toString() != null ? result.get("middle_name").toString() : ""; - String last_name = result.get("last_name").toString() != null ? result.get("last_name").toString() : ""; + String first_name = isFieldEncrypted(result.get("first_name")); + String middle_name = isFieldEncrypted(result.get("middle_name")); + String last_name = isFieldEncrypted(result.get("last_name")); // get email and phone - String email_Addr = result.get("email").toString() != null ? result.get("email").toString() : ""; - String phone_number = result.get("number").toString() != null ? result.get("number").toString() : ""; + String email_Addr = isFieldEncrypted(result.get("email")); + String phone_number = isFieldEncrypted(result.get("number")); // Get the address fields - String city = result.get("city").toString() != null ? result.get("city").toString() : ""; - String state = result.get("state").toString() != null ? result.get("state").toString() : ""; - String zipcode = result.get("zipcode").toString() != null ? result.get("zipcode").toString() : ""; - String country_code = result.get("country_code").toString() != null ? result.get("country_code").toString() : ""; + String city = isFieldEncrypted(result.get("city")); + String state = isFieldEncrypted(result.get("state")); + String zipcode = isFieldEncrypted(result.get("zipcode")); + String country_code = isFieldEncrypted(result.get("country_code")); // schema version specific fields String full_name = ""; 
@@ -944,14 +949,15 @@ class Chromium extends Extract { long use_date = 0; if (isSchemaV8X) { - full_name = result.get("full_name").toString() != null ? result.get("full_name").toString() : ""; - street_address = result.get("street_address").toString() != null ? result.get("street_address").toString() : ""; + + full_name = isFieldEncrypted(result.get("full_name")); + street_address = isFieldEncrypted(result.get("street_address")); date_modified = result.get("date_modified").toString() != null ? Long.valueOf(result.get("date_modified").toString()) : 0; use_count = result.get("use_count").toString() != null ? Integer.valueOf(result.get("use_count").toString()) : 0; use_date = result.get("use_date").toString() != null ? Long.valueOf(result.get("use_date").toString()) : 0; } else { - String address_line_1 = result.get("address_line_1").toString() != null ? result.get("street_address").toString() : ""; - String address_line_2 = result.get("address_line_2").toString() != null ? result.get("address_line_2").toString() : ""; + String address_line_1 = isFieldEncrypted(result.get("address_line_1")); + String address_line_2 = isFieldEncrypted(result.get("address_line_2")); street_address = String.join(" ", address_line_1, address_line_2); } 
@@ -976,6 +982,25 @@ class Chromium extends Extract { } } + /** + * Check the type of the object and if it is bytes then it is encrypted and return the string "Encrypted" + * otherwise return the string or an empty string + * @param dataValue Object to be checked, the object is from a database result set + * @return a string that says encrypted, the actual string or an empty string + */ + private String isFieldEncrypted(Object dataValue) { + + String stringValue; + if (dataValue instanceof byte[]) { + stringValue = "Encrypted Text"; + } else { + stringValue = dataValue.toString() != null ? dataValue.toString() : ""; + } + + return stringValue; + + } + private boolean isChromePreVersion30(String temps) { String query = "PRAGMA table_info(downloads)"; //NON-NLS List> columns = this.dbConnect(temps, query); From 8b5263e18c9ddb12002140ef750f38ae396836d5 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Tue, 20 Apr 2021 16:02:01 -0400 Subject: [PATCH 2/4] Update Chromium.java Add comments if data is encrypted Add Encrypted detection artifact if detected. --- .../autopsy/recentactivity/Chromium.java | 42 +++++++++++++------ 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java index ce55c03ad7..ee4ced3692 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java 
@@ -91,6 +91,10 @@ class Chromium extends Extract { private static final String LOGIN_DATA_FILE_NAME = "Login Data"; private static final String WEB_DATA_FILE_NAME = "Web Data"; private static final String UC_BROWSER_NAME = "UC Browser"; + private static final String ENCRYPTED_FIELD_MESSAGE = "The data was encrypted."; + + private Boolean databaseEncrypted = false; + private Boolean fieldEncrypted = false; private final Logger logger = Logger.getLogger(this.getClass().getName()); private Content dataSource; @@ -783,6 +787,7 @@ class Chromium extends Extract { Collection bbartifacts = new ArrayList<>(); int j = 0; while (j < webDataFiles.size()) { + databaseEncrypted = false; AbstractFile webDataFile = webDataFiles.get(j++); if ((webDataFile.getSize() == 0) || (webDataFile.getName().toLowerCase().contains("-slack"))) { continue; @@ -817,11 +822,18 @@ class Chromium extends Extract { try { // get form address atifacts getFormAddressArtifacts(webDataFile, tempFilePath, isSchemaV8X); + if (databaseEncrypted) { + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, + RecentActivityExtracterModuleFactory.getModuleName(), + String.format("%s Autofill Database Encryption Detected", browser))); + bbartifacts.add(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, webDataFile, bbattributes)); + } } catch (NoCurrentCaseException | TskCoreException | Blackboard.BlackboardException ex) { logger.log(Level.SEVERE, String.format("Error adding artifacts to the case database " + "for chrome file %s [objId=%d]", webDataFile.getName(), webDataFile.getId()), ex); } - + dbFile.delete(); } 
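Review bot: The new flags `databaseEncrypted` and `fieldEncrypted` are boxed `Boolean` fields that are written only as a side effect of the field helper (`isFieldEncrypted`, renamed `processFields` in the fourth patch), so nothing at the declaration tells a reader who sets them or when they are valid. Declare them as primitives, `private boolean databaseEncrypted = false;` and `private boolean fieldEncrypted = false;`, which also removes the unboxing in the later `if (databaseEncrypted)` checks, and add a comment such as `// Set by the field helper when a column comes back as a BLOB; callers reset per file / per row.` `ENCRYPTED_FIELD_MESSAGE` and the `"%s Autofill Database Encryption Detected"` text in the third hunk of this line are user-visible strings hard-coded in the class, while the surrounding code obtains display text via `NbBundle.getMessage(this.getClass(), ...)`; if this module localizes such messages they should follow the same path.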
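Review bot: The TSK_ENCRYPTION_DETECTED artifact in the third hunk is created only when `getFormAddressArtifacts` returns normally, because the `if (databaseEncrypted)` block is inside the same `try`; if that call throws after a BLOB column has already set the flag, the exception is logged and the encryption finding for that file is silently dropped. Moving the check after the catch, in its own small try/catch, would keep the detection independent of whether address parsing succeeded. The flag is reset per file at the top of the loop in the second hunk and is presumably also raised by the autofill pass for the same file, which runs outside this hunk, so the per-file granularity itself looks right.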
@@ -858,12 +870,7 @@ class Chromium extends Extract { NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS - String valueText; - if (result.get("value") instanceof byte[]) { - valueText = "Encrypted Text"; - } else { - valueText = result.get("value").toString(); - } + fieldEncrypted = false; bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, RecentActivityExtracterModuleFactory.getModuleName(), isFieldEncrypted(result.get("value")))); //NON-NLS @@ -885,7 +892,11 @@ class Chromium extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, RecentActivityExtracterModuleFactory.getModuleName(), browser)); - + if (fieldEncrypted) { + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, + RecentActivityExtracterModuleFactory.getModuleName(), ENCRYPTED_FIELD_MESSAGE)); + } + // Add an artifact try { bbartifacts.add(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, webDataFile, bbattributes)); @@ -927,6 +938,8 @@ class Chromium extends Extract { logger.log(Level.INFO, "{0}- Now getting Web form addresses from {1} with {2} artifacts identified.", new Object[]{getName(), dbFilePath, addresses.size()}); //NON-NLS for (HashMap result : addresses) { + fieldEncrypted = false; + String first_name = isFieldEncrypted(result.get("first_name")); String middle_name = isFieldEncrypted(result.get("middle_name")); String last_name = isFieldEncrypted(result.get("last_name")); @@ -973,6 +986,11 @@ class Chromium extends Extract { otherAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED, RecentActivityExtracterModuleFactory.getModuleName(), date_modified)); //NON-NLS + if (fieldEncrypted) { + otherAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, + RecentActivityExtracterModuleFactory.getModuleName(), ENCRYPTED_FIELD_MESSAGE)); //NON-NLS + + } } helper.addWebFormAddress( 
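Review bot: The `if (fieldEncrypted)` block that appends a TSK_COMMENT attribute is duplicated in the hunks at 892 and 986, and the second copy has a stray blank line before its closing brace; a private helper, e.g. `private void addEncryptedComment(Collection<BlackboardAttribute> attributes)` holding the three `add(...)` lines, would keep the two sites identical. `fieldEncrypted` is reset at the start of each row loop in the hunks at 870 and 938, so the comment is per row, but nothing says so at the reset; a one-line comment there, `// per-row flag, raised by the field helper when any column of this row is a BLOB`, would make the contract visible. Each of these hunks sits inside a method whose start and end are outside the hunk.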
@@ -990,14 +1008,12 @@ class Chromium extends Extract { */ private String isFieldEncrypted(Object dataValue) { - String stringValue; if (dataValue instanceof byte[]) { - stringValue = "Encrypted Text"; - } else { - stringValue = dataValue.toString() != null ? dataValue.toString() : ""; + fieldEncrypted = true; + databaseEncrypted = true; } - return stringValue; + return dataValue.toString() != null ? dataValue.toString() : ""; } From 9cf6046e3e821247dcf2fe81d71c6c726523c284 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Wed, 21 Apr 2021 10:17:30 -0400 Subject: [PATCH 3/4] Update Chromium.java Update comment --- .../src/org/sleuthkit/autopsy/recentactivity/Chromium.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java index ee4ced3692..01f8091225 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java @@ -1001,10 +1001,10 @@ class Chromium extends Extract { } /** - * Check the type of the object and if it is bytes then it is encrypted and return the string "Encrypted" - * otherwise return the string or an empty string + * Check the type of the object and if it is bytes then it is encrypted and return the string and + * set flag that field and file are encrypted * @param dataValue Object to be checked, the object is from a database result set - * @return a string that says encrypted, the actual string or an empty string + * @return the actual string or an empty string */ private String isFieldEncrypted(Object dataValue) { From a4f95355aca63a4ae093168dd7e1f492a3e00d35 Mon Sep 17 00:00:00 2001 
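Review bot: For a BLOB column the rewritten body still falls through to `dataValue.toString()`, and on a `byte[]` that is the identity form (`[B@1a2b3c`, constructed example), which is then stored as the TSK_VALUE, name and address attributes; the previous revision's placeholder is gone, and the Javadoc rewritten in the next patch ("return the actual string") describes that output as if it were meaningful. The `dataValue.toString() != null` test is not a null guard either: `toString()` on a non-null object never returns null, and a NULL column makes `dataValue` itself null, so the call throws before the comparison (the callers carried the same pattern before this commit, but the helper is the one place to fix it). Suggested body: `if (dataValue instanceof byte[]) { fieldEncrypted = true; databaseEncrypted = true; return ""; }` followed by `return dataValue == null ? "" : dataValue.toString();`. Treating every BLOB as encrypted is an inference from the column type rather than an observed property of the data, so the Javadoc (updated in the following hunk) should state the heuristic, e.g. `Flags the field and file as encrypted when the column value is a BLOB; this is inferred from the column type only.` The method is renamed `processFields` in the fourth patch.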
From: Mark McKinnon Date: Wed, 21 Apr 2021 15:05:04 -0400 Subject: [PATCH 4/4] Update Chromium.java Rename method per comment --- .../autopsy/recentactivity/Chromium.java | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java index 01f8091225..c8a3bb64cd 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chromium.java @@ -873,7 +873,7 @@ class Chromium extends Extract { fieldEncrypted = false; bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, RecentActivityExtracterModuleFactory.getModuleName(), - isFieldEncrypted(result.get("value")))); //NON-NLS + processFields(result.get("value")))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COUNT, RecentActivityExtracterModuleFactory.getModuleName(), 
@@ -940,19 +940,19 @@ class Chromium extends Extract { fieldEncrypted = false; - String first_name = isFieldEncrypted(result.get("first_name")); - String middle_name = isFieldEncrypted(result.get("middle_name")); - String last_name = isFieldEncrypted(result.get("last_name")); + String first_name = processFields(result.get("first_name")); + String middle_name = processFields(result.get("middle_name")); + String last_name = processFields(result.get("last_name")); // get email and phone - String email_Addr = isFieldEncrypted(result.get("email")); - String phone_number = isFieldEncrypted(result.get("number")); + String email_Addr = processFields(result.get("email")); + String phone_number = processFields(result.get("number")); // Get the address fields - String city = isFieldEncrypted(result.get("city")); - String state = isFieldEncrypted(result.get("state")); - String zipcode = isFieldEncrypted(result.get("zipcode")); - String country_code = isFieldEncrypted(result.get("country_code")); + String city = processFields(result.get("city")); + String state = processFields(result.get("state")); + String zipcode = processFields(result.get("zipcode")); + String country_code = processFields(result.get("country_code")); // schema version specific fields String full_name = ""; 
@@ -963,14 +963,14 @@ class Chromium extends Extract { if (isSchemaV8X) { - full_name = isFieldEncrypted(result.get("full_name")); - street_address = isFieldEncrypted(result.get("street_address")); + full_name = processFields(result.get("full_name")); + street_address = processFields(result.get("street_address")); date_modified = result.get("date_modified").toString() != null ? Long.valueOf(result.get("date_modified").toString()) : 0; use_count = result.get("use_count").toString() != null ? Integer.valueOf(result.get("use_count").toString()) : 0; use_date = result.get("use_date").toString() != null ? Long.valueOf(result.get("use_date").toString()) : 0; } else { - String address_line_1 = isFieldEncrypted(result.get("address_line_1")); - String address_line_2 = isFieldEncrypted(result.get("address_line_2")); + String address_line_1 = processFields(result.get("address_line_1")); + String address_line_2 = processFields(result.get("address_line_2")); street_address = String.join(" ", address_line_1, address_line_2); } @@ -1006,7 +1006,7 @@ class Chromium extends Extract { * @param dataValue Object to be checked, the object is from a database result set * @return the actual string or an empty string */ - private String isFieldEncrypted(Object dataValue) { + private String processFields(Object dataValue) { if (dataValue instanceof byte[]) { fieldEncrypted = true;