From 50546c77deefd9184da2a0047537a8dd62826816 Mon Sep 17 00:00:00 2001
From: "U-BASIS\\dgrove"
Date: Mon, 4 Jun 2018 02:38:53 -0400
Subject: [PATCH 1/3] Added additional rules to qualify files to be processed.
---
 .../EncryptionDetectionFileIngestModule.java | 42 +++++++++++++++----
 1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
index 1d5d5d05d1..fdfb48499b 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
@@ -74,6 +74,8 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 private static final String MIME_TYPE_MSPOWERPOINT = "application/vnd.ms-powerpoint";
 private static final String MIME_TYPE_MSACCESS = "application/x-msaccess";
 private static final String MIME_TYPE_PDF = "application/pdf";
+
+ private static final String[] FILE_IGNORE_LIST = { "hiberfile.sys", "pagefile.sys" };
 
 private final IngestServices services = IngestServices.getInstance();
 private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
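Review bot: The first entry of FILE_IGNORE_LIST, `"hiberfile.sys"`, will never match on a Windows volume — the hibernation file is named `hiberfil.sys` (eight-character base name), so the name comparison added in the second hunk still lets that compressed, high-entropy file through to the entropy check this list was introduced to suppress; change the entry to `"hiberfil.sys"`. The same constant is reformatted in the first hunk of PATCH 3/3, which carries the typo forward. Since every comparison is `equalsIgnoreCase` against a root-level name, a `Set<String>` of lower-cased names checked with `contains(fileName.toLowerCase(Locale.ROOT))` would state the intent more directly than a `String[]` plus loop, though the array is not wrong.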
@@ -134,17 +136,39 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 */
 if (!file.getKnown().equals(TskData.FileKnown.KNOWN)) {
 /*
- * Qualify the MIME type.
+ * Has the file been deleted?
 */
- String mimeType = fileTypeDetector.getMIMEType(file);
- if (mimeType.equals("application/octet-stream")) {
- if (isFileEncryptionSuspected(file)) {
- return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
- String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
+ if (!file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)
+ && !file.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC)) {
+ /*
+ * Is the file in FILE_IGNORE_LIST?
+ */
+ boolean ignoreFile = false;
+ String filePath = file.getParentPath();
+ if (filePath.equals("/")) {
+ String fileName = file.getName();
+ for (String listEntry : FILE_IGNORE_LIST) {
+ if (fileName.equalsIgnoreCase(listEntry)) {
+ ignoreFile = true;
+ break;
+ }
+ }
 }
- } else {
- if (isFilePasswordProtected(file)) {
- return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
+ if (!ignoreFile) {
+ /*
+ * Qualify the MIME type.
+ */
+ String mimeType = fileTypeDetector.getMIMEType(file);
+ if (mimeType.equals("application/octet-stream")) {
+ if (isFileEncryptionSuspected(file)) {
+ return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
+ String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
+ }
+ } else {
+ if (isFilePasswordProtected(file)) {
+ return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
+ }
+ }
 }
 }
 }
From c97b22e7fbd5598b0582b301e7ac1e4b7266e29e Mon Sep 17 00:00:00 2001
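Review bot: `filePath.equals("/")` dereferences the value returned by `file.getParentPath()` with no null check; if any file type returns null there (I cannot confirm from the hunk), the resulting NullPointerException is not among the types the enclosing catch handles (the catch visible as context in PATCH 3/3's second hunk lists ReadContentInputStreamException, SAXException, TikaException and UnsupportedCodecException), so it would escape process() for that file. Reversing the comparison, `if ("/".equals(file.getParentPath())) {`, removes the risk at no cost. The ignore list also deserves a one-line comment stating its scope, e.g. `// Root-level OS files (hibernation/paging) are skipped by name: their contents look random but are not user encryption.`, so a later reader knows the match is a name-based heuristic limited to entries directly under the root. The enclosing process() method starts and ends outside this hunk.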
From: "U-BASIS\\dgrove"
Date: Mon, 11 Jun 2018 12:09:03 -0400
Subject: [PATCH 2/3] Return directly when file is to be ignored.
---
 .../EncryptionDetectionFileIngestModule.java | 35 +++++++++----------
 1 file changed, 16 insertions(+), 19 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
index fdfb48499b..ac0f83ce19 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
@@ -138,36 +138,33 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 /*
 * Has the file been deleted?
 */
- if (!file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)
- && !file.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC)) {
+ if (!file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
 /*
 * Is the file in FILE_IGNORE_LIST?
 */
- boolean ignoreFile = false;
 String filePath = file.getParentPath();
 if (filePath.equals("/")) {
 String fileName = file.getName();
 for (String listEntry : FILE_IGNORE_LIST) {
 if (fileName.equalsIgnoreCase(listEntry)) {
- ignoreFile = true;
- break;
+ // Skip this file.
+ return IngestModule.ProcessResult.OK;
 }
 }
 }
- if (!ignoreFile) {
- /*
- * Qualify the MIME type.
- */
- String mimeType = fileTypeDetector.getMIMEType(file);
- if (mimeType.equals("application/octet-stream")) {
- if (isFileEncryptionSuspected(file)) {
- return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
- String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
- }
- } else {
- if (isFilePasswordProtected(file)) {
- return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
- }
+
+ /*
+ * Qualify the MIME type.
+ */
+ String mimeType = fileTypeDetector.getMIMEType(file);
+ if (mimeType.equals("application/octet-stream")) {
+ if (isFileEncryptionSuspected(file)) {
+ return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
+ String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
+ }
+ } else {
+ if (isFilePasswordProtected(file)) {
+ return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
 }
 }
 }
From aa7ae523ff278458d7130f3bd9621c3845469732 Mon Sep 17 00:00:00 2001
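Review bot: Dropping the `!file.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC)` clause leaves the comment `Has the file been deleted?` describing a check that now consults only the metadata flag, and the commit message does not say why the name-flag half was removed. If I read the TSK flags correctly, an entry whose directory name is unallocated but whose metadata is still allocated will now be examined, which may or may not be what the ignore/qualification logic intends. Either restore the second clause or make the narrowing explicit in the comment, e.g. `// Only metadata-unallocated files are treated as deleted; name-unallocated entries are still examined.` The enclosing process() method starts and ends outside this hunk.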
From: "U-BASIS\\dgrove"
Date: Tue, 12 Jun 2018 18:26:33 -0400
Subject: [PATCH 3/3] Codacy fixes.
---
 .../EncryptionDetectionFileIngestModule.java | 67 ++++++++----------
 1 file changed, 28 insertions(+), 39 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
index ac0f83ce19..ea1f4042bc 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
@@ -74,8 +74,8 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 private static final String MIME_TYPE_MSPOWERPOINT = "application/vnd.ms-powerpoint";
 private static final String MIME_TYPE_MSACCESS = "application/x-msaccess";
 private static final String MIME_TYPE_PDF = "application/pdf";
-
- private static final String[] FILE_IGNORE_LIST = { "hiberfile.sys", "pagefile.sys" };
+
+ private static final String[] FILE_IGNORE_LIST = {"hiberfile.sys", "pagefile.sys"};
 
 private final IngestServices services = IngestServices.getInstance();
 private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
@@ -124,51 +124,40 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 
 try {
 /*
- * Qualify the file type.
+ * Qualify the file type, qualify it against hash databases, and
+ * verify the file hasn't been deleted.
 */
 if (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
 && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
 && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR)
 && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR)
- && (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed)) {
+ && (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed)
+ && !file.getKnown().equals(TskData.FileKnown.KNOWN)
+ && !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
 /*
- * Qualify the file against hash databases.
+ * Is the file in FILE_IGNORE_LIST?
 */
- if (!file.getKnown().equals(TskData.FileKnown.KNOWN)) {
- /*
- * Has the file been deleted?
- */
- if (!file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
- /*
- * Is the file in FILE_IGNORE_LIST?
- */
- String filePath = file.getParentPath();
- if (filePath.equals("/")) {
- String fileName = file.getName();
- for (String listEntry : FILE_IGNORE_LIST) {
- if (fileName.equalsIgnoreCase(listEntry)) {
- // Skip this file.
- return IngestModule.ProcessResult.OK;
- }
- }
- }
-
- /*
- * Qualify the MIME type.
- */
- String mimeType = fileTypeDetector.getMIMEType(file);
- if (mimeType.equals("application/octet-stream")) {
- if (isFileEncryptionSuspected(file)) {
- return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
- String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
- }
- } else {
- if (isFilePasswordProtected(file)) {
- return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
- }
+ String filePath = file.getParentPath();
+ if (filePath.equals("/")) {
+ String fileName = file.getName();
+ for (String listEntry : FILE_IGNORE_LIST) {
+ if (fileName.equalsIgnoreCase(listEntry)) {
+ // Skip this file.
+ return IngestModule.ProcessResult.OK;
 }
 }
 }
+
+ /*
+ * Qualify the MIME type.
+ */
+ String mimeType = fileTypeDetector.getMIMEType(file);
+ if (mimeType.equals("application/octet-stream") && isFileEncryptionSuspected(file)) {
+ return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
+ String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
+ } else if (isFilePasswordProtected(file)) {
+ return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
+ }
 }
 } catch (ReadContentInputStreamException | SAXException | TikaException | UnsupportedCodecException ex) {
 logger.log(Level.WARNING, String.format("Unable to read file '%s'", file.getParentPath() + file.getName()), ex);
@@ -397,7 +386,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 fileSizeQualified = true;
 }
 }
-
+
 if (fileSizeQualified) {
 /*
 * Qualify the entropy.
@@ -407,7 +396,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 possiblyEncrypted = true;
 }
 }
-
+
 return possiblyEncrypted;
 }
 }
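Review bot: Collapsing the nested ifs into `if (mimeType.equals("application/octet-stream") && isFileEncryptionSuspected(file)) { … } else if (isFilePasswordProtected(file)) { … }` changes behaviour: an octet-stream file that fails the entropy test now falls through to `isFilePasswordProtected(file)`, which the previous structure never called for octet-stream files. Unless isFilePasswordProtected (outside the hunk) rejects that MIME type on its own, every low-entropy binary blob now goes through the document-parsing path whose SAXException/TikaException the catch clause handles — extra work per file and a semantic change that a subject line of "Codacy fixes" does not announce. Keeping the outer branch on MIME type, `if (mimeType.equals("application/octet-stream")) { if (isFileEncryptionSuspected(file)) { … } } else if (isFilePasswordProtected(file)) { … }`, satisfies the nesting lint without widening which files reach the password check. The enclosing process() method begins and ends outside this hunk; the two trailing hunks at old lines 397 and 407 are whitespace only.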