From b4a5bf5cb85189ff5cc3678c72e82304ec87797a Mon Sep 17 00:00:00 2001 From: "U-BASIS\\dgrove" Date: Fri, 4 May 2018 12:10:46 -0400 Subject: [PATCH 1/3] TSK_COMMENT added. --- .../EncryptionDetectionFileIngestModule.java | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java index d075dec1e8..ae30e2f1b0 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java @@ -30,6 +30,7 @@ import org.apache.tika.metadata.Metadata; import org.apache.tika.parser.AutoDetectParser; import org.apache.tika.parser.ParseContext; import org.apache.tika.sax.BodyContentHandler; +import org.openide.util.NbBundle.Messages; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.casemodule.services.Blackboard; @@ -43,14 +44,13 @@ import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; import org.xml.sax.ContentHandler; import org.xml.sax.SAXException; - - /** * File ingest module to detect encryption and password protection. */ 
@@ -95,6 +95,10 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 }
 }
 
+@Messages({
+"EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected.",
+"EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f)."
+})
 @Override
 public IngestModule.ProcessResult process(AbstractFile file) {
 
@@ -117,11 +121,11 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 String mimeType = fileTypeDetector.getMIMEType(file);
 if (mimeType.equals("application/octet-stream")) {
 if (isFileEncryptionSuspected(file)) {
-return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED);
+return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected());
 }
 } else {
 if (isFilePasswordProtected(file)) {
-return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED);
+return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
 }
 }
 }
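Review bot: The `suspected` bundle string carries a `java.util.Formatter`-style `%f` placeholder, but the `Bundle` accessor that `@Messages` generates for it takes no arguments, so nothing at compile time ties the placeholder to the entropy value and a caller that forgets to format the string stores a literal `(%f)` in the artifact comment. NbBundle messages conventionally use MessageFormat placeholders; writing `"EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy ({0})."` makes the annotation processor generate an accessor that takes the placeholder value as an argument, so a missing value is a compile error instead of a silently wrong comment on a TSK_ENCRYPTION_SUSPECTED hit. The `process` method this annotation applies to continues outside the hunk.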
@@ -153,14 +157,18 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter * * @param file The file to be processed. * @param artifactType The type of artifact to create. + * @param comment A comment to be attached to the artifact. * * @return 'OK' if the file was processed successfully, or 'ERROR' if there * was a problem. */ - private IngestModule.ProcessResult flagFile(AbstractFile file, BlackboardArtifact.ARTIFACT_TYPE artifactType) { + private IngestModule.ProcessResult flagFile(AbstractFile file, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) { try { BlackboardArtifact artifact = file.newArtifact(artifactType); + artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, + EncryptionDetectionModuleFactory.getModuleName(), comment)); + try { /* * Index the artifact for keyword search. From f7f4ad588221c24b86eb70ec6adfe8c08a1766e0 Mon Sep 17 00:00:00 2001 From: "U-BASIS\\dgrove" Date: Fri, 4 May 2018 16:59:14 -0400 Subject: [PATCH 2/3] Fixed bug with missing entropy value. --- .../EncryptionDetectionFileIngestModule.java | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java index ae30e2f1b0..8f101d3ab5 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java 
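Review bot: The new `artifact.addAttribute(...)` is a second database write issued after `file.newArtifact(artifactType)` has already persisted the artifact, so a `TskCoreException` from the attribute write (the catch is outside the hunk) leaves a TSK_ENCRYPTION_* artifact on the blackboard with no TSK_COMMENT, and presumably `flagFile` then reports `ERROR` for a file that is in fact flagged. The catch should at least log which step failed so such a comment-less artifact can be recognized, or the attribute should be supplied together with the artifact in a single creation call if the datamodel version in use offers one. The added Javadoc also leaves the contract of `comment` open; it should read `@param comment A non-null comment stored as a TSK_COMMENT attribute on the artifact.`. `flagFile` continues past the end of the hunk.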
@@ -121,11 +121,13 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
 String mimeType = fileTypeDetector.getMIMEType(file);
 if (mimeType.equals("application/octet-stream")) {
 if (isFileEncryptionSuspected(file)) {
-return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected());
+return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
+String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
 }
 } else {
 if (isFilePasswordProtected(file)) {
-return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
+return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED,
+Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
 }
 }
 }

From c393569ab2b4d4cab7cf7b59ecf2babd649b9acd Mon Sep 17 00:00:00 2001
From: "U-BASIS\\dgrove"
Date: Wed, 9 May 2018 14:02:32 -0400
Subject: [PATCH 3/3] Merge.

---
 .../EncryptionDetectionFileIngestModule.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
index 6ba0ebaa1e..706105cddc 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java
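Review bot: `String.format(...)` with the `%f` placeholder formats with the JVM's default locale, so the entropy written into the TSK_COMMENT attribute gets a locale-dependent decimal separator (`7,9` on one analyst's machine, `7.9` on another) plus six fixed decimals; an attribute that may later be searched or compared across cases should be rendered deterministically, e.g. `String.format(Locale.ROOT, Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy)` with `java.util.Locale` imported. `calculatedEntropy` is neither declared nor assigned in the hunk, so it is presumably an instance field populated as a side effect of `isFileEncryptionSuspected(file)` on the line above; that hidden ordering dependency deserves a comment at the call, e.g. `// calculatedEntropy is set by isFileEncryptionSuspected() just above`, or better, have the predicate return the entropy it computed. The enclosing `process` method starts and ends outside the hunk.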
@@ -64,7 +64,7 @@ import org.xml.sax.SAXException;
 final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter {
 
 private static final int FILE_SIZE_MODULUS = 512;
-
+
 private static final String MIME_TYPE_OOXML_PROTECTED = "application/x-ooxml-protected";
 private static final String MIME_TYPE_MSWORD = "application/msword";
 private static final String MIME_TYPE_MSEXCEL = "application/vnd.ms-excel";