From bcbd23604444e03cf50afe129a802095fc4c1fb2 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 15:03:40 -0500 Subject: [PATCH 01/31] 4629 add OS X detection --- .../DataSourceSummaryPanel.java | 8 +-- .../DataSourceUsageAnalyzer.java | 53 ++++++++++++++----- 2 files changed, 44 insertions(+), 17 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java b/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java index 83a8147255..0cac9d0c70 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java @@ -118,11 +118,11 @@ final class DataSourceSummaryPanel extends javax.swing.JPanel { //assumes only one Operating System per datasource //get the datasource id from the OSInfo's first artifact if it has artifacts if (!osInfo.getArtifacts().isEmpty() && osInfo.getArtifacts().get(0).getDataSource().getId() == selectedDataSource.getId()) { - osName = osInfo.getOSName(); - //if this OSInfo object has a name use it otherwise keep checking OSInfo objects - if (!osName.isEmpty()) { - break; + if (!osName.isEmpty()){ + osName += ", "; } + osName += osInfo.getOSName(); + //if this OSInfo object has a name use it otherwise keep checking OSInfo objects } } catch (TskCoreException ignored) { //unable to get datasource for the OSInfo Object diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 99e6447b9a..c9c4131412 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
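Review bot: In the DataSourceSummaryPanel hunk the new `osName += osInfo.getOSName();` runs even when the OSInfo has no name, so an unnamed OSInfo that follows a named one leaves a dangling `, ` in the summary text (and a later name then yields `, , `). Guard the separator and the append together, e.g. `String name = osInfo.getOSName();` then `if (!name.isEmpty()) { osName += osName.isEmpty() ? name : ", " + name; }`. Two comments kept in the hunk are now stale: `//assumes only one Operating System per datasource` contradicts the concatenation, and `//if this OSInfo object has a name use it otherwise keep checking OSInfo objects` describes the removed `break`. The enclosing loop starts and ends outside the hunk.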
@@ -19,6 +19,7 @@ package org.sleuthkit.autopsy.recentactivity; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Level; @@ -41,14 +42,22 @@ import org.sleuthkit.datamodel.TskCoreException; public class DataSourceUsageAnalyzer extends Extract { private static final Logger logger = Logger.getLogger(DataSourceUsageAnalyzer.class.getName()); + private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; + private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; + private Content dataSource; + @Messages({ + "DataSourceAnalyzer.windowsVolume.label=Windows volume", + "DataSourceUsageAnalyzer.osxVolume.label=OS Drive (OS X)", + "DataSourceUsageAnalyzer.osx.label=Mac OS X"}) @Override void process(Content dataSource, IngestJobContext context) { this.dataSource = dataSource; try { - checkForWindowsVolume(); + checkForOpperatingSystemSpecificFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); + checkForOpperatingSystemSpecificFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), ""); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Failed to check if datasource contained Windows volume.", ex); } 
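Review bot: In `process()` both new checks share one `try`, so a `TskCoreException` thrown by the Windows lookup skips the OS X lookup entirely and leaves only a WARNING in the log. The same shape is kept when the Linux and Android checks are added in PATCH 03/31 and PATCH 05/31, where one failed query would silently drop every OS check after it. Consider catching per check (for example a loop over path/label entries with the `try` inside the loop) so one failing query does not hide the remaining results. Separately, the key `DataSourceAnalyzer.windowsVolume.label` does not share the `DataSourceUsageAnalyzer.` prefix used by the other keys in this `@Messages` block.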
@@ -56,23 +65,41 @@ public class DataSourceUsageAnalyzer extends Extract { } /** - * Check if the data source contains files which would indicate a windows - * volume is present in it, and create an artifact for that volume if - * detected. + * Check if any of the specified file paths exist, if they do create a Data + * Source Usage if a description was specified and create and OS Info + * artifact if a program name was specified. * - * @throws TskCoreException + * @param filesToCheckFor - List of file paths to check for + * @param dataSourceUsageDescription- empty if no Data Source Usage Artifact + * should be created + * @param osInfoProgramName - empty if no OS Info Artifact should + * be created */ - private void checkForWindowsVolume() throws TskCoreException { + private void checkForOpperatingSystemSpecificFiles(List filesToCheckFor, String dataSourceUsageDescription, String osInfoProgramName) throws TskCoreException { + if (dataSourceUsageDescription.isEmpty() && osInfoProgramName.isEmpty()) { + //shortcut out if it was called with no artifacts to create + return; + } Collection bbattributes = new ArrayList<>(); FileManager fileManager = currentCase.getServices().getFileManager(); - List files = fileManager.findFilesByParentPath(dataSource.getId(), "/windows/system32"); - //create an artifact if any files with the windows/system32 path were found + List files = new ArrayList<>(); + for (String filePath : filesToCheckFor) { + files.addAll(fileManager.findFilesByParentPath(dataSource.getId(), filePath)); + } + //create an artifact if any files with the windows/system32 specific path were found if (!files.isEmpty()) { - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - "Windows volume")); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + if (!dataSourceUsageDescription.isEmpty()) { + bbattributes.add(new 
BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + dataSourceUsageDescription)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + } + if (!osInfoProgramName.isEmpty()) { + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + osInfoProgramName)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, dataSource, bbattributes); + } } } - } From 279a08d61c251bc8e808813cecf1f55b7300f74e Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 15:42:35 -0500 Subject: [PATCH 02/31] 4629 add creation of OS Info artifacts for OSX --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index c9c4131412..e5da425d81 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -57,7 +57,7 @@ public class DataSourceUsageAnalyzer extends Extract { this.dataSource = dataSource; try { checkForOpperatingSystemSpecificFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); - checkForOpperatingSystemSpecificFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), ""); + checkForOpperatingSystemSpecificFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Failed to check if datasource contained Windows volume.", ex); } 
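Review bot: The rewritten Javadoc on `checkForOpperatingSystemSpecificFiles` (PATCH 01/31, the hunk that ends just before the PATCH 02/31 header) drops the `@throws TskCoreException` tag although the method still declares the exception. I would restore it, e.g. `@throws TskCoreException if the file lookup fails`, worded loosely because the throwing call is presumably `findFilesByParentPath` and that is not confirmed here. The summary sentence reads "create and OS Info artifact" where "an" is meant. The `//NON-NLS` markers now sit on arguments that are localized Bundle strings rather than literals, so they no longer describe the line and could be removed.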
From f51cf7b526f288b5041ed2109b267a3a92f54f60 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 16:02:32 -0500 Subject: [PATCH 03/31] 4630 add check for linux specific files to DataSourceUsageAnalyzer --- .../DataSourceUsageAnalyzer.java | 60 +++++++++++++++++-- 1 file changed, 55 insertions(+), 5 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index e5da425d81..316a1e4e41 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
@@ -42,24 +42,74 @@ import org.sleuthkit.datamodel.TskCoreException; public class DataSourceUsageAnalyzer extends Extract { private static final Logger logger = Logger.getLogger(DataSourceUsageAnalyzer.class.getName()); + private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; + //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html + private static final String LINUX_RED_HAT_PATH = "/etc/redhat-release, /etc/redhat_version"; + private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; + private static final String LINUX_FEDORA_PATH = "/etc/fedora-release"; + private static final String LINUX_SLACKWARE_PATHS[] = {"/etc/slackware-release", "/etc/slackware-version"}; + private static final String LINUX_DEBIAN_PATHS[] = {"/etc/debian_release", "/etc/debian_version"}; + private static final String LINUX_MANDRAKE_PATH = "/etc/mandrake-release"; + private static final String LINUX_YELLOW_DOG_PATH = "/etc/yellowdog-release"; + private static final String LINUX_SUN_JDS_PATH = "/etc/sun-release"; + private static final String LINUX_SOLARIS_SPARC_PATH = "/etc/release"; + private static final String LINUX_GENTOO_PATH = "/etc/gentoo-release"; + private static final String LINUX_UNITED_LINUX_PATH = "/etc/UnitedLinux-releasee"; + private static final String LINUX_UBUNTU_PATH = "/etc/lsb-release"; private Content dataSource; @Messages({ "DataSourceAnalyzer.windowsVolume.label=Windows volume", "DataSourceUsageAnalyzer.osxVolume.label=OS Drive (OS X)", - "DataSourceUsageAnalyzer.osx.label=Mac OS X"}) + "DataSourceUsageAnalyzer.osx.label=Mac OS X", + "DataSourceUsageAnalyzer.redhatLinuxVolume.label=OS Drive (Linux Redhat)", + "DataSourceUsageAnalyzer.redhatLinuxOs.label=Linux (Redhat)", + "DataSourceUsageAnalyzer.novellSUSEVolume.label=OS Drive (Linux Novell SUSE)", + "DataSourceUsageAnalyzer.novellSUSEOs.label=Linux 
(Novell SUSE)", + "DataSourceUsageAnalyzer.fedoraLinuxVolume.label=OS Drive (Linux Fedora)", + "DataSourceUsageAnalyzer.fedoraLinuxOs.lable=Linux (Fedora)", + "DataSourceUsageAnalyzer.slackwareLinuxVolume.label=OS Drive (Linux Slackware)", + "DataSourceUsageAnalyzer.slackwareLinuxOs.label=Linux (Slackware)", + "DataSourceUsageAnalyzer.debianLinuxVolume.label=OS Drive (Linux Debian)", + "DataSourceUsageAnalyzer.debianLinuxOs.label=Linux (Debian)", + "DataSourceUsageAnalyzer.mandrakeLinuxVolume.label=OS Drive (Linux Mandrake)", + "DataSourceUsageAnalyzer.mandrakeLinuxOs.label=Linux (Mandrake)", + "DataSourceUsageAnalyzer.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)", + "DataSourceUsageAnalyzer.yellowDogLinuxOs.label=Linux (Yellow Dog)", + "DataSourceUsageAnalyzer.sunJDSLinuxVolume.label=OS Drive (Linux Sun JDS)", + "DataSourceUsageAnalyzer.sunJDSLinuxOs.label=Linux (Sun JDS)", + "DataSourceUsageAnalyzer.solarisSparcVolume.label=OS Drive (Linux Solaris/Sparc)", + "DataSourceUsageAnalyzer.solarisSparcOs.label=Linux (Solaris/Sparc)", + "DataSourceUsageAnalyzer.gentooLinuxVolume.label=OS Drive (Linux Gentoo)", + "DataSourceUsageAnalyzer.gentooLinuxOs.label=Linux (Gentoo)", + "DataSourceUsageAnalyzer.unitedLinuxVolume.label=OS Drive (Linux United Linux)", + "DataSourceUsageAnalyzer.unitedLinuxOs.label=Linux (United Linux)", + "DataSourceUsageAnalyzer.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)", + "DataSourceUsageAnalyzer.ubuntuLinuxOs.label=Linux (Ubuntu)"}) @Override void process(Content dataSource, IngestJobContext context) { this.dataSource = dataSource; try { - checkForOpperatingSystemSpecificFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); - checkForOpperatingSystemSpecificFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); + checkForOSFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), 
""); + checkForOSFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); + checkForOSFiles(Arrays.asList(LINUX_RED_HAT_PATH), Bundle.DataSourceUsageAnalyzer_redhatLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_redhatLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_NOVELL_SUSE_PATH), Bundle.DataSourceUsageAnalyzer_novellSUSEVolume_label(), Bundle.DataSourceUsageAnalyzer_novellSUSEOs_label()); + checkForOSFiles(Arrays.asList(LINUX_FEDORA_PATH), Bundle.DataSourceUsageAnalyzer_fedoraLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_fedoraLinuxOs_lable()); + checkForOSFiles(Arrays.asList(LINUX_SLACKWARE_PATHS), Bundle.DataSourceUsageAnalyzer_slackwareLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_slackwareLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_DEBIAN_PATHS), Bundle.DataSourceUsageAnalyzer_debianLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_debianLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_MANDRAKE_PATH), Bundle.DataSourceUsageAnalyzer_mandrakeLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_mandrakeLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_YELLOW_DOG_PATH), Bundle.DataSourceUsageAnalyzer_yellowDogLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_yellowDogLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_SUN_JDS_PATH), Bundle.DataSourceUsageAnalyzer_sunJDSLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_sunJDSLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_SOLARIS_SPARC_PATH), Bundle.DataSourceUsageAnalyzer_solarisSparcVolume_label(), Bundle.DataSourceUsageAnalyzer_solarisSparcOs_label()); + checkForOSFiles(Arrays.asList(LINUX_GENTOO_PATH), Bundle.DataSourceUsageAnalyzer_gentooLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_gentooLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_UNITED_LINUX_PATH), Bundle.DataSourceUsageAnalyzer_unitedLinuxVolume_label(), 
Bundle.DataSourceUsageAnalyzer_unitedLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_UBUNTU_PATH), Bundle.DataSourceUsageAnalyzer_ubuntuLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_ubuntuLinuxOs_label()); } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Failed to check if datasource contained Windows volume.", ex); + logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); } } @@ -75,7 +125,7 @@ public class DataSourceUsageAnalyzer extends Extract { * @param osInfoProgramName - empty if no OS Info Artifact should * be created */ - private void checkForOpperatingSystemSpecificFiles(List filesToCheckFor, String dataSourceUsageDescription, String osInfoProgramName) throws TskCoreException { + private void checkForOSFiles(List filesToCheckFor, String dataSourceUsageDescription, String osInfoProgramName) throws TskCoreException { if (dataSourceUsageDescription.isEmpty() && osInfoProgramName.isEmpty()) { //shortcut out if it was called with no artifacts to create return; From d75403a861859424175a628153afe468155d01b8 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 16:04:25 -0500 Subject: [PATCH 04/31] 4629 fix typo and refactor method name --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index e5da425d81..fd6de73f7a 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
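Review bot: Two marker files added in PATCH 03/31 are not specific to the system they are labelled with, which matters because a hit creates an OS Info artifact an examiner may rely on: `/etc/lsb-release` (`LINUX_UBUNTU_PATH`) is the generic LSB file and is shipped by other distributions too, and `/etc/release` is filed under `Linux (Solaris/Sparc)` although Solaris is not Linux. An Ubuntu image would presumably also match `LINUX_DEBIAN_PATHS` through `/etc/debian_version` and receive both labels. Consider reading the distributor field (`DISTRIB_ID`) from the file content before naming the OS, or wording these labels as a possible match. The key `DataSourceUsageAnalyzer.fedoraLinuxOs.lable` is misspelled, and the accessor `Bundle.DataSourceUsageAnalyzer_fedoraLinuxOs_lable()` carries the typo with it.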
@@ -56,10 +56,10 @@ public class DataSourceUsageAnalyzer extends Extract { this.dataSource = dataSource; try { - checkForOpperatingSystemSpecificFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); - checkForOpperatingSystemSpecificFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); + checkForOSFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); + checkForOSFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Failed to check if datasource contained Windows volume.", ex); + logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); } } @@ -75,7 +75,7 @@ public class DataSourceUsageAnalyzer extends Extract { * @param osInfoProgramName - empty if no OS Info Artifact should * be created */ - private void checkForOpperatingSystemSpecificFiles(List filesToCheckFor, String dataSourceUsageDescription, String osInfoProgramName) throws TskCoreException { + private void checkForOSFiles(List filesToCheckFor, String dataSourceUsageDescription, String osInfoProgramName) throws TskCoreException { if (dataSourceUsageDescription.isEmpty() && osInfoProgramName.isEmpty()) { //shortcut out if it was called with no artifacts to create return; From 63a0c4998f68d5c028cffaeba123a2e227020c99 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 16:09:02 -0500 Subject: [PATCH 05/31] 4632 add check for Android specific files --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 316a1e4e41..d4d5bc9dca 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -42,9 +42,10 @@ import org.sleuthkit.datamodel.TskCoreException; public class DataSourceUsageAnalyzer extends Extract { private static final Logger logger = Logger.getLogger(DataSourceUsageAnalyzer.class.getName()); - + private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; + private static final String ANDROID_VOLUME_PATH = "data/data/com.android.providers.settings/databases/settings‌​.db"; //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html private static final String LINUX_RED_HAT_PATH = "/etc/redhat-release, /etc/redhat_version"; private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; @@ -65,6 +66,8 @@ public class DataSourceUsageAnalyzer extends Extract { "DataSourceAnalyzer.windowsVolume.label=Windows volume", "DataSourceUsageAnalyzer.osxVolume.label=OS Drive (OS X)", "DataSourceUsageAnalyzer.osx.label=Mac OS X", + "DataSourceUsageAnalyzer.androidVolume.label=OS Drive (Android)", + "DataSourceUsageAnalyzer.androidOs.label=Android", "DataSourceUsageAnalyzer.redhatLinuxVolume.label=OS Drive (Linux Redhat)", "DataSourceUsageAnalyzer.redhatLinuxOs.label=Linux (Redhat)", "DataSourceUsageAnalyzer.novellSUSEVolume.label=OS Drive (Linux Novell SUSE)", 
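Review bot: The new `ANDROID_VOLUME_PATH` literal appears, as far as this page renders it, to carry invisible zero-width characters between `settings` and `.db` (a common copy-and-paste artefact); if they are in the source file, the name can never match a real `settings.db` and the Android check silently finds nothing. Retype the literal by hand and check the file for non-ASCII bytes. It is also the only path constant without a leading `/` (`data/data/...` against `/windows/system32` and `/etc/...`), which should be made consistent with whatever form the file lookup expects.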
@@ -96,6 +99,7 @@ public class DataSourceUsageAnalyzer extends Extract { try { checkForOSFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); checkForOSFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); + checkForOSFiles(Arrays.asList(ANDROID_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_androidVolume_label(), Bundle.DataSourceUsageAnalyzer_androidOs_label()); checkForOSFiles(Arrays.asList(LINUX_RED_HAT_PATH), Bundle.DataSourceUsageAnalyzer_redhatLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_redhatLinuxOs_label()); checkForOSFiles(Arrays.asList(LINUX_NOVELL_SUSE_PATH), Bundle.DataSourceUsageAnalyzer_novellSUSEVolume_label(), Bundle.DataSourceUsageAnalyzer_novellSUSEOs_label()); checkForOSFiles(Arrays.asList(LINUX_FEDORA_PATH), Bundle.DataSourceUsageAnalyzer_fedoraLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_fedoraLinuxOs_lable()); From fe7ed5a438851545714d0d6a8dc0e0659b716357 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 16:15:12 -0500 Subject: [PATCH 06/31] 4629 use correct TSK_PROG_NAME attribute to store name of OS --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index fd6de73f7a..9f9d0fb420 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
@@ -95,7 +95,7 @@ public class DataSourceUsageAnalyzer extends Extract { addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); } if (!osInfoProgramName.isEmpty()) { - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, Bundle.DataSourceUsageAnalyzer_parentModuleName(), osInfoProgramName)); //NON-NLS addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, dataSource, bbattributes); From aee3b41bfd7c43b3c8e4f8365bc2da50574f5987 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 16:59:04 -0500 Subject: [PATCH 07/31] 4630 fix redhat paths --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index cb170b312a..bf8ab20db6 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
@@ -46,7 +46,7 @@ public class DataSourceUsageAnalyzer extends Extract { private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html - private static final String LINUX_RED_HAT_PATH = "/etc/redhat-release, /etc/redhat_version"; + private static final String LINUX_RED_HAT_PATHS[] = {"/etc/redhat-release", "/etc/redhat_version"}; private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; private static final String LINUX_FEDORA_PATH = "/etc/fedora-release"; private static final String LINUX_SLACKWARE_PATHS[] = {"/etc/slackware-release", "/etc/slackware-version"}; @@ -96,7 +96,7 @@ public class DataSourceUsageAnalyzer extends Extract { try { checkForOSFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); checkForOSFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); - checkForOSFiles(Arrays.asList(LINUX_RED_HAT_PATH), Bundle.DataSourceUsageAnalyzer_redhatLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_redhatLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_RED_HAT_PATHS), Bundle.DataSourceUsageAnalyzer_redhatLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_redhatLinuxOs_label()); checkForOSFiles(Arrays.asList(LINUX_NOVELL_SUSE_PATH), Bundle.DataSourceUsageAnalyzer_novellSUSEVolume_label(), Bundle.DataSourceUsageAnalyzer_novellSUSEOs_label()); checkForOSFiles(Arrays.asList(LINUX_FEDORA_PATH), Bundle.DataSourceUsageAnalyzer_fedoraLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_fedoraLinuxOs_lable()); checkForOSFiles(Arrays.asList(LINUX_SLACKWARE_PATHS), Bundle.DataSourceUsageAnalyzer_slackwareLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_slackwareLinuxOs_label()); 
From a93ea4b93cb62481b7d42b0970203bfd4f7c93fc Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 17:25:05 -0500 Subject: [PATCH 08/31] 4629 fix attributes to be associated with just their artifact --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 9f9d0fb420..f429d7bb2e 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -80,7 +80,6 @@ public class DataSourceUsageAnalyzer extends Extract { //shortcut out if it was called with no artifacts to create return; } - Collection bbattributes = new ArrayList<>(); FileManager fileManager = currentCase.getServices().getFileManager(); List files = new ArrayList<>(); for (String filePath : filesToCheckFor) { @@ -89,12 +88,14 @@ public class DataSourceUsageAnalyzer extends Extract { //create an artifact if any files with the windows/system32 specific path were found if (!files.isEmpty()) { if (!dataSourceUsageDescription.isEmpty()) { + Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, Bundle.DataSourceUsageAnalyzer_parentModuleName(), dataSourceUsageDescription)); //NON-NLS addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); } if (!osInfoProgramName.isEmpty()) { + Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, Bundle.DataSourceUsageAnalyzer_parentModuleName(), osInfoProgramName)); //NON-NLS From a0be72d37cd1b1634a0ddf302a3e091a00addfb9 Mon Sep 17 00:00:00 2001 
From: William Schaefer Date: Tue, 15 Jan 2019 17:27:07 -0500 Subject: [PATCH 09/31] 4630 fix typo in United Linux release path --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index ee479a0b9b..ee2d74b8d6 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -56,7 +56,7 @@ public class DataSourceUsageAnalyzer extends Extract { private static final String LINUX_SUN_JDS_PATH = "/etc/sun-release"; private static final String LINUX_SOLARIS_SPARC_PATH = "/etc/release"; private static final String LINUX_GENTOO_PATH = "/etc/gentoo-release"; - private static final String LINUX_UNITED_LINUX_PATH = "/etc/UnitedLinux-releasee"; + private static final String LINUX_UNITED_LINUX_PATH = "/etc/UnitedLinux-release"; private static final String LINUX_UBUNTU_PATH = "/etc/lsb-release"; private Content dataSource; From cdb9016afa5bbb0c11ee89b612a4852a442aed2d Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 18:53:58 -0500 Subject: [PATCH 10/31] 4629 Change query for files to look for files with a parent directory instead of parent dir --- RecentActivity/nbproject/project.xml | 9 + .../DataSourceUsageAnalyzer.java | 7 +- nbproject/platform.properties | 229 +++++++++--------- 3 files changed, 129 insertions(+), 116 deletions(-) diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml index ef1b87d6c2..402702e54b 100644 --- a/RecentActivity/nbproject/project.xml +++ b/RecentActivity/nbproject/project.xml @@ -63,6 +63,15 @@ 10.14 + + org.sleuthkit.autopsy.corelibs + + + + 3 + 1.2 + + 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index f429d7bb2e..d5e13bd39d 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -23,6 +23,7 @@ import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Level; +import org.apache.commons.io.FilenameUtils; import org.openide.util.NbBundle.Messages; import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.Logger; @@ -83,11 +84,12 @@ public class DataSourceUsageAnalyzer extends Extract { FileManager fileManager = currentCase.getServices().getFileManager(); List files = new ArrayList<>(); for (String filePath : filesToCheckFor) { - files.addAll(fileManager.findFilesByParentPath(dataSource.getId(), filePath)); + files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); } - //create an artifact if any files with the windows/system32 specific path were found + //if any files existed matching the specified file if (!files.isEmpty()) { if (!dataSourceUsageDescription.isEmpty()) { + //if the data source usage description is not empty create a data source usage artifact Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, Bundle.DataSourceUsageAnalyzer_parentModuleName(), 
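Review bot: The new lookup `fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))` passes a parent path with the leading `/` removed (`getPath("/etc/release")` yields `etc/`), so if `findFiles` treats its third argument as a substring of the parent path (confirm against FileManager) a file named `release` under a constructed path such as `/home/user/backup/etc/` would be reported as an OS volume. For a forensic result that is a false attribution; filter the returned files so that only those whose parent path equals the expected directory are counted before `files.isEmpty()` is tested. The Windows entry changes meaning as well: `/windows/system32` is now split into name `system32` and parent `windows/`, so the check is for the directory entry itself rather than for files inside it. The method body starts and ends outside this hunk.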
@@ -95,6 +97,7 @@ public class DataSourceUsageAnalyzer extends Extract { addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); } if (!osInfoProgramName.isEmpty()) { + //if the os info program name is not empty create an os info artifacts Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, Bundle.DataSourceUsageAnalyzer_parentModuleName(), diff --git a/nbproject/platform.properties b/nbproject/platform.properties index 898ac95983..b03c3b5199 100644 --- a/nbproject/platform.properties +++ b/nbproject/platform.properties 
@@ -11,125 +11,126 @@ autoupdate.catalog.url=https://updates.netbeans.org/netbeans/updates/${netbeans- cluster.path=\ ${nbplatform.active.dir}/harness:\ ${nbplatform.active.dir}/java:\ - ${nbplatform.active.dir}/platform + ${nbplatform.active.dir}/platform:\ + ${nbplatform.active.dir}/cluster disabled.modules=\ -org.apache.tools.ant.module,\ - org.netbeans.api.debugger.jpda,\ - org.netbeans.modules.debugger.jpda.jsui,\ - org.netbeans.api.java,\ - org.netbeans.api.maven,\ - org.netbeans.lib.nbjavac,\ - org.netbeans.libs.cglib,\ - org.netbeans.libs.javacapi,\ - org.netbeans.libs.javacimpl,\ - org.netbeans.libs.springframework,\ - org.netbeans.modules.ant.browsetask,\ - org.netbeans.modules.ant.debugger,\ - org.netbeans.modules.ant.freeform,\ - org.netbeans.modules.ant.grammar,\ - org.netbeans.modules.ant.kit,\ - org.netbeans.modules.beans,\ - org.netbeans.modules.classfile,\ - org.netbeans.modules.dbschema,\ - org.netbeans.modules.debugger.jpda,\ - org.netbeans.modules.debugger.jpda.ant,\ - org.netbeans.modules.debugger.jpda.js,\ - org.netbeans.modules.debugger.jpda.kit,\ - org.netbeans.modules.debugger.jpda.projects,\ - org.netbeans.modules.debugger.jpda.ui,\ - org.netbeans.modules.debugger.jpda.visual,\ - org.netbeans.modules.findbugs.installer,\ - org.netbeans.modules.form,\ - org.netbeans.modules.form.binding,\ - org.netbeans.modules.form.j2ee,\ - org.netbeans.modules.form.kit,\ - org.netbeans.modules.form.nb,\ - org.netbeans.modules.form.refactoring,\ - org.netbeans.modules.hibernate,\ - org.netbeans.modules.hibernate4lib,\ - org.netbeans.modules.hibernatelib,\ org.netbeans.modules.hudson.ant,\ - org.netbeans.modules.hudson.maven,\ - org.netbeans.modules.i18n,\ - org.netbeans.modules.i18n.form,\ - org.netbeans.modules.j2ee.core.utilities,\ - org.netbeans.modules.j2ee.eclipselink,\ - org.netbeans.modules.j2ee.eclipselinkmodelgen,\ - org.netbeans.modules.j2ee.jpa.refactoring,\ - org.netbeans.modules.j2ee.jpa.verification,\ - org.netbeans.modules.j2ee.metadata,\ - 
org.netbeans.modules.j2ee.metadata.model.support,\ - org.netbeans.modules.j2ee.persistence,\ - org.netbeans.modules.j2ee.persistence.kit,\ - org.netbeans.modules.j2ee.persistenceapi,\ - org.netbeans.modules.java.api.common,\ - org.netbeans.modules.java.debug,\ - org.netbeans.modules.java.editor,\ - org.netbeans.modules.java.editor.lib,\ - org.netbeans.modules.java.examples,\ - org.netbeans.modules.java.freeform,\ - org.netbeans.modules.java.guards,\ - org.netbeans.modules.java.helpset,\ - org.netbeans.modules.java.hints,\ - org.netbeans.modules.java.hints.declarative,\ - org.netbeans.modules.java.hints.declarative.test,\ - org.netbeans.modules.java.hints.legacy.spi,\ - org.netbeans.modules.java.hints.test,\ - org.netbeans.modules.java.hints.ui,\ - org.netbeans.modules.java.j2sedeploy,\ - org.netbeans.modules.java.j2seembedded,\ - org.netbeans.modules.java.j2seplatform,\ - org.netbeans.modules.java.j2seprofiles,\ - org.netbeans.modules.java.j2seproject,\ - org.netbeans.modules.java.kit,\ - org.netbeans.modules.java.lexer,\ - org.netbeans.modules.java.metrics,\ - org.netbeans.modules.java.navigation,\ - org.netbeans.modules.java.platform,\ - org.netbeans.modules.java.preprocessorbridge,\ - org.netbeans.modules.java.project,\ - org.netbeans.modules.java.source,\ - org.netbeans.modules.java.source.ant,\ - org.netbeans.modules.java.source.queries,\ - org.netbeans.modules.java.source.queriesimpl,\ - org.netbeans.modules.java.sourceui,\ - org.netbeans.modules.java.testrunner,\ - org.netbeans.modules.javadoc,\ - org.netbeans.modules.javaee.injection,\ - org.netbeans.modules.javawebstart,\ - org.netbeans.modules.junit,\ - org.netbeans.modules.maven,\ - org.netbeans.modules.maven.checkstyle,\ - org.netbeans.modules.maven.coverage,\ - org.netbeans.modules.maven.embedder,\ - org.netbeans.modules.maven.grammar,\ + org.netbeans.libs.cglib,\ org.netbeans.modules.maven.graph,\ - org.netbeans.modules.maven.hints,\ - org.netbeans.modules.maven.indexer,\ - 
org.netbeans.modules.maven.junit,\ - org.netbeans.modules.maven.kit,\ - org.netbeans.modules.maven.model,\ - org.netbeans.modules.maven.osgi,\ - org.netbeans.modules.maven.persistence,\ - org.netbeans.modules.maven.refactoring,\ - org.netbeans.modules.maven.repository,\ - org.netbeans.modules.maven.search,\ - org.netbeans.modules.maven.spring,\ + org.netbeans.modules.java.hints.declarative.test,\ + org.netbeans.libs.javacapi,\ org.netbeans.modules.nashorn.execution,\ + org.netbeans.modules.java.metrics,\ + org.netbeans.modules.debugger.jpda.js,\ + org.netbeans.api.java,\ + org.netbeans.modules.debugger.jpda.ant,\ + org.netbeans.modules.java.source.ant,\ + org.netbeans.modules.maven.refactoring,\ + org.netbeans.modules.ant.debugger,\ + org.netbeans.modules.hibernatelib,\ + org.netbeans.modules.hibernate,\ + org.netbeans.lib.nbjavac,\ + org.netbeans.modules.debugger.jpda.kit,\ + org.netbeans.modules.maven.persistence,\ + org.netbeans.modules.javaee.injection,\ + org.netbeans.modules.maven,\ org.netbeans.modules.performance,\ - org.netbeans.modules.performance.java,\ - org.netbeans.modules.projectimport.eclipse.core,\ - org.netbeans.modules.projectimport.eclipse.j2se,\ - org.netbeans.modules.refactoring.java,\ + org.netbeans.spi.java.hints,\ org.netbeans.modules.spellchecker.bindings.java,\ - org.netbeans.modules.spring.beans,\ - org.netbeans.modules.testng,\ - org.netbeans.modules.testng.ant,\ - org.netbeans.modules.testng.maven,\ - org.netbeans.modules.websvc.jaxws21,\ - org.netbeans.modules.websvc.jaxws21api,\ - org.netbeans.modules.websvc.saas.codegen.java,\ - org.netbeans.modules.whitelist,\ + org.netbeans.modules.java.j2seproject,\ + org.netbeans.modules.javawebstart,\ + org.netbeans.modules.debugger.jpda,\ + org.netbeans.modules.ant.grammar,\ + org.netbeans.modules.maven.checkstyle,\ + org.netbeans.modules.java.source.queries,\ + org.netbeans.modules.refactoring.java,\ + org.netbeans.modules.java.examples,\ + org.netbeans.modules.j2ee.jpa.verification,\ + 
org.netbeans.modules.j2ee.jpa.refactoring,\ + org.netbeans.modules.j2ee.metadata.model.support,\ + org.netbeans.modules.classfile,\ + org.netbeans.modules.maven.coverage,\ + org.netbeans.modules.debugger.jpda.ui,\ + org.netbeans.modules.java.guards,\ org.netbeans.modules.xml.jaxb,\ + org.netbeans.modules.java.preprocessorbridge,\ + org.netbeans.modules.debugger.jpda.jsui,\ + org.netbeans.api.debugger.jpda,\ + org.netbeans.modules.ant.freeform,\ + org.netbeans.modules.java.sourceui,\ + org.netbeans.modules.projectimport.eclipse.j2se,\ + org.netbeans.modules.form,\ + org.netbeans.modules.junit,\ + org.netbeans.modules.j2ee.persistence.kit,\ + org.netbeans.modules.j2ee.metadata,\ + org.netbeans.modules.java.j2seplatform,\ + org.netbeans.modules.javadoc,\ + org.netbeans.modules.debugger.jpda.projects,\ + org.netbeans.modules.java.source,\ + org.netbeans.modules.maven.spring,\ + org.netbeans.modules.maven.search,\ + org.netbeans.modules.java.debug,\ + org.netbeans.modules.maven.grammar,\ + org.netbeans.modules.java.kit,\ + org.netbeans.modules.testng,\ + org.netbeans.modules.spring.beans,\ + org.netbeans.modules.websvc.saas.codegen.java,\ + org.netbeans.modules.java.editor.lib,\ + org.netbeans.modules.java.testrunner,\ + org.netbeans.modules.java.source.queriesimpl,\ + org.netbeans.modules.maven.junit,\ + org.netbeans.modules.maven.hints,\ org.netbeans.modules.xml.tools.java,\ - org.netbeans.spi.java.hints + org.netbeans.modules.j2ee.persistenceapi,\ + org.netbeans.modules.java.j2seprofiles,\ + org.netbeans.modules.form.kit,\ + org.netbeans.modules.projectimport.eclipse.core,\ + org.netbeans.modules.form.refactoring,\ + org.apache.tools.ant.module,\ + org.netbeans.modules.testng.maven,\ + org.netbeans.modules.java.hints.test,\ + org.netbeans.modules.i18n.form,\ + org.netbeans.modules.maven.kit,\ + org.netbeans.modules.beans,\ + org.netbeans.modules.java.platform,\ + org.netbeans.modules.java.hints.legacy.spi,\ + org.netbeans.modules.java.lexer,\ + 
org.netbeans.modules.java.hints,\ + org.netbeans.modules.java.j2seembedded,\ + org.netbeans.modules.java.hints.ui,\ + org.netbeans.modules.java.editor,\ + org.netbeans.modules.websvc.jaxws21,\ + org.netbeans.modules.hudson.maven,\ + org.netbeans.modules.java.j2sedeploy,\ + org.netbeans.libs.javacimpl,\ + org.netbeans.modules.java.helpset,\ + org.netbeans.modules.i18n,\ + org.netbeans.modules.dbschema,\ + org.netbeans.api.maven,\ + org.netbeans.modules.findbugs.installer,\ + org.netbeans.modules.j2ee.eclipselinkmodelgen,\ + org.netbeans.modules.form.nb,\ + org.netbeans.modules.debugger.jpda.visual,\ + org.netbeans.modules.form.j2ee,\ + org.netbeans.modules.java.project,\ + org.netbeans.modules.java.api.common,\ + org.netbeans.modules.j2ee.persistence,\ + org.netbeans.modules.java.freeform,\ + org.netbeans.modules.whitelist,\ + org.netbeans.libs.springframework,\ + org.netbeans.modules.maven.embedder,\ + org.netbeans.modules.ant.kit,\ + org.netbeans.modules.java.hints.declarative,\ + org.netbeans.modules.testng.ant,\ + org.netbeans.modules.form.binding,\ + org.netbeans.modules.ant.browsetask,\ + org.netbeans.modules.j2ee.core.utilities,\ + org.netbeans.modules.performance.java,\ + org.netbeans.modules.websvc.jaxws21api,\ + org.netbeans.modules.maven.repository,\ + org.netbeans.modules.j2ee.eclipselink,\ + org.netbeans.modules.maven.model,\ + org.netbeans.modules.hibernate4lib,\ + org.netbeans.modules.java.navigation,\ + org.netbeans.modules.maven.indexer,\ + org.netbeans.modules.maven.osgi From c55d0c5d15ea88a507feab604a2502e82904d55e Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Tue, 15 Jan 2019 18:55:50 -0500 Subject: [PATCH 11/31] 4632 remove invisible characters from android volume path --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
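Review bot: The only functional change I can see in this hunk is the new `${nbplatform.active.dir}/cluster` entry in `cluster.path`. The `disabled.modules` list appears to be the same entries written back in a different order, which makes it hard to confirm by eye that no module was enabled or disabled along the way. If the reorder came from the IDE rewriting the file, restoring the previous sorted order would reduce the diff to the one line that matters. The extra cluster presumably changes which platform modules the build picks up, so the commit message should say why it is needed.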
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 8f7511532e..a7f9ff581c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -46,7 +46,7 @@ public class DataSourceUsageAnalyzer extends Extract { private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; - private static final String ANDROID_VOLUME_PATH = "data/data/com.android.providers.settings/databases/settings‌​.db"; + private static final String ANDROID_VOLUME_PATH = "data/data/com.android.providers.settings/databases/settings.db"; //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html private static final String LINUX_RED_HAT_PATHS[] = {"/etc/redhat-release", "/etc/redhat_version"}; private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; From 99053a002849283d5f72d47f1f96e47b17fd80f7 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Wed, 16 Jan 2019 12:19:21 -0500 Subject: [PATCH 12/31] 4629 prevent duplicate OS_INFO and DATA_SOURCE_USAGE from being generated --- .../DataSourceUsageAnalyzer.java | 37 +++++++++++++------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index d5e13bd39d..57bdc55fcb 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
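Review bot: Nothing in the new code keeps zero-width characters from slipping back into `ANDROID_VOLUME_PATH` or the neighbouring path constants, and such a literal looks identical in review while never matching a real file name. A small guard would catch it: a unit test asserting that each path constant consists only of printable ASCII, or a build-time check for non-ASCII bytes in source files. At minimum, add a comment above the constants such as `//paths must be plain ASCII, pasted text may carry zero-width characters`.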
@@ -89,20 +89,33 @@ public class DataSourceUsageAnalyzer extends Extract { //if any files existed matching the specified file if (!files.isEmpty()) { if (!dataSourceUsageDescription.isEmpty()) { - //if the data source usage description is not empty create a data source usage artifact - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - dataSourceUsageDescription)); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description + List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); + boolean createNewUsageArtifact = true; + for (BlackboardArtifact artifact : artifacts) { + if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { + createNewUsageArtifact = false; + break; + } + } + if (createNewUsageArtifact) { + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + dataSourceUsageDescription)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + } } if (!osInfoProgramName.isEmpty()) { - //if the os info program name is not empty create an os info artifacts - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - osInfoProgramName)); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, dataSource, 
bbattributes); + //check if OS INFO artifact already created on this file + if (tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0).getId()).isEmpty()) { + //if the os info program name is not empty create an os info artifact on the first of the files found + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + osInfoProgramName)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0), bbattributes); + } } } } From 5abc587349eb3cf3ff01b005f59214a0799e26e2 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Wed, 16 Jan 2019 13:46:09 -0500 Subject: [PATCH 13/31] 4629 add comment to explain possible combining of OSInfo objects --- .../casemodule/datasourceSummary/DataSourceSummaryPanel.java | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java b/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java index 0cac9d0c70..d1573a4dae 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java @@ -83,6 +83,7 @@ final class DataSourceSummaryPanel extends javax.swing.JPanel { SleuthkitCase skCase = Case.getCurrentCaseThrows().getSleuthkitCase(); allIngestJobs.addAll(skCase.getIngestJobs()); dataSources.addAll(skCase.getDataSources()); + //if for some reason multiple OS_INFO_ARTIFACTS were created with the same parent object id this will only return one OSInfo object for them osInfoList = OSUtility.getOSInfo(skCase); } catch (TskCoreException | NoCurrentCaseException ex) { logger.log(Level.SEVERE, "Failed to load ingest jobs.", ex); 
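Review bot: The duplicate check dereferences `artifact.getAttribute(...)` without a null test, so a single existing TSK_DATA_SOURCE_USAGE artifact that lacks a TSK_DESCRIPTION attribute would raise a NullPointerException that the `catch (TskCoreException ex)` in `process` does not handle. The later patch on this page null-checks the result of `getAttribute` for TSK_PROG_NAME, which suggests the call can return null. Read the attribute into a local first, `BlackboardAttribute desc = artifact.getAttribute(...);`, then test `if (desc != null && dataSourceUsageDescription.equals(desc.getValueString()))`. The same loop is carried over unchanged into `createDataSourceUsageArtifact` in the 4632-4630-4629 patch further down. The enclosing method starts above this hunk.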
@@ -118,7 +119,7 @@ final class DataSourceSummaryPanel extends javax.swing.JPanel { //assumes only one Operating System per datasource //get the datasource id from the OSInfo's first artifact if it has artifacts if (!osInfo.getArtifacts().isEmpty() && osInfo.getArtifacts().get(0).getDataSource().getId() == selectedDataSource.getId()) { - if (!osName.isEmpty()){ + if (!osName.isEmpty()) { osName += ", "; } osName += osInfo.getOSName(); From 49568986adc1962bf5609b28206331297ffe4d2b Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Wed, 16 Jan 2019 18:08:10 -0500 Subject: [PATCH 14/31] 4632 fix android volume path to be correct --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index c4e41f02ef..887a50737d 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -46,7 +46,7 @@ public class DataSourceUsageAnalyzer extends Extract { private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; - private static final String ANDROID_VOLUME_PATH = "data/data/com.android.providers.settings/databases/settings.db"; + private static final String ANDROID_VOLUME_PATH = "data/com.android.providers.settings/databases/settings.db"; //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html private static final String LINUX_RED_HAT_PATHS[] = {"/etc/redhat-release", "/etc/redhat_version"}; private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; From 343c8218a3cb264893a5b25a5a6b1eaf0985bc3d Mon Sep 17 00:00:00 2001 
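Review bot: `ANDROID_VOLUME_PATH` now drops the first `data/` segment with no comment explaining which image layouts the shorter relative path is meant to cover; the commit subject only says the path is now correct. Because the lookup splits this value into a file name and a parent-path fragment, a one-line comment above the constant would stop the next reader from restoring the old value. For example `//relative on purpose: the data partition may be the image root or sit under /data`, if that is indeed the reason.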
From: William Schaefer Date: Thu, 17 Jan 2019 11:12:35 -0500 Subject: [PATCH 15/31] 4632 change name of description for Windows volume to OS Drive (Windows) --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 887a50737d..1a415b7a3b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -64,7 +64,7 @@ public class DataSourceUsageAnalyzer extends Extract { private Content dataSource; @Messages({ - "DataSourceAnalyzer.windowsVolume.label=Windows volume", + "DataSourceAnalyzer.windowsVolume.label=OS Drive (Windows)", "DataSourceUsageAnalyzer.osxVolume.label=OS Drive (OS X)", "DataSourceUsageAnalyzer.osx.label=Mac OS X", "DataSourceUsageAnalyzer.androidVolume.label=OS Drive (Android)", From a0fd96acc0b0e7b143082159e68ea7d83d4a3fc0 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 13:40:11 -0500 Subject: [PATCH 16/31] 4632-4630-4629 split OS INFO art creation from OS DS Usage art creation --- .../DataSourceUsageAnalyzer.java | 180 +++++++++--------- .../autopsy/recentactivity/ExtractOs.java | 128 +++++++++++++ .../recentactivity/RAImageIngestModule.java | 20 +- 3 files changed, 225 insertions(+), 103 deletions(-) create mode 100644 RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 1a415b7a3b..4845d9a603 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
@@ -40,137 +40,129 @@ import org.sleuthkit.datamodel.TskCoreException; * */ @Messages({"DataSourceUsageAnalyzer.parentModuleName=Recent Activity"}) -public class DataSourceUsageAnalyzer extends Extract { +class DataSourceUsageAnalyzer extends Extract { private static final Logger logger = Logger.getLogger(DataSourceUsageAnalyzer.class.getName()); private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; - private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; - private static final String ANDROID_VOLUME_PATH = "data/com.android.providers.settings/databases/settings.db"; - //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html - private static final String LINUX_RED_HAT_PATHS[] = {"/etc/redhat-release", "/etc/redhat_version"}; - private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; - private static final String LINUX_FEDORA_PATH = "/etc/fedora-release"; - private static final String LINUX_SLACKWARE_PATHS[] = {"/etc/slackware-release", "/etc/slackware-version"}; - private static final String LINUX_DEBIAN_PATHS[] = {"/etc/debian_release", "/etc/debian_version"}; - private static final String LINUX_MANDRAKE_PATH = "/etc/mandrake-release"; - private static final String LINUX_YELLOW_DOG_PATH = "/etc/yellowdog-release"; - private static final String LINUX_SUN_JDS_PATH = "/etc/sun-release"; - private static final String LINUX_SOLARIS_SPARC_PATH = "/etc/release"; - private static final String LINUX_GENTOO_PATH = "/etc/gentoo-release"; - private static final String LINUX_UNITED_LINUX_PATH = "/etc/UnitedLinux-release"; - private static final String LINUX_UBUNTU_PATH = "/etc/lsb-release"; private Content dataSource; @Messages({ - "DataSourceAnalyzer.windowsVolume.label=OS Drive (Windows)", + "DataSourceUsageAnalyzer.windowsVolume.label=OS Drive (Windows)", "DataSourceUsageAnalyzer.osxVolume.label=OS Drive (OS X)", - "DataSourceUsageAnalyzer.osx.label=Mac OS X", 
"DataSourceUsageAnalyzer.androidVolume.label=OS Drive (Android)", - "DataSourceUsageAnalyzer.androidOs.label=Android", "DataSourceUsageAnalyzer.redhatLinuxVolume.label=OS Drive (Linux Redhat)", - "DataSourceUsageAnalyzer.redhatLinuxOs.label=Linux (Redhat)", "DataSourceUsageAnalyzer.novellSUSEVolume.label=OS Drive (Linux Novell SUSE)", - "DataSourceUsageAnalyzer.novellSUSEOs.label=Linux (Novell SUSE)", "DataSourceUsageAnalyzer.fedoraLinuxVolume.label=OS Drive (Linux Fedora)", - "DataSourceUsageAnalyzer.fedoraLinuxOs.lable=Linux (Fedora)", "DataSourceUsageAnalyzer.slackwareLinuxVolume.label=OS Drive (Linux Slackware)", - "DataSourceUsageAnalyzer.slackwareLinuxOs.label=Linux (Slackware)", "DataSourceUsageAnalyzer.debianLinuxVolume.label=OS Drive (Linux Debian)", - "DataSourceUsageAnalyzer.debianLinuxOs.label=Linux (Debian)", "DataSourceUsageAnalyzer.mandrakeLinuxVolume.label=OS Drive (Linux Mandrake)", - "DataSourceUsageAnalyzer.mandrakeLinuxOs.label=Linux (Mandrake)", "DataSourceUsageAnalyzer.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)", - "DataSourceUsageAnalyzer.yellowDogLinuxOs.label=Linux (Yellow Dog)", "DataSourceUsageAnalyzer.sunJDSLinuxVolume.label=OS Drive (Linux Sun JDS)", - "DataSourceUsageAnalyzer.sunJDSLinuxOs.label=Linux (Sun JDS)", "DataSourceUsageAnalyzer.solarisSparcVolume.label=OS Drive (Linux Solaris/Sparc)", - "DataSourceUsageAnalyzer.solarisSparcOs.label=Linux (Solaris/Sparc)", "DataSourceUsageAnalyzer.gentooLinuxVolume.label=OS Drive (Linux Gentoo)", - "DataSourceUsageAnalyzer.gentooLinuxOs.label=Linux (Gentoo)", "DataSourceUsageAnalyzer.unitedLinuxVolume.label=OS Drive (Linux United Linux)", - "DataSourceUsageAnalyzer.unitedLinuxOs.label=Linux (United Linux)", - "DataSourceUsageAnalyzer.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)", - "DataSourceUsageAnalyzer.ubuntuLinuxOs.label=Linux (Ubuntu)"}) + "DataSourceUsageAnalyzer.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"}) @Override void process(Content dataSource, IngestJobContext 
context) { this.dataSource = dataSource; try { - checkForOSFiles(Arrays.asList(WINDOWS_VOLUME_PATH), Bundle.DataSourceAnalyzer_windowsVolume_label(), ""); - checkForOSFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_osxVolume_label(), Bundle.DataSourceUsageAnalyzer_osx_label()); - checkForOSFiles(Arrays.asList(ANDROID_VOLUME_PATH), Bundle.DataSourceUsageAnalyzer_androidVolume_label(), Bundle.DataSourceUsageAnalyzer_androidOs_label()); - checkForOSFiles(Arrays.asList(LINUX_RED_HAT_PATHS), Bundle.DataSourceUsageAnalyzer_redhatLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_redhatLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_NOVELL_SUSE_PATH), Bundle.DataSourceUsageAnalyzer_novellSUSEVolume_label(), Bundle.DataSourceUsageAnalyzer_novellSUSEOs_label()); - checkForOSFiles(Arrays.asList(LINUX_FEDORA_PATH), Bundle.DataSourceUsageAnalyzer_fedoraLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_fedoraLinuxOs_lable()); - checkForOSFiles(Arrays.asList(LINUX_SLACKWARE_PATHS), Bundle.DataSourceUsageAnalyzer_slackwareLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_slackwareLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_DEBIAN_PATHS), Bundle.DataSourceUsageAnalyzer_debianLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_debianLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_MANDRAKE_PATH), Bundle.DataSourceUsageAnalyzer_mandrakeLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_mandrakeLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_YELLOW_DOG_PATH), Bundle.DataSourceUsageAnalyzer_yellowDogLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_yellowDogLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_SUN_JDS_PATH), Bundle.DataSourceUsageAnalyzer_sunJDSLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_sunJDSLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_SOLARIS_SPARC_PATH), Bundle.DataSourceUsageAnalyzer_solarisSparcVolume_label(), Bundle.DataSourceUsageAnalyzer_solarisSparcOs_label()); - 
checkForOSFiles(Arrays.asList(LINUX_GENTOO_PATH), Bundle.DataSourceUsageAnalyzer_gentooLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_gentooLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_UNITED_LINUX_PATH), Bundle.DataSourceUsageAnalyzer_unitedLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_unitedLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_UBUNTU_PATH), Bundle.DataSourceUsageAnalyzer_ubuntuLinuxVolume_label(), Bundle.DataSourceUsageAnalyzer_ubuntuLinuxOs_label()); + createDataSourceUsageArtifacts(); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); } } - /** - * Check if any of the specified file paths exist, if they do create a Data - * Source Usage if a description was specified and create and OS Info - * artifact if a program name was specified. - * - * @param filesToCheckFor - List of file paths to check for - * @param dataSourceUsageDescription- empty if no Data Source Usage Artifact - * should be created - * @param osInfoProgramName - empty if no OS Info Artifact should - * be created - */ - private void checkForOSFiles(List filesToCheckFor, String dataSourceUsageDescription, String osInfoProgramName) throws TskCoreException { - if (dataSourceUsageDescription.isEmpty() && osInfoProgramName.isEmpty()) { - //shortcut out if it was called with no artifacts to create - return; + private void createDataSourceUsageArtifacts() throws TskCoreException { + boolean windowsOsDetected = false; + List osInfoArtifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO); + for (BlackboardArtifact osInfoArt : osInfoArtifacts) { + //if it is the current data source + if (osInfoArt.getDataSource().getId() == dataSource.getId()) { + BlackboardAttribute progNameAttr = osInfoArt.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)); + if (progNameAttr != null) { + String 
dataSourceUsageDescription = ""; + if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls + windowsOsDetected = true; + dataSourceUsageDescription = progNameAttr.getDisplayString(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_osx_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_osxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_androidOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_androidVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_redhatLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_redhatLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_novellSUSEOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_novellSUSEVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_fedoraLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_fedoraLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_slackwareLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_slackwareLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_debianLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_debianLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_mandrakeLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_mandrakeLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_yellowDogLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_yellowDogLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_sunJDSLinuxOs_label())) { + dataSourceUsageDescription = 
Bundle.DataSourceUsageAnalyzer_sunJDSLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_solarisSparcOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_solarisSparcVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_gentooLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_gentooLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_unitedLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_unitedLinuxVolume_label(); + } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_ubuntuLinuxOs_label())) { + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_ubuntuLinuxVolume_label(); + } + createDataSourceUsageArtifact(dataSourceUsageDescription); + } + } } + if (!windowsOsDetected) { + if (osSpecificVolumeFilesExist(Arrays.asList(WINDOWS_VOLUME_PATH))) { + createDataSourceUsageArtifact(Bundle.DataSourceUsageAnalyzer_windowsVolume_label()); + } + } + } + + private void createDataSourceUsageArtifact(String dataSourceUsageDescription) throws TskCoreException { + if (!dataSourceUsageDescription.isEmpty()) { + //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description + List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); + boolean createNewUsageArtifact = true; + for (BlackboardArtifact artifact : artifacts) { + if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { + createNewUsageArtifact = false; + break; + } + } + if (createNewUsageArtifact) { + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new 
BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + dataSourceUsageDescription)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + } + } + } + + /** + * Check if any of the specified file paths exist, if they do return true + * otherwise return false. + * + * @param filesToCheckFor - List of file paths to check for + * + * @return true if any specified files exist false if none exist + */ + private boolean osSpecificVolumeFilesExist(List filesToCheckFor) throws TskCoreException { FileManager fileManager = currentCase.getServices().getFileManager(); List files = new ArrayList<>(); for (String filePath : filesToCheckFor) { files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); } - //if any files existed matching the specified file - if (!files.isEmpty()) { - if (!dataSourceUsageDescription.isEmpty()) { - //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description - List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); - boolean createNewUsageArtifact = true; - for (BlackboardArtifact artifact : artifacts) { - if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { - createNewUsageArtifact = false; - break; - } - } - if (createNewUsageArtifact) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - dataSourceUsageDescription)); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); - } - } - if 
(!osInfoProgramName.isEmpty()) { - //check if OS INFO artifact already created on this file - if (tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0).getId()).isEmpty()) { - //if the os info program name is not empty create an os info artifact on the first of the files found - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - osInfoProgramName)); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0), bbattributes); - } - } - } + return !files.isEmpty(); } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java new file mode 100644 index 0000000000..4a5fafea82 --- /dev/null +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java 
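Review bot: In `createDataSourceUsageArtifacts` the Windows branch stores the raw program name as the usage description, while every other branch maps to an "OS Drive (...)" label, so Windows images get a differently shaped TSK_DATA_SOURCE_USAGE value and the `/windows/system32` fallback label is used only when no OS_INFO artifact mentions Windows. If that is not intended, assign `dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_windowsVolume_label();` there. The same condition calls `toLowerCase()` with the default locale; `toLowerCase(Locale.ROOT)` (plus the `java.util.Locale` import) keeps the "windows" match stable for names containing an upper-case I under a Turkish locale. The remaining branches match on `Bundle.ExtractOs_*` display labels, so an artifact written under one UI language may not be recognised under another; comparing against a non-localized constant would avoid that. Both new private methods also lack Javadoc, unlike `osSpecificVolumeFilesExist`.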
@@ -0,0 +1,128 @@ +/* + * Autopsy Forensic Browser + * + * Copyright 2019 Basis Technology Corp. + * Contact: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.recentactivity; + +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.List; +import java.util.logging.Level; +import org.apache.commons.io.FilenameUtils; +import org.openide.util.NbBundle.Messages; +import org.sleuthkit.autopsy.casemodule.services.FileManager; +import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.autopsy.ingest.IngestJobContext; +import org.sleuthkit.datamodel.AbstractFile; +import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.TskCoreException; + +class ExtractOs extends Extract { + + private static final Logger logger = Logger.getLogger(ExtractOs.class.getName()); + + private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; + private static final String ANDROID_VOLUME_PATH = "data/com.android.providers.settings/databases/settings.db"; + //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html + private static final String LINUX_RED_HAT_PATHS[] = {"/etc/redhat-release", "/etc/redhat_version"}; + private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; + 
private static final String LINUX_FEDORA_PATH = "/etc/fedora-release"; + private static final String LINUX_SLACKWARE_PATHS[] = {"/etc/slackware-release", "/etc/slackware-version"}; + private static final String LINUX_DEBIAN_PATHS[] = {"/etc/debian_release", "/etc/debian_version"}; + private static final String LINUX_MANDRAKE_PATH = "/etc/mandrake-release"; + private static final String LINUX_YELLOW_DOG_PATH = "/etc/yellowdog-release"; + private static final String LINUX_SUN_JDS_PATH = "/etc/sun-release"; + private static final String LINUX_SOLARIS_SPARC_PATH = "/etc/release"; + private static final String LINUX_GENTOO_PATH = "/etc/gentoo-release"; + private static final String LINUX_UNITED_LINUX_PATH = "/etc/UnitedLinux-release"; + private static final String LINUX_UBUNTU_PATH = "/etc/lsb-release"; + + private Content dataSource; + + @Messages({ + "ExtractOs.osx.label=Mac OS X", + "ExtractOs.androidOs.label=Android", + "ExtractOs.redhatLinuxOs.label=Linux (Redhat)", + "ExtractOs.novellSUSEOs.label=Linux (Novell SUSE)", + "ExtractOs.fedoraLinuxOs.label=Linux (Fedora)", + "ExtractOs.slackwareLinuxOs.label=Linux (Slackware)", + "ExtractOs.debianLinuxOs.label=Linux (Debian)", + "ExtractOs.mandrakeLinuxOs.label=Linux (Mandrake)", + "ExtractOs.yellowDogLinuxOs.label=Linux (Yellow Dog)", + "ExtractOs.sunJDSLinuxOs.label=Linux (Sun JDS)", + "ExtractOs.solarisSparcOs.label=Linux (Solaris/Sparc)", + "ExtractOs.gentooLinuxOs.label=Linux (Gentoo)", + "ExtractOs.unitedLinuxOs.label=Linux (United Linux)", + "ExtractOs.ubuntuLinuxOs.label=Linux (Ubuntu)"}) + @Override + void process(Content dataSource, IngestJobContext context) { + this.dataSource = dataSource; + try { + checkForOSFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.ExtractOs_osx_label()); + checkForOSFiles(Arrays.asList(ANDROID_VOLUME_PATH), Bundle.ExtractOs_androidOs_label()); + checkForOSFiles(Arrays.asList(LINUX_RED_HAT_PATHS), Bundle.ExtractOs_redhatLinuxOs_label()); + 
checkForOSFiles(Arrays.asList(LINUX_NOVELL_SUSE_PATH), Bundle.ExtractOs_novellSUSEOs_label()); + checkForOSFiles(Arrays.asList(LINUX_FEDORA_PATH), Bundle.ExtractOs_fedoraLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_SLACKWARE_PATHS), Bundle.ExtractOs_slackwareLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_DEBIAN_PATHS), Bundle.ExtractOs_debianLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_MANDRAKE_PATH), Bundle.ExtractOs_mandrakeLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_YELLOW_DOG_PATH), Bundle.ExtractOs_yellowDogLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_SUN_JDS_PATH), Bundle.ExtractOs_sunJDSLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_SOLARIS_SPARC_PATH), Bundle.ExtractOs_solarisSparcOs_label()); + checkForOSFiles(Arrays.asList(LINUX_GENTOO_PATH), Bundle.ExtractOs_gentooLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_UNITED_LINUX_PATH), Bundle.ExtractOs_unitedLinuxOs_label()); + checkForOSFiles(Arrays.asList(LINUX_UBUNTU_PATH), Bundle.ExtractOs_ubuntuLinuxOs_label()); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); + } + } + + /** + * Check if any of the specified file paths exist if they do create an OS + * Info artifact if a program name was specified. 
+ * + * @param filesToCheckFor - List of file paths to check for + * @param osInfoProgramName - empty if no OS Info Artifact should be created + */ + private void checkForOSFiles(List filesToCheckFor, String osInfoProgramName) throws TskCoreException { + if (osInfoProgramName.isEmpty()) { + //shortcut out if it was called with no OS Program nameartifacts to create + return; + } + FileManager fileManager = currentCase.getServices().getFileManager(); + List files = new ArrayList<>(); + for (String filePath : filesToCheckFor) { + files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); + } + if (!files.isEmpty()) { + if (!osInfoProgramName.isEmpty()) { + //check if OS INFO artifact already created on this file + if (tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0).getId()).isEmpty()) { + //if the os info program name is not empty create an os info artifact on the first of the files found + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + osInfoProgramName)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0), bbattributes); + } + } + } + } +} diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index 7d17030809..58b6afbba8 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java 
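Review bot: In `checkForOSFiles` the match may be looser than the path constants suggest, because each path is split with `FilenameUtils.getName`/`getPath` before it is passed to `fileManager.findFiles`. If that call treats the directory argument as a substring of the parent path (worth confirming against FileManager), a file such as `backup/etc/lsb-release` anywhere on the image also satisfies the check. The TSK_OS_INFO artifact is then attached to `files.get(0)`, whichever hit is returned first, so a stray copy of a release file can label the data source with the wrong OS. I would filter the hits on `AbstractFile.getParentPath()` before testing `files.isEmpty()`, or at least add `//findFiles may match the directory anywhere in the parent path; hits are not verified to sit at the volume root` above the loop. The inner `if (!osInfoProgramName.isEmpty())` is redundant after the early return at the top of the method.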
@@ -1,19 +1,19 @@ - /* +/* * * Autopsy Forensic Browser - * + * * Copyright 2012-2019 Basis Technology Corp. - * + * * Copyright 2012 42six Solutions. * Contact: aebadirad 42six com * Project Contact/Architect: carrier sleuthkit org - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -70,15 +70,17 @@ public final class RAImageIngestModule implements DataSourceIngestModule { Extract chrome = new Chrome(); Extract firefox = new Firefox(); Extract SEUQA = new SearchEngineURLQueryAnalyzer(); - Extract dataSourceProfiler = new DataSourceUsageAnalyzer(); + Extract osExtract = new ExtractOs(); + Extract dataSourceAnalyzer = new DataSourceUsageAnalyzer(); extractors.add(chrome); extractors.add(firefox); extractors.add(iexplore); extractors.add(recentDocuments); - extractors.add(dataSourceProfiler); extractors.add(SEUQA); // this needs to run after the web browser modules - extractors.add(registry); // this runs last because it is slowest + extractors.add(registry); // this should run after quicker modules like the browser modules and needs to run before the DataSourceUsageAnalyzer + extractors.add(osExtract); // this needs to run before the DataSourceUsageAnalyzer + extractors.add(dataSourceAnalyzer); //this needs to run after ExtractRegistry and ExtractOs browserExtracters.add(chrome); browserExtracters.add(firefox); From 2a3a4a7b882800755ffbb8935e752b55a4efeecf Mon Sep 17 00:00:00 2001 
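Review bot: In the second hunk the run order is carried only by the sequence of `extractors.add(...)` calls, and the three trailing comments say what must precede what but not why. Presumably `DataSourceUsageAnalyzer` consumes the OS_INFO artifacts that `ExtractRegistry` and `ExtractOs` post; if so, a later reorder would silently produce fewer usage artifacts rather than an error. I would state the data dependency once above the three calls, for example `// DataSourceUsageAnalyzer builds on the TSK_OS_INFO artifacts posted by ExtractRegistry and ExtractOs, so it must stay last`. The enclosing method starts and ends outside the hunk.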
From: William Schaefer Date: Fri, 18 Jan 2019 13:45:15 -0500 Subject: [PATCH 17/31] 4632-4630-4629 spelling fix for word extractor --- .../recentactivity/RAImageIngestModule.java | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index 58b6afbba8..5f1c31664a 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -46,7 +46,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { private static final Logger logger = Logger.getLogger(RAImageIngestModule.class.getName()); private final List extractors = new ArrayList<>(); - private final List browserExtracters = new ArrayList<>(); + private final List browserExtractors = new ArrayList<>(); private IngestServices services = IngestServices.getInstance(); private IngestJobContext context; private StringBuilder subCompleted = new StringBuilder(); @@ -82,12 +82,12 @@ public final class RAImageIngestModule implements DataSourceIngestModule { extractors.add(osExtract); // this needs to run before the DataSourceUsageAnalyzer extractors.add(dataSourceAnalyzer); //this needs to run after ExtractRegistry and ExtractOs - browserExtracters.add(chrome); - browserExtracters.add(firefox); - browserExtracters.add(iexplore); + browserExtractors.add(chrome); + browserExtractors.add(firefox); + browserExtractors.add(iexplore); - for (Extract extracter : extractors) { - extracter.init(); + for (Extract extractor : extractors) { + extractor.init(); } } 
@@ -157,7 +157,7 @@ public final class RAImageIngestModule implements DataSourceIngestModule { StringBuilder historyMsg = new StringBuilder(); historyMsg.append( NbBundle.getMessage(this.getClass(), "RAImageIngestModule.process.histMsg.title", dataSource.getName())); - for (Extract module : browserExtracters) { + for (Extract module : browserExtractors) { historyMsg.append("
  • ").append(module.getName()); //NON-NLS historyMsg.append(": ").append((module.foundData()) ? NbBundle .getMessage(this.getClass(), "RAImageIngestModule.process.histMsg.found") : NbBundle From f9e612cee160e806579b438c9a584d804003f323 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 13:59:32 -0500 Subject: [PATCH 18/31] 4632-4630-4629-simplify check for existing attributes method --- .../DataSourceUsageAnalyzer.java | 20 +++++++++---------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 4845d9a603..f44cad47f5 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -49,6 +49,8 @@ class DataSourceUsageAnalyzer extends Extract { private Content dataSource; @Messages({ + "# {0} - OS name", + "DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})", "DataSourceUsageAnalyzer.windowsVolume.label=OS Drive (Windows)", "DataSourceUsageAnalyzer.osxVolume.label=OS Drive (OS X)", "DataSourceUsageAnalyzer.androidVolume.label=OS Drive (Android)", @@ -87,7 +89,7 @@ class DataSourceUsageAnalyzer extends Extract { String dataSourceUsageDescription = ""; if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls windowsOsDetected = true; - dataSourceUsageDescription = progNameAttr.getDisplayString(); + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString()); } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_osx_label())) { dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_osxVolume_label(); } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_androidOs_label())) { 
@@ -132,20 +134,16 @@ class DataSourceUsageAnalyzer extends Extract { if (!dataSourceUsageDescription.isEmpty()) { //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); - boolean createNewUsageArtifact = true; for (BlackboardArtifact artifact : artifacts) { if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { - createNewUsageArtifact = false; - break; + return; //already exists don't create a duplicate } } - if (createNewUsageArtifact) { - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - dataSourceUsageDescription)); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); - } + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + dataSourceUsageDescription)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); } } From b0fab6d18fc32f4d7f178915711b66a1e8f25dc9 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 14:14:20 -0500 Subject: [PATCH 19/31] 4632-4630-4629 adjust comments and bundle message --- .../DataSourceUsageAnalyzer.java | 20 +++++++++++++++---- .../autopsy/recentactivity/ExtractOs.java | 7 ++++++- 2 files changed, 22 insertions(+), 5 deletions(-) 
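Review bot: The duplicate check that this hunk restructures still dereferences `artifact.getAttribute(...)` without a null check, so an existing TSK_DATA_SOURCE_USAGE artifact that carries no TSK_DESCRIPTION attribute would raise a NullPointerException. That exception is not a `TskCoreException`, so the catch in `process` would not handle it. While the loop is being touched, the comparison could be made null-safe: `BlackboardAttribute descAttr = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION));` followed by `if (descAttr != null && dataSourceUsageDescription.equals(descAttr.getValueString())) { return; }`. The signature of `createDataSourceUsageArtifact` lies outside the hunk.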
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index f44cad47f5..1f8f2717a5 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -43,9 +43,7 @@ import org.sleuthkit.datamodel.TskCoreException; class DataSourceUsageAnalyzer extends Extract { private static final Logger logger = Logger.getLogger(DataSourceUsageAnalyzer.class.getName()); - private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; - private Content dataSource; @Messages({ @@ -68,7 +66,6 @@ class DataSourceUsageAnalyzer extends Extract { "DataSourceUsageAnalyzer.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"}) @Override void process(Content dataSource, IngestJobContext context) { - this.dataSource = dataSource; try { createDataSourceUsageArtifacts(); @@ -78,6 +75,12 @@ class DataSourceUsageAnalyzer extends Extract { } + /** + * Create TSK_DATA_SOURCE_USAGE artifacts based on OS_INFO artifacts + * existing as well as other criteria such as specific paths existing. + * + * @throws TskCoreException + */ private void createDataSourceUsageArtifacts() throws TskCoreException { boolean windowsOsDetected = false; List osInfoArtifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO); 
@@ -123,13 +126,22 @@ class DataSourceUsageAnalyzer extends Extract { } } } - if (!windowsOsDetected) { + if (!windowsOsDetected) { //if we didn't find a windows OS_INFO artifact check if we still think it is a windows volume if (osSpecificVolumeFilesExist(Arrays.asList(WINDOWS_VOLUME_PATH))) { createDataSourceUsageArtifact(Bundle.DataSourceUsageAnalyzer_windowsVolume_label()); } } } + /** + * If a TSK_DATA_SOURCE_USAGE artifact does not exist with the given + * description create one. + * + * @param dataSourceUsageDescription the text for the description attribute + * of the TSK_DATA_SOURCE_USAGE artifact + * + * @throws TskCoreException + */ private void createDataSourceUsageArtifact(String dataSourceUsageDescription) throws TskCoreException { if (!dataSourceUsageDescription.isEmpty()) { //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 4a5fafea82..11fa6dd8d9 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java @@ -34,6 +34,11 @@ import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.TskCoreException; +/** + * Create OS INFO artifacts for the Operating Systems believed to be present on + * the data source. + */ +@Messages({"ExtractOs.parentModuleName=Recent Activity"}) class ExtractOs extends Extract { private static final Logger logger = Logger.getLogger(ExtractOs.class.getName()); 
@@ -118,7 +123,7 @@ class ExtractOs extends Extract { //if the os info program name is not empty create an os info artifact on the first of the files found Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), + Bundle.ExtractOs_parentModuleName(), osInfoProgramName)); //NON-NLS addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0), bbattributes); } From e0a836e3e0db37df033409b5369f8394e4a58724 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 15:10:12 -0500 Subject: [PATCH 20/31] 4632-4630-4629 use enum to make code easier to read and mantain --- .../DataSourceUsageAnalyzer.java | 55 ++---- .../autopsy/recentactivity/ExtractOs.java | 160 ++++++++++++------ 2 files changed, 123 insertions(+), 92 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 1f8f2717a5..6740e7e0eb 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
@@ -48,22 +48,8 @@ class DataSourceUsageAnalyzer extends Extract { @Messages({ "# {0} - OS name", - "DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})", - "DataSourceUsageAnalyzer.windowsVolume.label=OS Drive (Windows)", - "DataSourceUsageAnalyzer.osxVolume.label=OS Drive (OS X)", - "DataSourceUsageAnalyzer.androidVolume.label=OS Drive (Android)", - "DataSourceUsageAnalyzer.redhatLinuxVolume.label=OS Drive (Linux Redhat)", - "DataSourceUsageAnalyzer.novellSUSEVolume.label=OS Drive (Linux Novell SUSE)", - "DataSourceUsageAnalyzer.fedoraLinuxVolume.label=OS Drive (Linux Fedora)", - "DataSourceUsageAnalyzer.slackwareLinuxVolume.label=OS Drive (Linux Slackware)", - "DataSourceUsageAnalyzer.debianLinuxVolume.label=OS Drive (Linux Debian)", - "DataSourceUsageAnalyzer.mandrakeLinuxVolume.label=OS Drive (Linux Mandrake)", - "DataSourceUsageAnalyzer.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)", - "DataSourceUsageAnalyzer.sunJDSLinuxVolume.label=OS Drive (Linux Sun JDS)", - "DataSourceUsageAnalyzer.solarisSparcVolume.label=OS Drive (Linux Solaris/Sparc)", - "DataSourceUsageAnalyzer.gentooLinuxVolume.label=OS Drive (Linux Gentoo)", - "DataSourceUsageAnalyzer.unitedLinuxVolume.label=OS Drive (Linux United Linux)", - "DataSourceUsageAnalyzer.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"}) + "DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})" + }) @Override void process(Content dataSource, IngestJobContext context) { this.dataSource = dataSource; 
@@ -92,35 +78,16 @@ class DataSourceUsageAnalyzer extends Extract { String dataSourceUsageDescription = ""; if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls windowsOsDetected = true; + //use the program name when it appears to be windows dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString()); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_osx_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_osxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_androidOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_androidVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_redhatLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_redhatLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_novellSUSEOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_novellSUSEVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_fedoraLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_fedoraLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_slackwareLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_slackwareLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_debianLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_debianLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_mandrakeLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_mandrakeLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_yellowDogLinuxOs_label())) { - dataSourceUsageDescription = 
Bundle.DataSourceUsageAnalyzer_yellowDogLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_sunJDSLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_sunJDSLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_solarisSparcOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_solarisSparcVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_gentooLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_gentooLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_unitedLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_unitedLinuxVolume_label(); - } else if (progNameAttr.getDisplayString().contains(Bundle.ExtractOs_ubuntuLinuxOs_label())) { - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_ubuntuLinuxVolume_label(); + } else { + ExtractOs.OS_TYPE osType = ExtractOs.OS_TYPE.fromOsInfoLabel(moduleName); + if (osType != null) { + dataSourceUsageDescription = osType.getDsUsageLabel(); + } else { + //unable to determine name for DATA_SOURCE_USAGE artifact using program name + dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString()); + } } createDataSourceUsageArtifact(dataSourceUsageDescription); } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 11fa6dd8d9..7a21ea71b1 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java 
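Review bot: The new `else` branch looks up the OS type with `ExtractOs.OS_TYPE.fromOsInfoLabel(moduleName)`, whereas every removed branch compared `progNameAttr.getDisplayString()` against the ExtractOs labels. `moduleName` is defined outside the hunk, but if it is the extractor's own name the lookup will not match any label, and every non-Windows data source falls through to the `customVolume` fallback (so "OS Drive (Mac OS X)" instead of "OS Drive (OS X)"). The call probably wants `ExtractOs.OS_TYPE.fromOsInfoLabel(progNameAttr.getDisplayString())`. Note also that `fromOsInfoLabel` matches with `equals` where the old chain used `contains`, so a program name that merely includes a label no longer maps to it.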
@@ -21,6 +21,7 @@ package org.sleuthkit.autopsy.recentactivity; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; +import java.util.Collections; import java.util.List; import java.util.logging.Level; import org.apache.commons.io.FilenameUtils; @@ -43,6 +44,7 @@ class ExtractOs extends Extract { private static final Logger logger = Logger.getLogger(ExtractOs.class.getName()); + private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; private static final String ANDROID_VOLUME_PATH = "data/com.android.providers.settings/databases/settings.db"; //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html 
@@ -61,6 +63,48 @@ class ExtractOs extends Extract { private Content dataSource; + @Override + void process(Content dataSource, IngestJobContext context) { + this.dataSource = dataSource; + try { + for (OS_TYPE value : OS_TYPE.values()) { + checkForOSFiles(value); + } + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); + } + } + + /** + * Check if any of the specified file paths exist if they do create an OS + * Info artifact if a program name was specified. + * + * @param osType - the enumeration of OS_TYPE which represents the operating + * system being checked for + */ + private void checkForOSFiles(OS_TYPE osType) throws TskCoreException { + if (osType.getOsInfoLabel().isEmpty()) { + //shortcut out if it was called with no OS Program nameartifacts to create + return; + } + FileManager fileManager = currentCase.getServices().getFileManager(); + List files = new ArrayList<>(); + for (String filePath : osType.getFilePaths()) { + files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); + } + if (!files.isEmpty()) { + //check if OS INFO artifact already created on this file + if (tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0).getId()).isEmpty()) { + //if the os info program name is not empty create an os info artifact on the first of the files found + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, + Bundle.ExtractOs_parentModuleName(), + osType.getOsInfoLabel())); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0), bbattributes); + } + } + } + @Messages({ "ExtractOs.osx.label=Mac OS X", "ExtractOs.androidOs.label=Android", 
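Review bot: In the new `process`, the `try` wraps the whole `for (OS_TYPE value : OS_TYPE.values())` loop, so one `TskCoreException` from a single lookup skips every remaining OS type, and the warning does not say which type failed. Moving the try/catch inside the loop keeps the other checks running and lets the message name the type, e.g. `logger.log(Level.WARNING, "Failed to check data source for " + value + " specific files", ex);`. The comment in `checkForOSFiles` also reads "OS Program nameartifacts to create"; `//nothing to do when no OS_INFO label is defined for this type` would say what the early return is for.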
@@ -75,59 +119,79 @@ class ExtractOs extends Extract { "ExtractOs.solarisSparcOs.label=Linux (Solaris/Sparc)", "ExtractOs.gentooLinuxOs.label=Linux (Gentoo)", "ExtractOs.unitedLinuxOs.label=Linux (United Linux)", - "ExtractOs.ubuntuLinuxOs.label=Linux (Ubuntu)"}) - @Override - void process(Content dataSource, IngestJobContext context) { - this.dataSource = dataSource; - try { - checkForOSFiles(Arrays.asList(OSX_VOLUME_PATH), Bundle.ExtractOs_osx_label()); - checkForOSFiles(Arrays.asList(ANDROID_VOLUME_PATH), Bundle.ExtractOs_androidOs_label()); - checkForOSFiles(Arrays.asList(LINUX_RED_HAT_PATHS), Bundle.ExtractOs_redhatLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_NOVELL_SUSE_PATH), Bundle.ExtractOs_novellSUSEOs_label()); - checkForOSFiles(Arrays.asList(LINUX_FEDORA_PATH), Bundle.ExtractOs_fedoraLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_SLACKWARE_PATHS), Bundle.ExtractOs_slackwareLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_DEBIAN_PATHS), Bundle.ExtractOs_debianLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_MANDRAKE_PATH), Bundle.ExtractOs_mandrakeLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_YELLOW_DOG_PATH), Bundle.ExtractOs_yellowDogLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_SUN_JDS_PATH), Bundle.ExtractOs_sunJDSLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_SOLARIS_SPARC_PATH), Bundle.ExtractOs_solarisSparcOs_label()); - checkForOSFiles(Arrays.asList(LINUX_GENTOO_PATH), Bundle.ExtractOs_gentooLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_UNITED_LINUX_PATH), Bundle.ExtractOs_unitedLinuxOs_label()); - checkForOSFiles(Arrays.asList(LINUX_UBUNTU_PATH), Bundle.ExtractOs_ubuntuLinuxOs_label()); - } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); - } - } + "ExtractOs.ubuntuLinuxOs.label=Linux (Ubuntu)", + "ExtractOs.windowsVolume.label=OS Drive (Windows)", + 
"ExtractOs.osxVolume.label=OS Drive (OS X)", + "ExtractOs.androidVolume.label=OS Drive (Android)", + "ExtractOs.redhatLinuxVolume.label=OS Drive (Linux Redhat)", + "ExtractOs.novellSUSEVolume.label=OS Drive (Linux Novell SUSE)", + "ExtractOs.fedoraLinuxVolume.label=OS Drive (Linux Fedora)", + "ExtractOs.slackwareLinuxVolume.label=OS Drive (Linux Slackware)", + "ExtractOs.debianLinuxVolume.label=OS Drive (Linux Debian)", + "ExtractOs.mandrakeLinuxVolume.label=OS Drive (Linux Mandrake)", + "ExtractOs.yellowDogLinuxVolume.label=OS Drive (Linux Yellow Dog)", + "ExtractOs.sunJDSLinuxVolume.label=OS Drive (Linux Sun JDS)", + "ExtractOs.solarisSparcVolume.label=OS Drive (Linux Solaris/Sparc)", + "ExtractOs.gentooLinuxVolume.label=OS Drive (Linux Gentoo)", + "ExtractOs.unitedLinuxVolume.label=OS Drive (Linux United Linux)", + "ExtractOs.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"}) + enum OS_TYPE { + WINDOWS("", Bundle.DataSourceUsageAnalyzer_windowsVolume_label(), Arrays.asList(WINDOWS_VOLUME_PATH)), //windows doesn't get OS_INFO artifacts created for it here + MAC_OS_X(Bundle.ExtractOs_osx_label(), Bundle.ExtractOs_osxVolume_label(), Arrays.asList(OSX_VOLUME_PATH)), + ANDROID(Bundle.ExtractOs_androidOs_label(), Bundle.ExtractOs_androidVolume_label(), Arrays.asList(ANDROID_VOLUME_PATH)), + LINUX_REDHAT(Bundle.ExtractOs_redhatLinuxOs_label(), Bundle.ExtractOs_redhatLinuxVolume_label(), Arrays.asList(LINUX_RED_HAT_PATHS)), + LINUX_NOVELL_SUSE(Bundle.ExtractOs_novellSUSEOs_label(), Bundle.ExtractOs_novellSUSEVolume_label(), Arrays.asList(LINUX_NOVELL_SUSE_PATH)), + LINUX_FEDORA(Bundle.ExtractOs_fedoraLinuxOs_label(), Bundle.ExtractOs_fedoraLinuxVolume_label(), Arrays.asList(LINUX_FEDORA_PATH)), + LINUX_SLACKWARE(Bundle.ExtractOs_slackwareLinuxOs_label(), Bundle.ExtractOs_slackwareLinuxVolume_label(), Arrays.asList(LINUX_SLACKWARE_PATHS)), + LINUX_DEBIAN(Bundle.ExtractOs_debianLinuxOs_label(), Bundle.ExtractOs_debianLinuxVolume_label(), 
Arrays.asList(LINUX_DEBIAN_PATHS)), + LINUX_MANDRAKE(Bundle.ExtractOs_mandrakeLinuxOs_label(), Bundle.ExtractOs_mandrakeLinuxVolume_label(), Arrays.asList(LINUX_MANDRAKE_PATH)), + LINUX_YELLOW_DOG(Bundle.ExtractOs_yellowDogLinuxOs_label(), Bundle.ExtractOs_yellowDogLinuxVolume_label(), Arrays.asList(LINUX_YELLOW_DOG_PATH)), + LINUX_SUN_JDS(Bundle.ExtractOs_sunJDSLinuxOs_label(), Bundle.ExtractOs_sunJDSLinuxVolume_label(), Arrays.asList(LINUX_SUN_JDS_PATH)), + LINUX_SOLARIS_SPARC(Bundle.ExtractOs_solarisSparcOs_label(), Bundle.ExtractOs_solarisSparcVolume_label(), Arrays.asList(LINUX_SOLARIS_SPARC_PATH)), + LINUX_GENTOO(Bundle.ExtractOs_gentooLinuxOs_label(), Bundle.ExtractOs_gentooLinuxVolume_label(), Arrays.asList(LINUX_GENTOO_PATH)), + LINUX_UNITED_LINUX(Bundle.ExtractOs_unitedLinuxOs_label(), Bundle.ExtractOs_unitedLinuxVolume_label(), Arrays.asList(LINUX_UNITED_LINUX_PATH)), + LINUX_UBUNTU(Bundle.ExtractOs_ubuntuLinuxOs_label(), Bundle.ExtractOs_ubuntuLinuxVolume_label(), Arrays.asList(LINUX_UBUNTU_PATH)); - /** - * Check if any of the specified file paths exist if they do create an OS - * Info artifact if a program name was specified. 
- * - * @param filesToCheckFor - List of file paths to check for - * @param osInfoProgramName - empty if no OS Info Artifact should be created - */ - private void checkForOSFiles(List filesToCheckFor, String osInfoProgramName) throws TskCoreException { - if (osInfoProgramName.isEmpty()) { - //shortcut out if it was called with no OS Program nameartifacts to create - return; + private final String osInfoLabel; + private final String dsUsageLabel; + private final List filePaths; + + private OS_TYPE(String osInfoText, String dsUsageText, List filePathList) { + this.osInfoLabel = osInfoText; + this.dsUsageLabel = dsUsageText; + this.filePaths = filePathList; } - FileManager fileManager = currentCase.getServices().getFileManager(); - List files = new ArrayList<>(); - for (String filePath : filesToCheckFor) { - files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); + + String getOsInfoLabel() { + return osInfoLabel; } - if (!files.isEmpty()) { - if (!osInfoProgramName.isEmpty()) { - //check if OS INFO artifact already created on this file - if (tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0).getId()).isEmpty()) { - //if the os info program name is not empty create an os info artifact on the first of the files found - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, - Bundle.ExtractOs_parentModuleName(), - osInfoProgramName)); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0), bbattributes); + + String getDsUsageLabel() { + return dsUsageLabel; + } + + List getFilePaths() { + return Collections.unmodifiableList(filePaths); + } + + static public OS_TYPE fromDsUsageLabel(String dsUsageLabel) { + for (OS_TYPE value : OS_TYPE.values()) { + if (value.getDsUsageLabel().equals(dsUsageLabel)) { + return value; } } + return null; } + + static public OS_TYPE 
fromOsInfoLabel(String osInfoLabel) { + for (OS_TYPE value : OS_TYPE.values()) { + if (value.getOsInfoLabel().equals(osInfoLabel)) { + return value; + } + } + return null; + } + } + } From 665d61c413b25fa5341534fe994cb9bfad9617d0 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 15:23:05 -0500 Subject: [PATCH 21/31] 4632-4630-4629 clean up code after changes to Enum based approach. --- .../DataSourceUsageAnalyzer.java | 52 +++++++------------ .../autopsy/recentactivity/ExtractOs.java | 12 ++++- 2 files changed, 29 insertions(+), 35 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 6740e7e0eb..67649ced21 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -19,7 +19,6 @@ package org.sleuthkit.autopsy.recentactivity; import java.util.ArrayList; -import java.util.Arrays; import java.util.Collection; import java.util.List; import java.util.logging.Level; @@ -41,11 +40,10 @@ import org.sleuthkit.datamodel.TskCoreException; */ @Messages({"DataSourceUsageAnalyzer.parentModuleName=Recent Activity"}) class DataSourceUsageAnalyzer extends Extract { - + private static final Logger logger = Logger.getLogger(DataSourceUsageAnalyzer.class.getName()); - private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private Content dataSource; - + @Messages({ "# {0} - OS name", "DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})" @@ -58,7 +56,7 @@ class DataSourceUsageAnalyzer extends Extract { } catch (TskCoreException ex) { logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); } - + } /** 
@@ -94,52 +92,38 @@ class DataSourceUsageAnalyzer extends Extract { } } if (!windowsOsDetected) { //if we didn't find a windows OS_INFO artifact check if we still think it is a windows volume - if (osSpecificVolumeFilesExist(Arrays.asList(WINDOWS_VOLUME_PATH))) { - createDataSourceUsageArtifact(Bundle.DataSourceUsageAnalyzer_windowsVolume_label()); - } + checkIfOsSpecificVolume(ExtractOs.OS_TYPE.WINDOWS); } } /** - * If a TSK_DATA_SOURCE_USAGE artifact does not exist with the given - * description create one. + * Check if any of the specified file paths exist for the specified OS_TYPE + * exist, if they do create a TSK_DATA_SOURCE_USAGE artifact does if one + * does not exist with the given description. * - * @param dataSourceUsageDescription the text for the description attribute - * of the TSK_DATA_SOURCE_USAGE artifact + * @param osType - the OS_TYPE to check for * - * @throws TskCoreException + * @return true if any specified files exist false if none exist */ - private void createDataSourceUsageArtifact(String dataSourceUsageDescription) throws TskCoreException { - if (!dataSourceUsageDescription.isEmpty()) { + private void checkIfOsSpecificVolume(ExtractOs.OS_TYPE osType) { + FileManager fileManager = currentCase.getServices().getFileManager(); + List files = new ArrayList<>(); + for (String filePath : osType.getFilePaths()) { + files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); + } + if (!files.isEmpty) { //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); for (BlackboardArtifact artifact : artifacts) { - if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { + 
if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(osType.getDsUsageLabel())) { return; //already exists don't create a duplicate } } Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, Bundle.DataSourceUsageAnalyzer_parentModuleName(), - dataSourceUsageDescription)); //NON-NLS + osType.getDsUsageLabel())); //NON-NLS addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); } } - - /** - * Check if any of the specified file paths exist, if they do return true - * otherwise return false. - * - * @param filesToCheckFor - List of file paths to check for - * - * @return true if any specified files exist false if none exist - */ - private boolean osSpecificVolumeFilesExist(List filesToCheckFor) throws TskCoreException { - FileManager fileManager = currentCase.getServices().getFileManager(); - List files = new ArrayList<>(); - for (String filePath : filesToCheckFor) { - files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); - } - return !files.isEmpty(); - } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 7a21ea71b1..70424f3004 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java 
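Review bot: The duplicate check in `checkIfOsSpecificVolume` calls `getValueString()` directly on the result of `artifact.getAttribute(...)`, although the OS_INFO loop in this same file null-checks that call (`if (progNameAttr != null)`). A TSK_DATA_SOURCE_USAGE artifact without a TSK_DESCRIPTION attribute would therefore presumably raise a NullPointerException, which the `catch (TskCoreException ex)` in `process` does not cover. Hold the attribute in a local first, `BlackboardAttribute desc = artifact.getAttribute(...);`, and test `if (desc != null && desc.getValueString().equals(osType.getDsUsageLabel()))`. The same unguarded chain is carried into `createDataSourceUsageArtifact` in patches 22/31 and 25/31. As committed here the method also reads `files.isEmpty` without parentheses and lacks `throws TskCoreException`; the next patch corrects both.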
@@ -134,7 +134,11 @@ class ExtractOs extends Extract { "ExtractOs.solarisSparcVolume.label=OS Drive (Linux Solaris/Sparc)", "ExtractOs.gentooLinuxVolume.label=OS Drive (Linux Gentoo)", "ExtractOs.unitedLinuxVolume.label=OS Drive (Linux United Linux)", - "ExtractOs.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"}) + "ExtractOs.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"})s + /** + * Enum used for coupling the TSK_OS_INFO artifacts created in ExtractOs and + * the TSK_DATA_SOURCE_USAGE artifacts created in DataSourceUsageAnalyzer + */ enum OS_TYPE { WINDOWS("", Bundle.DataSourceUsageAnalyzer_windowsVolume_label(), Arrays.asList(WINDOWS_VOLUME_PATH)), //windows doesn't get OS_INFO artifacts created for it here MAC_OS_X(Bundle.ExtractOs_osx_label(), Bundle.ExtractOs_osxVolume_label(), Arrays.asList(OSX_VOLUME_PATH)), @@ -156,6 +160,12 @@ class ExtractOs extends Extract { private final String dsUsageLabel; private final List filePaths; + /** + * An OS_TYPE enum containing the messages + * @param osInfoText + * @param dsUsageText + * @param filePathList + */ private OS_TYPE(String osInfoText, String dsUsageText, List filePathList) { this.osInfoLabel = osInfoText; this.dsUsageLabel = dsUsageText; From 0f004b2cbe35ec223524ff64f321c1d5d3e04365 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 15:41:47 -0500 Subject: [PATCH 22/31] 4632-4630-4629 add missing comments and correct errors with enum refactor --- .../DataSourceUsageAnalyzer.java | 54 +++++++++++------- .../autopsy/recentactivity/ExtractOs.java | 55 ++++++++++++++++--- 2 files changed, 80 insertions(+), 29 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 67649ced21..66cb9ad5ac 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
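Review bot: The added line `"ExtractOs.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"})s` ends with a stray `s`, so ExtractOs.java does not compile at this commit. Patch 22/31 removes it, but the intermediate revision still breaks bisecting. The new Javadoc block also sits between the `@Messages({...})` annotation and `enum OS_TYPE`, where the documentation tool will most likely not attach it to the enum. Moving the comment above `@Messages` keeps it as the enum's documentation. The annotation's opening lies outside this hunk.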
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java @@ -40,10 +40,10 @@ import org.sleuthkit.datamodel.TskCoreException; */ @Messages({"DataSourceUsageAnalyzer.parentModuleName=Recent Activity"}) class DataSourceUsageAnalyzer extends Extract { - + private static final Logger logger = Logger.getLogger(DataSourceUsageAnalyzer.class.getName()); private Content dataSource; - + @Messages({ "# {0} - OS name", "DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})" @@ -56,7 +56,7 @@ class DataSourceUsageAnalyzer extends Extract { } catch (TskCoreException ex) { logger.log(Level.WARNING, "Failed to check if datasource contained a volume with operating system specific files", ex); } - + } /** 
@@ -73,21 +73,19 @@ class DataSourceUsageAnalyzer extends Extract { if (osInfoArt.getDataSource().getId() == dataSource.getId()) { BlackboardAttribute progNameAttr = osInfoArt.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)); if (progNameAttr != null) { - String dataSourceUsageDescription = ""; if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls windowsOsDetected = true; //use the program name when it appears to be windows - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString()); + createDataSourceUsageArtifact(Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString())); } else { ExtractOs.OS_TYPE osType = ExtractOs.OS_TYPE.fromOsInfoLabel(moduleName); if (osType != null) { - dataSourceUsageDescription = osType.getDsUsageLabel(); + createDataSourceUsageArtifact(osType.getDsUsageLabel()); } else { //unable to determine name for DATA_SOURCE_USAGE artifact using program name - dataSourceUsageDescription = Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString()); + createDataSourceUsageArtifact(Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString())); } } - createDataSourceUsageArtifact(dataSourceUsageDescription); } } } 
@@ -96,6 +94,30 @@ class DataSourceUsageAnalyzer extends Extract { } } + /** + * If a TSK_DATA_SOURCE_USAGE artifact does not exist with the given + * description create one. + * + * @param dataSourceUsageDescription the text for the description attribute + * of the TSK_DATA_SOURCE_USAGE artifact + * + * @throws TskCoreException + */ + private void createDataSourceUsageArtifact(String dataSourceUsageDescription) throws TskCoreException { + //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description + List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); + for (BlackboardArtifact artifact : artifacts) { + if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { + return; //already exists don't create a duplicate + } + } + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + dataSourceUsageDescription)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + } + /** * Check if any of the specified file paths exist for the specified OS_TYPE * exist, if they do create a TSK_DATA_SOURCE_USAGE artifact does if one 
@@ -105,25 +127,15 @@ class DataSourceUsageAnalyzer extends Extract { * * @return true if any specified files exist false if none exist */ - private void checkIfOsSpecificVolume(ExtractOs.OS_TYPE osType) { + private void checkIfOsSpecificVolume(ExtractOs.OS_TYPE osType) throws TskCoreException { FileManager fileManager = currentCase.getServices().getFileManager(); List files = new ArrayList<>(); for (String filePath : osType.getFilePaths()) { files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); } - if (!files.isEmpty) { + if (!files.isEmpty()) { //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description - List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); - for (BlackboardArtifact artifact : artifacts) { - if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(osType.getDsUsageLabel())) { - return; //already exists don't create a duplicate - } - } - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - osType.getDsUsageLabel())); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + createDataSourceUsageArtifact(osType.getDsUsageLabel()); } } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 70424f3004..6693c059bd 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java 
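Review bot: The Javadoc kept above `checkIfOsSpecificVolume` still says `@return true if any specified files exist false if none exist`, although the method is `void` and now declares `throws TskCoreException`. Replace the `@return` line with `@throws TskCoreException if the file search or artifact lookup fails` (which calls actually throw is not visible here, so adjust the wording to match). The summary sentence also needs tidying: it currently reads "exist for the specified OS_TYPE exist" and "artifact does if one does not exist". The Javadoc starts in the preceding hunk's trailing context, so only its tail is visible in this hunk.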
@@ -134,13 +134,13 @@ class ExtractOs extends Extract { "ExtractOs.solarisSparcVolume.label=OS Drive (Linux Solaris/Sparc)", "ExtractOs.gentooLinuxVolume.label=OS Drive (Linux Gentoo)", "ExtractOs.unitedLinuxVolume.label=OS Drive (Linux United Linux)", - "ExtractOs.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"})s + "ExtractOs.ubuntuLinuxVolume.label=OS Drive (Linux Ubuntu)"}) /** * Enum used for coupling the TSK_OS_INFO artifacts created in ExtractOs and * the TSK_DATA_SOURCE_USAGE artifacts created in DataSourceUsageAnalyzer */ enum OS_TYPE { - WINDOWS("", Bundle.DataSourceUsageAnalyzer_windowsVolume_label(), Arrays.asList(WINDOWS_VOLUME_PATH)), //windows doesn't get OS_INFO artifacts created for it here + WINDOWS("", Bundle.ExtractOs_windowsVolume_label(), Arrays.asList(WINDOWS_VOLUME_PATH)), //windows doesn't get OS_INFO artifacts created for it here MAC_OS_X(Bundle.ExtractOs_osx_label(), Bundle.ExtractOs_osxVolume_label(), Arrays.asList(OSX_VOLUME_PATH)), ANDROID(Bundle.ExtractOs_androidOs_label(), Bundle.ExtractOs_androidVolume_label(), Arrays.asList(ANDROID_VOLUME_PATH)), LINUX_REDHAT(Bundle.ExtractOs_redhatLinuxOs_label(), Bundle.ExtractOs_redhatLinuxVolume_label(), Arrays.asList(LINUX_RED_HAT_PATHS)), @@ -161,10 +161,14 @@ class ExtractOs extends Extract { private final List filePaths; /** - * An OS_TYPE enum containing the messages - * @param osInfoText - * @param dsUsageText - * @param filePathList + * An constructs a value for an OS_TYPE enum + * + * @param osInfoText - the program name to use for TSK_OS_INFO + * artifacts + * @param dsUsageText - the description to use for + * TSK_DATA_SOURCE_USAGE artifacts + * @param filePathList - the list of file paths to create these + * artifacts for */ private OS_TYPE(String osInfoText, String dsUsageText, List filePathList) { this.osInfoLabel = osInfoText; 
@@ -172,18 +176,46 @@ class ExtractOs extends Extract { this.filePaths = filePathList; } + /** + * Get the string to use for the PROG_NAME attribute of TSK_OS_INFO + * artifacts. + * + * @return osInfoLabel + */ String getOsInfoLabel() { return osInfoLabel; } + /** + * Get the string to use for the DESCRIPTION attribute of + * TSK_DATA_SOURCE_USAGE artifacts. + * + * @return dsUsageLabel + */ String getDsUsageLabel() { return dsUsageLabel; } + /** + * Get the list of string representations of file paths which should + * identify that this OS_TYPE is present in the data source. + * + * @return filePaths + */ List getFilePaths() { return Collections.unmodifiableList(filePaths); } + /** + * Given the Description text of a TSK_DATA_SOURCE_USAGE artifact + * determine what type OS_TYPE this is + * + * @param dsUsageLabel description text of the TSK_DATA_SOURCE_USAGE + * artifact + * + * @return the OS_TYPE which matches the specified dsUsageLabel, null if + * no types match + */ static public OS_TYPE fromDsUsageLabel(String dsUsageLabel) { for (OS_TYPE value : OS_TYPE.values()) { if (value.getDsUsageLabel().equals(dsUsageLabel)) { @@ -193,6 +225,15 @@ class ExtractOs extends Extract { return null; } + /** + * Given the Program Name text of a TSK_OS_INFO artifact determine what + * type OS_TYPE this is + * + * @param osInfoLabel program name text of the TSK_OS_INFO artifact + * + * @return the OS_TYPE which matches the specified osInfoLabel, null if + * no types match + */ static public OS_TYPE fromOsInfoLabel(String osInfoLabel) { for (OS_TYPE value : OS_TYPE.values()) { if (value.getOsInfoLabel().equals(osInfoLabel)) { @@ -201,7 +242,5 @@ class ExtractOs extends Extract { } return null; } - } - } From 5609f1bf6b2bec95646cb45697d7c28bb46cd7af Mon Sep 17 00:00:00 2001 
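Review bot: The Javadoc added for `fromOsInfoLabel` promises null when no type matches, but `WINDOWS` is declared with an empty `osInfoLabel` (`WINDOWS("", ...)`), so an empty program name resolves to `WINDOWS` instead of null. Either state that in the `@return` text or reject empty input at the top of the method with `if (osInfoLabel.isEmpty()) { return null; }`. Patch 24/31 adds an empty-string check at the one caller visible on this page, but the lookup itself stays unguarded for any other caller.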
From: William Schaefer Date: Fri, 18 Jan 2019 15:44:22 -0500 Subject: [PATCH 23/31] 4632-4630-4629 clarify comment regarding early return in method checkForOSFiles --- .../src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 6693c059bd..3b6863ecb2 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java @@ -84,7 +84,7 @@ class ExtractOs extends Extract { */ private void checkForOSFiles(OS_TYPE osType) throws TskCoreException { if (osType.getOsInfoLabel().isEmpty()) { - //shortcut out if it was called with no OS Program nameartifacts to create + //shortcut out if it was called with out a specified program name so no OS INFO artifacts are created return; } FileManager fileManager = currentCase.getServices().getFileManager(); From 991ba3ff0fd3dc3c8fc5a501113f2bb064f3cffe Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 15:59:20 -0500 Subject: [PATCH 24/31] 4632-4630-4629 Fix bug with matching OS_INFO artifacts --- .../autopsy/recentactivity/DataSourceUsageAnalyzer.java | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 66cb9ad5ac..13de86b9b5 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
@@ -73,12 +73,15 @@ class DataSourceUsageAnalyzer extends Extract { if (osInfoArt.getDataSource().getId() == dataSource.getId()) { BlackboardAttribute progNameAttr = osInfoArt.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)); if (progNameAttr != null) { - if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls + if (progNameAttr.getValueString().isEmpty()) { + //skip empty Program Name text + } + else if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls windowsOsDetected = true; //use the program name when it appears to be windows createDataSourceUsageArtifact(Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString())); } else { - ExtractOs.OS_TYPE osType = ExtractOs.OS_TYPE.fromOsInfoLabel(moduleName); + ExtractOs.OS_TYPE osType = ExtractOs.OS_TYPE.fromOsInfoLabel(progNameAttr.getValueString()); if (osType != null) { createDataSourceUsageArtifact(osType.getDsUsageLabel()); } else { From 9a22de93e4f28ffa7042d7f1fdcb9cc91f30884e Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 17:47:17 -0500 Subject: [PATCH 25/31] 4632 4630 4629 add check to ensure exact matches of paths and file names found --- .../DataSourceUsageAnalyzer.java | 37 +++++++++---------- .../autopsy/recentactivity/ExtractOs.java | 34 +++++++++++++---- 2 files changed, 44 insertions(+), 27 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java index 13de86b9b5..9c841442a3 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/DataSourceUsageAnalyzer.java 
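Review bot: The Windows test on the added `else if` line lower-cases with the default locale: `progNameAttr.getDisplayString().toLowerCase().contains("windows")`. Under a Turkish default locale an upper-case `I` becomes dotless `ı`, so a program name written as `WINDOWS` would not match and would fall through to the `fromOsInfoLabel` branch. Use `toLowerCase(Locale.ROOT)`, which needs `java.util.Locale` imported outside this hunk. The branch also tests `getDisplayString()` while the neighbouring branches use `getValueString()`; using one accessor throughout would make the three conditions easier to compare.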
@@ -75,8 +75,7 @@ class DataSourceUsageAnalyzer extends Extract { if (progNameAttr != null) { if (progNameAttr.getValueString().isEmpty()) { //skip empty Program Name text - } - else if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls + } else if (progNameAttr.getDisplayString().toLowerCase().contains("windows")) { //non-nls windowsOsDetected = true; //use the program name when it appears to be windows createDataSourceUsageArtifact(Bundle.DataSourceUsageAnalyzer_customVolume_label(progNameAttr.getDisplayString())); 
@@ -107,18 +106,18 @@ class DataSourceUsageAnalyzer extends Extract { * @throws TskCoreException */ private void createDataSourceUsageArtifact(String dataSourceUsageDescription) throws TskCoreException { - //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description - List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); - for (BlackboardArtifact artifact : artifacts) { - if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { - return; //already exists don't create a duplicate - } + //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description + List artifacts = tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource.getId()); + for (BlackboardArtifact artifact : artifacts) { + if (artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)).getValueString().equals(dataSourceUsageDescription)) { + return; //already exists don't create a duplicate } - Collection bbattributes = new ArrayList<>(); - bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, - Bundle.DataSourceUsageAnalyzer_parentModuleName(), - dataSourceUsageDescription)); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); + } + Collection bbattributes = new ArrayList<>(); + bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, + Bundle.DataSourceUsageAnalyzer_parentModuleName(), + dataSourceUsageDescription)); //NON-NLS + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE, dataSource, bbattributes); } /** 
@@ -132,13 +131,13 @@ class DataSourceUsageAnalyzer extends Extract { */ private void checkIfOsSpecificVolume(ExtractOs.OS_TYPE osType) throws TskCoreException { FileManager fileManager = currentCase.getServices().getFileManager(); - List files = new ArrayList<>(); for (String filePath : osType.getFilePaths()) { - files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); - } - if (!files.isEmpty()) { - //if the data source usage description is not empty create a data source usage artifact if an Usage artifact does not already exist with the same description - createDataSourceUsageArtifact(osType.getDsUsageLabel()); + for (AbstractFile file : fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))) { + if ((file.getParentPath() + file.getName()).equals(filePath)) { + createDataSourceUsageArtifact(osType.getDsUsageLabel()); + return; + } + } } } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 3b6863ecb2..8da3f5a0d6 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java 
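Review bot: The new exact-match test `(file.getParentPath() + file.getName()).equals(filePath)` is case-sensitive and assumes `getParentPath()` ends with a separator; neither assumption is stated in a comment. `OS_TYPE.WINDOWS` uses the all-lower-case path `/windows/system32`, so if the case recorded for an image differs, the Windows fallback would presumably stop producing a TSK_DATA_SOURCE_USAGE artifact without any log entry. Confirm against a Windows image, or compare with `equalsIgnoreCase` where the source file system is case-insensitive. The identical loop is added to `ExtractOs.getFirstFileFound` in this patch, so `checkIfOsSpecificVolume` could call a shared helper instead of repeating it.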
@@ -87,24 +87,42 @@ class ExtractOs extends Extract { //shortcut out if it was called with out a specified program name so no OS INFO artifacts are created return; } - FileManager fileManager = currentCase.getServices().getFileManager(); - List files = new ArrayList<>(); - for (String filePath : osType.getFilePaths()) { - files.addAll(fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))); - } - if (!files.isEmpty()) { + AbstractFile file = getFirstFileFound(osType.getFilePaths()); + if (file != null) { //check if OS INFO artifact already created on this file - if (tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0).getId()).isEmpty()) { + if (tskCase.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, file.getId()).isEmpty()) { //if the os info program name is not empty create an os info artifact on the first of the files found Collection bbattributes = new ArrayList<>(); bbattributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, Bundle.ExtractOs_parentModuleName(), osType.getOsInfoLabel())); //NON-NLS - addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, files.get(0), bbattributes); + addArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO, file, bbattributes); } } } + /** + * Get the first file found which matches one of the specified paths. Return + * null if no file is found. 
+ * + * @param pathsToSearchFor the list of strings which represent the paths to + * search + * + * @return the first AbstractFile found which matched a specified path to + * search for + */ + private AbstractFile getFirstFileFound(List pathsToSearchFor) throws TskCoreException{ + FileManager fileManager = currentCase.getServices().getFileManager(); + for (String filePath : pathsToSearchFor) { + for (AbstractFile file : fileManager.findFiles(dataSource, FilenameUtils.getName(filePath), FilenameUtils.getPath(filePath))) { + if ((file.getParentPath() + file.getName()).equals(filePath)) { + return file; + } + } + } + return null; + } + @Messages({ "ExtractOs.osx.label=Mac OS X", "ExtractOs.androidOs.label=Android", From 3717e277a5a1c37b53de1a17ce1b612f5beef6b1 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 18 Jan 2019 18:09:55 -0500 Subject: [PATCH 26/31] 4632-4630-4629 fix leading slash on Android volume path --- .../src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 8da3f5a0d6..47ace3e833 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java 
@@ -46,7 +46,7 @@ class ExtractOs extends Extract { private static final String WINDOWS_VOLUME_PATH = "/windows/system32"; private static final String OSX_VOLUME_PATH = "/System/Library/CoreServices/SystemVersion.plist"; - private static final String ANDROID_VOLUME_PATH = "data/com.android.providers.settings/databases/settings.db"; + private static final String ANDROID_VOLUME_PATH = "/data/com.android.providers.settings/databases/settings.db"; //linux specific files reference https://www.novell.com/coolsolutions/feature/11251.html private static final String LINUX_RED_HAT_PATHS[] = {"/etc/redhat-release", "/etc/redhat_version"}; private static final String LINUX_NOVELL_SUSE_PATH = "/etc/SUSE-release"; From 2f7ccd15494f073b4256a0490c41359614f20975 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Mon, 28 Jan 2019 14:24:58 -0500 Subject: [PATCH 27/31] 4632-4630-4629 remove out of date comment --- .../casemodule/datasourceSummary/DataSourceSummaryPanel.java | 1 - 1 file changed, 1 deletion(-) diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java b/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java index d1573a4dae..25f97d8937 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/datasourceSummary/DataSourceSummaryPanel.java @@ -123,7 +123,6 @@ final class DataSourceSummaryPanel extends javax.swing.JPanel { osName += ", "; } osName += osInfo.getOSName(); - //if this OSInfo object has a name use it otherwise keep checking OSInfo objects } } catch (TskCoreException ignored) { //unable to get datasource for the OSInfo Object From eb0c140f0f068eb397d5923ec28aeaad517d5235 Mon Sep 17 00:00:00 2001 
From: William Schaefer Date: Mon, 28 Jan 2019 14:27:51 -0500 Subject: [PATCH 28/31] 4632 4630 4629 fix typo in constructor comment --- .../src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java index 47ace3e833..04976cb95b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractOs.java @@ -179,7 +179,7 @@ class ExtractOs extends Extract { private final List filePaths; /** - * An constructs a value for an OS_TYPE enum + * Constructs a value for an OS_TYPE enum * * @param osInfoText - the program name to use for TSK_OS_INFO * artifacts From 6b0bd3a983068e1462fd24c2d5d90921c1d640e5 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 1 Feb 2019 14:37:36 -0500 Subject: [PATCH 29/31] Fix typo in arguement documentation --- .../org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 88bcb3ae8b..1d20f27cd7 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -992,7 +992,7 @@ class ExtractRegistry extends Extract { * Create a UserInfo object * * @param name - the os user account name - * @param userIdString - the SID for the user account + * @param userSidString - the SID for the user account */ private UserInfo(String name, String userSidString) { userName = name; From f3c224208e706d14e582a2b0a310201a51452675 Mon Sep 17 00:00:00 2001 
From: William Schaefer Date: Fri, 1 Feb 2019 14:38:45 -0500 Subject: [PATCH 30/31] 4632-4630-4629 reduce versions of gson to single version in corelibs --- Core/nbproject/project.properties | 2 +- Core/nbproject/project.xml | 28 ++++++++------------- CoreLibs/ivy.xml | 5 ++-- CoreLibs/nbproject/project.properties | 2 +- CoreLibs/nbproject/project.xml | 8 ++++-- KeywordSearch/nbproject/project.properties | 1 - KeywordSearch/nbproject/project.xml | 8 ------ RecentActivity/ivy.xml | 3 --- RecentActivity/nbproject/project.properties | 1 - RecentActivity/nbproject/project.xml | 4 --- 10 files changed, 21 insertions(+), 41 deletions(-) diff --git a/Core/nbproject/project.properties b/Core/nbproject/project.properties index 2406271416..39197ade36 100644 --- a/Core/nbproject/project.properties +++ b/Core/nbproject/project.properties @@ -15,7 +15,6 @@ file.reference.commons-pool2-2.4.2.jar=release/modules/ext/commons-pool2-2.4.2.j file.reference.dd-plist-1.20.jar=release/modules/ext/dd-plist-1.20.jar file.reference.geoapi-3.0.0.jar=release/modules/ext/geoapi-3.0.0.jar file.reference.grib-4.5.5.jar=release/modules/ext/grib-4.5.5.jar -file.reference.gson-2.8.1.jar=release/modules/ext/gson-2.8.1.jar file.reference.httpservices-4.5.5.jar=release/modules/ext/httpservices-4.5.5.jar file.reference.isoparser-1.1.18.jar=release/modules/ext/isoparser-1.1.18.jar file.reference.jackcess-2.2.0.jar=release/modules/ext/jackcess-2.2.0.jar 
@@ -52,6 +51,7 @@ file.reference.sis-metadata-0.6.jar=release/modules/ext/sis-metadata-0.6.jar file.reference.sis-netcdf-0.6.jar=release/modules/ext/sis-netcdf-0.6.jar file.reference.sis-utility-0.6.jar=release/modules/ext/sis-utility-0.6.jar file.reference.slf4j-api-1.7.24.jar=release/modules/ext/slf4j-api-1.7.24.jar +file.reference.sqlite-jdbc-3.25.2.jar=release/modules/ext/sqlite-jdbc-3.25.2.jar file.reference.sqlite-jdbc-3.8.11.jar=release/modules/ext/sqlite-jdbc-3.8.11.jar file.reference.StixLib.jar=release/modules/ext/StixLib.jar file.reference.jempbox-1.8.13.jar=release/modules/ext/jempbox-1.8.13.jar diff --git a/Core/nbproject/project.xml b/Core/nbproject/project.xml index 37ea029fba..802dcfbd43 100644 --- a/Core/nbproject/project.xml +++ b/Core/nbproject/project.xml @@ -415,6 +415,10 @@ ext/StixLib.jar release/modules/ext/StixLib.jar + + ext/jackson-core-2.9.7.jar + release/modules/ext/jackson-core-2.9.7.jar + ext/pdfbox-tools-2.0.8.jar release/modules/ext/pdfbox-tools-2.0.8.jar @@ -431,10 +435,6 @@ ext/tika-parsers-1.17.jar release/modules/ext/tika-parsers-1.17.jar - - ext/sqlite-jdbc-3.25.2.jar - release/modules/ext/sqlite-jdbc-3.25.2.jar - ext/json-simple-1.1.1.jar release/modules/ext/json-simple-1.1.1.jar @@ -447,6 +447,10 @@ ext/jhighlight-1.0.2.jar release/modules/ext/jhighlight-1.0.2.jar + + ext/sleuthkit-postgresql-4.6.5.jar + release/modules/ext/sleuthkit-postgresql-4.6.5.jar + ext/jempbox-1.8.13.jar release/modules/ext/jempbox-1.8.13.jar @@ -499,10 +503,6 @@ ext/isoparser-1.1.18.jar release/modules/ext/isoparser-1.1.18.jar - - ext/sleuthkit-postgresql-4.6.5.jar - release/modules/ext/sleuthkit-postgresql-4.6.5.jar - ext/vorbis-java-core-0.8.jar release/modules/ext/vorbis-java-core-0.8.jar @@ -527,10 +527,6 @@ ext/jul-to-slf4j-1.7.24.jar release/modules/ext/jul-to-slf4j-1.7.24.jar - - ext/gson-2.8.1.jar - release/modules/ext/gson-2.8.1.jar - ext/poi-3.17.jar release/modules/ext/poi-3.17.jar 
@@ -608,8 +604,8 @@ release/modules/ext/curator-client-2.8.0.jar - ext/jackson-core-2.9.7.jar - release/modules/ext/jackson-core-2.9.7.jar + ext/sqlite-jdbc-3.25.2.jar + release/modules/ext/sqlite-jdbc-3.25.2.jar ext/cxf-rt-frontend-jaxrs-3.0.16.jar @@ -619,10 +615,6 @@ ext/grib-4.5.5.jar release/modules/ext/grib-4.5.5.jar - - ext/jackson-core-2.9.2.jar - release/modules/ext/jackson-core-2.9.2.jar - ext/activemq-all-5.11.1.jar release/modules/ext/activemq-all-5.11.1.jar diff --git a/CoreLibs/ivy.xml b/CoreLibs/ivy.xml index a5f7aab768..196fcc36ee 100644 --- a/CoreLibs/ivy.xml +++ b/CoreLibs/ivy.xml @@ -9,6 +9,8 @@ + + @@ -26,7 +28,6 @@ - @@ -66,5 +67,5 @@ - + diff --git a/CoreLibs/nbproject/project.properties b/CoreLibs/nbproject/project.properties index 08ccc6fea1..fee5235915 100644 --- a/CoreLibs/nbproject/project.properties +++ b/CoreLibs/nbproject/project.properties @@ -22,7 +22,7 @@ file.reference.compiler-0.9.1.jar=release/modules/ext/compiler-0.9.1.jar file.reference.controlsfx-8.40.11.jar=release/modules/ext/controlsfx-8.40.11.jar file.reference.dom4j-1.6.1.jar=release/modules/ext/dom4j-1.6.1.jar file.reference.geronimo-jms_1.1_spec-1.0.jar=release/modules/ext/geronimo-jms_1.1_spec-1.0.jar -file.reference.gson-1.4.jar=release/modules/ext/gson-1.4.jar +file.reference.gson-2.8.1.jar=release/modules/ext/gson-2.8.1.jar file.reference.gstreamer-java-1.5.jar=release/modules/ext/gstreamer-java-1.5.jar file.reference.guava-19.0.jar=release/modules/ext/guava-19.0.jar file.reference.imageio-bmp-3.2.jar=release/modules/ext/imageio-bmp-3.2.jar diff --git a/CoreLibs/nbproject/project.xml b/CoreLibs/nbproject/project.xml index 38da548a38..bb34c3281e 100644 --- a/CoreLibs/nbproject/project.xml +++ b/CoreLibs/nbproject/project.xml 
@@ -64,7 +64,11 @@ com.google.common.xml com.google.gson com.google.gson.annotations + com.google.gson.internal + com.google.gson.internal.bind + com.google.gson.internal.bind.util com.google.gson.reflect + com.google.gson.stream com.sun.activation.registries com.sun.activation.viewers com.sun.jna @@ -739,8 +743,8 @@ release/modules/ext/jna-3.4.0.jar - ext/gson-1.4.jar - release/modules/ext/gson-1.4.jar + ext/gson-2.8.1.jar + release/modules/ext/gson-2.8.1.jar ext/jfxtras-common-8.0-r4.jar diff --git a/KeywordSearch/nbproject/project.properties b/KeywordSearch/nbproject/project.properties index 4af4a610bf..b47080f282 100644 --- a/KeywordSearch/nbproject/project.properties +++ b/KeywordSearch/nbproject/project.properties @@ -39,7 +39,6 @@ file.reference.findstructapi-0.0.1.jar=release/modules/ext/findstructapi-0.0.1.j file.reference.fontbox-2.0.8.jar=release/modules/ext/fontbox-2.0.8.jar file.reference.geoapi-3.0.0.jar=release/modules/ext/geoapi-3.0.0.jar file.reference.grib-4.5.5.jar=release/modules/ext/grib-4.5.5.jar -file.reference.gson-2.8.1.jar=release/modules/ext/gson-2.8.1.jar file.reference.guava-17.0.jar=release/modules/ext/guava-17.0.jar file.reference.hamcrest-core-1.3.jar=release/modules/ext/hamcrest-core-1.3.jar file.reference.httpclient-4.5.4.jar=release/modules/ext/httpclient-4.5.4.jar diff --git a/KeywordSearch/nbproject/project.xml b/KeywordSearch/nbproject/project.xml index c66ad369eb..109ee0e66c 100644 --- a/KeywordSearch/nbproject/project.xml +++ b/KeywordSearch/nbproject/project.xml @@ -205,10 +205,6 @@ ext/quartz-2.2.0.jar release/modules/ext/quartz-2.2.0.jar - - ext/sqlite-jdbc-3.25.2.jar - release/modules/ext/sqlite-jdbc-3.25.2.jar - ext/guava-17.0.jar release/modules/ext/guava-17.0.jar @@ -325,10 +321,6 @@ ext/commons-codec-1.10.jar release/modules/ext/commons-codec-1.10.jar - - ext/gson-2.8.1.jar - release/modules/ext/gson-2.8.1.jar - ext/poi-ooxml-schemas-3.17.jar release/modules/ext/poi-ooxml-schemas-3.17.jar 
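Review bot: The `com.google.gson.internal`, `com.google.gson.internal.bind` and `com.google.gson.internal.bind.util` entries added in the `@@ -64,7 +64,11 @@` hunk of CoreLibs/nbproject/project.xml export Gson's non-API internals from CoreLibs, assuming this list is the module's public-packages section (the XML tags are not visible here). Core, KeywordSearch and RecentActivity appear to take Gson only through CoreLibs after this commit, so any of them can compile against those internals, which makes a later Gson upgrade, including a security update, harder to land. I would export only the supported packages, keeping `com.google.gson`, `com.google.gson.annotations`, `com.google.gson.reflect` and `com.google.gson.stream`, and drop the three `internal` lines unless a dependent module is known to need them.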
diff --git a/RecentActivity/ivy.xml b/RecentActivity/ivy.xml index 9b857153ee..290c8371ea 100644 --- a/RecentActivity/ivy.xml +++ b/RecentActivity/ivy.xml @@ -6,7 +6,4 @@ - - - diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties index bc09675c9d..9736070e53 100644 --- a/RecentActivity/nbproject/project.properties +++ b/RecentActivity/nbproject/project.properties @@ -1,4 +1,3 @@ -file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar javac.source=1.8 javac.compilerargs=-Xlint -Xlint:-serial license.file=../LICENSE-2.0.txt diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml index 402702e54b..87619a8356 100644 --- a/RecentActivity/nbproject/project.xml +++ b/RecentActivity/nbproject/project.xml @@ -74,10 +74,6 @@ - - ext/gson-2.1.jar - release/modules/ext/gson-2.1.jar - From 513fe57eed72d220346a5f1777e26985046b1575 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 1 Feb 2019 15:38:04 -0500 Subject: [PATCH 31/31] 4632 4630 4629 remove older sqlite-jdbc jar from project.properties after new one got included --- Core/nbproject/project.properties | 1 - 1 file changed, 1 deletion(-) diff --git a/Core/nbproject/project.properties b/Core/nbproject/project.properties index 39197ade36..58622cf7a5 100644 --- a/Core/nbproject/project.properties +++ b/Core/nbproject/project.properties 
@@ -52,7 +52,6 @@ file.reference.sis-netcdf-0.6.jar=release/modules/ext/sis-netcdf-0.6.jar
 file.reference.sis-utility-0.6.jar=release/modules/ext/sis-utility-0.6.jar
 file.reference.slf4j-api-1.7.24.jar=release/modules/ext/slf4j-api-1.7.24.jar
 file.reference.sqlite-jdbc-3.25.2.jar=release/modules/ext/sqlite-jdbc-3.25.2.jar
-file.reference.sqlite-jdbc-3.8.11.jar=release/modules/ext/sqlite-jdbc-3.8.11.jar
 file.reference.StixLib.jar=release/modules/ext/StixLib.jar
 file.reference.jempbox-1.8.13.jar=release/modules/ext/jempbox-1.8.13.jar
 file.reference.javax.ws.rs-api-2.0.1.jar=release/modules/ext/javax.ws.rs-api-2.0.1.jar