From 5c097c14e16610d9fd7458347d8e8dba0d0dfd08 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Tue, 25 May 2021 14:07:41 -0400 Subject: [PATCH 1/3] Update VMExtractorIngestModule.java Check if valid VHD files are in the list of files to extract. --- .../vmextractor/VMExtractorIngestModule.java | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java index 56e6b3fbdb..f07042c999 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java @@ -49,6 +49,7 @@ import org.sleuthkit.autopsy.ingest.IngestManager; import org.sleuthkit.autopsy.ingest.IngestMessage; import org.sleuthkit.autopsy.ingest.IngestModule; import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.DataSource; @@ -118,6 +119,7 @@ final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter { try { // look for all VM files vmFiles = findVirtualMachineFiles(dataSource); + vmFiles = removeNonVHDFiles(vmFiles); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error querying case database", ex); //NON-NLS return ProcessResult.ERROR; 
@@ -237,6 +239,34 @@ final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter { } return vmFiles; } + + /** + * Check all the files and if a file is a vhd then check to make sure it is a valid vhd using the mimetype + * @param vmFiles List of virtual machine abstract files to look at + * @return List of abstract files of virtual machine files. + */ + private static List removeNonVHDFiles(List vmFiles) { + List vFile = new ArrayList<>(); + + for (AbstractFile vmFile : vmFiles) { + if (vmFile.getNameExtension().equalsIgnoreCase("vhd")) { + FileTypeDetector fileTypeDetector = null; + try { + fileTypeDetector = new FileTypeDetector(); + } catch (FileTypeDetector.FileTypeDetectorInitException ex) { + logger.log(Level.WARNING, String.format("Unable to create file type detector for determining MIME type for file %s with id of %d", vmFile.getName(), vmFile.getId())); + } + String mimeType = fileTypeDetector.getMIMEType(vmFile); + if (mimeType.equalsIgnoreCase("application/x-vhd")) { + vFile.add(vmFile); + } + } else { + vFile.add(vmFile); + } + } + + return vFile; + } /** * Writes out an abstract file to a specified output folder. From 715e08a5347b9f4e8f2ff1c3adea21e9f29f1b63 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Tue, 25 May 2021 21:31:39 -0400 Subject: [PATCH 2/3] Update VMExtractorIngestModule.java Add check if mimetype exists first, it if does not then get mimetype and update abstractfile with mimetype detected. --- .../vmextractor/VMExtractorIngestModule.java | 34 +++++++++++++------ 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java index f07042c999..a79b0f1a12 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java 
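Review bot: A file with a `vhd` extension whose detected type is not `application/x-vhd` is dropped from the returned list without any trace, at the `if (mimeType.equalsIgnoreCase("application/x-vhd"))` test in `removeNonVHDFiles`. In an ingest module that runs over evidence, an examiner should be able to see which candidates were excluded and why. Add an `else` to that test which records it, for example `logger.log(Level.INFO, String.format("Skipping %s (id %d): vhd extension but MIME type %s", vmFile.getName(), vmFile.getId(), mimeType));`. The Javadoc should also say that files failing the check are omitted from the result, which the current `@return` line does not.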
@@ -119,7 +119,7 @@ final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter { try { // look for all VM files vmFiles = findVirtualMachineFiles(dataSource); - vmFiles = removeNonVHDFiles(vmFiles); + vmFiles = removeNonVMFiles(vmFiles); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error querying case database", ex); //NON-NLS return ProcessResult.ERROR; 
@@ -241,23 +241,35 @@ final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter { } /** - * Check all the files and if a file is a vhd then check to make sure it is a valid vhd using the mimetype + * Check all the files and if a file is a vhd then check to make sure it is a valid vhd using the mimetype. We are not + * checking the mimetype for VMDK's at this point in time. + * * @param vmFiles List of virtual machine abstract files to look at + * * @return List of abstract files of virtual machine files. */ - private static List removeNonVHDFiles(List vmFiles) { + private static List removeNonVMFiles(List vmFiles) { List vFile = new ArrayList<>(); for (AbstractFile vmFile : vmFiles) { if (vmFile.getNameExtension().equalsIgnoreCase("vhd")) { - FileTypeDetector fileTypeDetector = null; - try { - fileTypeDetector = new FileTypeDetector(); - } catch (FileTypeDetector.FileTypeDetectorInitException ex) { - logger.log(Level.WARNING, String.format("Unable to create file type detector for determining MIME type for file %s with id of %d", vmFile.getName(), vmFile.getId())); - } - String mimeType = fileTypeDetector.getMIMEType(vmFile); - if (mimeType.equalsIgnoreCase("application/x-vhd")) { + String fileMimeType = vmFile.getMIMEType(); + if (fileMimeType == null) { + FileTypeDetector fileTypeDetector = null; + try { + fileTypeDetector = new FileTypeDetector(); + } catch (FileTypeDetector.FileTypeDetectorInitException ex) { + logger.log(Level.WARNING, String.format("Unable to create file type detector for determining MIME type for file %s with id of %d", vmFile.getName(), vmFile.getId())); + } + fileMimeType = fileTypeDetector.getMIMEType(vmFile); + try { + vmFile.setMIMEType(fileMimeType); + vmFile.save(); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, String.format("Unable to save mimetype of %s for file %s with id of %d", fileMimeType, vmFile.getName(), vmFile.getId())); + } + } + if (fileMimeType.equalsIgnoreCase("application/x-vhd")) { 
vFile.add(vmFile); } } else { From 543fdd369b1e79d470c968d7303a3575e5df2161 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Thu, 27 May 2021 08:37:29 -0400 Subject: [PATCH 3/3] Update VMExtractorIngestModule.java Moved defining fileTypeDetector outside of loop so it only happens once. If there is an error initializing fileTypeDetector then add the file to the list of VM's that we look at even if it may not be a VM, this way we do not loose it. Continue on in the loop skipping over a potential NPE in the code after the initilization. --- .../autopsy/modules/vmextractor/VMExtractorIngestModule.java | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java index a79b0f1a12..80219c8e9d 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java @@ -250,16 +250,17 @@ final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter { */ private static List removeNonVMFiles(List vmFiles) { List vFile = new ArrayList<>(); - + FileTypeDetector fileTypeDetector = null; for (AbstractFile vmFile : vmFiles) { if (vmFile.getNameExtension().equalsIgnoreCase("vhd")) { String fileMimeType = vmFile.getMIMEType(); if (fileMimeType == null) { - FileTypeDetector fileTypeDetector = null; try { fileTypeDetector = new FileTypeDetector(); } catch (FileTypeDetector.FileTypeDetectorInitException ex) { logger.log(Level.WARNING, String.format("Unable to create file type detector for determining MIME type for file %s with id of %d", vmFile.getName(), vmFile.getId())); + vFile.add(vmFile); + continue; } fileMimeType = fileTypeDetector.getMIMEType(vmFile); try {
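Review bot: Both `catch` blocks in the rewritten loop body log a formatted message but never hand `ex` to the logger, so the reason a detector could not be created or a MIME type could not be saved is lost. Pass it as the third argument, as the `logger.log(Level.SEVERE, "Error querying case database", ex);` call at the call site does. The method now also writes to the case through `vmFile.setMIMEType(fileMimeType)` and `vmFile.save()`, which the name `removeNonVMFiles` does not suggest, so the Javadoc should state that side effect. The method body ends outside this hunk.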
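Review bot: `new FileTypeDetector()` still runs inside the loop for every `vhd` entry that has no stored MIME type, because only the declaration was hoisted above the `for`; the description says it should happen once. Guard the construction inside the `try` with `if (fileTypeDetector == null) { fileTypeDetector = new FileTypeDetector(); }`, or build the detector before the loop. When initialisation fails the file is kept without any content check, as the description intends, but the warning text does not say so and is repeated for each such file; a wording like "keeping file unverified" would make the log unambiguous. The method continues past the end of this hunk.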