From 6e0c80eec25fc76014c4ae2dd96fe0cb08b656d0 Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Tue, 29 Jan 2013 14:47:51 -0500 Subject: [PATCH 1/3] Changed flow of hash module --- .../hashdatabase/HashDbIngestModule.java | 195 ++++++++++-------- 1 file changed, 107 insertions(+), 88 deletions(-) diff --git a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbIngestModule.java b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbIngestModule.java index 044296c1c1..d98b523dd2 100644 --- a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbIngestModule.java +++ b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbIngestModule.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2011 Basis Technology Corp. + * Copyright 2011-2013 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -23,20 +23,18 @@ import java.util.Collections; import java.util.HashMap; import java.util.Map; import java.util.logging.Level; -import org.sleuthkit.autopsy.coreutils.Logger; -import org.netbeans.api.options.OptionsDisplayer; -import org.netbeans.spi.options.OptionsPanelController; import org.sleuthkit.autopsy.casemodule.Case; -import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.ingest.IngestMessage; import org.sleuthkit.autopsy.ingest.IngestModuleAbstractFile; import org.sleuthkit.autopsy.ingest.IngestModuleInit; +import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.autopsy.ingest.ModuleDataEvent; +import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; -import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.ContentVisitor; import org.sleuthkit.datamodel.File; @@ -58,7 +56,7 @@ public class HashDbIngestModule implements IngestModuleAbstractFile { private IngestServices services; private SleuthkitCase skCase; private static int messageId = 0; - private int count; + private int knownBadCount; // Whether or not to do hash lookups (only set to true if there are dbs set) private boolean nsrlIsSet; private boolean knownBadIsSet; @@ -67,13 +65,13 @@ public class HashDbIngestModule implements IngestModuleAbstractFile { private int nsrlPointer; static long calctime = 0; static long lookuptime = 0; - private Map knownBadSets = new HashMap(); + private Map knownBadSets = new HashMap<>(); private HashDbManagementPanel panel; private final Hash hasher = new Hash(); private HashDbIngestModule() { - count = 0; + knownBadCount = 0; } public static synchronized HashDbIngestModule getDefault() { @@ -86,7 +84,6 @@ public class HashDbIngestModule implements IngestModuleAbstractFile { @Override public void init(IngestModuleInit initContext) { services = IngestServices.getDefault(); - this.services.postMessage(IngestMessage.createMessage(++messageId, IngestMessage.MessageType.INFO, this, "Started")); this.skCase = Case.getCurrentCase().getSleuthkitCase(); try { HashDbXML hdbxml = HashDbXML.getCurrent(); @@ -121,36 +118,39 @@ public class HashDbIngestModule implements IngestModuleAbstractFile { } } catch (TskException ex) { - logger.log(Level.WARNING, "Setting NSRL and Known database failed", ex); + logger.log(Level.SEVERE, "Setting NSRL and Known database failed", ex); + this.services.postMessage(IngestMessage.createErrorMessage(++messageId, this, "Error Configuring Hash Databases", "Setting NSRL and Known database failed.")); } } @Override public void complete() { - StringBuilder detailsSb = new StringBuilder(); - //details - detailsSb.append(""); + if ((knownBadIsSet) || (nsrlIsSet)) { + StringBuilder detailsSb = new StringBuilder(); + //details + detailsSb.append("
"); - detailsSb.append(""); - detailsSb.append(""); - detailsSb.append(""); - detailsSb.append(""); + detailsSb.append(""); + detailsSb.append(""); + detailsSb.append(""); + detailsSb.append(""); - detailsSb.append(""); - detailsSb.append(""); - detailsSb.append(""); - detailsSb.append(""); + detailsSb.append(""); + detailsSb.append(""); + detailsSb.append(""); + detailsSb.append(""); - for (HashDb db : knownBadSets.values()) { - detailsSb.append(""); + for (HashDb db : knownBadSets.values()) { + detailsSb.append(""); + } + + detailsSb.append("
Number of notable files found:").append(count).append("
Number of notable files found:").append(knownBadCount).append("
Notable databases used:Calc Time: ").append(calctime).append(" Lookup Time: ").append(lookuptime).append("
Notable databases used:Calc Time: ").append(calctime).append(" Lookup Time: ").append(lookuptime).append("
"); - detailsSb.append(db.getName()); - detailsSb.append(""); - detailsSb.append(db.getDatabasePaths().get(0)); // TODO: support multiple database paths - detailsSb.append("
"); + detailsSb.append(db.getName()); + detailsSb.append(""); + detailsSb.append(db.getDatabasePaths().get(0)); // TODO: support multiple database paths + detailsSb.append("
"); + services.postMessage(IngestMessage.createMessage(++messageId, IngestMessage.MessageType.INFO, this, "Hash Lookup Results", detailsSb.toString())); } - - detailsSb.append(""); - services.postMessage(IngestMessage.createMessage(++messageId, IngestMessage.MessageType.INFO, this, "Hash Ingest Complete", detailsSb.toString())); } /** @@ -159,7 +159,7 @@ public class HashDbIngestModule implements IngestModuleAbstractFile { */ @Override public void stop() { - //manager.postMessage(IngestMessage.createMessage(++messageId, IngestMessage.MessageType.INFO, this, "STOP")); + } /** @@ -312,70 +312,89 @@ public class HashDbIngestModule implements IngestModuleAbstractFile { } private ProcessResult process(FsContent fsContent) { - - ProcessResult ret = ProcessResult.OK; - boolean processFile = true; - if (fsContent.getKnown().equals(TskData.FileKnown.BAD)) { - processFile = false; + // bail out if we have no hashes set + if ((nsrlIsSet == false) && (knownBadIsSet == false) && (calcHashesIsSet == false)) { + return ProcessResult.OK; } - if (processFile && (nsrlIsSet || knownBadIsSet)) { - String name = fsContent.getName(); + + // calc hash value + String name = fsContent.getName(); + String md5Hash = fsContent.getMd5Hash(); + if (md5Hash == null || md5Hash.isEmpty()) { try { - String md5Hash = fsContent.getMd5Hash(); - if (md5Hash == null || md5Hash.isEmpty()) { - long calcstart = System.currentTimeMillis(); - md5Hash = hasher.calculateMd5(fsContent); - calctime += (System.currentTimeMillis() - calcstart); - } - TskData.FileKnown status = TskData.FileKnown.UKNOWN; - boolean foundBad = false; - for (Map.Entry entry : knownBadSets.entrySet()) { + long calcstart = System.currentTimeMillis(); + md5Hash = hasher.calculateMd5(fsContent); + calctime += (System.currentTimeMillis() - calcstart); + } catch (IOException ex) { + logger.log(Level.WARNING, "Error calculating hash of file " + name, ex); + services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Read Error: " + name, + "Error encountered while calculating the hash value for " + name + ".")); + return ProcessResult.ERROR; + } + } + + + // look up in known bad first + TskData.FileKnown status = TskData.FileKnown.UKNOWN; + boolean foundBad = false; + ProcessResult ret = ProcessResult.OK; + + if (knownBadIsSet) { + for (Map.Entry entry : knownBadSets.entrySet()) { + + try { long lookupstart = System.currentTimeMillis(); status = skCase.knownBadLookupMd5(md5Hash, entry.getKey()); lookuptime += (System.currentTimeMillis() - lookupstart); - if (status.equals(TskData.FileKnown.BAD)) { - foundBad = true; - count += 1; - skCase.setKnown(fsContent, status); - String hashSetName = entry.getValue().getName(); - processBadFile(fsContent, md5Hash, hashSetName, entry.getValue().getShowInboxMessages()); - } + } catch (TskException ex) { + logger.log(Level.WARNING, "Couldn't lookup known bad hash for file " + name + " - see sleuthkit log for details", ex); + services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Hash Lookup Error: " + name, + "Error encountered while looking up known bad hash value for " + name + ".")); + ret = ProcessResult.ERROR; + } + + if (status.equals(TskData.FileKnown.BAD)) { + foundBad = true; + knownBadCount += 1; + try { + skCase.setKnown(fsContent, TskData.FileKnown.BAD); + } catch (TskException ex) { + logger.log(Level.WARNING, "Couldn't set known bad state for file " + name + " - see sleuthkit log for details", ex); + services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Hash Lookup Error: " + name, + "Error encountered while setting known bad state for " + name + ".")); + ret = ProcessResult.ERROR; + } + String hashSetName = entry.getValue().getName(); + processBadFile(fsContent, md5Hash, hashSetName, entry.getValue().getShowInboxMessages()); } - if (!foundBad && nsrlIsSet) { - long lookupstart = System.currentTimeMillis(); - status = skCase.nsrlLookupMd5(md5Hash); - lookuptime += (System.currentTimeMillis() - lookupstart); - if (status.equals(TskData.FileKnown.KNOWN)) { - skCase.setKnown(fsContent, status); - } - } - } catch (TskException ex) { - logger.log(Level.WARNING, "Couldn't analyze file " + name + " - see sleuthkit log for details", ex); - services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Hash Lookup Error: " + name, - "Error encountered while updating the hash values for " + name + ".")); - ret = ProcessResult.ERROR; - } catch (IOException ex) { - logger.log(Level.WARNING, "Error reading file " + name, ex); - services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Read Error: " + name, - "Error encountered while calculating the hash value for " + name + ".")); - ret = ProcessResult.ERROR; - } - } else if (processFile && calcHashesIsSet) { - String name = fsContent.getName(); - try { - String md5Hash = fsContent.getMd5Hash(); - if (md5Hash == null || md5Hash.isEmpty()) { - long calcstart = System.currentTimeMillis(); - hasher.calculateMd5(fsContent); - calctime += (System.currentTimeMillis() - calcstart); - } - ret = ProcessResult.OK; - } catch (IOException ex) { - logger.log(Level.WARNING, "Error reading file " + name, ex); - services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Read Error: " + name, - "Error encountered while calculating the hash value for " + name + " without databases.")); } } + + // only do NSRL if we didn't find a known bad + if (!foundBad && nsrlIsSet) { + try { + long lookupstart = System.currentTimeMillis(); + status = skCase.nsrlLookupMd5(md5Hash); + lookuptime += (System.currentTimeMillis() - lookupstart); + } catch (TskException ex) { + logger.log(Level.WARNING, "Couldn't lookup NSRL hash for file " + name + " - see sleuthkit log for details", ex); + services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Hash Lookup Error: " + name, + "Error encountered while looking up NSRL hash value for " + name + ".")); + ret = ProcessResult.ERROR; + } + + if (status.equals(TskData.FileKnown.KNOWN)) { + try { + skCase.setKnown(fsContent, TskData.FileKnown.KNOWN); + } catch (TskException ex) { + logger.log(Level.WARNING, "Couldn't set known state for file " + name + " - see sleuthkit log for details", ex); + services.postMessage(IngestMessage.createErrorMessage(++messageId, HashDbIngestModule.this, "Hash Lookup Error: " + name, + "Error encountered while setting known (NSRL) state for " + name + ".")); + ret = ProcessResult.ERROR; + } + } + } + return ret; } } From 5887f2fbda4ba8c431f446288e8a20883e1d85fa Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Tue, 29 Jan 2013 14:49:02 -0500 Subject: [PATCH 2/3] Made ingest inbox messages more consistent --- .../ExifParserFileIngestModule.java | 5 -- .../KeywordSearchIngestModule.java | 7 +-- .../recentactivity/RAImageIngestModule.java | 60 +++++++++---------- .../ThunderbirdMboxFileIngestModule.java | 4 +- 4 files changed, 33 insertions(+), 43 deletions(-) diff --git a/ExifParser/src/org/sleuthkit/autopsy/exifparser/ExifParserFileIngestModule.java b/ExifParser/src/org/sleuthkit/autopsy/exifparser/ExifParserFileIngestModule.java index 64406e5692..cbdb6c922d 100644 --- a/ExifParser/src/org/sleuthkit/autopsy/exifparser/ExifParserFileIngestModule.java +++ b/ExifParser/src/org/sleuthkit/autopsy/exifparser/ExifParserFileIngestModule.java @@ -198,9 +198,6 @@ public final class ExifParserFileIngestModule implements IngestModuleAbstractFil public void complete() { logger.log(Level.INFO, "completed exif parsing " + this.toString()); - final IngestMessage msg = IngestMessage.createMessage(++messageId, MessageType.INFO, this, "Complete"); - services.postMessage(msg); - //module specific cleanup due to completion here } @@ -235,13 +232,11 @@ public final class ExifParserFileIngestModule implements IngestModuleAbstractFil public void init(IngestModuleInit initContext) { services = IngestServices.getDefault(); logger.log(Level.INFO, "init() " + this.toString()); - } @Override public void stop() { logger.log(Level.INFO, "stop()"); - services.postMessage(IngestMessage.createMessage(++messageId, MessageType.INFO, this, "Stopped")); //module specific cleanup due to interruption here } diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java index 1ecfc2cfb3..8d435032d1 100644 --- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java +++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java @@ -252,7 +252,6 @@ public final class KeywordSearchIngestModule implements IngestModuleAbstractFile finalSearcher.execute(); } else { finalSearcherDone = true; - services.postMessage(IngestMessage.createMessage(++messageID, MessageType.INFO, this, "Completed")); } //log number of files / chunks in index @@ -438,8 +437,6 @@ public final class KeywordSearchIngestModule implements IngestModuleAbstractFile commitTimer.start(); searchTimer.start(); - - services.postMessage(IngestMessage.createMessage(++messageID, MessageType.INFO, this, "Started")); } @Override @@ -551,7 +548,7 @@ public final class KeywordSearchIngestModule implements IngestModuleAbstractFile msg.append("
Skipped files: ").append(skipped).append("
"); String indexStats = msg.toString(); logger.log(Level.INFO, "Keyword Indexing Completed: " + indexStats); - services.postMessage(IngestMessage.createMessage(++messageID, MessageType.INFO, this, "Keyword Indexing Completed", indexStats)); + services.postMessage(IngestMessage.createMessage(++messageID, MessageType.INFO, this, "Keyword Indexing Results", indexStats)); } @@ -1180,8 +1177,6 @@ public final class KeywordSearchIngestModule implements IngestModuleAbstractFile logger.log(Level.INFO, "The final searcher in this ingest done."); finalSearcherDone = true; - services.postMessage(IngestMessage.createMessage(++messageID, MessageType.INFO, KeywordSearchIngestModule.instance, "Completed")); - //run module cleanup cleanup(); } else { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index 1833d46ce1..79364d83b9 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -44,7 +44,6 @@ public final class RAImageIngestModule implements IngestModuleImage { private static RAImageIngestModule defaultInstance = null; private IngestServices services; private static int messageId = 0; - private ArrayList errors = new ArrayList(); private StringBuilder subCompleted = new StringBuilder(); private ArrayList modules; final public static String MODULE_VERSION = "1.0"; @@ -66,12 +65,15 @@ public final class RAImageIngestModule implements IngestModuleImage { @Override public void process(Image image, IngestImageWorkerController controller) { services.postMessage(IngestMessage.createMessage(++messageId, MessageType.INFO, this, "Started " + image.getName())); + controller.switchToDeterminate(modules.size()); controller.progress(0); + ArrayList errors = new ArrayList<>(); + for (int i = 0; i < modules.size(); i++) { Extract module = modules.get(i); if (controller.isCancelled()) { - logger.log(Level.INFO, "Recent Activity has been canceled, quitting before " + module.getName()); + logger.log(Level.INFO, "Recent Activity has been canceled, quitting before {0}", module.getName()); break; } try { @@ -83,47 +85,45 @@ public final class RAImageIngestModule implements IngestModuleImage { controller.progress(i + 1); errors.addAll(module.getErrorMessages()); } + + // create the final message for inbox + StringBuilder errorMessage = new StringBuilder(); + String errorMsgSubject; + if (!errors.isEmpty()) { + errorMessage.append("Errors encountered during analysis:
    \n"); + for (String msg : errors) { + errorMessage.append("
  • ").append(msg).append("
    • \n"); + } + errorMessage.append("
\n"); + + if (errors.size() == 1) { + errorMsgSubject = "1 error found"; + } else { + errorMsgSubject = errors.size() + " errors found"; + } + } else { + errorMessage.append("No errors encountered."); + errorMsgSubject = "No errors reported"; + } + final IngestMessage msg = IngestMessage.createMessage(++messageId, MessageType.INFO, this, "Finished " + image.getName()+ " - " + errorMsgSubject, errorMessage.toString()); + services.postMessage(msg); } @Override public void complete() { logger.log(Level.INFO, "complete() " + this.toString()); - StringBuilder errorMessage = new StringBuilder(); - String errorsFound = ""; - + + // close modules for (int i = 0; i < modules.size(); i++) { Extract module = modules.get(i); try { module.complete(); - subCompleted.append(module.getName()).append(" complete
"); } catch (Exception ex) { logger.log(Level.SEVERE, "Exception occurred when completing " + module.getName(), ex); subCompleted.append(module.getName()).append(" failed to complete - see log for details
"); } } - errorMessage.append(subCompleted); - int i = 0; - if (!errors.isEmpty()) { - errorMessage.append("
There were some errors extracting the data:
"); - for (String msg : errors) { - i++; - final IngestMessage error = IngestMessage.createMessage(++messageId, MessageType.INFO, this, msg + "
"); - services.postMessage(error); - } - - if (i == 1) { - errorsFound = i + " error found"; - } else { - errorsFound = i + " errors found"; - } - } else { - errorMessage.append("
No errors encountered."); - errorsFound = "No errors reported"; - } - final IngestMessage msg = IngestMessage.createMessage(++messageId, MessageType.INFO, this, "Completed - " + errorsFound, errorMessage.toString()); - services.postMessage(msg); - //module specific cleanup due to completion here } @@ -139,8 +139,8 @@ public final class RAImageIngestModule implements IngestModuleImage { @Override public void init(IngestModuleInit initContext) { - modules = new ArrayList(); - logger.log(Level.INFO, "init() " + this.toString()); + modules = new ArrayList<>(); + logger.log(Level.INFO, "init() {0}", this.toString()); services = IngestServices.getDefault(); final Extract registry = new ExtractRegistry(); diff --git a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java index 7c5ce0c152..52b3d2365b 100644 --- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java +++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java @@ -114,7 +114,8 @@ public class ThunderbirdMboxFileIngestModule implements IngestModuleAbstractFile if (isMbox) { - services.postMessage(IngestMessage.createMessage(++messageId, MessageType.INFO, this, "Processing " + fsContent.getName())); + logger.log(Level.INFO, "ThunderbirdMboxFileIngestModule: Parsing {0}", fsContent.getName()); + String mboxName = fsContent.getName(); String msfName = mboxName + ".msf"; //Long mboxId = fsContent.getId(); @@ -248,7 +249,6 @@ public class ThunderbirdMboxFileIngestModule implements IngestModuleAbstractFile @Override public void complete() { logger.log(Level.INFO, "complete()"); - services.postMessage(IngestMessage.createMessage(++messageId, MessageType.INFO, this, "COMPLETE")); //module specific cleanup due completion here } From 768642b7fe03998dcda24847bef16fac5f86ad88 Mon Sep 17 00:00:00 2001 From: adam-m Date: Tue, 29 Jan 2013 22:13:18 -0500 Subject: [PATCH 3/3] update TSK_USER_NAME artifact type --- .../src/org/sleuthkit/autopsy/recentactivity/Chrome.java | 2 +- .../src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 3151cc22db..d52f06eb8c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -406,7 +406,7 @@ public class Chrome extends Extract implements IngestModuleImage { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "Recent Activity", ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "Recent Activity", ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), "Recent Activity", ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", result.get("signon_realm").toString())); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFiles.get(j), bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 202b1b7c30..34305db877 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -500,7 +500,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", user)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), "RecentActivity", user)); bbart.addAttributes(bbattributes); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex);