mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

line endings.

Browse Source
This commit is contained in:
Jeff Wallace 2013-12-11 15:57:19 -05:00
parent bc4705cbd4
commit d31ed4a82d
32 changed files with 4972 additions and 4972 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
Core/manifest.mf
View File

@ -1,10 +1,10 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
OpenIDE-Module: org.sleuthkit.autopsy.core/9 OpenIDE-Module: org.sleuthkit.autopsy.core/9
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/core/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/core/Bundle.properties
OpenIDE-Module-Layer: org/sleuthkit/autopsy/core/layer.xml OpenIDE-Module-Layer: org/sleuthkit/autopsy/core/layer.xml
OpenIDE-Module-Implementation-Version: 9 OpenIDE-Module-Implementation-Version: 9
OpenIDE-Module-Requires: org.openide.windows.WindowManager, org.netbeans.api.javahelp.Help OpenIDE-Module-Requires: org.openide.windows.WindowManager, org.netbeans.api.javahelp.Help
AutoUpdate-Show-In-Client: true AutoUpdate-Show-In-Client: true
AutoUpdate-Essential-Module: true AutoUpdate-Essential-Module: true
OpenIDE-Module-Install: org/sleuthkit/autopsy/core/Installer.class OpenIDE-Module-Install: org/sleuthkit/autopsy/core/Installer.class

194
Core/src/org/sleuthkit/autopsy/datamodel/DirectoryNode.java
View File

@ -1,97 +1,97 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.datamodel; package org.sleuthkit.autopsy.datamodel;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.swing.Action; import javax.swing.Action;
import org.sleuthkit.autopsy.directorytree.ExtractAction; import org.sleuthkit.autopsy.directorytree.ExtractAction;
import org.sleuthkit.autopsy.directorytree.NewWindowViewAction; import org.sleuthkit.autopsy.directorytree.NewWindowViewAction;
import org.sleuthkit.autopsy.directorytree.TagAbstractFileAction; import org.sleuthkit.autopsy.directorytree.TagAbstractFileAction;
import org.sleuthkit.autopsy.directorytree.ViewContextAction; import org.sleuthkit.autopsy.directorytree.ViewContextAction;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Directory; import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM; import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM;
/** /**
* This class is used to represent the "Node" for the directory. Its children * This class is used to represent the "Node" for the directory. Its children
* are more directories. * are more directories.
*/ */
public class DirectoryNode extends AbstractFsContentNode<AbstractFile> { public class DirectoryNode extends AbstractFsContentNode<AbstractFile> {
public static final String DOTDOTDIR = "[parent folder]"; public static final String DOTDOTDIR = "[parent folder]";
public static final String DOTDIR = "[current folder]"; public static final String DOTDIR = "[current folder]";
public DirectoryNode(Directory dir) { public DirectoryNode(Directory dir) {
this(dir, true); this(dir, true);
setIcon(dir); setIcon(dir);
} }
public DirectoryNode(AbstractFile dir, boolean directoryBrowseMode) { public DirectoryNode(AbstractFile dir, boolean directoryBrowseMode) {
super(dir, directoryBrowseMode); super(dir, directoryBrowseMode);
setIcon(dir); setIcon(dir);
} }
private void setIcon(AbstractFile dir) { private void setIcon(AbstractFile dir) {
// set name, display name, and icon // set name, display name, and icon
if (dir.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC)) { if (dir.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC)) {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-deleted.png"); this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-deleted.png");
} else { } else {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/Folder-icon.png"); this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/Folder-icon.png");
} }
} }
/** /**
* Right click action for this node * Right click action for this node
* *
* @param popup * @param popup
* @return * @return
*/ */
@Override @Override
public Action[] getActions(boolean popup) { public Action[] getActions(boolean popup) {
List<Action> actions = new ArrayList<>(); List<Action> actions = new ArrayList<>();
if (!getDirectoryBrowseMode()) { if (!getDirectoryBrowseMode()) {
actions.add(new ViewContextAction("View File in Directory", this)); actions.add(new ViewContextAction("View File in Directory", this));
actions.add(null); // creates a menu separator actions.add(null); // creates a menu separator
} }
actions.add(new NewWindowViewAction("View in New Window", this)); actions.add(new NewWindowViewAction("View in New Window", this));
actions.add(null); // creates a menu separator actions.add(null); // creates a menu separator
actions.add(ExtractAction.getInstance()); actions.add(ExtractAction.getInstance());
actions.add(null); // creates a menu separator actions.add(null); // creates a menu separator
actions.add(TagAbstractFileAction.getInstance()); actions.add(TagAbstractFileAction.getInstance());
return actions.toArray(new Action[0]); return actions.toArray(new Action[0]);
} }
@Override @Override
public <T> T accept(ContentNodeVisitor<T> v) { public <T> T accept(ContentNodeVisitor<T> v) {
return v.visit(this); return v.visit(this);
} }
@Override @Override
public <T> T accept(DisplayableItemNodeVisitor<T> v) { public <T> T accept(DisplayableItemNodeVisitor<T> v) {
return v.visit(this); return v.visit(this);
} }
@Override @Override
public TYPE getDisplayableItemNodeType() { public TYPE getDisplayableItemNodeType() {
return TYPE.CONTENT; return TYPE.CONTENT;
} }
} }

360
Core/src/org/sleuthkit/autopsy/datamodel/FileNode.java
View File

@ -1,180 +1,180 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.datamodel; package org.sleuthkit.autopsy.datamodel;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.swing.Action; import javax.swing.Action;
import org.sleuthkit.autopsy.directorytree.ExternalViewerAction; import org.sleuthkit.autopsy.directorytree.ExternalViewerAction;
import org.sleuthkit.autopsy.directorytree.ExtractAction; import org.sleuthkit.autopsy.directorytree.ExtractAction;
import org.sleuthkit.autopsy.directorytree.HashSearchAction; import org.sleuthkit.autopsy.directorytree.HashSearchAction;
import org.sleuthkit.autopsy.directorytree.NewWindowViewAction; import org.sleuthkit.autopsy.directorytree.NewWindowViewAction;
import org.sleuthkit.autopsy.directorytree.TagAbstractFileAction; import org.sleuthkit.autopsy.directorytree.TagAbstractFileAction;
import org.sleuthkit.autopsy.directorytree.ViewContextAction; import org.sleuthkit.autopsy.directorytree.ViewContextAction;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM;
import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM; import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM;
/** /**
* This class is used to represent the "Node" for the file. It may have derived * This class is used to represent the "Node" for the file. It may have derived
* files children. * files children.
*/ */
public class FileNode extends AbstractFsContentNode<AbstractFile> { public class FileNode extends AbstractFsContentNode<AbstractFile> {
/** /**
* @param file underlying Content * @param file underlying Content
*/ */
public FileNode(AbstractFile file) { public FileNode(AbstractFile file) {
this(file, true); this(file, true);
setIcon(file); setIcon(file);
} }
public FileNode(AbstractFile file, boolean directoryBrowseMode) { public FileNode(AbstractFile file, boolean directoryBrowseMode) {
super(file, directoryBrowseMode); super(file, directoryBrowseMode);
setIcon(file); setIcon(file);
} }
private void setIcon(AbstractFile file) { private void setIcon(AbstractFile file) {
// set name, display name, and icon // set name, display name, and icon
if (file.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC)) { if (file.isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM.UNALLOC)) {
if (file.getType().equals(TSK_DB_FILES_TYPE_ENUM.CARVED)) { if (file.getType().equals(TSK_DB_FILES_TYPE_ENUM.CARVED)) {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/carved-file-icon-16.png"); this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/carved-file-icon-16.png");
} else { } else {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/file-icon-deleted.png"); this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/file-icon-deleted.png");
} }
} else { } else {
this.setIconBaseWithExtension(getIconForFileType(file)); this.setIconBaseWithExtension(getIconForFileType(file));
} }
} }
/** /**
* Right click action for this node * Right click action for this node
* *
* @param popup * @param popup
* @return * @return
*/ */
@Override @Override
public Action[] getActions(boolean popup) { public Action[] getActions(boolean popup) {
List<Action> actionsList = new ArrayList<>(); List<Action> actionsList = new ArrayList<>();
if (!this.getDirectoryBrowseMode()) { if (!this.getDirectoryBrowseMode()) {
actionsList.add(new ViewContextAction("View File in Directory", this)); actionsList.add(new ViewContextAction("View File in Directory", this));
actionsList.add(null); // creates a menu separator actionsList.add(null); // creates a menu separator
} }
actionsList.add(new NewWindowViewAction("View in New Window", this)); actionsList.add(new NewWindowViewAction("View in New Window", this));
actionsList.add(new ExternalViewerAction("Open in External Viewer", this)); actionsList.add(new ExternalViewerAction("Open in External Viewer", this));
actionsList.add(null); // creates a menu separator actionsList.add(null); // creates a menu separator
actionsList.add(ExtractAction.getInstance()); actionsList.add(ExtractAction.getInstance());
actionsList.add(new HashSearchAction("Search for files with the same MD5 hash", this)); actionsList.add(new HashSearchAction("Search for files with the same MD5 hash", this));
actionsList.add(null); // creates a menu separator actionsList.add(null); // creates a menu separator
actionsList.add(TagAbstractFileAction.getInstance()); actionsList.add(TagAbstractFileAction.getInstance());
return actionsList.toArray(new Action[0]); return actionsList.toArray(new Action[0]);
} }
@Override @Override
public <T> T accept(ContentNodeVisitor< T> v) { public <T> T accept(ContentNodeVisitor< T> v) {
return v.visit(this); return v.visit(this);
} }
@Override @Override
public <T> T accept(DisplayableItemNodeVisitor< T> v) { public <T> T accept(DisplayableItemNodeVisitor< T> v) {
return v.visit(this); return v.visit(this);
} }
// Given a file, returns the correct icon for said // Given a file, returns the correct icon for said
// file based off it's extension // file based off it's extension
static String getIconForFileType(AbstractFile file) { static String getIconForFileType(AbstractFile file) {
// Get the name, extension // Get the name, extension
String name = file.getName(); String name = file.getName();
int dotIndex = name.lastIndexOf("."); int dotIndex = name.lastIndexOf(".");
if (dotIndex == -1) { if (dotIndex == -1) {
return "org/sleuthkit/autopsy/images/file-icon.png"; return "org/sleuthkit/autopsy/images/file-icon.png";
} }
String ext = name.substring(dotIndex).toLowerCase(); String ext = name.substring(dotIndex).toLowerCase();
// Images // Images
for (String s : FileTypeExtensions.getImageExtensions()) { for (String s : FileTypeExtensions.getImageExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/image-file.png"; return "org/sleuthkit/autopsy/images/image-file.png";
} }
} }
// Videos // Videos
for (String s : FileTypeExtensions.getVideoExtensions()) { for (String s : FileTypeExtensions.getVideoExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/video-file.png"; return "org/sleuthkit/autopsy/images/video-file.png";
} }
} }
// Audio Files // Audio Files
for (String s : FileTypeExtensions.getAudioExtensions()) { for (String s : FileTypeExtensions.getAudioExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/audio-file.png"; return "org/sleuthkit/autopsy/images/audio-file.png";
} }
} }
// Documents // Documents
for (String s : FileTypeExtensions.getDocumentExtensions()) { for (String s : FileTypeExtensions.getDocumentExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/doc-file.png"; return "org/sleuthkit/autopsy/images/doc-file.png";
} }
} }
// Executables / System Files // Executables / System Files
for (String s : FileTypeExtensions.getExecutableExtensions()) { for (String s : FileTypeExtensions.getExecutableExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/exe-file.png"; return "org/sleuthkit/autopsy/images/exe-file.png";
} }
} }
// Text Files // Text Files
for (String s : FileTypeExtensions.getTextExtensions()) { for (String s : FileTypeExtensions.getTextExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/text-file.png"; return "org/sleuthkit/autopsy/images/text-file.png";
} }
} }
// Web Files // Web Files
for (String s : FileTypeExtensions.getWebExtensions()) { for (String s : FileTypeExtensions.getWebExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/web-file.png"; return "org/sleuthkit/autopsy/images/web-file.png";
} }
} }
// PDFs // PDFs
for (String s : FileTypeExtensions.getPDFExtensions()) { for (String s : FileTypeExtensions.getPDFExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/pdf-file.png"; return "org/sleuthkit/autopsy/images/pdf-file.png";
} }
} }
// Archives // Archives
for (String s : FileTypeExtensions.getArchiveExtensions()) { for (String s : FileTypeExtensions.getArchiveExtensions()) {
if (ext.equals(s)) { if (ext.equals(s)) {
return "org/sleuthkit/autopsy/images/archive-file.png"; return "org/sleuthkit/autopsy/images/archive-file.png";
} }
} }
// Else return the default // Else return the default
return "org/sleuthkit/autopsy/images/file-icon.png"; return "org/sleuthkit/autopsy/images/file-icon.png";
} }
@Override @Override
public TYPE getDisplayableItemNodeType() { public TYPE getDisplayableItemNodeType() {
return TYPE.CONTENT; return TYPE.CONTENT;
} }
@Override @Override
public boolean isLeafTypeNode() { public boolean isLeafTypeNode() {
return true; //false; return true; //false;
} }
} }

140
Core/src/org/sleuthkit/autopsy/directorytree/TagAbstractFileAction.java
View File

@ -1,70 +1,70 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2013 Basis Technology Corp. * Copyright 2013 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.directorytree; package org.sleuthkit.autopsy.directorytree;
import java.awt.event.ActionEvent; import java.awt.event.ActionEvent;
import java.util.Collection; import java.util.Collection;
import javax.swing.AbstractAction; import javax.swing.AbstractAction;
import javax.swing.JMenuItem; import javax.swing.JMenuItem;
import org.openide.util.Utilities; import org.openide.util.Utilities;
import org.openide.util.actions.Presenter; import org.openide.util.actions.Presenter;
import org.sleuthkit.autopsy.datamodel.Tags; import org.sleuthkit.autopsy.datamodel.Tags;
import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.AbstractFile;
public class TagAbstractFileAction extends AbstractAction implements Presenter.Popup { public class TagAbstractFileAction extends AbstractAction implements Presenter.Popup {
// This class is a singleton to support multi-selection of nodes, since // This class is a singleton to support multi-selection of nodes, since
// org.openide.nodes.NodeOp.findActions(Node[] nodes) will only pick up an Action if every // org.openide.nodes.NodeOp.findActions(Node[] nodes) will only pick up an Action if every
// node in the array returns a reference to the same action object from Node.getActions(boolean). // node in the array returns a reference to the same action object from Node.getActions(boolean).
private static TagAbstractFileAction instance; private static TagAbstractFileAction instance;
public static synchronized TagAbstractFileAction getInstance() { public static synchronized TagAbstractFileAction getInstance() {
if (null == instance) { if (null == instance) {
instance = new TagAbstractFileAction(); instance = new TagAbstractFileAction();
} }
return instance; return instance;
} }
private TagAbstractFileAction() { private TagAbstractFileAction() {
} }
@Override @Override
public JMenuItem getPopupPresenter() { public JMenuItem getPopupPresenter() {
return new TagAbstractFileMenu(); return new TagAbstractFileMenu();
} }
@Override @Override
public void actionPerformed(ActionEvent e) { public void actionPerformed(ActionEvent e) {
// Do nothing - this action should never be performed. // Do nothing - this action should never be performed.
// Submenu actions are invoked instead. // Submenu actions are invoked instead.
} }
private static class TagAbstractFileMenu extends TagMenu { private static class TagAbstractFileMenu extends TagMenu {
public TagAbstractFileMenu() { public TagAbstractFileMenu() {
super(Utilities.actionsGlobalContext().lookupAll(AbstractFile.class).size() > 1 ? "Tag Files" : "Tag File"); super(Utilities.actionsGlobalContext().lookupAll(AbstractFile.class).size() > 1 ? "Tag Files" : "Tag File");
} }
@Override @Override
protected void applyTag(String tagName, String comment) { protected void applyTag(String tagName, String comment) {
Collection<? extends AbstractFile> selectedFiles = Utilities.actionsGlobalContext().lookupAll(AbstractFile.class); Collection<? extends AbstractFile> selectedFiles = Utilities.actionsGlobalContext().lookupAll(AbstractFile.class);
for (AbstractFile file : selectedFiles) { for (AbstractFile file : selectedFiles) {
Tags.createTag(file, tagName, comment); Tags.createTag(file, tagName, comment);
} }
} }
} }
} }

142
Core/src/org/sleuthkit/autopsy/directorytree/TagBlackboardArtifactAction.java
View File

@ -1,71 +1,71 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2013 Basis Technology Corp. * Copyright 2013 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.directorytree; package org.sleuthkit.autopsy.directorytree;
import java.awt.event.ActionEvent; import java.awt.event.ActionEvent;
import java.util.Collection; import java.util.Collection;
import javax.swing.AbstractAction; import javax.swing.AbstractAction;
import javax.swing.JMenuItem; import javax.swing.JMenuItem;
import org.openide.util.Utilities; import org.openide.util.Utilities;
import org.openide.util.actions.Presenter; import org.openide.util.actions.Presenter;
import org.sleuthkit.autopsy.datamodel.Tags; import org.sleuthkit.autopsy.datamodel.Tags;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
public class TagBlackboardArtifactAction extends AbstractAction implements Presenter.Popup { public class TagBlackboardArtifactAction extends AbstractAction implements Presenter.Popup {
// This class is a singleton to support multi-selection of nodes, since // This class is a singleton to support multi-selection of nodes, since
// org.openide.nodes.NodeOp.findActions(Node[] nodes) will only pick up an Action if every // org.openide.nodes.NodeOp.findActions(Node[] nodes) will only pick up an Action if every
// node in the array returns a reference to the same action object from Node.getActions(boolean). // node in the array returns a reference to the same action object from Node.getActions(boolean).
private static TagBlackboardArtifactAction instance; private static TagBlackboardArtifactAction instance;
public static synchronized TagBlackboardArtifactAction getInstance() { public static synchronized TagBlackboardArtifactAction getInstance() {
if (null == instance) { if (null == instance) {
instance = new TagBlackboardArtifactAction(); instance = new TagBlackboardArtifactAction();
} }
return instance; return instance;
} }
private TagBlackboardArtifactAction() { private TagBlackboardArtifactAction() {
} }
@Override @Override
public JMenuItem getPopupPresenter() { public JMenuItem getPopupPresenter() {
return new TagBlackboardArtifactMenu(); return new TagBlackboardArtifactMenu();
} }
@Override @Override
public void actionPerformed(ActionEvent e) { public void actionPerformed(ActionEvent e) {
// Do nothing - this action should never be performed. // Do nothing - this action should never be performed.
// Submenu actions are invoked instead. // Submenu actions are invoked instead.
} }
private static class TagBlackboardArtifactMenu extends TagMenu { private static class TagBlackboardArtifactMenu extends TagMenu {
public TagBlackboardArtifactMenu() { public TagBlackboardArtifactMenu() {
super(Utilities.actionsGlobalContext().lookupAll(BlackboardArtifact.class).size() > 1 ? "Tag Results" : "Tag Result"); super(Utilities.actionsGlobalContext().lookupAll(BlackboardArtifact.class).size() > 1 ? "Tag Results" : "Tag Result");
} }
@Override @Override
protected void applyTag(String tagName, String comment) { protected void applyTag(String tagName, String comment) {
Collection<? extends BlackboardArtifact> selectedArtifacts = Utilities.actionsGlobalContext().lookupAll(BlackboardArtifact.class); Collection<? extends BlackboardArtifact> selectedArtifacts = Utilities.actionsGlobalContext().lookupAll(BlackboardArtifact.class);
for (BlackboardArtifact artifact : selectedArtifacts) { for (BlackboardArtifact artifact : selectedArtifacts) {
Tags.createTag(artifact, tagName, comment); Tags.createTag(artifact, tagName, comment);
} }
} }
} }
} }

12
ExifParser/manifest.mf
View File

@ -1,6 +1,6 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.exifparser/3 OpenIDE-Module: org.sleuthkit.autopsy.exifparser/3
OpenIDE-Module-Implementation-Version: 9 OpenIDE-Module-Implementation-Version: 9
OpenIDE-Module-Layer: org/sleuthkit/autopsy/exifparser/layer.xml OpenIDE-Module-Layer: org/sleuthkit/autopsy/exifparser/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/exifparser/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/exifparser/Bundle.properties

14
HashDatabase/manifest.mf
View File

@ -1,7 +1,7 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.hashdatabase/3 OpenIDE-Module: org.sleuthkit.autopsy.hashdatabase/3
OpenIDE-Module-Implementation-Version: 9 OpenIDE-Module-Implementation-Version: 9
OpenIDE-Module-Layer: org/sleuthkit/autopsy/hashdatabase/layer.xml OpenIDE-Module-Layer: org/sleuthkit/autopsy/hashdatabase/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/hashdatabase/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/hashdatabase/Bundle.properties

12
HashDatabase/nbproject/project.properties
View File

@ -1,6 +1,6 @@
javac.source=1.7 javac.source=1.7
javac.compilerargs=-Xlint -Xlint:-serial javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/ nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true nbm.needs.restart=true
spec.version.base=1.3 spec.version.base=1.3

128
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/Bundle.properties
View File

@ -1,64 +1,64 @@
OpenIDE-Module-Display-Category=Ingest Module OpenIDE-Module-Display-Category=Ingest Module
OpenIDE-Module-Long-Description=\ OpenIDE-Module-Long-Description=\
Hash Database ingest module. \n\n\ Hash Database ingest module. \n\n\
The ingest module analyzes files in the disk image and marks them as "known" (based on NSRL database lookup for "known" files) and "bad / interesting" (based on one or more databases supplied by the user).\n\n\ The ingest module analyzes files in the disk image and marks them as "known" (based on NSRL database lookup for "known" files) and "bad / interesting" (based on one or more databases supplied by the user).\n\n\
The module also contains additional non-ingest tools that are integrated in the GUI, such as file lookup by hash and hash database configuration. The module also contains additional non-ingest tools that are integrated in the GUI, such as file lookup by hash and hash database configuration.
OpenIDE-Module-Name=HashDatabase OpenIDE-Module-Name=HashDatabase
HashDbSimplePanel.knownLabel.text=NSRL Database: HashDbSimplePanel.knownLabel.text=NSRL Database:
HashDbSimplePanel.notableLabel.text=Known Bad Database(s): HashDbSimplePanel.notableLabel.text=Known Bad Database(s):
HashDbSimplePanel.knownValLabel.text=- HashDbSimplePanel.knownValLabel.text=-
HashDbSimplePanel.notableValLabel.text=- HashDbSimplePanel.notableValLabel.text=-
HashDbSimplePanel.jLabel1.text=Enable known bad databases for ingest: HashDbSimplePanel.jLabel1.text=Enable known bad databases for ingest:
HashDbAddDatabaseDialog.cancelButton.text=Cancel HashDbAddDatabaseDialog.cancelButton.text=Cancel
HashDbAddDatabaseDialog.okButton.text=OK HashDbAddDatabaseDialog.okButton.text=OK
HashDbAddDatabaseDialog.nsrlRadioButton.text=NSRL HashDbAddDatabaseDialog.nsrlRadioButton.text=NSRL
HashDbAddDatabaseDialog.knownBadRadioButton.text=Known Bad HashDbAddDatabaseDialog.knownBadRadioButton.text=Known Bad
HashDbAddDatabaseDialog.databasePathTextField.text= HashDbAddDatabaseDialog.databasePathTextField.text=
HashDbAddDatabaseDialog.browseButton.text=Browse HashDbAddDatabaseDialog.browseButton.text=Browse
HashDbAddDatabaseDialog.jLabel1.text=Enter the name of the database: HashDbAddDatabaseDialog.jLabel1.text=Enter the name of the database:
HashDbAddDatabaseDialog.databaseNameTextField.text= HashDbAddDatabaseDialog.databaseNameTextField.text=
HashDbAddDatabaseDialog.jLabel2.text=Select the type of database: HashDbAddDatabaseDialog.jLabel2.text=Select the type of database:
HashDbAddDatabaseDialog.useForIngestCheckbox.text=Enable for ingest HashDbAddDatabaseDialog.useForIngestCheckbox.text=Enable for ingest
HashDbAddDatabaseDialog.sendInboxMessagesCheckbox.text=Enable sending messages to inbox during ingest HashDbAddDatabaseDialog.sendInboxMessagesCheckbox.text=Enable sending messages to inbox during ingest
HashDbSearchPanel.hashTable.columnModel.title0=MD5 Hashes HashDbSearchPanel.hashTable.columnModel.title0=MD5 Hashes
HashDbSearchPanel.hashTable.columnModel.title3=Title 4 HashDbSearchPanel.hashTable.columnModel.title3=Title 4
HashDbSearchPanel.hashTable.columnModel.title2=Title 3 HashDbSearchPanel.hashTable.columnModel.title2=Title 3
HashDbSearchPanel.hashTable.columnModel.title1=Title 2 HashDbSearchPanel.hashTable.columnModel.title1=Title 2
HashDbSearchPanel.addButton.text=Add Hash HashDbSearchPanel.addButton.text=Add Hash
HashDbSearchPanel.hashField.text= HashDbSearchPanel.hashField.text=
HashDbSearchPanel.hashLabel.text=MD5 hash: HashDbSearchPanel.hashLabel.text=MD5 hash:
HashDbSearchPanel.searchButton.text=Search HashDbSearchPanel.searchButton.text=Search
HashDbSearchPanel.removeButton.text=Remove Selected HashDbSearchPanel.removeButton.text=Remove Selected
HashDbSearchPanel.titleLabel.text=Search for files with the following MD5 hash(es): HashDbSearchPanel.titleLabel.text=Search for files with the following MD5 hash(es):
HashDbSearchPanel.errorField.text=Error: Not all files have been hashed. HashDbSearchPanel.errorField.text=Error: Not all files have been hashed.
HashDbSearchPanel.saveBox.text=Remember Hashes HashDbSearchPanel.saveBox.text=Remember Hashes
HashDbSearchPanel.cancelButton.text=Cancel HashDbSearchPanel.cancelButton.text=Cancel
HashDbSimplePanel.calcHashesButton.text=Calculate hashes even if no hash database is selected HashDbSimplePanel.calcHashesButton.text=Calculate hashes even if no hash database is selected
HashDbSimplePanel.nsrlDbLabel.text=NSRL Database: HashDbSimplePanel.nsrlDbLabel.text=NSRL Database:
HashDbSimplePanel.nsrlDbLabelVal.text=- HashDbSimplePanel.nsrlDbLabelVal.text=-
HashDbManagementPanel.hashDbIndexStatusLabel.text=No database selected HashDbManagementPanel.hashDbIndexStatusLabel.text=No database selected
HashDbManagementPanel.jLabel2.text=Name: HashDbManagementPanel.jLabel2.text=Name:
HashDbManagementPanel.showInboxMessagesCheckBox.text=Enable sending messages to inbox during ingest HashDbManagementPanel.showInboxMessagesCheckBox.text=Enable sending messages to inbox during ingest
HashDbManagementPanel.useForIngestCheckbox.text=Enable for ingest HashDbManagementPanel.useForIngestCheckbox.text=Enable for ingest
HashDbManagementPanel.indexButton.text=Index HashDbManagementPanel.indexButton.text=Index
HashDbManagementPanel.indexLabel.text=Index Status: HashDbManagementPanel.indexLabel.text=Index Status:
HashDbManagementPanel.optionsLabel.text=Options HashDbManagementPanel.optionsLabel.text=Options
HashDbManagementPanel.jLabel4.text=Location: HashDbManagementPanel.jLabel4.text=Location:
HashDbManagementPanel.jLabel6.text=Type: HashDbManagementPanel.jLabel6.text=Type:
HashDbManagementPanel.ingestWarningLabel.text=Ingest is ongoing, some settings will be unavailable until it finishes. HashDbManagementPanel.ingestWarningLabel.text=Ingest is ongoing, some settings will be unavailable until it finishes.
HashDbManagementPanel.hashDbTypeLabel.text=No database selected HashDbManagementPanel.hashDbTypeLabel.text=No database selected
HashDbManagementPanel.typeLabel.text=Type: HashDbManagementPanel.typeLabel.text=Type:
HashDbManagementPanel.deleteButton.text=Delete Database HashDbManagementPanel.deleteButton.text=Delete Database
HashDbManagementPanel.importButton.text=Import Database HashDbManagementPanel.importButton.text=Import Database
HashDbManagementPanel.hashDbNameLabel.text=No database selected HashDbManagementPanel.hashDbNameLabel.text=No database selected
HashDbManagementPanel.nameLabel.text=Name: HashDbManagementPanel.nameLabel.text=Name:
HashDbManagementPanel.jButton3.text=Import Database HashDbManagementPanel.jButton3.text=Import Database
HashDbManagementPanel.locationLabel.text=Location: HashDbManagementPanel.locationLabel.text=Location:
HashDbManagementPanel.hashDbLocationLabel.text=No database selected HashDbManagementPanel.hashDbLocationLabel.text=No database selected
HashDbManagementPanel.informationLabel.text=Information HashDbManagementPanel.informationLabel.text=Information
HashDbManagementPanel.hashDatabasesLabel.text=Hash Databases: HashDbManagementPanel.hashDatabasesLabel.text=Hash Databases:
OpenIDE-Module-Short-Description=Hash Database Ingest Module and hash db tools OpenIDE-Module-Short-Description=Hash Database Ingest Module and hash db tools
ModalNoButtons.CURRENTLYON_LABEL.text=Currently Indexing x of y ModalNoButtons.CURRENTLYON_LABEL.text=Currently Indexing x of y
ModalNoButtons.GO_GET_COFFEE_LABEL.text=Hash databases are currently being indexed, this may take some time. ModalNoButtons.GO_GET_COFFEE_LABEL.text=Hash databases are currently being indexed, this may take some time.
ModalNoButtons.CURRENTDB_LABEL.text=(CurrentDb) ModalNoButtons.CURRENTDB_LABEL.text=(CurrentDb)
ModalNoButtons.CANCEL_BUTTON.text=Cancel ModalNoButtons.CANCEL_BUTTON.text=Cancel

606
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDb.java
View File

@ -1,304 +1,304 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.hashdatabase; package org.sleuthkit.autopsy.hashdatabase;
import java.beans.PropertyChangeListener; import java.beans.PropertyChangeListener;
import java.beans.PropertyChangeSupport; import java.beans.PropertyChangeSupport;
import java.io.File; import java.io.File;
import java.util.List; import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import javax.swing.SwingWorker; import javax.swing.SwingWorker;
import org.netbeans.api.progress.ProgressHandle; import org.netbeans.api.progress.ProgressHandle;
import org.netbeans.api.progress.ProgressHandleFactory; import org.netbeans.api.progress.ProgressHandleFactory;
import org.openide.util.Cancellable; import org.openide.util.Cancellable;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.datamodel.SleuthkitJNI; import org.sleuthkit.datamodel.SleuthkitJNI;
import org.sleuthkit.datamodel.TskException; import org.sleuthkit.datamodel.TskException;
/** /**
* Hash database representation of NSRL and Known Bad hash databases * Hash database representation of NSRL and Known Bad hash databases
* with indexing capability * with indexing capability
* *
*/ */
public class HashDb implements Comparable<HashDb> { public class HashDb implements Comparable<HashDb> {
enum EVENT {INDEXING_DONE }; enum EVENT {INDEXING_DONE };
private final PropertyChangeSupport pcs = new PropertyChangeSupport(this); private final PropertyChangeSupport pcs = new PropertyChangeSupport(this);
public enum DBType{ public enum DBType{
NSRL("NSRL"), KNOWN_BAD("Known Bad"); NSRL("NSRL"), KNOWN_BAD("Known Bad");
private String displayName; private String displayName;
private DBType(String displayName) { private DBType(String displayName) {
this.displayName = displayName; this.displayName = displayName;
} }
public String getDisplayName() { public String getDisplayName() {
return this.displayName; return this.displayName;
} }
} }
// Suffix added to the end of a database name to get its index file // Suffix added to the end of a database name to get its index file
private static final String INDEX_SUFFIX = "-md5.idx"; private static final String INDEX_SUFFIX = "-md5.idx";
private String name; private String name;
private List<String> databasePaths; // TODO: Length limited to one for now... private List<String> databasePaths; // TODO: Length limited to one for now...
private boolean useForIngest; private boolean useForIngest;
private boolean showInboxMessages; private boolean showInboxMessages;
private boolean indexing; private boolean indexing;
private DBType type; private DBType type;
public HashDb(String name, List<String> databasePaths, boolean useForIngest, boolean showInboxMessages, DBType type) { public HashDb(String name, List<String> databasePaths, boolean useForIngest, boolean showInboxMessages, DBType type) {
this.name = name; this.name = name;
this.databasePaths = databasePaths; this.databasePaths = databasePaths;
this.useForIngest = useForIngest; this.useForIngest = useForIngest;
this.showInboxMessages = showInboxMessages; this.showInboxMessages = showInboxMessages;
this.type = type; this.type = type;
this.indexing = false; this.indexing = false;
} }
void addPropertyChangeListener(PropertyChangeListener pcl) { void addPropertyChangeListener(PropertyChangeListener pcl) {
pcs.addPropertyChangeListener(pcl); pcs.addPropertyChangeListener(pcl);
} }
void removePropertyChangeListener(PropertyChangeListener pcl) { void removePropertyChangeListener(PropertyChangeListener pcl) {
pcs.removePropertyChangeListener(pcl); pcs.removePropertyChangeListener(pcl);
} }
boolean getUseForIngest() { boolean getUseForIngest() {
return useForIngest; return useForIngest;
} }
boolean getShowInboxMessages() { boolean getShowInboxMessages() {
return showInboxMessages; return showInboxMessages;
} }
DBType getDbType() { DBType getDbType() {
return type; return type;
} }
String getName() { String getName() {
return name; return name;
} }
List<String> getDatabasePaths() { List<String> getDatabasePaths() {
return databasePaths; return databasePaths;
} }
void setUseForIngest(boolean useForIngest) { void setUseForIngest(boolean useForIngest) {
this.useForIngest = useForIngest; this.useForIngest = useForIngest;
} }
void setShowInboxMessages(boolean showInboxMessages) { void setShowInboxMessages(boolean showInboxMessages) {
this.showInboxMessages = showInboxMessages; this.showInboxMessages = showInboxMessages;
} }
void setName(String name) { void setName(String name) {
this.name = name; this.name = name;
} }
void setDatabasePaths(List<String> databasePaths) { void setDatabasePaths(List<String> databasePaths) {
this.databasePaths = databasePaths; this.databasePaths = databasePaths;
} }
void setDbType(DBType type) { void setDbType(DBType type) {
this.type = type; this.type = type;
} }
/** /**
* Checks if the database exists. * Checks if the database exists.
* @return true if a file exists at the database path, else false * @return true if a file exists at the database path, else false
*/ */
boolean databaseExists() { boolean databaseExists() {
return databaseFile().exists(); return databaseFile().exists();
} }
/** /**
* Checks if Sleuth Kit can open the index for the database path. * Checks if Sleuth Kit can open the index for the database path.
* @return true if the index was found and opened successfully, else false * @return true if the index was found and opened successfully, else false
*/ */
boolean indexExists() { boolean indexExists() {
try { try {
return hasIndex(databasePaths.get(0)); // TODO: support multiple paths return hasIndex(databasePaths.get(0)); // TODO: support multiple paths
} catch (TskException ex) { } catch (TskException ex) {
Logger.getLogger(this.getClass().getName()).log(Level.WARNING, "Error checking if index exists.", ex); Logger.getLogger(this.getClass().getName()).log(Level.WARNING, "Error checking if index exists.", ex);
return false; return false;
} }
} }
/** /**
* Gets the database file. * Gets the database file.
* @return a File initialized with the database path * @return a File initialized with the database path
*/ */
File databaseFile() { File databaseFile() {
return new File(databasePaths.get(0)); // TODO: support multiple paths return new File(databasePaths.get(0)); // TODO: support multiple paths
} }
/** /**
* Gets the index file * Gets the index file
* @return a File initialized with an index path derived from the database * @return a File initialized with an index path derived from the database
* path * path
*/ */
File indexFile() { File indexFile() {
return new File(toIndexPath(databasePaths.get(0))); // TODO: support multiple paths return new File(toIndexPath(databasePaths.get(0))); // TODO: support multiple paths
} }
/** /**
* Checks if the index file is older than the database file * Checks if the index file is older than the database file
* @return true if there is are files at the index path and the database * @return true if there is are files at the index path and the database
* path, and the index file has an older modified-time than the database * path, and the index file has an older modified-time than the database
* file, else false * file, else false
*/ */
boolean isOutdated() { boolean isOutdated() {
File i = indexFile(); File i = indexFile();
File db = databaseFile(); File db = databaseFile();
return i.exists() && db.exists() && isOlderThan(i, db); return i.exists() && db.exists() && isOlderThan(i, db);
} }
/** /**
* Checks if the database is being indexed * Checks if the database is being indexed
*/ */
boolean isIndexing() { boolean isIndexing() {
return indexing; return indexing;
} }
/** /**
* Returns the status of the HashDb as determined from indexExists(), * Returns the status of the HashDb as determined from indexExists(),
* databaseExists(), and isOutdated() * databaseExists(), and isOutdated()
* @return IndexStatus enum according to their definitions * @return IndexStatus enum according to their definitions
*/ */
IndexStatus status() { IndexStatus status() {
boolean i = this.indexExists(); boolean i = this.indexExists();
boolean db = this.databaseExists(); boolean db = this.databaseExists();
if(indexing) if(indexing)
return IndexStatus.INDEXING; return IndexStatus.INDEXING;
if (i) { if (i) {
if (db) { if (db) {
return this.isOutdated() ? IndexStatus.INDEX_OUTDATED : IndexStatus.INDEX_CURRENT; return this.isOutdated() ? IndexStatus.INDEX_OUTDATED : IndexStatus.INDEX_CURRENT;
} else { } else {
return IndexStatus.NO_DB; return IndexStatus.NO_DB;
} }
} else { } else {
return db ? IndexStatus.NO_INDEX : IndexStatus.NONE; return db ? IndexStatus.NO_INDEX : IndexStatus.NONE;
} }
} }
/** /**
* Tries to index the database (overwrites any existing index) * Tries to index the database (overwrites any existing index)
* @throws TskException if an error occurs in the SleuthKit bindings * @throws TskException if an error occurs in the SleuthKit bindings
*/ */
void createIndex() throws TskException { void createIndex() throws TskException {
indexing = true; indexing = true;
CreateIndex creator = new CreateIndex(); CreateIndex creator = new CreateIndex();
creator.execute(); creator.execute();
} }
/** /**
* Checks if one file is older than an other * Checks if one file is older than an other
* @param a first file * @param a first file
* @param b second file * @param b second file
* @return true if the first file's last modified data is before the second * @return true if the first file's last modified data is before the second
* file's last modified date * file's last modified date
*/ */
private static boolean isOlderThan(File a, File b) { private static boolean isOlderThan(File a, File b) {
return a.lastModified() < b.lastModified(); return a.lastModified() < b.lastModified();
} }
/** /**
* Determines if a path points to an index by checking the suffix * Determines if a path points to an index by checking the suffix
* @param path * @param path
* @return true if index * @return true if index
*/ */
static boolean isIndexPath(String path) { static boolean isIndexPath(String path) {
return path.endsWith(INDEX_SUFFIX); return path.endsWith(INDEX_SUFFIX);
} }
/** /**
* Derives database path from an image path by removing the suffix. * Derives database path from an image path by removing the suffix.
* @param indexPath * @param indexPath
* @return * @return
*/ */
static String toDatabasePath(String indexPath) { static String toDatabasePath(String indexPath) {
return indexPath.substring(0, indexPath.lastIndexOf(INDEX_SUFFIX)); return indexPath.substring(0, indexPath.lastIndexOf(INDEX_SUFFIX));
} }
/** /**
* Derives image path from an database path by appending the suffix. * Derives image path from an database path by appending the suffix.
* @param databasePath * @param databasePath
* @return * @return
*/ */
static String toIndexPath(String databasePath) { static String toIndexPath(String databasePath) {
return databasePath.concat(INDEX_SUFFIX); return databasePath.concat(INDEX_SUFFIX);
} }
/** /**
* Calls Sleuth Kit method via JNI to determine whether there is an * Calls Sleuth Kit method via JNI to determine whether there is an
* index for the given path * index for the given path
* @param databasePath path Path for the database the index is of * @param databasePath path Path for the database the index is of
* (database doesn't have to actually exist)' * (database doesn't have to actually exist)'
* @return true if index exists * @return true if index exists
* @throws TskException if there is an error in the JNI call * @throws TskException if there is an error in the JNI call
*/ */
static boolean hasIndex(String databasePath) throws TskException { static boolean hasIndex(String databasePath) throws TskException {
return SleuthkitJNI.lookupIndexExists(databasePath); return SleuthkitJNI.lookupIndexExists(databasePath);
} }
@Override @Override
public int compareTo(HashDb o) { public int compareTo(HashDb o) {
return this.name.compareTo(o.name); return this.name.compareTo(o.name);
} }
/* Thread that creates a database's index */ /* Thread that creates a database's index */
private class CreateIndex extends SwingWorker<Object,Void> { private class CreateIndex extends SwingWorker<Object,Void> {
private ProgressHandle progress; private ProgressHandle progress;
CreateIndex(){}; CreateIndex(){};
@Override @Override
protected Object doInBackground() throws Exception { protected Object doInBackground() throws Exception {
progress = ProgressHandleFactory.createHandle("Indexing " + name); progress = ProgressHandleFactory.createHandle("Indexing " + name);
/** We need proper cancel support in TSK to make the task cancellable /** We need proper cancel support in TSK to make the task cancellable
new Cancellable() { new Cancellable() {
Override Override
public boolean cancel() { public boolean cancel() {
return CreateIndex.this.cancel(true); return CreateIndex.this.cancel(true);
} }
}); });
*/ */
progress.start(); progress.start();
progress.switchToIndeterminate(); progress.switchToIndeterminate();
SleuthkitJNI.createLookupIndex(databasePaths.get(0)); SleuthkitJNI.createLookupIndex(databasePaths.get(0));
return null; return null;
} }
/* clean up or start the worker threads */ /* clean up or start the worker threads */
@Override @Override
protected void done() { protected void done() {
indexing = false; indexing = false;
progress.finish(); progress.finish();
pcs.firePropertyChange(EVENT.INDEXING_DONE.toString(), null, name); pcs.firePropertyChange(EVENT.INDEXING_DONE.toString(), null, name);
} }
} }
} }

850
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbXML.java
View File

@ -1,425 +1,425 @@
/* /*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org * Contact: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.hashdatabase; package org.sleuthkit.autopsy.hashdatabase;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import javax.swing.JFileChooser; import javax.swing.JFileChooser;
import javax.swing.JOptionPane; import javax.swing.JOptionPane;
import javax.swing.filechooser.FileNameExtensionFilter; import javax.swing.filechooser.FileNameExtensionFilter;
import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.ParserConfigurationException;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.coreutils.PlatformUtil;
import org.sleuthkit.autopsy.coreutils.XMLUtil; import org.sleuthkit.autopsy.coreutils.XMLUtil;
import org.sleuthkit.autopsy.hashdatabase.HashDb.DBType; import org.sleuthkit.autopsy.hashdatabase.HashDb.DBType;
import org.sleuthkit.datamodel.SleuthkitJNI; import org.sleuthkit.datamodel.SleuthkitJNI;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
import org.w3c.dom.Document; import org.w3c.dom.Document;
import org.w3c.dom.Element; import org.w3c.dom.Element;
import org.w3c.dom.NodeList; import org.w3c.dom.NodeList;
public class HashDbXML { public class HashDbXML {
private static final String ROOT_EL = "hash_sets"; private static final String ROOT_EL = "hash_sets";
private static final String SET_EL = "hash_set"; private static final String SET_EL = "hash_set";
private static final String SET_NAME_ATTR = "name"; private static final String SET_NAME_ATTR = "name";
private static final String SET_TYPE_ATTR = "type"; private static final String SET_TYPE_ATTR = "type";
private static final String SET_USE_FOR_INGEST_ATTR = "use_for_ingest"; private static final String SET_USE_FOR_INGEST_ATTR = "use_for_ingest";
private static final String SET_SHOW_INBOX_MESSAGES = "show_inbox_messages"; private static final String SET_SHOW_INBOX_MESSAGES = "show_inbox_messages";
private static final String PATH_EL = "hash_set_path"; private static final String PATH_EL = "hash_set_path";
private static final String PATH_NUMBER_ATTR = "number"; private static final String PATH_NUMBER_ATTR = "number";
private static final String CUR_HASHSETS_FILE_NAME = "hashsets.xml"; private static final String CUR_HASHSETS_FILE_NAME = "hashsets.xml";
private static final String XSDFILE = "HashsetsSchema.xsd"; private static final String XSDFILE = "HashsetsSchema.xsd";
private static final String ENCODING = "UTF-8"; private static final String ENCODING = "UTF-8";
private static final String CUR_HASHSET_FILE = PlatformUtil.getUserConfigDirectory() + File.separator + CUR_HASHSETS_FILE_NAME; private static final String CUR_HASHSET_FILE = PlatformUtil.getUserConfigDirectory() + File.separator + CUR_HASHSETS_FILE_NAME;
private static final String SET_CALC = "hash_calculate"; private static final String SET_CALC = "hash_calculate";
private static final String SET_VALUE = "value"; private static final String SET_VALUE = "value";
private static final Logger logger = Logger.getLogger(HashDbXML.class.getName()); private static final Logger logger = Logger.getLogger(HashDbXML.class.getName());
private static HashDbXML currentInstance; private static HashDbXML currentInstance;
private List<HashDb> knownBadSets; private List<HashDb> knownBadSets;
private HashDb nsrlSet; private HashDb nsrlSet;
private String xmlFile; private String xmlFile;
private boolean calculate; private boolean calculate;
private HashDbXML(String xmlFile) { private HashDbXML(String xmlFile) {
knownBadSets = new ArrayList<HashDb>(); knownBadSets = new ArrayList<HashDb>();
this.xmlFile = xmlFile; this.xmlFile = xmlFile;
} }
/** /**
* get instance for managing the current keyword list of the application * get instance for managing the current keyword list of the application
*/ */
static synchronized HashDbXML getCurrent() { static synchronized HashDbXML getCurrent() {
if (currentInstance == null) { if (currentInstance == null) {
currentInstance = new HashDbXML(CUR_HASHSET_FILE); currentInstance = new HashDbXML(CUR_HASHSET_FILE);
currentInstance.reload(); currentInstance.reload();
} }
return currentInstance; return currentInstance;
} }
/** /**
* Get the hash sets * Get the hash sets
*/ */
public List<HashDb> getAllSets() { public List<HashDb> getAllSets() {
List<HashDb> ret = new ArrayList<HashDb>(); List<HashDb> ret = new ArrayList<HashDb>();
if(nsrlSet != null) { if(nsrlSet != null) {
ret.add(nsrlSet); ret.add(nsrlSet);
} }
ret.addAll(knownBadSets); ret.addAll(knownBadSets);
return ret; return ret;
} }
/** /**
* Get the Known Bad sets * Get the Known Bad sets
*/ */
public List<HashDb> getKnownBadSets() { public List<HashDb> getKnownBadSets() {
return knownBadSets; return knownBadSets;
} }
/** /**
* Get the NSRL set * Get the NSRL set
*/ */
public HashDb getNSRLSet() { public HashDb getNSRLSet() {
return nsrlSet; return nsrlSet;
} }
/** /**
* Add a known bad hash set * Add a known bad hash set
*/ */
public void addKnownBadSet(HashDb set) { public void addKnownBadSet(HashDb set) {
knownBadSets.add(set); knownBadSets.add(set);
//save(); //save();
} }
/** /**
* Add a known bad hash set * Add a known bad hash set
*/ */
public void addKnownBadSet(int index, HashDb set) { public void addKnownBadSet(int index, HashDb set) {
knownBadSets.add(index, set); knownBadSets.add(index, set);
//save(); //save();
} }
/** /**
* Set the NSRL hash set (override old set) * Set the NSRL hash set (override old set)
*/ */
public void setNSRLSet(HashDb set) { public void setNSRLSet(HashDb set) {
this.nsrlSet = set; this.nsrlSet = set;
//save(); //save();
} }
/** /**
* Remove a hash known bad set * Remove a hash known bad set
*/ */
public void removeKnownBadSetAt(int index) { public void removeKnownBadSetAt(int index) {
knownBadSets.remove(index); knownBadSets.remove(index);
//save(); //save();
} }
/** /**
* Remove the NSRL database * Remove the NSRL database
*/ */
public void removeNSRLSet() { public void removeNSRLSet() {
this.nsrlSet = null; this.nsrlSet = null;
//save(); //save();
} }
/** /**
* load the file or create new * load the file or create new
*/ */
public void reload() { public void reload() {
boolean created = false; boolean created = false;
//TODO clearing the list causes a bug: we lose track of the state //TODO clearing the list causes a bug: we lose track of the state
//whether db is being indexed, we should somehow preserve the state when loading new HashDb objects //whether db is being indexed, we should somehow preserve the state when loading new HashDb objects
knownBadSets.clear(); knownBadSets.clear();
nsrlSet = null; nsrlSet = null;
if (!this.setsFileExists()) { if (!this.setsFileExists()) {
//create new if it doesn't exist //create new if it doesn't exist
save(); save();
created = true; created = true;
} }
//load, if fails to load create new; save regardless //load, if fails to load create new; save regardless
load(); load();
if (!created) { if (!created) {
//create new if failed to load //create new if failed to load
save(); save();
} }
} }
/** /**
* Sets the local variable calculate to the given boolean. * Sets the local variable calculate to the given boolean.
* @param set the state to make calculate * @param set the state to make calculate
*/ */
public void setCalculate(boolean set) { public void setCalculate(boolean set) {
this.calculate = set; this.calculate = set;
//save(); //save();
} }
/** /**
* Returns the value of the local boolean calculate. * Returns the value of the local boolean calculate.
* @return true if calculate is true, false otherwise * @return true if calculate is true, false otherwise
*/ */
public boolean getCalculate() { public boolean getCalculate() {
return this.calculate; return this.calculate;
} }
/** /**
* writes out current sets file replacing the last one * writes out current sets file replacing the last one
*/ */
public boolean save() { public boolean save() {
boolean success = false; boolean success = false;
DocumentBuilderFactory dbfac = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbfac = DocumentBuilderFactory.newInstance();
try { try {
DocumentBuilder docBuilder = dbfac.newDocumentBuilder(); DocumentBuilder docBuilder = dbfac.newDocumentBuilder();
Document doc = docBuilder.newDocument(); Document doc = docBuilder.newDocument();
Element rootEl = doc.createElement(ROOT_EL); Element rootEl = doc.createElement(ROOT_EL);
doc.appendChild(rootEl); doc.appendChild(rootEl);
for (HashDb set : knownBadSets) { for (HashDb set : knownBadSets) {
String useForIngest = Boolean.toString(set.getUseForIngest()); String useForIngest = Boolean.toString(set.getUseForIngest());
String showInboxMessages = Boolean.toString(set.getShowInboxMessages()); String showInboxMessages = Boolean.toString(set.getShowInboxMessages());
List<String> paths = set.getDatabasePaths(); List<String> paths = set.getDatabasePaths();
String type = DBType.KNOWN_BAD.toString(); String type = DBType.KNOWN_BAD.toString();
Element setEl = doc.createElement(SET_EL); Element setEl = doc.createElement(SET_EL);
setEl.setAttribute(SET_NAME_ATTR, set.getName()); setEl.setAttribute(SET_NAME_ATTR, set.getName());
setEl.setAttribute(SET_TYPE_ATTR, type); setEl.setAttribute(SET_TYPE_ATTR, type);
setEl.setAttribute(SET_USE_FOR_INGEST_ATTR, useForIngest); setEl.setAttribute(SET_USE_FOR_INGEST_ATTR, useForIngest);
setEl.setAttribute(SET_SHOW_INBOX_MESSAGES, showInboxMessages); setEl.setAttribute(SET_SHOW_INBOX_MESSAGES, showInboxMessages);
for (int i = 0; i < paths.size(); i++) { for (int i = 0; i < paths.size(); i++) {
String path = paths.get(i); String path = paths.get(i);
Element pathEl = doc.createElement(PATH_EL); Element pathEl = doc.createElement(PATH_EL);
pathEl.setAttribute(PATH_NUMBER_ATTR, Integer.toString(i)); pathEl.setAttribute(PATH_NUMBER_ATTR, Integer.toString(i));
pathEl.setTextContent(path); pathEl.setTextContent(path);
setEl.appendChild(pathEl); setEl.appendChild(pathEl);
} }
rootEl.appendChild(setEl); rootEl.appendChild(setEl);
} }
if(nsrlSet != null) { if(nsrlSet != null) {
String useForIngest = Boolean.toString(nsrlSet.getUseForIngest()); String useForIngest = Boolean.toString(nsrlSet.getUseForIngest());
String showInboxMessages = Boolean.toString(nsrlSet.getShowInboxMessages()); String showInboxMessages = Boolean.toString(nsrlSet.getShowInboxMessages());
List<String> paths = nsrlSet.getDatabasePaths(); List<String> paths = nsrlSet.getDatabasePaths();
String type = DBType.NSRL.toString(); String type = DBType.NSRL.toString();
Element setEl = doc.createElement(SET_EL); Element setEl = doc.createElement(SET_EL);
setEl.setAttribute(SET_NAME_ATTR, nsrlSet.getName()); setEl.setAttribute(SET_NAME_ATTR, nsrlSet.getName());
setEl.setAttribute(SET_TYPE_ATTR, type); setEl.setAttribute(SET_TYPE_ATTR, type);
setEl.setAttribute(SET_USE_FOR_INGEST_ATTR, useForIngest); setEl.setAttribute(SET_USE_FOR_INGEST_ATTR, useForIngest);
setEl.setAttribute(SET_SHOW_INBOX_MESSAGES, showInboxMessages); setEl.setAttribute(SET_SHOW_INBOX_MESSAGES, showInboxMessages);
for (int i = 0; i < paths.size(); i++) { for (int i = 0; i < paths.size(); i++) {
String path = paths.get(i); String path = paths.get(i);
Element pathEl = doc.createElement(PATH_EL); Element pathEl = doc.createElement(PATH_EL);
pathEl.setAttribute(PATH_NUMBER_ATTR, Integer.toString(i)); pathEl.setAttribute(PATH_NUMBER_ATTR, Integer.toString(i));
pathEl.setTextContent(path); pathEl.setTextContent(path);
setEl.appendChild(pathEl); setEl.appendChild(pathEl);
} }
rootEl.appendChild(setEl); rootEl.appendChild(setEl);
} }
String calcValue = Boolean.toString(calculate); String calcValue = Boolean.toString(calculate);
Element setCalc = doc.createElement(SET_CALC); Element setCalc = doc.createElement(SET_CALC);
setCalc.setAttribute(SET_VALUE, calcValue); setCalc.setAttribute(SET_VALUE, calcValue);
rootEl.appendChild(setCalc); rootEl.appendChild(setCalc);
success = XMLUtil.saveDoc(HashDbXML.class, xmlFile, ENCODING, doc); success = XMLUtil.saveDoc(HashDbXML.class, xmlFile, ENCODING, doc);
} catch (ParserConfigurationException e) { } catch (ParserConfigurationException e) {
logger.log(Level.SEVERE, "Error saving hash sets: can't initialize parser.", e); logger.log(Level.SEVERE, "Error saving hash sets: can't initialize parser.", e);
} }
return success; return success;
} }
/** /**
* load and parse XML, then dispose * load and parse XML, then dispose
*/ */
public boolean load() { public boolean load() {
final Document doc = XMLUtil.loadDoc(HashDbXML.class, xmlFile, XSDFILE); final Document doc = XMLUtil.loadDoc(HashDbXML.class, xmlFile, XSDFILE);
if (doc == null) { if (doc == null) {
return false; return false;
} }
Element root = doc.getDocumentElement(); Element root = doc.getDocumentElement();
if (root == null) { if (root == null) {
logger.log(Level.SEVERE, "Error loading hash sets: invalid file format."); logger.log(Level.SEVERE, "Error loading hash sets: invalid file format.");
return false; return false;
} }
NodeList setsNList = root.getElementsByTagName(SET_EL); NodeList setsNList = root.getElementsByTagName(SET_EL);
int numSets = setsNList.getLength(); int numSets = setsNList.getLength();
if(numSets==0) { if(numSets==0) {
logger.log(Level.WARNING, "No element hash_set exists."); logger.log(Level.WARNING, "No element hash_set exists.");
} }
for (int i = 0; i < numSets; ++i) { for (int i = 0; i < numSets; ++i) {
Element setEl = (Element) setsNList.item(i); Element setEl = (Element) setsNList.item(i);
final String name = setEl.getAttribute(SET_NAME_ATTR); final String name = setEl.getAttribute(SET_NAME_ATTR);
final String type = setEl.getAttribute(SET_TYPE_ATTR); final String type = setEl.getAttribute(SET_TYPE_ATTR);
final String useForIngest = setEl.getAttribute(SET_USE_FOR_INGEST_ATTR); final String useForIngest = setEl.getAttribute(SET_USE_FOR_INGEST_ATTR);
final String showInboxMessages = setEl.getAttribute(SET_SHOW_INBOX_MESSAGES); final String showInboxMessages = setEl.getAttribute(SET_SHOW_INBOX_MESSAGES);
Boolean useForIngestBool = Boolean.parseBoolean(useForIngest); Boolean useForIngestBool = Boolean.parseBoolean(useForIngest);
Boolean showInboxMessagesBool = Boolean.parseBoolean(showInboxMessages); Boolean showInboxMessagesBool = Boolean.parseBoolean(showInboxMessages);
List<String> paths = new ArrayList<String>(); List<String> paths = new ArrayList<String>();
// Parse all paths // Parse all paths
NodeList pathsNList = setEl.getElementsByTagName(PATH_EL); NodeList pathsNList = setEl.getElementsByTagName(PATH_EL);
final int numPaths = pathsNList.getLength(); final int numPaths = pathsNList.getLength();
for (int j = 0; j < numPaths; ++j) { for (int j = 0; j < numPaths; ++j) {
Element pathEl = (Element) pathsNList.item(j); Element pathEl = (Element) pathsNList.item(j);
String number = pathEl.getAttribute(PATH_NUMBER_ATTR); String number = pathEl.getAttribute(PATH_NUMBER_ATTR);
String path = pathEl.getTextContent(); String path = pathEl.getTextContent();
// If either the database or it's index exist // If either the database or it's index exist
File database = new File(path); File database = new File(path);
File index = new File(HashDb.toIndexPath(path)); File index = new File(HashDb.toIndexPath(path));
if(database.exists() || index.exists()) { if(database.exists() || index.exists()) {
paths.add(path); paths.add(path);
} else { } else {
// Ask for new path // Ask for new path
int ret = JOptionPane.showConfirmDialog(null, "Database " + name + " could not be found at location\n" int ret = JOptionPane.showConfirmDialog(null, "Database " + name + " could not be found at location\n"
+ path + "\n" + path + "\n"
+ " Would you like to search for the file?", "Missing Database", JOptionPane.YES_NO_OPTION); + " Would you like to search for the file?", "Missing Database", JOptionPane.YES_NO_OPTION);
if (ret == JOptionPane.YES_OPTION) { if (ret == JOptionPane.YES_OPTION) {
String filePath = searchForFile(name); String filePath = searchForFile(name);
if(filePath!=null) { if(filePath!=null) {
paths.add(filePath); paths.add(filePath);
} }
} }
} }
} }
// Check everything was properly set // Check everything was properly set
if(name.isEmpty()) { if(name.isEmpty()) {
logger.log(Level.WARNING, "Name was not set for hash_set at index {0}.", i); logger.log(Level.WARNING, "Name was not set for hash_set at index {0}.", i);
} }
if(type.isEmpty()) { if(type.isEmpty()) {
logger.log(Level.SEVERE, "Type was not set for hash_set at index {0}, cannot make instance of HashDb class.", i); logger.log(Level.SEVERE, "Type was not set for hash_set at index {0}, cannot make instance of HashDb class.", i);
return false; // exit because this causes a fatal error return false; // exit because this causes a fatal error
} }
if(useForIngest.isEmpty()) { if(useForIngest.isEmpty()) {
logger.log(Level.WARNING, "UseForIngest was not set for hash_set at index {0}.", i); logger.log(Level.WARNING, "UseForIngest was not set for hash_set at index {0}.", i);
} }
if(showInboxMessages.isEmpty()) { if(showInboxMessages.isEmpty()) {
logger.log(Level.WARNING, "ShowInboxMessages was not set for hash_set at index {0}.", i); logger.log(Level.WARNING, "ShowInboxMessages was not set for hash_set at index {0}.", i);
} }
if(paths.isEmpty()) { if(paths.isEmpty()) {
logger.log(Level.WARNING, "No paths were set for hash_set at index {0}. Removing the database.", i); logger.log(Level.WARNING, "No paths were set for hash_set at index {0}. Removing the database.", i);
} else { } else {
// No paths for this entry, the user most likely declined to search for them // No paths for this entry, the user most likely declined to search for them
DBType typeDBType = DBType.valueOf(type); DBType typeDBType = DBType.valueOf(type);
HashDb set = new HashDb(name, paths, useForIngestBool, showInboxMessagesBool, typeDBType); HashDb set = new HashDb(name, paths, useForIngestBool, showInboxMessagesBool, typeDBType);
if(typeDBType == DBType.KNOWN_BAD) { if(typeDBType == DBType.KNOWN_BAD) {
knownBadSets.add(set); knownBadSets.add(set);
} else if(typeDBType == DBType.NSRL) { } else if(typeDBType == DBType.NSRL) {
this.nsrlSet = set; this.nsrlSet = set;
} }
} }
} }
NodeList calcList = root.getElementsByTagName(SET_CALC); NodeList calcList = root.getElementsByTagName(SET_CALC);
int numCalc = calcList.getLength(); // Shouldn't be more than 1 int numCalc = calcList.getLength(); // Shouldn't be more than 1
if(numCalc==0) { if(numCalc==0) {
logger.log(Level.WARNING, "No element hash_calculate exists."); logger.log(Level.WARNING, "No element hash_calculate exists.");
} }
for(int i=0; i<numCalc; i++) { for(int i=0; i<numCalc; i++) {
Element calcEl = (Element) calcList.item(i); Element calcEl = (Element) calcList.item(i);
final String value = calcEl.getAttribute(SET_VALUE); final String value = calcEl.getAttribute(SET_VALUE);
calculate = Boolean.parseBoolean(value); calculate = Boolean.parseBoolean(value);
} }
return true; return true;
} }
/** /**
* Ask the user to browse to a new Hash Database file with the same database * Ask the user to browse to a new Hash Database file with the same database
* name as the one provided. If the names do not match, the database cannot * name as the one provided. If the names do not match, the database cannot
* be added. If the user cancels the search, return null, meaning the user * be added. If the user cancels the search, return null, meaning the user
* would like to remove the entry for the missing database. * would like to remove the entry for the missing database.
* *
* @param name the name of the database to add * @param name the name of the database to add
* @return the file path to the new database, or null if the user wants to * @return the file path to the new database, or null if the user wants to
* delete the old database * delete the old database
*/ */
private String searchForFile(String name) { private String searchForFile(String name) {
// Initialize the file chooser and only allow hash databases to be opened // Initialize the file chooser and only allow hash databases to be opened
JFileChooser fc = new JFileChooser(); JFileChooser fc = new JFileChooser();
fc.setDragEnabled(false); fc.setDragEnabled(false);
fc.setFileSelectionMode(JFileChooser.FILES_ONLY); fc.setFileSelectionMode(JFileChooser.FILES_ONLY);
String[] EXTENSION = new String[] { "txt", "idx", "hash", "Hash" }; String[] EXTENSION = new String[] { "txt", "idx", "hash", "Hash" };
FileNameExtensionFilter filter = new FileNameExtensionFilter( FileNameExtensionFilter filter = new FileNameExtensionFilter(
"Hash Database File", EXTENSION); "Hash Database File", EXTENSION);
fc.setFileFilter(filter); fc.setFileFilter(filter);
fc.setMultiSelectionEnabled(false); fc.setMultiSelectionEnabled(false);
int retval = fc.showOpenDialog(null); int retval = fc.showOpenDialog(null);
// If the user selects an appropriate file // If the user selects an appropriate file
if (retval == JFileChooser.APPROVE_OPTION) { if (retval == JFileChooser.APPROVE_OPTION) {
File f = fc.getSelectedFile(); File f = fc.getSelectedFile();
try { try {
String filePath = f.getCanonicalPath(); String filePath = f.getCanonicalPath();
if (HashDb.isIndexPath(filePath)) { if (HashDb.isIndexPath(filePath)) {
filePath = HashDb.toDatabasePath(filePath); filePath = HashDb.toDatabasePath(filePath);
} }
String derivedName = SleuthkitJNI.getDatabaseName(filePath); String derivedName = SleuthkitJNI.getDatabaseName(filePath);
// If the database has the same name as before, return it // If the database has the same name as before, return it
if(derivedName.equals(name)) { if(derivedName.equals(name)) {
return filePath; return filePath;
} else { } else {
int tryAgain = JOptionPane.showConfirmDialog(null, "Database file cannot be added because it does not have the same name as the original.\n" + int tryAgain = JOptionPane.showConfirmDialog(null, "Database file cannot be added because it does not have the same name as the original.\n" +
"Would you like to try a different database?", "Invalid File", JOptionPane.YES_NO_OPTION); "Would you like to try a different database?", "Invalid File", JOptionPane.YES_NO_OPTION);
if (tryAgain == JOptionPane.YES_OPTION) { if (tryAgain == JOptionPane.YES_OPTION) {
return searchForFile(name); return searchForFile(name);
} else { } else {
return null; return null;
} }
} }
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.WARNING, "Couldn't get selected file path.", ex); logger.log(Level.WARNING, "Couldn't get selected file path.", ex);
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
int tryAgain = JOptionPane.showConfirmDialog(null, "Database file you chose cannot be opened.\n" + "If it was just an index, please try to recreate it from the database.\n" + int tryAgain = JOptionPane.showConfirmDialog(null, "Database file you chose cannot be opened.\n" + "If it was just an index, please try to recreate it from the database.\n" +
"Would you like to choose another database?", "Invalid File", JOptionPane.YES_NO_OPTION); "Would you like to choose another database?", "Invalid File", JOptionPane.YES_NO_OPTION);
if (tryAgain == JOptionPane.YES_OPTION) { if (tryAgain == JOptionPane.YES_OPTION) {
return searchForFile(name); return searchForFile(name);
} else { } else {
return null; return null;
} }
} }
} }
// Otherwise the user cancelled, so delete the missing entry // Otherwise the user cancelled, so delete the missing entry
return null; return null;
} }
private boolean setsFileExists() { private boolean setsFileExists() {
File f = new File(xmlFile); File f = new File(xmlFile);
return f.exists() && f.canRead() && f.canWrite(); return f.exists() && f.canRead() && f.canWrite();
} }
} }

18
KeywordSearch/manifest.mf
View File

@ -1,9 +1,9 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.keywordsearch/5 OpenIDE-Module: org.sleuthkit.autopsy.keywordsearch/5
OpenIDE-Module-Implementation-Version: 9 OpenIDE-Module-Implementation-Version: 9
OpenIDE-Module-Install: org/sleuthkit/autopsy/keywordsearch/Installer.class OpenIDE-Module-Install: org/sleuthkit/autopsy/keywordsearch/Installer.class
OpenIDE-Module-Layer: org/sleuthkit/autopsy/keywordsearch/layer.xml OpenIDE-Module-Layer: org/sleuthkit/autopsy/keywordsearch/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/keywordsearch/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/keywordsearch/Bundle.properties
OpenIDE-Module-Requires: org.openide.windows.WindowManager OpenIDE-Module-Requires: org.openide.windows.WindowManager

12
KeywordSearch/nbproject/project.properties
View File

@ -1,6 +1,6 @@
javac.source=1.7 javac.source=1.7
javac.compilerargs=-Xlint -Xlint:-serial javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/ nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true nbm.needs.restart=true
spec.version.base=3.2 spec.version.base=3.2

182
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/Bundle.properties
View File

@ -1,91 +1,91 @@
OpenIDE-Module-Display-Category=Ingest Module OpenIDE-Module-Display-Category=Ingest Module
OpenIDE-Module-Long-Description=\ OpenIDE-Module-Long-Description=\
Keyword Search ingest module.\n\n\ Keyword Search ingest module.\n\n\
The module indexes files found in the disk image at ingest time. \ The module indexes files found in the disk image at ingest time. \
It then periodically runs the search on the indexed files using one or more keyword lists (containing pure words and/or regular expressions) and posts results.\n\n\ It then periodically runs the search on the indexed files using one or more keyword lists (containing pure words and/or regular expressions) and posts results.\n\n\
The module also contains additional tools integrated in the main GUI, such as keyword list configuration, keyword seach bar in the top-right corner, extracted text viewer and search results viewer showing highlighted keywords found. The module also contains additional tools integrated in the main GUI, such as keyword list configuration, keyword seach bar in the top-right corner, extracted text viewer and search results viewer showing highlighted keywords found.
OpenIDE-Module-Name=KeywordSearch OpenIDE-Module-Name=KeywordSearch
ListBundleName=Keyword Lists ListBundleName=Keyword Lists
ListBundleConfig=Keyword List Configuration ListBundleConfig=Keyword List Configuration
IndexProgressPanel.statusText.text=Status text IndexProgressPanel.statusText.text=Status text
IndexProgressPanel.cancelButton.text=Cancel IndexProgressPanel.cancelButton.text=Cancel
ExtractedContentPanel.hitLabel.text=Matches on page: ExtractedContentPanel.hitLabel.text=Matches on page:
ExtractedContentPanel.hitCountLabel.text=- ExtractedContentPanel.hitCountLabel.text=-
ExtractedContentPanel.hitOfLabel.text=of ExtractedContentPanel.hitOfLabel.text=of
ExtractedContentPanel.hitTotalLabel.text=- ExtractedContentPanel.hitTotalLabel.text=-
ExtractedContentPanel.hitButtonsLabel.text=Match ExtractedContentPanel.hitButtonsLabel.text=Match
ExtractedContentPanel.hitPreviousButton.text= ExtractedContentPanel.hitPreviousButton.text=
ExtractedContentPanel.hitNextButton.text= ExtractedContentPanel.hitNextButton.text=
ExtractedContentPanel.copyMenuItem.text=Copy ExtractedContentPanel.copyMenuItem.text=Copy
ExtractedContentPanel.selectAllMenuItem.text=Select All ExtractedContentPanel.selectAllMenuItem.text=Select All
KeywordSearchEditListPanel.saveListButton.text=Copy List KeywordSearchEditListPanel.saveListButton.text=Copy List
KeywordSearchEditListPanel.addWordField.text= KeywordSearchEditListPanel.addWordField.text=
KeywordSearchEditListPanel.addWordButton.text=Add KeywordSearchEditListPanel.addWordButton.text=Add
KeywordSearchEditListPanel.chRegex.text=Regular Expression KeywordSearchEditListPanel.chRegex.text=Regular Expression
KeywordSearchEditListPanel.deleteWordButton.text=Remove Selected KeywordSearchEditListPanel.deleteWordButton.text=Remove Selected
KeywordSearchEditListPanel.cutMenuItem.text=Cut KeywordSearchEditListPanel.cutMenuItem.text=Cut
KeywordSearchEditListPanel.selectAllMenuItem.text=Select All KeywordSearchEditListPanel.selectAllMenuItem.text=Select All
KeywordSearchEditListPanel.pasteMenuItem.text=Paste KeywordSearchEditListPanel.pasteMenuItem.text=Paste
KeywordSearchEditListPanel.copyMenuItem.text=Copy KeywordSearchEditListPanel.copyMenuItem.text=Copy
KeywordSearchEditListPanel.exportButton.text=Export List KeywordSearchEditListPanel.exportButton.text=Export List
KeywordSearchEditListPanel.deleteListButton.text=Delete List KeywordSearchEditListPanel.deleteListButton.text=Delete List
KeywordSearchListsManagementPanel.newListButton.text=New List KeywordSearchListsManagementPanel.newListButton.text=New List
KeywordSearchEditListPanel.useForIngestCheckbox.text=Enable for ingest KeywordSearchEditListPanel.useForIngestCheckbox.text=Enable for ingest
KeywordSearchListsManagementPanel.importButton.text=Import List KeywordSearchListsManagementPanel.importButton.text=Import List
KeywordSearchPanel.searchBox.text=Search... KeywordSearchPanel.searchBox.text=Search...
KeywordSearchPanel.regExCheckboxMenuItem.text=Use Regular Expressions KeywordSearchPanel.regExCheckboxMenuItem.text=Use Regular Expressions
KeywordSearchPanel.settingsLabel.text= KeywordSearchPanel.settingsLabel.text=
KeywordSearchListsViewerPanel.searchAddButton.text=Search KeywordSearchListsViewerPanel.searchAddButton.text=Search
KeywordSearchListsViewerPanel.manageListsButton.text=Manage Lists KeywordSearchListsViewerPanel.manageListsButton.text=Manage Lists
KeywordSearchListsViewerPanel.ingestIndexLabel.text=Files Indexed: KeywordSearchListsViewerPanel.ingestIndexLabel.text=Files Indexed:
KeywordSearchEditListPanel.selectorsCombo.toolTipText=Regular Expression selector type (optional) KeywordSearchEditListPanel.selectorsCombo.toolTipText=Regular Expression selector type (optional)
KeywordSearchPanel.searchButton.text= KeywordSearchPanel.searchButton.text=
KeywordSearchPanel.cutMenuItem.text=Cut KeywordSearchPanel.cutMenuItem.text=Cut
KeywordSearchPanel.copyMenuItem.text=Copy KeywordSearchPanel.copyMenuItem.text=Copy
KeywordSearchPanel.pasteMenuItem.text=Paste KeywordSearchPanel.pasteMenuItem.text=Paste
KeywordSearchPanel.selectAllMenuItem.text=Select All KeywordSearchPanel.selectAllMenuItem.text=Select All
ExtractedContentPanel.pageButtonsLabel.text=Page ExtractedContentPanel.pageButtonsLabel.text=Page
ExtractedContentPanel.pageNextButton.text= ExtractedContentPanel.pageNextButton.text=
ExtractedContentPanel.pagePreviousButton.actionCommand=pagePreviousButton ExtractedContentPanel.pagePreviousButton.actionCommand=pagePreviousButton
ExtractedContentPanel.pagePreviousButton.text= ExtractedContentPanel.pagePreviousButton.text=
ExtractedContentPanel.pagesLabel.text=Page: ExtractedContentPanel.pagesLabel.text=Page:
ExtractedContentPanel.pageOfLabel.text=of ExtractedContentPanel.pageOfLabel.text=of
ExtractedContentPanel.pageCurLabel.text=- ExtractedContentPanel.pageCurLabel.text=-
ExtractedContentPanel.pageTotalLabel.text=- ExtractedContentPanel.pageTotalLabel.text=-
ExtractedContentPanel.hitLabel.toolTipText= ExtractedContentPanel.hitLabel.toolTipText=
KeywordSearchEditListPanel.ingestMessagesCheckbox.text=Enable sending messages to inbox during ingest KeywordSearchEditListPanel.ingestMessagesCheckbox.text=Enable sending messages to inbox during ingest
KeywordSearchEditListPanel.ingestMessagesCheckbox.toolTipText=Send messages during triage / ingest when hits on keyword from this list occur KeywordSearchEditListPanel.ingestMessagesCheckbox.toolTipText=Send messages during triage / ingest when hits on keyword from this list occur
KeywordSearchConfigurationPanel2.skipNSRLCheckBox.text=Do not add files in NSRL (known files) to keyword index during ingest KeywordSearchConfigurationPanel2.skipNSRLCheckBox.text=Do not add files in NSRL (known files) to keyword index during ingest
KeywordSearchConfigurationPanel2.skipNSRLCheckBox.toolTipText=Requires Hash DB service to had run previously, or be selected for next ingest. KeywordSearchConfigurationPanel2.skipNSRLCheckBox.toolTipText=Requires Hash DB service to had run previously, or be selected for next ingest.
KeywordSearchConfigurationPanel2.filesIndexedValue.text=- KeywordSearchConfigurationPanel2.filesIndexedValue.text=-
KeywordSearchConfigurationPanel2.filesIndexedLabel.text=Files in keyword index: KeywordSearchConfigurationPanel2.filesIndexedLabel.text=Files in keyword index:
KeywordSearchIngestSimplePanel.languagesLabel.text=Scripts enabled for string extraction from unknown file types: KeywordSearchIngestSimplePanel.languagesLabel.text=Scripts enabled for string extraction from unknown file types:
KeywordSearchIngestSimplePanel.languagesValLabel.text=- KeywordSearchIngestSimplePanel.languagesValLabel.text=-
KeywordSearchIngestSimplePanel.languagesLabel.toolTipText=Scripts enabled for string extraction from unknown file types. Changes can be done in Advanced Settings. KeywordSearchIngestSimplePanel.languagesLabel.toolTipText=Scripts enabled for string extraction from unknown file types. Changes can be done in Advanced Settings.
KeywordSearchIngestSimplePanel.languagesValLabel.toolTipText= KeywordSearchIngestSimplePanel.languagesValLabel.toolTipText=
KeywordSearchConfigurationPanel3.languagesLabel.text=Enabled scripts (languages): KeywordSearchConfigurationPanel3.languagesLabel.text=Enabled scripts (languages):
KeywordSearchConfigurationPanel2.chunksLabel.text=Chunks in keyword index: KeywordSearchConfigurationPanel2.chunksLabel.text=Chunks in keyword index:
KeywordSearchConfigurationPanel2.chunksValLabel.text=- KeywordSearchConfigurationPanel2.chunksValLabel.text=-
KeywordSearchConfigurationPanel3.enableUTF8Checkbox.text=Enable UTF8 text extraction KeywordSearchConfigurationPanel3.enableUTF8Checkbox.text=Enable UTF8 text extraction
KeywordSearchConfigurationPanel3.enableUTF16Checkbox.text=Enable UTF16LE and UTF16BE string extraction KeywordSearchConfigurationPanel3.enableUTF16Checkbox.text=Enable UTF16LE and UTF16BE string extraction
KeywordSearchEditListPanel.keywordOptionsLabel.text=Keyword Options KeywordSearchEditListPanel.keywordOptionsLabel.text=Keyword Options
KeywordSearchEditListPanel.listOptionsLabel.text=List Options KeywordSearchEditListPanel.listOptionsLabel.text=List Options
KeywordSearchConfigurationPanel3.ingestSettingsLabel.text=Ingest settings for string extraction from unknown file types (changes effective on next ingest): KeywordSearchConfigurationPanel3.ingestSettingsLabel.text=Ingest settings for string extraction from unknown file types (changes effective on next ingest):
KeywordSearchConfigurationPanel2.settingsLabel.text=Settings KeywordSearchConfigurationPanel2.settingsLabel.text=Settings
KeywordSearchConfigurationPanel2.informationLabel.text=Information KeywordSearchConfigurationPanel2.informationLabel.text=Information
KeywordSearchListsManagementPanel.keywordListsLabel.text=Keyword Lists: KeywordSearchListsManagementPanel.keywordListsLabel.text=Keyword Lists:
KeywordSearchEditListPanel.keywordsLabel.text=Keywords: KeywordSearchEditListPanel.keywordsLabel.text=Keywords:
KeywordSearchConfigurationPanel2.timeRadioButton1.toolTipText=20 mins. (fastest ingest time) KeywordSearchConfigurationPanel2.timeRadioButton1.toolTipText=20 mins. (fastest ingest time)
KeywordSearchConfigurationPanel2.timeRadioButton1.text=20 minutes (slowest feedback, fastest ingest) KeywordSearchConfigurationPanel2.timeRadioButton1.text=20 minutes (slowest feedback, fastest ingest)
KeywordSearchConfigurationPanel2.timeRadioButton2.toolTipText=10 minutes (faster overall ingest time than default) KeywordSearchConfigurationPanel2.timeRadioButton2.toolTipText=10 minutes (faster overall ingest time than default)
KeywordSearchConfigurationPanel2.timeRadioButton2.text=10 minutes (slower feedback, faster ingest) KeywordSearchConfigurationPanel2.timeRadioButton2.text=10 minutes (slower feedback, faster ingest)
KeywordSearchConfigurationPanel2.timeRadioButton3.toolTipText=5 minutes (overall ingest time will be longer) KeywordSearchConfigurationPanel2.timeRadioButton3.toolTipText=5 minutes (overall ingest time will be longer)
KeywordSearchConfigurationPanel2.timeRadioButton3.text=5 minutes (default) KeywordSearchConfigurationPanel2.timeRadioButton3.text=5 minutes (default)
KeywordSearchIngestSimplePanel.encodingsLabel.text=Encodings: KeywordSearchIngestSimplePanel.encodingsLabel.text=Encodings:
KeywordSearchIngestSimplePanel.keywordSearchEncodings.text=- KeywordSearchIngestSimplePanel.keywordSearchEncodings.text=-
KeywordSearchIngestSimplePanel.titleLabel.text=Select keyword lists to enable during ingest: KeywordSearchIngestSimplePanel.titleLabel.text=Select keyword lists to enable during ingest:
OpenIDE-Module-Short-Description=Keyword Search ingest module, extracted text viewer and keyword search tools OpenIDE-Module-Short-Description=Keyword Search ingest module, extracted text viewer and keyword search tools
KeywordSearchListsViewerPanel.manageListsButton.toolTipText=Manage keyword lists, their settings and associated keywords. The settings are shared among all cases. KeywordSearchListsViewerPanel.manageListsButton.toolTipText=Manage keyword lists, their settings and associated keywords. The settings are shared among all cases.
KeywordSearchConfigurationPanel2.frequencyLabel.text=Results update frequency during ingest: KeywordSearchConfigurationPanel2.frequencyLabel.text=Results update frequency during ingest:
KeywordSearchConfigurationPanel2.timeRadioButton4.text_1=1 minute (faster feedback, longest ingest) KeywordSearchConfigurationPanel2.timeRadioButton4.text_1=1 minute (faster feedback, longest ingest)
KeywordSearchConfigurationPanel2.timeRadioButton4.toolTipText=1 minute (overall ingest time will be longest) KeywordSearchConfigurationPanel2.timeRadioButton4.toolTipText=1 minute (overall ingest time will be longest)

162
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-about.html
View File

@ -1,81 +1,81 @@
<!-- <!--
Autopsy Forensic Browser Autopsy Forensic Browser
Copyright 2011 Basis Technology Corp. Copyright 2011 Basis Technology Corp.
Contact: carrier <at> sleuthkit <dot> org Contact: carrier <at> sleuthkit <dot> org
Licensed under the Apache License, Version 2.0 (the "License"); Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License. you may not use this file except in compliance with the License.
You may obtain a copy of the License at You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
--> -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<title>Keyword Search</title> <title>Keyword Search</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head> </head>
<body> <body>
<h2>Keyword Search</h2> <h2>Keyword Search</h2>
<p> <p>
Autopsy ships a keyword search module, which provides the <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest capability</a> Autopsy ships a keyword search module, which provides the <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">ingest capability</a>
and also supports a manual text search mode. and also supports a manual text search mode.
</p> </p>
<p>The keyword search ingest module extracts text from the files on the image being ingested and adds them to the index that can then be searched.</p> <p>The keyword search ingest module extracts text from the files on the image being ingested and adds them to the index that can then be searched.</p>
<p> <p>
Autopsy tries its best to extract maximum amount of text from the files being indexed. Autopsy tries its best to extract maximum amount of text from the files being indexed.
First, the indexing will try to extract text from supported file formats, such as pure text file format, MS Office Documents, PDF files, Email files, and many others. First, the indexing will try to extract text from supported file formats, such as pure text file format, MS Office Documents, PDF files, Email files, and many others.
If the file is not supported by the standard text extractor, Autopsy will fallback to string extraction algorithm. If the file is not supported by the standard text extractor, Autopsy will fallback to string extraction algorithm.
String extraction on unknown file formats or arbitrary binary files can often still extract a good amount of text from the file, often good enough to provide additional clues. String extraction on unknown file formats or arbitrary binary files can often still extract a good amount of text from the file, often good enough to provide additional clues.
However, string extraction will not be able to extract text strings from binary files that have been encrypted. However, string extraction will not be able to extract text strings from binary files that have been encrypted.
</p> </p>
<p> <p>
Autopsy ships with some built-in lists that define regular expressions and enable user to search for Phone Numbers, IP addresses, URLs and E-mail addresses. Autopsy ships with some built-in lists that define regular expressions and enable user to search for Phone Numbers, IP addresses, URLs and E-mail addresses.
However, enabling some of these very general lists can produce a very large number of hits, many of them can be false-positives. However, enabling some of these very general lists can produce a very large number of hits, many of them can be false-positives.
</p> </p>
<p> <p>
Once files are in the index, they can be searched quickly for specific keywords, regular expressions, Once files are in the index, they can be searched quickly for specific keywords, regular expressions,
or using keyword search lists that can contain a mixture of keywords and regular expressions. or using keyword search lists that can contain a mixture of keywords and regular expressions.
Search queries can be executed automatically by the ingest during the ingest run, or at the end of the ingest, depending on the current settings and the time it takes to ingest the image. Search queries can be executed automatically by the ingest during the ingest run, or at the end of the ingest, depending on the current settings and the time it takes to ingest the image.
</p> </p>
<p>Search queries can also be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched.</p> <p>Search queries can also be executed manually by the user at any time, as long as there are some files already indexed and ready to be searched.</p>
<p> <p>
Keyword search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user. Keyword search module will save the search results regardless whether the search is performed by the ingest process, or manually by the user.
The saved results are available in the Directory Tree in the left hand side panel. The saved results are available in the Directory Tree in the left hand side panel.
</p> </p>
<p> <p>
To see keyword search results in real-time while ingest is running, add keyword lists using the To see keyword search results in real-time while ingest is running, add keyword lists using the
<a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-configuration.html">Keyword Search Configuration Dialog</a> <a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-configuration.html">Keyword Search Configuration Dialog</a>
and select the "Use during ingest" check box. and select the "Use during ingest" check box.
You can select "Enable sending messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very specific searches. You can select "Enable sending messages to inbox during ingest" per list, if the hits on that list should be reported in the Inbox, which is recommended for very specific searches.
</p> </p>
<p> <p>
See <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">(Ingest)</a> See <a href="nbdocs:/org/sleuthkit/autopsy/ingest/docs/ingest-about.html">(Ingest)</a>
for more information on ingest in general. for more information on ingest in general.
</p> </p>
<p> <p>
Once there are files in the index, the <a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html">Keyword Search Bar</a> Once there are files in the index, the <a href="nbdocs:/org/sleuthkit/autopsy/keywordsearch/docs/keywordsearch-bar.html">Keyword Search Bar</a>
will be available for use to manually search at any time. will be available for use to manually search at any time.
</p> </p>
</body> </body>
</html> </html>
<!-- <!--
Tip: to create a link which will open in an external web browser, try: Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer"> <object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/"> <param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>"> <param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium"> <param name="textFontSize" value="medium">
<param name="textColor" value="blue"> <param name="textColor" value="blue">
</object> </object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.: To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a> <a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.) (This link will behave sanely if that module is disabled or missing.)
--> -->

20
RecentActivity/manifest.mf
View File

@ -1,10 +1,10 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
OpenIDE-Module: org.sleuthkit.autopsy.recentactivity/5 OpenIDE-Module: org.sleuthkit.autopsy.recentactivity/5
OpenIDE-Module-Implementation-Version: 9 OpenIDE-Module-Implementation-Version: 9
OpenIDE-Module-Layer: org/sleuthkit/autopsy/recentactivity/layer.xml OpenIDE-Module-Layer: org/sleuthkit/autopsy/recentactivity/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/recentactivity/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/recentactivity/Bundle.properties
OpenIDE-Module-Requires: OpenIDE-Module-Requires:
org.openide.modules.InstalledFileLocator, org.openide.modules.InstalledFileLocator,
org.openide.windows.TopComponent$Registry, org.openide.windows.TopComponent$Registry,
org.openide.windows.WindowManager org.openide.windows.WindowManager

14
RecentActivity/nbproject/project.properties
View File

@ -1,7 +1,7 @@
file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar
javac.source=1.7 javac.source=1.7
javac.compilerargs=-Xlint -Xlint:-serial javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/ nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true nbm.needs.restart=true
spec.version.base=3.0 spec.version.base=3.0

12
SevenZip/manifest.mf
View File

@ -1,6 +1,6 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
OpenIDE-Module: org.sleuthkit.autopsy.sevenzip/1 OpenIDE-Module: org.sleuthkit.autopsy.sevenzip/1
OpenIDE-Module-Implementation-Version: 3 OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/sevenzip/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/sevenzip/Bundle.properties

12
Testing/manifest.mf
View File

@ -1,6 +1,6 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
AutoUpdate-Show-In-Client: false AutoUpdate-Show-In-Client: false
OpenIDE-Module: org.sleuthkit.autopsy.testing/3 OpenIDE-Module: org.sleuthkit.autopsy.testing/3
OpenIDE-Module-Implementation-Version: 7 OpenIDE-Module-Implementation-Version: 7
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/testing/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/testing/Bundle.properties

2
Testing/src/org/sleuthkit/autopsy/testing/Bundle.properties
View File

@ -1 +1 @@
OpenIDE-Module-Name=Testing OpenIDE-Module-Name=Testing

14
Timeline/manifest.mf
View File

@ -1,7 +1,7 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
OpenIDE-Module: org.sleuthkit.autopsy.timeline/1 OpenIDE-Module: org.sleuthkit.autopsy.timeline/1
OpenIDE-Module-Layer: org/sleuthkit/autopsy/timeline/layer.xml OpenIDE-Module-Layer: org/sleuthkit/autopsy/timeline/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/timeline/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/timeline/Bundle.properties
OpenIDE-Module-Requires: org.openide.windows.WindowManager OpenIDE-Module-Requires: org.openide.windows.WindowManager
OpenIDE-Module-Implementation-Version: 3 OpenIDE-Module-Implementation-Version: 3

442
docs/QuickStartGuide/index.html
View File

@ -1,221 +1,221 @@
<html> <html>
<head> <head>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css"> <link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<style> <style>
h1 { font-size: 145%; color: #666666; } h1 { font-size: 145%; color: #666666; }
h2 { font-size: 120%; color: #666666; } h2 { font-size: 120%; color: #666666; }
</style> </style>
<title>Autopsy 3 Quick Start Guide</title> <title>Autopsy 3 Quick Start Guide</title>
</head> </head>
<body> <body>
<p align="center" style="font-size: 145%;"><strong>Autopsy 3 Quick Start Guide</strong></p> <p align="center" style="font-size: 145%;"><strong>Autopsy 3 Quick Start Guide</strong></p>
<p align="center" style="font-size: 120%;">June 2013</p> <p align="center" style="font-size: 120%;">June 2013</p>
<p align="center"><a href="http://www.sleuthkit.org/autopsy/">www.sleuthkit.org/autopsy/</a></p> <p align="center"><a href="http://www.sleuthkit.org/autopsy/">www.sleuthkit.org/autopsy/</a></p>
<h1>Installation</h1> <h1>Installation</h1>
<p> <p>
The current version of Autopsy 3 runs only on Microsoft Windows. The current version of Autopsy 3 runs only on Microsoft Windows.
We have gotten it to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries. We have gotten it to run on other platforms, such as Linux and OS X, but we do not have it in a state that makes it easy to distribute and find the needed libraries.
</p> </p>
<p> <p>
The Windows installer will make a directory for Autopsy and place all of the needed files inside of it. The Windows installer will make a directory for Autopsy and place all of the needed files inside of it.
The installer includes all dependencies, including Sleuth Kit and Java. The installer includes all dependencies, including Sleuth Kit and Java.
</p> </p>
<p>Note that Autopsy 3 is a complete rewrite from Autopsy 2 and none of this document is relevant to Autopsy 2.</p> <p>Note that Autopsy 3 is a complete rewrite from Autopsy 2 and none of this document is relevant to Autopsy 2.</p>
<h1>Adding a Data Source (image, local disk, logical files)</h1> <h1>Adding a Data Source (image, local disk, logical files)</h1>
<p> <p>
Data sources are added to a <strong>case</strong>. A case can have a single data source or it can have multiple data source if they are related. Data sources are added to a <strong>case</strong>. A case can have a single data source or it can have multiple data source if they are related.
Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case. Currently, a single report is generated for an entire case, so if you need to report on individual data sources, then you should use one data source per case.
</p> </p>
<h2>Creating a Case</h2> <h2>Creating a Case</h2>
<p> <p>
To create a case, use either the &quot;Create New Case&quot; option on the Welcome screen or from the &quot;File&quot; menu. To create a case, use either the &quot;Create New Case&quot; option on the Welcome screen or from the &quot;File&quot; menu.
This will start the <strong>New Case Wizard</strong>. You will need to supply it with the name of the case and a directory to store the case results into. This will start the <strong>New Case Wizard</strong>. You will need to supply it with the name of the case and a directory to store the case results into.
You can optionally provide case numbers and other details. You can optionally provide case numbers and other details.
</p> </p>
<h2>Adding a Data Source</h2> <h2>Adding a Data Source</h2>
<p> <p>
The next step is to add input data source to the case. The next step is to add input data source to the case.
The <strong>Add Data Source Wizard</strong> will start automatically after the case is created or you can manually start it from the &quot;File&quot; menu or toolbar. The <strong>Add Data Source Wizard</strong> will start automatically after the case is created or you can manually start it from the &quot;File&quot; menu or toolbar.
You will need to choose the type of input data source to add (image, local disk or logical files and folders). You will need to choose the type of input data source to add (image, local disk or logical files and folders).
Next, supply it with the location of the source to add. Next, supply it with the location of the source to add.
</p> </p>
<ul> <ul>
<li>For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files. <li>For a disk image, browse to the first file in the set (Autopsy will find the rest of the files). Autopsy currently supports E01 and raw (dd) files.
</li> </li>
<li> <li>
For local disk, select one of the detected disks. For local disk, select one of the detected disks.
Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data). Autopsy will add the current view of the disk to the case (i.e. snapshot of the meta-data).
However, the individual file content (not meta-data) does get updated with the changes made to the disk. However, the individual file content (not meta-data) does get updated with the changes made to the disk.
Note, you may need run Autopsy as an Administrator to detect all disks. Note, you may need run Autopsy as an Administrator to detect all disks.
</li> </li>
<li>For logical files (a single file or folder of files), use the "Add" button to add one or more files or folders on your system to the case. Folders will be recursively added to the case.</li> <li>For logical files (a single file or folder of files), use the "Add" button to add one or more files or folders on your system to the case. Folders will be recursively added to the case.</li>
</ul> </ul>
<p> <p>
There are a couple of options in the wizard that will allow you to make the ingest process faster. There are a couple of options in the wizard that will allow you to make the ingest process faster.
These typically deal with deleted files. These typically deal with deleted files.
It will take longer if unallocated space is analyzed and the entire drive is searched for deleted files. It will take longer if unallocated space is analyzed and the entire drive is searched for deleted files.
In some scenarios, these recovery steps must be performed and in other scenarios these steps are not needed and instead fast results on the allocated files are needed. In some scenarios, these recovery steps must be performed and in other scenarios these steps are not needed and instead fast results on the allocated files are needed.
Use these options to control how long the analysis will take. Use these options to control how long the analysis will take.
</p> </p>
<p> <p>
Autopsy will start to analyze these data sources and add them to the case and internal database. While it is doing that, it will prompt you to configure the Ingest Modules. </p> Autopsy will start to analyze these data sources and add them to the case and internal database. While it is doing that, it will prompt you to configure the Ingest Modules. </p>
<h2>Ingest Modules</h2> <h2>Ingest Modules</h2>
<p> <p>
You will next be prompted to configure the Ingest Modules. You will next be prompted to configure the Ingest Modules.
Ingest modules will run in the background and perform specific tasks. Ingest modules will run in the background and perform specific tasks.
The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders. The Ingest Modules analyze files in a prioritized order so that files in a user's directory are analyzed before files in other folders.
Ingest modules can be developed by third-parties and here are some of the standard ingest modules that come with Autopsy: Ingest modules can be developed by third-parties and here are some of the standard ingest modules that come with Autopsy:
</p> </p>
<ul> <ul>
<li><strong>Recent Activity</strong> <li><strong>Recent Activity</strong>
extracts user activity as saved by web browsers and the OS. Also runs regripper on the registry hive. extracts user activity as saved by web browsers and the OS. Also runs regripper on the registry hive.
</li> </li>
<li><strong>Hash Lookup</strong> <li><strong>Hash Lookup</strong>
uses hash databases to ignore known files from the NIST NSRL and flag known bad files. uses hash databases to ignore known files from the NIST NSRL and flag known bad files.
Use the "Advanced" button to add and configure the hash databases to use during this process. Use the "Advanced" button to add and configure the hash databases to use during this process.
You will get updates on known bad file hits as the ingest occurs. You can later add hash databases You will get updates on known bad file hits as the ingest occurs. You can later add hash databases
via the Tools -&gt; Options menu in the main UI. You can download an index of the NIST NSRL from via the Tools -&gt; Options menu in the main UI. You can download an index of the NIST NSRL from
<a href="http://sourceforge.net/projects/autopsy/files/NSRL/">here</a>. <a href="http://sourceforge.net/projects/autopsy/files/NSRL/">here</a>.
</li> </li>
<li><strong>Keyword Search</strong> <li><strong>Keyword Search</strong>
uses keyword lists to identify files with specific words in them. uses keyword lists to identify files with specific words in them.
You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button. You can select the keyword lists to search for automatically and you can create new lists using the "Advanced" button.
Note that with keyword search, you can always conduct searches after ingest has finished. Note that with keyword search, you can always conduct searches after ingest has finished.
The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time. The keyword lists that you select during ingest will be searched for at periodic intervals and you will get the results in real-time.
You do not need to wait for all files to be indexed. You do not need to wait for all files to be indexed.
</li> </li>
<li><strong>Archive Extractor</strong> opens ZIP, RAR, and other archive formats and sends the files from those archive files back <li><strong>Archive Extractor</strong> opens ZIP, RAR, and other archive formats and sends the files from those archive files back
through the pipelines for analysis.</li> through the pipelines for analysis.</li>
<li><strong>Exif Image Parser</strong> extracts EXIF information from JPEG files and posts the results into the tree in the main UI.</li> <li><strong>Exif Image Parser</strong> extracts EXIF information from JPEG files and posts the results into the tree in the main UI.</li>
<li><strong>Thunderbird Parser</strong> Identifies Thunderbird MBOX files and extracts the e-mails from them.</li> <li><strong>Thunderbird Parser</strong> Identifies Thunderbird MBOX files and extracts the e-mails from them.</li>
</ul> </ul>
<p> <p>
When you select a module, you will have the option to change its settings. When you select a module, you will have the option to change its settings.
For example, you can configure which keyword search lists to use during ingest and which hash databases to use. For example, you can configure which keyword search lists to use during ingest and which hash databases to use.
Refer to the help system inside of Autopsy for details on configuring each module. Refer to the help system inside of Autopsy for details on configuring each module.
</p> </p>
<p> <p>
While ingest modules are running in the background, you will see a progress bar in the lower right. While ingest modules are running in the background, you will see a progress bar in the lower right.
You can use the GUI to review incoming results and perform other tasks while ingest at that time. You can use the GUI to review incoming results and perform other tasks while ingest at that time.
</p> </p>
<h1>Analysis Basics</h1> <h1>Analysis Basics</h1>
<img src="screenshot.png" alt="Autopsy Screenshot" /> <img src="screenshot.png" alt="Autopsy Screenshot" />
<p>You will start all of your analysis techniques from the tree on the left.</p> <p>You will start all of your analysis techniques from the tree on the left.</p>
<ul> <ul>
<li>The Data Sources root node shows all data in the case.</li> <li>The Data Sources root node shows all data in the case.</li>
<ul> <ul>
<li>The individual image nodes show the file system structure of the disk images or local disks in the case.</li> <li>The individual image nodes show the file system structure of the disk images or local disks in the case.</li>
<li>The LogicalFileSet nodes show the logical files in the case.</li> <li>The LogicalFileSet nodes show the logical files in the case.</li>
</ul> </ul>
<li>The Views node shows the same data from a file type or timeline perspective.</li> <li>The Views node shows the same data from a file type or timeline perspective.</li>
<li>The Results node shows the output from the ingest modules.</li> <li>The Results node shows the output from the ingest modules.</li>
</ul> </ul>
<p> <p>
When you select a node from the tree on the left, a list of files will be shown in the upper right. When you select a node from the tree on the left, a list of files will be shown in the upper right.
You can use the Thumbnail view in the upper right to view the pictures. You can use the Thumbnail view in the upper right to view the pictures.
When you select a file from the upper right, its contents will be shown in the lower right. When you select a file from the upper right, its contents will be shown in the lower right.
You can use the tabs in the lower right to view the text of the file, an image, or the hex data. You can use the tabs in the lower right to view the text of the file, an image, or the hex data.
</p> </p>
<p> <p>
If you are viewing files from the Views and Results nodes, you can right-click on a file to go to its file system location. If you are viewing files from the Views and Results nodes, you can right-click on a file to go to its file system location.
This feature is useful to see what else the user stored in the same folder as the file that you are currently looking at. This feature is useful to see what else the user stored in the same folder as the file that you are currently looking at.
You can also right click on a file to extract it to the local system. You can also right click on a file to extract it to the local system.
</p> </p>
<p> <p>
If you want to search for single keywords, then you can use the search box in the upper right of the program. If you want to search for single keywords, then you can use the search box in the upper right of the program.
The results will be shown in a table in the upper right. The results will be shown in a table in the upper right.
</p> </p>
<p> You can tag (or bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report.</p> <p> You can tag (or bookmark) arbitrary files so that you can more quickly find them later or so that you can include them specifically in a report.</p>
<h2>Ingest Inbox</h2> <h2>Ingest Inbox</h2>
<p> <p>
As you are going through the results in the tree, the ingest modules are running in the background. As you are going through the results in the tree, the ingest modules are running in the background.
The results are shown in the tree as soon as the ingest modules find them and report them. The results are shown in the tree as soon as the ingest modules find them and report them.
</p> </p>
<p> <p>
The Ingest Inbox receives messages from the ingest modules as they find results. The Ingest Inbox receives messages from the ingest modules as they find results.
You can open the inbox to see what has been recently found. You can open the inbox to see what has been recently found.
It keeps track of what messages you have read. It keeps track of what messages you have read.
</p> </p>
<p> <p>
The intended use of this inbox is that you can focus on some data for a while and then check back on the inbox at a time that is convenient for them. The intended use of this inbox is that you can focus on some data for a while and then check back on the inbox at a time that is convenient for them.
You can then see what else was found while you were focused on the previous task. You can then see what else was found while you were focused on the previous task.
You may learn that a known bad file was found or that a file was found with a relevant keyword and then decide to focus on that for a while. You may learn that a known bad file was found or that a file was found with a relevant keyword and then decide to focus on that for a while.
</p> </p>
<p> When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem.</p> <p> When you select a message, you can then jump to the Results tree where more details can be found or jump to the file's location in the filesystem.</p>
<h2>Timeline (Beta)</h2> <h2>Timeline (Beta)</h2>
<p>There is a basic timeline view that you can access via the Tools -&gt; Make Timeline feature. This will take a few minutes to create the timeline for analysis. Its features are still in development.</p> <p>There is a basic timeline view that you can access via the Tools -&gt; Make Timeline feature. This will take a few minutes to create the timeline for analysis. Its features are still in development.</p>
<h1>Example Use Cases</h1> <h1>Example Use Cases</h1>
<p>In this section, we will provide examples of how to do common analysis tasks.</p> <p>In this section, we will provide examples of how to do common analysis tasks.</p>
<h2>Web Artifacts</h2> <h2>Web Artifacts</h2>
<p> <p>
If you want to view the user's recent web activity, make sure that the Recent Activity ingest module was enabled. If you want to view the user's recent web activity, make sure that the Recent Activity ingest module was enabled.
You can then go to the &quot;Results &quot; node in the tree on the left and then into the &quot;Extracted Data&quot; node. You can then go to the &quot;Results &quot; node in the tree on the left and then into the &quot;Extracted Data&quot; node.
There, you can find bookmarks, cookies, downloads, and history. There, you can find bookmarks, cookies, downloads, and history.
</p> </p>
<h2>Known Bad Hash Files</h2> <h2>Known Bad Hash Files</h2>
<p> <p>
If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled. If you want to see if the data source had known bad files, make sure that the Hash Lookup ingest module was enabled.
You can then view the &quot;Hashset Hits&quot; section in the &quot;Results&quot; area of the tree on the left. You can then view the &quot;Hashset Hits&quot; section in the &quot;Results&quot; area of the tree on the left.
Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is occurring. Note that hash lookup can take a long time, so this section will be updated as long as the ingest process is occurring.
Use the Ingest Inbox to keep track of what known bad files were recently found. Use the Ingest Inbox to keep track of what known bad files were recently found.
</p> </p>
<p> <p>
When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location. When you find a known bad file in this interface, you may want to right click on the file to also view the file's original location.
You may find additional files that are relevant and stored in the same folder as this file. You may find additional files that are relevant and stored in the same folder as this file.
</p> </p>
<h2>Media: Images and Videos</h2> <h2>Media: Images and Videos</h2>
<p> <p>
If you want to see all images and video on the disk image, then go to the &quot;Views&quot; section in the tree on the left and then &quot;File Types&quot;. If you want to see all images and video on the disk image, then go to the &quot;Views&quot; section in the tree on the left and then &quot;File Types&quot;.
Select either &quot;Images&quot; or &quot;Videos&quot;. Select either &quot;Images&quot; or &quot;Videos&quot;.
You can use the thumbnail option in the upper right to view thumbnails of all images. You can use the thumbnail option in the upper right to view thumbnails of all images.
</p> </p>
<ul class="note"> <ul class="note">
<li><strong>Note</strong>: <li><strong>Note</strong>:
We are working on making this more efficient when there are lots of images and we are working on the feature to display video thumbnails. We are working on making this more efficient when there are lots of images and we are working on the feature to display video thumbnails.
</li> </li>
</ul> </ul>
<p>You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound.</p> <p>You can select an image or video from the upper right and view the video or image in the lower right. Video will be played with sound.</p>
<h1>Reporting</h1> <h1>Reporting</h1>
<p> <p>
A final report can be generated that will include all analysis results. A final report can be generated that will include all analysis results.
Use the &quot;Generate Report&quot; button to create this. Use the &quot;Generate Report&quot; button to create this.
It will create an HTML or XLS report in the Reports folder of the case folder. It will create an HTML or XLS report in the Reports folder of the case folder.
If you forgot the location of your case folder, you can determine it using the &quot;Case Properties&quot; option in the &quot;File&quot; menu. If you forgot the location of your case folder, you can determine it using the &quot;Case Properties&quot; option in the &quot;File&quot; menu.
There is also an option to export report files to a separate folder outside of the case folder. There is also an option to export report files to a separate folder outside of the case folder.
</p> </p>
<hr> <hr>
<p><i>Copyright &#169; 2012-2013 Basis Technology.</i></p> <p><i>Copyright &#169; 2012-2013 Basis Technology.</i></p>
<p><i> <p><i>
This work is licensed under a This work is licensed under a
<a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons Attribution-Share Alike 3.0 United States License</a>. <a rel="license" href="http://creativecommons.org/licenses/by-sa/3.0/us/">Creative Commons Attribution-Share Alike 3.0 United States License</a>.
</i></p> </i></p>
</body> </body>
</html> </html>

60
docs/doxygen/needs_a_home.dox
View File

@ -1,30 +1,30 @@
<!-- @@@ MOVE THIS SOMEWHERE ELSE -- the directory tree package maybe?? --> <!-- @@@ MOVE THIS SOMEWHERE ELSE -- the directory tree package maybe?? -->
The component is by default registered with the ingest manager as an ingest event listener. The component is by default registered with the ingest manager as an ingest event listener.
The viewer first loads all the viewer-supported data currently in the blackboard when Autopsy starts. The viewer first loads all the viewer-supported data currently in the blackboard when Autopsy starts.
During the ingest process the viewer receives events from ingest modules During the ingest process the viewer receives events from ingest modules
(relayed by ingest manager) and it selectively refreshes parts of the tree providing real-time updates to the user. (relayed by ingest manager) and it selectively refreshes parts of the tree providing real-time updates to the user.
When ingest is completed, the viewer responds to the final ingest data event generated by the ingest manager, When ingest is completed, the viewer responds to the final ingest data event generated by the ingest manager,
and performs a final refresh of all viewer-supported data in the blackboard. and performs a final refresh of all viewer-supported data in the blackboard.
Node content support capabilities are registered in the node's Lookup. Node content support capabilities are registered in the node's Lookup.
<!-- @@@ This is too detailed for here, but maybe should be broken up and put into the sections on making a result viewer and such… <!-- @@@ This is too detailed for here, but maybe should be broken up and put into the sections on making a result viewer and such…
--> -->
\section design_data_flow Data Flow \section design_data_flow Data Flow
\subsection design_data_flow_create Creating Nodes in DataExplorer \subsection design_data_flow_create Creating Nodes in DataExplorer
Data flows between the UI zones using a NetBeans node. The DataExplorer modules create the NetBeans nodes. They query the SQLite database or do whatever they want to identify the set of files that are of interest. They create the NetBeans nodes based on Sleuthkit data model objects. See the org.sleuthkit.autopsy.datamodel package for more details on this. Data flows between the UI zones using a NetBeans node. The DataExplorer modules create the NetBeans nodes. They query the SQLite database or do whatever they want to identify the set of files that are of interest. They create the NetBeans nodes based on Sleuthkit data model objects. See the org.sleuthkit.autopsy.datamodel package for more details on this.
\subsection design_data_flow_toResult Getting Nodes to DataResult \subsection design_data_flow_toResult Getting Nodes to DataResult
Each DataExplorer TopComponent is responsible for creating its own DataResult TopComponent to display its results. It can choose to re-use the same TopComponent for multiple searches (as DirectoryTree does) or it can choose to make a new one each time (as FileSearch does). The setNode() method on the DataResult object is used to set the root node to display. A dummy root node must be created as the parent if a parent does not already exist. Each DataExplorer TopComponent is responsible for creating its own DataResult TopComponent to display its results. It can choose to re-use the same TopComponent for multiple searches (as DirectoryTree does) or it can choose to make a new one each time (as FileSearch does). The setNode() method on the DataResult object is used to set the root node to display. A dummy root node must be created as the parent if a parent does not already exist.
The DataExplorer is responsible for setting the double-click and right-click actions associated with the node. The default single click action is to pass data to DataContent. To override this, you must create a new DataResultViewer instance that overrides the propertyChange() method. The DataExplorer adds actions to wrapping the node in a FilterNode variant. The FilterNode then defines the actions for the node by overriding the getPreferredAction() and getActions() methods. As an example, org.sleuthkit.autopsy.directorytree.DataResultFilterNode and org.sleuthkit.autopsy.directorytree.DataResultFilterChildren wraps the nodes that are passed over by the DirectoryTree DataExplorer. The DataExplorer is responsible for setting the double-click and right-click actions associated with the node. The default single click action is to pass data to DataContent. To override this, you must create a new DataResultViewer instance that overrides the propertyChange() method. The DataExplorer adds actions to wrapping the node in a FilterNode variant. The FilterNode then defines the actions for the node by overriding the getPreferredAction() and getActions() methods. As an example, org.sleuthkit.autopsy.directorytree.DataResultFilterNode and org.sleuthkit.autopsy.directorytree.DataResultFilterChildren wraps the nodes that are passed over by the DirectoryTree DataExplorer.
DataResult can send data back to its DataExplorer by making a custom action that looks up it's instance (DataExplorer.getInstance()). DataResult can send data back to its DataExplorer by making a custom action that looks up it's instance (DataExplorer.getInstance()).

106
docs/doxygen/workflow.dox
View File

@ -1,53 +1,53 @@
/*! \page workflow_page General Workflow and Design /*! \page workflow_page General Workflow and Design
\section design_overview Overview \section design_overview Overview
This section outlines the internal Autopsy design from the typical analysis work flow perspective. This section outlines the internal Autopsy design from the typical analysis work flow perspective.
This page is organized based on these phases: This page is organized based on these phases:
- A Case is created. - A Case is created.
- Images are added to the case and ingest modules are run. - Images are added to the case and ingest modules are run.
- Results are manually reviewed and searched. - Results are manually reviewed and searched.
- Reports are generated. - Reports are generated.
\section design_case Creating a Case \section design_case Creating a Case
The first step in Autopsy work flow is creating a case. This is done in the org.sleuthkit.autopsy.casemodule package (see \ref casemodule_overview for details). This module contains the wizards needed and deals with how to store the information. You should not need to do much modifications in this package. But, you will want to use the org.sleuthkit.autopsy.casemodule.Case object to access all data related to this case. The first step in Autopsy work flow is creating a case. This is done in the org.sleuthkit.autopsy.casemodule package (see \ref casemodule_overview for details). This module contains the wizards needed and deals with how to store the information. You should not need to do much modifications in this package. But, you will want to use the org.sleuthkit.autopsy.casemodule.Case object to access all data related to this case.
\section design_image Adding an Image and Running Ingest Modules \section design_image Adding an Image and Running Ingest Modules
After case is created, one or more disk images can be added to the case. There is a wizard to guide that process and it is located in the org.sleuthkit.autopsy.casemodule package. Refer to the package section \ref casemodule_add_image for more details on the wizard. Most developers will not need to touch this code though. An important concept though is that adding an image to a case means that Autopsy uses The Sleuth Kit to enumerate all of the files in the file system and make a database entry for them in the embedded SQLite database that was created for the case. The database will be used for all further analysis. After case is created, one or more disk images can be added to the case. There is a wizard to guide that process and it is located in the org.sleuthkit.autopsy.casemodule package. Refer to the package section \ref casemodule_add_image for more details on the wizard. Most developers will not need to touch this code though. An important concept though is that adding an image to a case means that Autopsy uses The Sleuth Kit to enumerate all of the files in the file system and make a database entry for them in the embedded SQLite database that was created for the case. The database will be used for all further analysis.
After image has been added to the case, the user can select one or more ingest modules to be executed on the image. Ingest modules focus on a specific type of analysis task and run in the background. They either analyze the entire disk image or individual files. The user will see the results from the modules in the result tree and in the ingest inbox. After image has been added to the case, the user can select one or more ingest modules to be executed on the image. Ingest modules focus on a specific type of analysis task and run in the background. They either analyze the entire disk image or individual files. The user will see the results from the modules in the result tree and in the ingest inbox.
The org.sleuthkit.autopsy.ingest package provides the basic infrastructure for the ingest module management. The org.sleuthkit.autopsy.ingest package provides the basic infrastructure for the ingest module management.
If you want to develop a module that analyzes drive data, then this is probably the type of module that you want to build. See \ref mod_ingest_page for more details on making an ingest module. If you want to develop a module that analyzes drive data, then this is probably the type of module that you want to build. See \ref mod_ingest_page for more details on making an ingest module.
\section design_view Viewing Results \section design_view Viewing Results
The UI has three main areas. The tree on the left-hand side, the result viewers in the upper right, and the content viewers in the lower right. Data passes between these areas by encapsulating them in Netbeans Node objects (see org.openide.nodes.Node). These allow Autopsy to generically handle all types of data. The org.sleuthkit.autopsy.datamodel package wraps the generic org.sleuthkit.datamodel Sleuth Kit objects as Netbeans Nodes. The UI has three main areas. The tree on the left-hand side, the result viewers in the upper right, and the content viewers in the lower right. Data passes between these areas by encapsulating them in Netbeans Node objects (see org.openide.nodes.Node). These allow Autopsy to generically handle all types of data. The org.sleuthkit.autopsy.datamodel package wraps the generic org.sleuthkit.datamodel Sleuth Kit objects as Netbeans Nodes.
Nodes are modeled in a parent-child hierarchy with other nodes. All data within a Case is represented in a hierarchy with the disk images being one level below the case and volumes and such below the image. Nodes are modeled in a parent-child hierarchy with other nodes. All data within a Case is represented in a hierarchy with the disk images being one level below the case and volumes and such below the image.
The tree on the left hand-side shows the analysis results. The tree on the left hand-side shows the analysis results.
Its contents are populated from the central database. Its contents are populated from the central database.
This is where you can browse the file system contents and see the results from the blackboard. This is where you can browse the file system contents and see the results from the blackboard.
<!-- @@@(see \ref blackboard_page). --> <!-- @@@(see \ref blackboard_page). -->
The tree is implemented in the org.sleuthkit.autopsy.directorytree package. The tree is implemented in the org.sleuthkit.autopsy.directorytree package.
The area in the upper right is the result viewer area. When a node is selected from the tree, the node and its children are sent to this area. This area is used to view a set of nodes. The viewer is itself a framework with modules that display the data in different layouts. For example, the standard version comes with a table viewer and a thumbnail viewer. Refer to \ref mod_result_page for details on building a data result module. The area in the upper right is the result viewer area. When a node is selected from the tree, the node and its children are sent to this area. This area is used to view a set of nodes. The viewer is itself a framework with modules that display the data in different layouts. For example, the standard version comes with a table viewer and a thumbnail viewer. Refer to \ref mod_result_page for details on building a data result module.
When an item is selected from the result viewer area, it is passed to the bottom right content viewers. It too is a framework with many modules that know how to show information about a specific file in different ways. For example, there are viewers that show the data in a hex dump format, extract the strings, and display pictures and movies. When an item is selected from the result viewer area, it is passed to the bottom right content viewers. It too is a framework with many modules that know how to show information about a specific file in different ways. For example, there are viewers that show the data in a hex dump format, extract the strings, and display pictures and movies.
See \ref mod_content_page for details on building new content viewers. See \ref mod_content_page for details on building new content viewers.
\section design_report Report generation \section design_report Report generation
When ingest is complete, the user can generate reports. When ingest is complete, the user can generate reports.
There is a reporting framework to enable many different formats. Autopsy currently comes with generic html, xml and Excel reports. See the org.sleuthkit.autopsy.report package for details on the framework and There is a reporting framework to enable many different formats. Autopsy currently comes with generic html, xml and Excel reports. See the org.sleuthkit.autopsy.report package for details on the framework and
\ref mod_report_page for details on building a new report module. \ref mod_report_page for details on building a new report module.
*/ */

240
nbproject/platform.properties
View File

@ -1,120 +1,120 @@
branding.token=autopsy branding.token=autopsy
netbeans-plat-version=7.3.1 netbeans-plat-version=7.3.1
suite.dir=${basedir} suite.dir=${basedir}
nbplatform.active.dir=${suite.dir}/netbeans-plat/${netbeans-plat-version} nbplatform.active.dir=${suite.dir}/netbeans-plat/${netbeans-plat-version}
harness.dir=${nbplatform.active.dir}/harness harness.dir=${nbplatform.active.dir}/harness
bootstrap.url=http://deadlock.netbeans.org/hudson/job/nbms-and-javadoc/lastStableBuild/artifact/nbbuild/netbeans/harness/tasks.jar bootstrap.url=http://deadlock.netbeans.org/hudson/job/nbms-and-javadoc/lastStableBuild/artifact/nbbuild/netbeans/harness/tasks.jar
autoupdate.catalog.url=http://dlc.sun.com.edgesuite.net/netbeans/updates/${netbeans-plat-version}/uc/final/distribution/catalog.xml.gz autoupdate.catalog.url=http://dlc.sun.com.edgesuite.net/netbeans/updates/${netbeans-plat-version}/uc/final/distribution/catalog.xml.gz
cluster.path=\ cluster.path=\
${nbplatform.active.dir}/harness:\ ${nbplatform.active.dir}/harness:\
${nbplatform.active.dir}/java:\ ${nbplatform.active.dir}/java:\
${nbplatform.active.dir}/platform ${nbplatform.active.dir}/platform
disabled.modules=\ disabled.modules=\
org.apache.tools.ant.module,\ org.apache.tools.ant.module,\
org.netbeans.api.debugger.jpda,\ org.netbeans.api.debugger.jpda,\
org.netbeans.api.java,\ org.netbeans.api.java,\
org.netbeans.lib.nbjavac,\ org.netbeans.lib.nbjavac,\
org.netbeans.libs.cglib,\ org.netbeans.libs.cglib,\
org.netbeans.libs.javacapi,\ org.netbeans.libs.javacapi,\
org.netbeans.libs.javacimpl,\ org.netbeans.libs.javacimpl,\
org.netbeans.libs.springframework,\ org.netbeans.libs.springframework,\
org.netbeans.modules.ant.browsetask,\ org.netbeans.modules.ant.browsetask,\
org.netbeans.modules.ant.debugger,\ org.netbeans.modules.ant.debugger,\
org.netbeans.modules.ant.freeform,\ org.netbeans.modules.ant.freeform,\
org.netbeans.modules.ant.grammar,\ org.netbeans.modules.ant.grammar,\
org.netbeans.modules.ant.kit,\ org.netbeans.modules.ant.kit,\
org.netbeans.modules.beans,\ org.netbeans.modules.beans,\
org.netbeans.modules.classfile,\ org.netbeans.modules.classfile,\
org.netbeans.modules.dbschema,\ org.netbeans.modules.dbschema,\
org.netbeans.modules.debugger.jpda,\ org.netbeans.modules.debugger.jpda,\
org.netbeans.modules.debugger.jpda.ant,\ org.netbeans.modules.debugger.jpda.ant,\
org.netbeans.modules.debugger.jpda.kit,\ org.netbeans.modules.debugger.jpda.kit,\
org.netbeans.modules.debugger.jpda.projects,\ org.netbeans.modules.debugger.jpda.projects,\
org.netbeans.modules.debugger.jpda.ui,\ org.netbeans.modules.debugger.jpda.ui,\
org.netbeans.modules.debugger.jpda.visual,\ org.netbeans.modules.debugger.jpda.visual,\
org.netbeans.modules.findbugs.installer,\ org.netbeans.modules.findbugs.installer,\
org.netbeans.modules.form,\ org.netbeans.modules.form,\
org.netbeans.modules.form.binding,\ org.netbeans.modules.form.binding,\
org.netbeans.modules.form.j2ee,\ org.netbeans.modules.form.j2ee,\
org.netbeans.modules.form.kit,\ org.netbeans.modules.form.kit,\
org.netbeans.modules.form.nb,\ org.netbeans.modules.form.nb,\
org.netbeans.modules.form.refactoring,\ org.netbeans.modules.form.refactoring,\
org.netbeans.modules.hibernate,\ org.netbeans.modules.hibernate,\
org.netbeans.modules.hibernatelib,\ org.netbeans.modules.hibernatelib,\
org.netbeans.modules.hudson.ant,\ org.netbeans.modules.hudson.ant,\
org.netbeans.modules.hudson.maven,\ org.netbeans.modules.hudson.maven,\
org.netbeans.modules.i18n,\ org.netbeans.modules.i18n,\
org.netbeans.modules.i18n.form,\ org.netbeans.modules.i18n.form,\
org.netbeans.modules.j2ee.core.utilities,\ org.netbeans.modules.j2ee.core.utilities,\
org.netbeans.modules.j2ee.eclipselink,\ org.netbeans.modules.j2ee.eclipselink,\
org.netbeans.modules.j2ee.eclipselinkmodelgen,\ org.netbeans.modules.j2ee.eclipselinkmodelgen,\
org.netbeans.modules.j2ee.jpa.refactoring,\ org.netbeans.modules.j2ee.jpa.refactoring,\
org.netbeans.modules.j2ee.jpa.verification,\ org.netbeans.modules.j2ee.jpa.verification,\
org.netbeans.modules.j2ee.metadata,\ org.netbeans.modules.j2ee.metadata,\
org.netbeans.modules.j2ee.metadata.model.support,\ org.netbeans.modules.j2ee.metadata.model.support,\
org.netbeans.modules.j2ee.persistence,\ org.netbeans.modules.j2ee.persistence,\
org.netbeans.modules.j2ee.persistence.kit,\ org.netbeans.modules.j2ee.persistence.kit,\
org.netbeans.modules.j2ee.persistenceapi,\ org.netbeans.modules.j2ee.persistenceapi,\
org.netbeans.modules.java.api.common,\ org.netbeans.modules.java.api.common,\
org.netbeans.modules.java.debug,\ org.netbeans.modules.java.debug,\
org.netbeans.modules.java.editor,\ org.netbeans.modules.java.editor,\
org.netbeans.modules.java.editor.lib,\ org.netbeans.modules.java.editor.lib,\
org.netbeans.modules.java.examples,\ org.netbeans.modules.java.examples,\
org.netbeans.modules.java.freeform,\ org.netbeans.modules.java.freeform,\
org.netbeans.modules.java.guards,\ org.netbeans.modules.java.guards,\
org.netbeans.modules.java.helpset,\ org.netbeans.modules.java.helpset,\
org.netbeans.modules.java.hints,\ org.netbeans.modules.java.hints,\
org.netbeans.modules.java.hints.declarative,\ org.netbeans.modules.java.hints.declarative,\
org.netbeans.modules.java.hints.declarative.test,\ org.netbeans.modules.java.hints.declarative.test,\
org.netbeans.modules.java.hints.legacy.spi,\ org.netbeans.modules.java.hints.legacy.spi,\
org.netbeans.modules.java.hints.test,\ org.netbeans.modules.java.hints.test,\
org.netbeans.modules.java.hints.ui,\ org.netbeans.modules.java.hints.ui,\
org.netbeans.modules.java.j2seplatform,\ org.netbeans.modules.java.j2seplatform,\
org.netbeans.modules.java.j2seproject,\ org.netbeans.modules.java.j2seproject,\
org.netbeans.modules.java.kit,\ org.netbeans.modules.java.kit,\
org.netbeans.modules.java.lexer,\ org.netbeans.modules.java.lexer,\
org.netbeans.modules.java.navigation,\ org.netbeans.modules.java.navigation,\
org.netbeans.modules.java.platform,\ org.netbeans.modules.java.platform,\
org.netbeans.modules.java.preprocessorbridge,\ org.netbeans.modules.java.preprocessorbridge,\
org.netbeans.modules.java.project,\ org.netbeans.modules.java.project,\
org.netbeans.modules.java.source,\ org.netbeans.modules.java.source,\
org.netbeans.modules.java.source.ant,\ org.netbeans.modules.java.source.ant,\
org.netbeans.modules.java.source.queries,\ org.netbeans.modules.java.source.queries,\
org.netbeans.modules.java.source.queriesimpl,\ org.netbeans.modules.java.source.queriesimpl,\
org.netbeans.modules.java.sourceui,\ org.netbeans.modules.java.sourceui,\
org.netbeans.modules.java.testrunner,\ org.netbeans.modules.java.testrunner,\
org.netbeans.modules.javadoc,\ org.netbeans.modules.javadoc,\
org.netbeans.modules.javawebstart,\ org.netbeans.modules.javawebstart,\
org.netbeans.modules.junit,\ org.netbeans.modules.junit,\
org.netbeans.modules.maven,\ org.netbeans.modules.maven,\
org.netbeans.modules.maven.checkstyle,\ org.netbeans.modules.maven.checkstyle,\
org.netbeans.modules.maven.coverage,\ org.netbeans.modules.maven.coverage,\
org.netbeans.modules.maven.embedder,\ org.netbeans.modules.maven.embedder,\
org.netbeans.modules.maven.grammar,\ org.netbeans.modules.maven.grammar,\
org.netbeans.modules.maven.graph,\ org.netbeans.modules.maven.graph,\
org.netbeans.modules.maven.hints,\ org.netbeans.modules.maven.hints,\
org.netbeans.modules.maven.indexer,\ org.netbeans.modules.maven.indexer,\
org.netbeans.modules.maven.junit,\ org.netbeans.modules.maven.junit,\
org.netbeans.modules.maven.kit,\ org.netbeans.modules.maven.kit,\
org.netbeans.modules.maven.model,\ org.netbeans.modules.maven.model,\
org.netbeans.modules.maven.osgi,\ org.netbeans.modules.maven.osgi,\
org.netbeans.modules.maven.persistence,\ org.netbeans.modules.maven.persistence,\
org.netbeans.modules.maven.refactoring,\ org.netbeans.modules.maven.refactoring,\
org.netbeans.modules.maven.repository,\ org.netbeans.modules.maven.repository,\
org.netbeans.modules.maven.search,\ org.netbeans.modules.maven.search,\
org.netbeans.modules.maven.spring,\ org.netbeans.modules.maven.spring,\
org.netbeans.modules.projectimport.eclipse.core,\ org.netbeans.modules.projectimport.eclipse.core,\
org.netbeans.modules.projectimport.eclipse.j2se,\ org.netbeans.modules.projectimport.eclipse.j2se,\
org.netbeans.modules.refactoring.java,\ org.netbeans.modules.refactoring.java,\
org.netbeans.modules.spellchecker.bindings.java,\ org.netbeans.modules.spellchecker.bindings.java,\
org.netbeans.modules.spring.beans,\ org.netbeans.modules.spring.beans,\
org.netbeans.modules.testng,\ org.netbeans.modules.testng,\
org.netbeans.modules.testng.ant,\ org.netbeans.modules.testng.ant,\
org.netbeans.modules.testng.maven,\ org.netbeans.modules.testng.maven,\
org.netbeans.modules.websvc.jaxws21,\ org.netbeans.modules.websvc.jaxws21,\
org.netbeans.modules.websvc.jaxws21api,\ org.netbeans.modules.websvc.jaxws21api,\
org.netbeans.modules.websvc.saas.codegen.java,\ org.netbeans.modules.websvc.saas.codegen.java,\
org.netbeans.modules.xml.jaxb,\ org.netbeans.modules.xml.jaxb,\
org.netbeans.modules.xml.tools.java,\ org.netbeans.modules.xml.tools.java,\
org.netbeans.spi.java.hints org.netbeans.spi.java.hints

26
test/README.txt
View File

@ -1,13 +1,13 @@
This folder contains the data and scripts required to run regression tests This folder contains the data and scripts required to run regression tests
for Autopsy. There is a 'Testing' folder in the root directory that contains for Autopsy. There is a 'Testing' folder in the root directory that contains
the Java code that drives Autopsy to perform the tests. the Java code that drives Autopsy to perform the tests.
To run these tests: To run these tests:
- You will need python3. We run this from within Cygwin. - You will need python3. We run this from within Cygwin.
- Download the input images by typing 'ant test-download-imgs' in the root Autopsy folder. - Download the input images by typing 'ant test-download-imgs' in the root Autopsy folder.
This will place images in 'test/input'. This will place images in 'test/input'.
- Run 'python3 regression.py' from inside of the 'test/scripts' folder. - Run 'python3 regression.py' from inside of the 'test/scripts' folder.
- Alternatively, run 'python3 regression.py -l [CONFIGFILE] to run the tests on a specified - Alternatively, run 'python3 regression.py -l [CONFIGFILE] to run the tests on a specified
list of images using a configuration file. See config.xml in the 'test/scripts' folder to list of images using a configuration file. See config.xml in the 'test/scripts' folder to
see configuration file formatting. see configuration file formatting.
- Run 'python3 regression.py -h' to see other options. - Run 'python3 regression.py -h' to see other options.

98
test/script/Emailer.py
View File

@ -1,49 +1,49 @@
import smtplib import smtplib
from email.mime.image import MIMEImage from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText from email.mime.text import MIMEText
from email.mime.base import MIMEBase from email.mime.base import MIMEBase
from email import encoders from email import encoders
import xml import xml
from xml.dom.minidom import parse, parseString from xml.dom.minidom import parse, parseString
def send_email(to, server, subj, body, attachments): def send_email(to, server, subj, body, attachments):
"""Send an email with the given information. """Send an email with the given information.
Args: Args:
to: a String, the email address to send the email to to: a String, the email address to send the email to
server: a String, the mail server to send from server: a String, the mail server to send from
subj: a String, the subject line of the message subj: a String, the subject line of the message
body: a String, the body of the message body: a String, the body of the message
attachments: a listof_pathto_File, the attachements to include attachments: a listof_pathto_File, the attachements to include
""" """
msg = MIMEMultipart() msg = MIMEMultipart()
msg['Subject'] = subj msg['Subject'] = subj
# me == the sender's email address # me == the sender's email address
# family = the list of all recipients' email addresses # family = the list of all recipients' email addresses
msg['From'] = 'AutopsyTest' msg['From'] = 'AutopsyTest'
msg['To'] = to msg['To'] = to
msg.preamble = 'This is a test' msg.preamble = 'This is a test'
container = MIMEText(body, 'plain') container = MIMEText(body, 'plain')
msg.attach(container) msg.attach(container)
Build_email(msg, attachments) Build_email(msg, attachments)
s = smtplib.SMTP(server) s = smtplib.SMTP(server)
try: try:
print('Sending Email') print('Sending Email')
s.sendmail(msg['From'], msg['To'], msg.as_string()) s.sendmail(msg['From'], msg['To'], msg.as_string())
except Exception as e: except Exception as e:
print(str(e)) print(str(e))
s.quit() s.quit()
def Build_email(msg, attachments): def Build_email(msg, attachments):
for file in attachments: for file in attachments:
part = MIMEBase('application', "octet-stream") part = MIMEBase('application', "octet-stream")
atach = open(file, "rb") atach = open(file, "rb")
attch = atach.read() attch = atach.read()
noml = file.split("\\") noml = file.split("\\")
nom = noml[len(noml)-1] nom = noml[len(noml)-1]
part.set_payload(attch) part.set_payload(attch)
encoders.encode_base64(part) encoders.encode_base64(part)
part.add_header('Content-Disposition', 'attachment; filename="' + nom + '"') part.add_header('Content-Disposition', 'attachment; filename="' + nom + '"')
msg.attach(part) msg.attach(part)

3714
test/script/regression.py
View File

File diff suppressed because it is too large Load Diff

428
test/script/srcupdater.py
View File

@ -1,214 +1,214 @@
import codecs import codecs
import datetime import datetime
import logging import logging
import os import os
import re import re
import shutil import shutil
import socket import socket
import sqlite3 import sqlite3
import subprocess import subprocess
import sys import sys
from sys import platform as _platform from sys import platform as _platform
import time import time
import traceback import traceback
import xml import xml
from xml.dom.minidom import parse, parseString from xml.dom.minidom import parse, parseString
import Emailer import Emailer
from regression_utils import * from regression_utils import *
def compile(errore, attachli, parsedin): def compile(errore, attachli, parsedin):
global to global to
global server global server
global subj global subj
global email_enabled global email_enabled
global redo global redo
global tryredo global tryredo
global failedbool global failedbool
global errorem global errorem
errorem = errore errorem = errore
global attachl global attachl
attachl = attachli attachl = attachli
global passed global passed
global parsed global parsed
parsed = parsedin parsed = parsedin
passed = True passed = True
tryredo = False tryredo = False
redo = True redo = True
while(redo): while(redo):
passed = True passed = True
if(passed): if(passed):
gitPull("sleuthkit") gitPull("sleuthkit")
if(passed): if(passed):
vsBuild() vsBuild()
print("TSK") print("TSK")
if(passed): if(passed):
gitPull("autopsy") gitPull("autopsy")
if(passed): if(passed):
antBuild("datamodel", False) antBuild("datamodel", False)
print("DataModel") print("DataModel")
if(passed): if(passed):
antBuild("autopsy", True) antBuild("autopsy", True)
print("Aut") print("Aut")
if(passed): if(passed):
redo = False redo = False
else: else:
print("Compile Failed") print("Compile Failed")
time.sleep(3600) time.sleep(3600)
attachl = [] attachl = []
errorem = "The test standard didn't match the gold standard.\n" errorem = "The test standard didn't match the gold standard.\n"
failedbool = False failedbool = False
if(tryredo): if(tryredo):
errorem = "" errorem = ""
errorem += "Rebuilt properly.\n" errorem += "Rebuilt properly.\n"
if email_enabled: if email_enabled:
Emailer.send_email(to, server, subj, errorem, attachl) Emailer.send_email(to, server, subj, errorem, attachl)
attachl = [] attachl = []
passed = True passed = True
#Pulls from git #Pulls from git
def gitPull(TskOrAutopsy): def gitPull(TskOrAutopsy):
global SYS global SYS
global errorem global errorem
global attachl global attachl
ccwd = "" ccwd = ""
gppth = make_local_path("..", "GitPullOutput" + TskOrAutopsy + ".txt") gppth = make_local_path("..", "GitPullOutput" + TskOrAutopsy + ".txt")
attachl.append(gppth) attachl.append(gppth)
gpout = open(gppth, 'a') gpout = open(gppth, 'a')
toPull = "https://www.github.com/sleuthkit/" + TskOrAutopsy toPull = "https://www.github.com/sleuthkit/" + TskOrAutopsy
call = ["git", "pull", toPull] call = ["git", "pull", toPull]
if TskOrAutopsy == "sleuthkit": if TskOrAutopsy == "sleuthkit":
ccwd = os.path.join("..", "..", "..", "sleuthkit") ccwd = os.path.join("..", "..", "..", "sleuthkit")
else: else:
ccwd = os.path.join("..", "..") ccwd = os.path.join("..", "..")
subprocess.call(call, stdout=sys.stdout, cwd=ccwd) subprocess.call(call, stdout=sys.stdout, cwd=ccwd)
gpout.close() gpout.close()
#Builds TSK as a win32 applicatiion #Builds TSK as a win32 applicatiion
def vsBuild(): def vsBuild():
global redo global redo
global tryredo global tryredo
global passed global passed
global parsed global parsed
#Please ensure that the current working directory is $autopsy/testing/script #Please ensure that the current working directory is $autopsy/testing/script
oldpath = os.getcwd() oldpath = os.getcwd()
os.chdir(os.path.join("..", "..", "..","sleuthkit", "win32")) os.chdir(os.path.join("..", "..", "..","sleuthkit", "win32"))
vs = [] vs = []
vs.append("/cygdrive/c/windows/microsoft.NET/framework/v4.0.30319/MSBuild.exe") vs.append("/cygdrive/c/windows/microsoft.NET/framework/v4.0.30319/MSBuild.exe")
vs.append(os.path.join("Tsk-win.sln")) vs.append(os.path.join("Tsk-win.sln"))
vs.append("/p:configuration=release") vs.append("/p:configuration=release")
vs.append("/p:platform=x64") vs.append("/p:platform=x64")
vs.append("/t:clean") vs.append("/t:clean")
vs.append("/t:rebuild") vs.append("/t:rebuild")
print(vs) print(vs)
VSpth = make_local_path("..", "VSOutput.txt") VSpth = make_local_path("..", "VSOutput.txt")
VSout = open(VSpth, 'a') VSout = open(VSpth, 'a')
subprocess.call(vs, stdout=VSout) subprocess.call(vs, stdout=VSout)
VSout.close() VSout.close()
os.chdir(oldpath) os.chdir(oldpath)
chk = os.path.join("..", "..", "..","sleuthkit", "win32", "x64", "Release", "libtsk_jni.dll") chk = os.path.join("..", "..", "..","sleuthkit", "win32", "x64", "Release", "libtsk_jni.dll")
if not os.path.exists(chk): if not os.path.exists(chk):
print("path doesn't exist") print("path doesn't exist")
global errorem global errorem
global attachl global attachl
global email_enabled global email_enabled
if(not tryredo): if(not tryredo):
errorem += "LIBTSK C++ failed to build.\n" errorem += "LIBTSK C++ failed to build.\n"
attachl.append(VSpth) attachl.append(VSpth)
if email_enabled: if email_enabled:
Emailer.send_email(parsed, errorem, attachl, False) Emailer.send_email(parsed, errorem, attachl, False)
tryredo = True tryredo = True
passed = False passed = False
redo = True redo = True
#Builds Autopsy or the Datamodel #Builds Autopsy or the Datamodel
def antBuild(which, Build): def antBuild(which, Build):
print("building: ", which) print("building: ", which)
global redo global redo
global passed global passed
global tryredo global tryredo
global parsed global parsed
directory = os.path.join("..", "..") directory = os.path.join("..", "..")
ant = [] ant = []
if which == "datamodel": if which == "datamodel":
directory = os.path.join("..", "..", "..", "sleuthkit", "bindings", "java") directory = os.path.join("..", "..", "..", "sleuthkit", "bindings", "java")
ant.append("ant") ant.append("ant")
ant.append("-f") ant.append("-f")
ant.append(directory) ant.append(directory)
ant.append("clean") ant.append("clean")
if(Build): if(Build):
ant.append("build") ant.append("build")
else: else:
ant.append("dist") ant.append("dist")
antpth = make_local_path("..", "ant" + which + "Output.txt") antpth = make_local_path("..", "ant" + which + "Output.txt")
antout = open(antpth, 'a') antout = open(antpth, 'a')
succd = subprocess.call(ant, stdout=antout) succd = subprocess.call(ant, stdout=antout)
antout.close() antout.close()
global errorem global errorem
global attachl global attachl
global email_enabled global email_enabled
global to global to
global subj global subj
global server global server
if which == "datamodel": if which == "datamodel":
chk = os.path.join("..", "..", "..","sleuthkit", "bindings", "java", "dist", "TSK_DataModel.jar") chk = os.path.join("..", "..", "..","sleuthkit", "bindings", "java", "dist", "TSK_DataModel.jar")
try: try:
open(chk) open(chk)
except IOError as e: except IOError as e:
if(not tryredo): if(not tryredo):
errorem += "DataModel Java build failed.\n" errorem += "DataModel Java build failed.\n"
attachl.append(antpth) attachl.append(antpth)
if email_enabled: if email_enabled:
Emailer.send_email(to, server, subj, errorem, attachl) Emailer.send_email(to, server, subj, errorem, attachl)
passed = False passed = False
tryredo = True tryredo = True
elif (succd != 0 and (not tryredo)): elif (succd != 0 and (not tryredo)):
errorem += "Autopsy build failed.\n" errorem += "Autopsy build failed.\n"
attachl.append(antpth) attachl.append(antpth)
Emailer.send_email(to, server, subj, errorem, attachl) Emailer.send_email(to, server, subj, errorem, attachl)
tryredo = True tryredo = True
elif (succd != 0): elif (succd != 0):
passed = False passed = False
def main(): def main():
global email_enabled global email_enabled
global to global to
global server global server
global subj global subj
errore = "" errore = ""
attachli = [] attachli = []
config_file = "" config_file = ""
arg = sys.argv.pop(0) arg = sys.argv.pop(0)
arg = sys.argv.pop(0) arg = sys.argv.pop(0)
config_file = arg config_file = arg
parsedin = parse(config_file) parsedin = parse(config_file)
try: try:
to = parsedin.getElementsByTagName("email")[0].getAttribute("value").encode().decode("utf_8") to = parsedin.getElementsByTagName("email")[0].getAttribute("value").encode().decode("utf_8")
server = parsedin.getElementsByTagName("mail_server")[0].getAttribute("value").encode().decode("utf_8") server = parsedin.getElementsByTagName("mail_server")[0].getAttribute("value").encode().decode("utf_8")
subj = parsedin.getElementsByTagName("subject")[0].getAttribute("value").encode().decode("utf_8") subj = parsedin.getElementsByTagName("subject")[0].getAttribute("value").encode().decode("utf_8")
except Exception: except Exception:
email_enabled = False email_enabled = False
# email_enabled = (to is not None) and (server is not None) and (subj is not None) # email_enabled = (to is not None) and (server is not None) and (subj is not None)
email_enabled = False email_enabled = False
compile(errore, attachli, parsedin) compile(errore, attachli, parsedin)
class OS: class OS:
LINUX, MAC, WIN, CYGWIN = range(4) LINUX, MAC, WIN, CYGWIN = range(4)
if __name__ == "__main__": if __name__ == "__main__":
global SYS global SYS
if _platform == "linux" or _platform == "linux2": if _platform == "linux" or _platform == "linux2":
SYS = OS.LINUX SYS = OS.LINUX
elif _platform == "darwin": elif _platform == "darwin":
SYS = OS.MAC SYS = OS.MAC
elif _platform == "win32": elif _platform == "win32":
SYS = OS.WIN SYS = OS.WIN
elif _platform == "cygwin": elif _platform == "cygwin":
SYS = OS.CYGWIN SYS = OS.CYGWIN
if SYS is OS.WIN or SYS is OS.CYGWIN: if SYS is OS.WIN or SYS is OS.CYGWIN:
main() main()
else: else:
print("We only support Windows and Cygwin at this time.") print("We only support Windows and Cygwin at this time.")

14
thunderbirdparser/manifest.mf
View File

@ -1,7 +1,7 @@
Manifest-Version: 1.0 Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.thunderbirdparser/3 OpenIDE-Module: org.sleuthkit.autopsy.thunderbirdparser/3
OpenIDE-Module-Implementation-Version: 9 OpenIDE-Module-Implementation-Version: 9
OpenIDE-Module-Layer: org/sleuthkit/autopsy/thunderbirdparser/layer.xml OpenIDE-Module-Layer: org/sleuthkit/autopsy/thunderbirdparser/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/thunderbirdparser/Bundle.properties OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/thunderbirdparser/Bundle.properties

12
thunderbirdparser/nbproject/project.properties
View File

@ -1,6 +1,6 @@
javac.source=1.7 javac.source=1.7
javac.compilerargs=-Xlint -Xlint:-serial javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/ nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true nbm.needs.restart=true
spec.version.base=1.2 spec.version.base=1.2

1878
update_versions.py
View File

File diff suppressed because it is too large Load Diff