From eb366cab641abf44a3991f0090a43eb0a95fe26e Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Tue, 21 Sep 2021 11:14:55 -0400 Subject: [PATCH 1/9] Move the update of the SCO columns to the EDT --- .../datamodel/BlackboardArtifactNode.java | 58 ++++++++++++------- 1 file changed, 37 insertions(+), 21 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java index fabb83bac0..5f38eceb80 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java @@ -38,6 +38,7 @@ import java.util.concurrent.TimeUnit; import java.util.logging.Level; import java.util.stream.Collectors; import javax.swing.Action; +import javax.swing.SwingUtilities; import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.tuple.Pair; import org.openide.nodes.Sheet; @@ -179,27 +180,7 @@ public class BlackboardArtifactNode extends AbstractContentNode( - Bundle.BlackboardArtifactNode_createSheet_score_name(), - Bundle.BlackboardArtifactNode_createSheet_score_displayName(), - scoData.getScoreAndDescription().getRight(), - scoData.getScoreAndDescription().getLeft())); - } - if (scoData.getComment() != null) { - updateSheet(new NodeProperty<>( - Bundle.BlackboardArtifactNode_createSheet_comment_name(), - Bundle.BlackboardArtifactNode_createSheet_comment_displayName(), - NO_DESCR, scoData.getComment())); - } - if (scoData.getCountAndDescription() != null) { - updateSheet(new NodeProperty<>( - Bundle.BlackboardArtifactNode_createSheet_count_name(), - Bundle.BlackboardArtifactNode_createSheet_count_displayName(), - scoData.getCountAndDescription().getRight(), - scoData.getCountAndDescription().getLeft())); - } + updateSCOColumns((SCOData) evt.getNewValue()); } else if (eventType.equals(FileNameTransTask.getPropertyName())) { /* * Replace the value of the Source File property with the 
@@ -1224,6 +1205,41 @@ public class BlackboardArtifactNode extends AbstractContentNode( + Bundle.BlackboardArtifactNode_createSheet_score_name(), + Bundle.BlackboardArtifactNode_createSheet_score_displayName(), + scoData.getScoreAndDescription().getRight(), + scoData.getScoreAndDescription().getLeft())); + } + if (scoData.getComment() != null) { + updateSheet(new NodeProperty<>( + Bundle.BlackboardArtifactNode_createSheet_comment_name(), + Bundle.BlackboardArtifactNode_createSheet_comment_displayName(), + NO_DESCR, scoData.getComment())); + } + if (scoData.getCountAndDescription() != null) { + updateSheet(new NodeProperty<>( + Bundle.BlackboardArtifactNode_createSheet_count_name(), + Bundle.BlackboardArtifactNode_createSheet_count_displayName(), + scoData.getCountAndDescription().getRight(), + scoData.getCountAndDescription().getLeft())); + } + } + }); + } /** * Adds the score property for the artifact represented by this node to the From 103df21150ae723d00d63cacd67bdb8bf814e50d Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Fri, 24 Sep 2021 10:20:42 -0400 Subject: [PATCH 2/9] Moved the call to start the GetSCOTask to the bottom of createSheet --- .../datamodel/BlackboardArtifactNode.java | 23 +++++++++++-------- .../autopsy/datamodel/GetSCOTask.java | 23 +++++++++++++------ .../sleuthkit/autopsy/datamodel/SCOData.java | 23 ++++++++----------- 3 files changed, 39 insertions(+), 30 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java index bf7bcade13..5ce277036f 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java 
@@ -37,6 +37,7 @@ import java.util.Map; import java.util.MissingResourceException; import java.util.Set; import java.util.concurrent.ExecutionException; +import java.util.concurrent.Future; import java.util.concurrent.TimeUnit; import java.util.logging.Level; import java.util.stream.Collectors; @@ -888,12 +889,11 @@ public class BlackboardArtifactNode extends AbstractContentNode( Bundle.BlackboardArtifactNode_analysisSheet_soureName_name(), Bundle.BlackboardArtifactNode_analysisSheet_soureName_name(), NO_DESCR, srcContentShortDescription)); - addSCOColumns(sheetSet); + GetSCOTask task = addSCOColumns(sheetSet); sheetSet.put(new NodeProperty<>( Bundle.BlackboardArtifactNode_analysisSheet_sourceType_name(), @@ -1448,9 +1450,11 @@ public class BlackboardArtifactNode extends AbstractContentNode(this), weakListener)); + return new GetSCOTask(new WeakReference<>(this), weakListener); } + return null; } /** diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/GetSCOTask.java b/Core/src/org/sleuthkit/autopsy/datamodel/GetSCOTask.java index c721fe9536..3113c1716f 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/GetSCOTask.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/GetSCOTask.java @@ -22,6 +22,7 @@ import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeListener; import java.lang.ref.WeakReference; import java.util.List; +import org.apache.commons.lang3.tuple.Pair; import org.openide.util.NbBundle.Messages; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance; import org.sleuthkit.autopsy.core.UserPreferences; 
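Review bot: In BlackboardArtifactNode.java, addSCOColumns() now ends with `return null;` (hunk @@ -1448,9 +1450,11) when it creates no task, so every caller has to null-check the result before handing it to the executor. The assignment `GetSCOTask task = addSCOColumns(sheetSet);` is visible in @@ -888,12 +889,11, but the submit site is not in the hunk, so please confirm the check exists there. The contract should also be in the method's Javadoc, for example `@return the task that will fetch the SCO values, or null when no background fetch is needed; the caller must submit it`. Both methods start and end outside the hunks shown.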
@@ -29,6 +30,8 @@ import org.sleuthkit.autopsy.events.AutopsyEvent; import org.sleuthkit.datamodel.Tag; import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil; +import org.sleuthkit.autopsy.corecomponents.DataResultViewerTable; +import org.sleuthkit.datamodel.Score; /** * Background task to get Score, Comment and Occurrences values for an Abstract @@ -57,13 +60,16 @@ class GetSCOTask implements Runnable { } // get the SCO column values List tags = contentNode.getAllTagsFromDatabase(); - SCOData scoData = new SCOData(); - scoData.setScoreAndDescription(contentNode.getScorePropertyAndDescription(tags)); + Pair scoreAndDescription = null; + DataResultViewerTable.HasCommentStatus comment = null; + Pair countAndDescription = null; + + scoreAndDescription = contentNode.getScorePropertyAndDescription(tags); //getting the correlation attribute and setting the comment column is done before the eamdb isEnabled check //because the Comment column will reflect the presence of comments in the CR when the CR is enabled, but reflect tag comments regardless String description = Bundle.GetSCOTask_occurrences_defaultDescription(); List listOfPossibleAttributes = CorrelationAttributeUtil.makeCorrAttrsForSearch(contentNode.getContent()); - scoData.setComment(contentNode.getCommentProperty(tags, listOfPossibleAttributes)); + comment = contentNode.getCommentProperty(tags, listOfPossibleAttributes); CorrelationAttributeInstance corInstance = null; if (CentralRepository.isEnabled()) { if (listOfPossibleAttributes.size() > 1) { 
@@ -73,16 +79,19 @@ class GetSCOTask implements Runnable { //there should only be one item in the list corInstance = listOfPossibleAttributes.get(0); } - scoData.setCountAndDescription(contentNode.getCountPropertyAndDescription(corInstance, description)); + countAndDescription = contentNode.getCountPropertyAndDescription(corInstance, description); } + if(Thread.currentThread().isInterrupted()) { + return; + } + // signal SCO data is available. - if (listener - != null) { + if (listener != null) { listener.propertyChange(new PropertyChangeEvent( AutopsyEvent.SourceType.LOCAL.toString(), AbstractAbstractFileNode.NodeSpecificEvents.SCO_AVAILABLE.toString(), - null, scoData)); + null, new SCOData(scoreAndDescription, comment, countAndDescription))); } } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/SCOData.java b/Core/src/org/sleuthkit/autopsy/datamodel/SCOData.java index ed9d232034..1d496e377b 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/SCOData.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/SCOData.java @@ -28,10 +28,16 @@ import org.sleuthkit.datamodel.Score; */ class SCOData { - private Pair scoreAndDescription = null; - private DataResultViewerTable.HasCommentStatus comment = null; - private Pair countAndDescription = null; + private final Pair scoreAndDescription; + private final DataResultViewerTable.HasCommentStatus comment; + private final Pair countAndDescription; + SCOData (Pair scoreAndDescription, DataResultViewerTable.HasCommentStatus comment, Pair countAndDescription){ + this.scoreAndDescription = scoreAndDescription; + this.comment = comment; + this.countAndDescription = countAndDescription; + } + Pair getScoreAndDescription() { return scoreAndDescription; } 
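Review bot: In GetSCOTask.run() (hunk @@ -73,16 +79,19), the added `Thread.currentThread().isInterrupted()` check comes after the tag lookup, the correlation-attribute build and the count query, so a cancelled task still does all of its case-database and central-repository work and only skips the notification. Repeating the same check before `CorrelationAttributeUtil.makeCorrAttrsForSearch(...)` and before `getCountPropertyAndDescription(...)` would let cancellation save that work. In the preceding hunk (@@ -57,13 +60,16) the `= null` initialisers on `scoreAndDescription` and `comment` are redundant, since both are assigned unconditionally a few lines later. run() begins outside both hunks.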
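Review bot: In SCOData.java (hunk @@ -28,10 +28,16), the new constructor has no Javadoc, and nothing tells a caller that each argument may legitimately be null. GetSCOTask leaves `countAndDescription` null when the central repository is disabled, and the node code tests each getter against null before using it. Suggested comment: `/** Creates an immutable set of SCO column values; any argument may be null when that column has no value. */`. The spacing in `SCOData (Pair ...){` also differs from the rest of the file.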
@@ -43,15 +49,4 @@ class SCOData { Pair getCountAndDescription() { return countAndDescription; } - - void setScoreAndDescription(Pair scoreAndDescription) { - this.scoreAndDescription = scoreAndDescription; - } - void setComment(DataResultViewerTable.HasCommentStatus comment) { - this.comment = comment; - } - void setCountAndDescription(Pair countAndDescription) { - this.countAndDescription = countAndDescription; - } - } From b7796a15c7008ca51e0bd7af74d3f06fb9952a3d Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Tue, 28 Sep 2021 11:58:09 -0400 Subject: [PATCH 3/9] fixed RA instance issue --- .../recentactivity/ExtractRegistry.java | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index f51bcbd0f4..72ab38a41c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -61,6 +61,7 @@ import java.util.AbstractMap; import java.util.ArrayList; import java.util.List; import java.util.Collection; +import java.util.Collections; import java.util.Date; import java.util.HashMap; import java.util.Map; @@ -1105,6 +1106,7 @@ class ExtractRegistry extends Extract { String sid = optional.get(); Map userInfo = userInfoMap.remove(sid); if(userInfo != null) { + addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); updateOsAccount(osAccount, userInfo, groupMap.get(sid), regAbstractFile); } } 
@@ -1999,9 +2001,10 @@ class ExtractRegistry extends Extract { accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); } else { osAccount = optional.get(); - if (userName != null && !userName.isEmpty()) { + addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); + if (userName != null && !userName.isEmpty()) { OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, domainName.isEmpty() ? null : domainName, host); - osAccount = updateResult.getUpdatedAccount().orElse(osAccount); + osAccount = updateResult.getUpdatedAccount().orElse(osAccount); } } @@ -2269,4 +2272,23 @@ class ExtractRegistry extends Extract { private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.ATTRIBUTE_TYPE type, Integer value, OsAccount osAccount, Host host, AbstractFile file) { return osAccount.new OsAccountAttribute(new BlackboardAttribute.Type(type), value, osAccount, host, file); } + + /** + * Adds an account instance for the given data source if one does not already + * exist. + * + * @param accountMgr + * @param osAccount + * @param dataSource + * @throws TskCoreException + */ + private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException { + List acctInstances = accountMgr.getOsAccountInstances(Collections.singletonList(osAccount.getId())); + for(OsAccountInstance instance: acctInstances) { + if(instance.getDataSource().getId() == dataSource.getId()) { + return; + } + } + accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); + } } From cbf92237730eec2a92b9017be39e8e6bd7b8caf1 Mon Sep 17 00:00:00 2001 From: Greg DiCristofaro Date: Tue, 28 Sep 2021 15:24:19 -0400 Subject: [PATCH 4/9] 8004 run updates on EDT --- .../autopsy/casemodule/IngestJobInfoPanel.java | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
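Review bot: The Javadoc on the new addAccountInstance() helper (hunk @@ -2269,4 +2272,23) leaves all three `@param` tags and the `@throws` tag empty, and it does not mention that the instance is always recorded with `OsAccountInstance.OsAccountInstanceType.LAUNCHED`. Please fill them in, e.g. `@param accountMgr the case's OsAccountManager`, `@param osAccount the account to attach to the data source`, `@param dataSource the data source being processed`, `@throws TskCoreException if the case database query or insert fails`, plus a sentence stating the instance type used. The loop also fetches every instance of the account on each call; if `newOsAccountInstance` already tolerates an existing instance (not visible here), the lookup is redundant.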
diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/IngestJobInfoPanel.java b/Core/src/org/sleuthkit/autopsy/casemodule/IngestJobInfoPanel.java index 89b696c041..300cce64c7 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/IngestJobInfoPanel.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/IngestJobInfoPanel.java @@ -30,6 +30,7 @@ import java.util.concurrent.CancellationException; import java.util.concurrent.ExecutionException; import java.util.logging.Level; import javax.swing.JOptionPane; +import javax.swing.SwingUtilities; import javax.swing.SwingWorker; import javax.swing.event.ListSelectionEvent; import javax.swing.table.AbstractTableModel; @@ -125,12 +126,15 @@ public final class IngestJobInfoPanel extends javax.swing.JPanel { } } this.ingestJobTableModel = new IngestJobTableModel(); - this.ingestJobTable.setModel(ingestJobTableModel); - //if there were ingest jobs select the first one by default - if (!ingestJobsForSelectedDataSource.isEmpty()) { - ingestJobTable.setRowSelectionInterval(0, 0); - } - this.repaint(); + + SwingUtilities.invokeLater(() -> { + this.ingestJobTable.setModel(ingestJobTableModel); + //if there were ingest jobs select the first one by default + if (!ingestJobsForSelectedDataSource.isEmpty()) { + ingestJobTable.setRowSelectionInterval(0, 0); + } + this.repaint(); + }); } /** @@ -168,7 +172,7 @@ public final class IngestJobInfoPanel extends javax.swing.JPanel { } } catch (InterruptedException | ExecutionException ex) { logger.log(Level.WARNING, "Error getting results from Ingest Job Info Panel's refresh worker", ex); - } catch (CancellationException ignored){ + } catch (CancellationException ignored) { logger.log(Level.INFO, "The refreshing of the IngestJobInfoPanel was cancelled"); } } From 0e89366339966024e25df79b6e221c563ae32091 Mon Sep 17 00:00:00 2001 
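Review bot: In hunk @@ -125,12 +126,15 of IngestJobInfoPanel.java, the lambda passed to `SwingUtilities.invokeLater` reads the fields `ingestJobTableModel` and `ingestJobsForSelectedDataSource` when it runs, not when it is queued. If the enclosing method is called again before the EDT drains the queue, the emptiness test can disagree with the model actually installed, and `setRowSelectionInterval(0, 0)` throws IllegalArgumentException on an empty table. Capturing the new model in a local (`final IngestJobTableModel model = new IngestJobTableModel();`) and testing the table itself (`if (ingestJobTable.getRowCount() > 0)`) removes that dependency. The enclosing method starts outside the hunk, so the calling thread is inferred from the commit subject.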
From: Kelly Kelly Date: Tue, 28 Sep 2021 15:24:41 -0400 Subject: [PATCH 5/9] Simplfied addAccountInstance method on ExtractRegisty --- .../sleuthkit/autopsy/recentactivity/ExtractRegistry.java | 6 ------ 1 file changed, 6 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 72ab38a41c..ba2b68ca9f 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -2283,12 +2283,6 @@ class ExtractRegistry extends Extract { * @throws TskCoreException */ private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource) throws TskCoreException { - List acctInstances = accountMgr.getOsAccountInstances(Collections.singletonList(osAccount.getId())); - for(OsAccountInstance instance: acctInstances) { - if(instance.getDataSource().getId() == dataSource.getId()) { - return; - } - } accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); } } From c1cea5f389ad290a3525be0824916d4baf1c1f51 Mon Sep 17 00:00:00 2001 From: Greg DiCristofaro Date: Tue, 28 Sep 2021 15:54:05 -0400 Subject: [PATCH 6/9] shows scope for os account node --- .../datamodel/Bundle.properties-MERGED | 3 ++ .../autopsy/datamodel/OsAccounts.java | 50 +++++++++++++------ 2 files changed, 39 insertions(+), 14 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED index f5da7a8696..847e10b58d 100755 --- a/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED 
@@ -356,6 +356,9 @@ OsAccounts_accountNameProperty_name=Name OsAccounts_accountRealmNameProperty_desc=OS Account Realm Name OsAccounts_accountRealmNameProperty_displayName=Realm Name OsAccounts_accountRealmNameProperty_name=RealmName +OsAccounts_accountScopeNameProperty_desc=OS Account Scope Name +OsAccounts_accountScopeNameProperty_displayName=Scope +OsAccounts_accountScopeNameProperty_name=ScopeName OsAccounts_createdTimeProperty_desc=OS Account Creation Time OsAccounts_createdTimeProperty_displayName=Creation Time OsAccounts_createdTimeProperty_name=creationTime diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java b/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java index e74275503b..492b952eab 100755 --- a/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java @@ -31,6 +31,7 @@ import java.util.Optional; import java.util.logging.Level; import java.util.stream.Collectors; import javax.swing.Action; +import org.apache.commons.lang3.StringUtils; import org.openide.nodes.ChildFactory; import org.openide.nodes.Children; import org.openide.nodes.Node; @@ -208,6 +209,8 @@ public final class OsAccounts implements AutopsyVisitableItem { && evt.getNewValue() instanceof AsynchOsAcctData && ((AsynchOsAcctData) evt.getNewValue()).getOsAccountId() == account.getId()) { + List> propertiesToUpdate = new ArrayList<>(); + AsynchOsAcctData osAcctData = (AsynchOsAcctData) evt.getNewValue(); List realmNames = osAcctData.getOsAcctRealm().getRealmNames(); 
@@ -215,31 +218,41 @@ public final class OsAccounts implements AutopsyVisitableItem { String realmNamesStr = realmNames.stream() .map(String::trim) .distinct() - .sorted((a,b) -> a.compareToIgnoreCase(b)) + .sorted((a, b) -> a.compareToIgnoreCase(b)) .collect(Collectors.joining(", ")); - updateSheet(new NodeProperty<>( + propertiesToUpdate.add(new NodeProperty<>( Bundle.OsAccounts_accountRealmNameProperty_name(), Bundle.OsAccounts_accountRealmNameProperty_displayName(), Bundle.OsAccounts_accountRealmNameProperty_desc(), realmNamesStr)); } + String scopeName = osAcctData.getOsAcctRealm().getScope().getName(); + if (StringUtils.isNotBlank(scopeName)) { + propertiesToUpdate.add(new NodeProperty<>( + Bundle.OsAccounts_accountScopeNameProperty_name(), + Bundle.OsAccounts_accountScopeNameProperty_displayName(), + Bundle.OsAccounts_accountScopeNameProperty_desc(), + scopeName)); + } + List hosts = osAcctData.getHosts(); if (!hosts.isEmpty()) { String hostsString = hosts.stream() .map(h -> h.getName().trim()) .distinct() - .sorted((a,b) -> a.compareToIgnoreCase(b)) + .sorted((a, b) -> a.compareToIgnoreCase(b)) .collect(Collectors.joining(", ")); - updateSheet(new NodeProperty<>( + propertiesToUpdate.add(new NodeProperty<>( Bundle.OsAccounts_accountHostNameProperty_name(), Bundle.OsAccounts_accountHostNameProperty_displayName(), Bundle.OsAccounts_accountHostNameProperty_desc(), hostsString)); } + updateSheet(propertiesToUpdate.toArray(new NodeProperty[propertiesToUpdate.size()])); } } }; 
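Review bot: In OsAccounts.java (hunk @@ -215,31 +218,41), `updateSheet(propertiesToUpdate.toArray(...))` now runs unconditionally, including with an empty array when the realm names, scope name and hosts are all absent. Whether that causes a needless sheet refresh depends on updateSheet, which is not visible here; a guard such as `if (!propertiesToUpdate.isEmpty())` makes the intent explicit. `new NodeProperty[propertiesToUpdate.size()]` also creates a raw-typed array, which produces an unchecked warning at the call. The listener body starts outside the hunk.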
@@ -296,6 +309,9 @@ public final class OsAccounts implements AutopsyVisitableItem { "OsAccounts_accountHostNameProperty_name=HostName", "OsAccounts_accountHostNameProperty_displayName=Host", "OsAccounts_accountHostNameProperty_desc=OS Account Host Name", + "OsAccounts_accountScopeNameProperty_name=ScopeName", + "OsAccounts_accountScopeNameProperty_displayName=Scope", + "OsAccounts_accountScopeNameProperty_desc=OS Account Scope Name", "OsAccounts_createdTimeProperty_name=creationTime", "OsAccounts_createdTimeProperty_displayName=Creation Time", "OsAccounts_createdTimeProperty_desc=OS Account Creation Time", @@ -332,20 +348,25 @@ public final class OsAccounts implements AutopsyVisitableItem { Bundle.OsAccounts_loginNameProperty_displayName(), Bundle.OsAccounts_loginNameProperty_desc(), optional.isPresent() ? optional.get() : "")); - // Fill with empty string, fetch on background task. - String realmName = ""; - propertiesSet.put(new NodeProperty<>( - Bundle.OsAccounts_accountRealmNameProperty_name(), - Bundle.OsAccounts_accountRealmNameProperty_displayName(), - Bundle.OsAccounts_accountRealmNameProperty_desc(), - realmName)); - String hostName = ""; + // Fill with empty string, fetch on background task. propertiesSet.put(new NodeProperty<>( Bundle.OsAccounts_accountHostNameProperty_name(), Bundle.OsAccounts_accountHostNameProperty_displayName(), Bundle.OsAccounts_accountHostNameProperty_desc(), - hostName)); + "")); + + propertiesSet.put(new NodeProperty<>( + Bundle.OsAccounts_accountScopeNameProperty_name(), + Bundle.OsAccounts_accountScopeNameProperty_displayName(), + Bundle.OsAccounts_accountScopeNameProperty_desc(), + "")); + + propertiesSet.put(new NodeProperty<>( + Bundle.OsAccounts_accountRealmNameProperty_name(), + Bundle.OsAccounts_accountRealmNameProperty_displayName(), + Bundle.OsAccounts_accountRealmNameProperty_desc(), + "")); Optional creationTimeValue = account.getCreationTime(); String timeDisplayStr 
@@ -442,9 +463,10 @@ public final class OsAccounts implements AutopsyVisitableItem { /** * Main constructor. + * * @param osAccountId The id of the os account. * @param osAcctRealm The realm of the os account. - * @param hosts The hosts that the os account belongs to. + * @param hosts The hosts that the os account belongs to. */ AsynchOsAcctData(long osAccountId, OsAccountRealm osAcctRealm, List hosts) { this.osAccountId = osAccountId; From 4ad1d0f4c9150618b76dfba442289283eea59ff3 Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Tue, 28 Sep 2021 17:15:04 -0400 Subject: [PATCH 7/9] First pass --- .../recentactivity/ExtractRegistry.java | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index ba2b68ca9f..1122a1e115 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -751,7 +751,7 @@ class ExtractRegistry extends Extract { try{ sid = userMap.getKey(); String userName = userMap.getValue(); - createOrUpdateOsAccount(regFile, sid, userName, null); + createOrUpdateOsAccount(regFile, sid, userName, null, null); } catch(TskCoreException | TskDataException | NotUserSIDException ex) { logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex); } 
@@ -863,9 +863,13 @@ class ExtractRegistry extends Extract { String homeDir = value; String sid = artnode.getAttribute("sid"); //NON-NLS String username = artnode.getAttribute("username"); //NON-NLS - + String domName = domainName; + Map userMap = getUserNameMap(); + if(userMap.containsKey(sid)) { + domName = null; + } try{ - createOrUpdateOsAccount(regFile, sid, username, homeDir); + createOrUpdateOsAccount(regFile, sid, username, homeDir, domName); } catch(TskCoreException | TskDataException | NotUserSIDException ex) { logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex); } @@ -1989,7 +1993,7 @@ class ExtractRegistry extends Extract { * @throws TskDataException * @throws OsAccountManager.NotUserSIDException */ - private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir) throws TskCoreException, TskDataException, NotUserSIDException { + private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName1) throws TskCoreException, TskDataException, NotUserSIDException { OsAccountManager accountMgr = tskCase.getOsAccountManager(); HostManager hostMrg = tskCase.getHostManager(); Host host = hostMrg.getHostByDataSource((DataSource)dataSource); 
@@ -1997,13 +2001,16 @@ class ExtractRegistry extends Extract { Optional optional = accountMgr.getWindowsOsAccount(sid, null, null, host); OsAccount osAccount; if (!optional.isPresent()) { - osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null && !domainName.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); + if(sid.endsWith("20") || sid.endsWith("19")) { + domainName1 = null; + } + osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName1, host, domainName1 != null && !domainName1.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); } else { osAccount = optional.get(); addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); if (userName != null && !userName.isEmpty()) { - OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, domainName.isEmpty() ? null : domainName, host); + OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName1 == null || domainName1.isEmpty()) ? null : domainName1, host); osAccount = updateResult.getUpdatedAccount().orElse(osAccount); } } @@ -2195,7 +2202,7 @@ class ExtractRegistry extends Extract { accountMgr.addExtendedOsAccountAttributes(osAccount, attributes); // update the loginname - accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, loginName, domainName.isEmpty() ? null : domainName, host); + accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, loginName, null, host); // update other standard attributes - fullname, creationdate accountMgr.updateStandardOsAccountAttributes(osAccount, fullName, null, null, creationTime); 
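Review bot: In createOrUpdateOsAccount (hunk @@ -1997,13 +2001,16), `sid.endsWith("20") || sid.endsWith("19")` is a suffix match on the whole SID string, so it also clears the domain for any account whose RID merely ends in those digits (constructed example: `S-1-5-21-…-1119`), which would record a domain account without its realm. If the intent is the LocalService and NetworkService SIDs, compare the full value: `if ("S-1-5-19".equals(sid) || "S-1-5-20".equals(sid))`. The parameter name `domainName1` added in @@ -1989,7 +1993,7 is hard to tell apart from the existing `domainName` and has no `@param` in the Javadoc context shown. A later patch in this series (8/9) replaces this check; the method body continues outside the hunk.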
From 2906ce2401bb778fa3e64c594306e4f5adca18fe Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Tue, 28 Sep 2021 18:46:10 -0400 Subject: [PATCH 8/9] Implemented new logic to determine if an account is in a domain realm --- .../recentactivity/ExtractRegistry.java | 57 +++++++++++++++---- 1 file changed, 46 insertions(+), 11 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 1122a1e115..2a60f35d4f 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -751,7 +751,7 @@ class ExtractRegistry extends Extract { try{ sid = userMap.getKey(); String userName = userMap.getValue(); - createOrUpdateOsAccount(regFile, sid, userName, null, null); + createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL); } catch(TskCoreException | TskDataException | NotUserSIDException ex) { logger.log(Level.WARNING, String.format("Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex); } @@ -864,12 +864,14 @@ class ExtractRegistry extends Extract { String sid = artnode.getAttribute("sid"); //NON-NLS String username = artnode.getAttribute("username"); //NON-NLS String domName = domainName; - Map userMap = getUserNameMap(); - if(userMap.containsKey(sid)) { + OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN; + if(knownMachineSID(sid)) { domName = null; + scope = OsAccountRealm.RealmScope.LOCAL; } + try{ - createOrUpdateOsAccount(regFile, sid, username, homeDir, domName); + createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope); } catch(TskCoreException | TskDataException | NotUserSIDException ex) { logger.log(Level.SEVERE, String.format("Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex); } 
@@ -1117,7 +1119,7 @@ class ExtractRegistry extends Extract { //add remaining userinfos as accounts; for (Map userInfo : userInfoMap.values()) { - OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null && !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); + OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL); accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile); } @@ -1730,6 +1732,42 @@ class ExtractRegistry extends Extract { return map; } + /** + * Strip the machine sid off of the osAccountSID. The returned string will + * include everything in the osAccountSID up to the last -. + * + * @param osAccountSID The SID of the os account. + * + * @return The Machine SID + */ + private String getMachineSID(String osAccountSID) { + int index = osAccountSID.lastIndexOf("-"); + return osAccountSID.substring(0, index); + } + + private final List machineSIDs = new ArrayList<>(); + /** + * Returns true if the machine part of the SID was seen prior + * to ExtractRegistry running. + * + * @param osAccountSID + * + * @return + */ + private boolean knownMachineSID(String osAccountSID) { + if (machineSIDs.isEmpty()) { + Map userMap = getUserNameMap(); + for (String str : userMap.keySet()) { + String temp = getMachineSID(str); + if (!machineSIDs.contains(temp)) { + machineSIDs.add(temp); + } + } + } + String machineSID = getMachineSID(osAccountSID); + return machineSIDs.contains(machineSID); + } + /** * Returns a mapping of user sids to user names. * 
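Review bot: getMachineSID() (hunk @@ -1730,6 +1732,42) calls `osAccountSID.substring(0, index)` without checking the result of `lastIndexOf("-")`, so a SID string with no hyphen throws StringIndexOutOfBoundsException; if `artnode` is a DOM Element, a missing `sid` attribute yields the empty string and hits exactly this path. The caller in hunk @@ -864,12 +864,14 invokes `knownMachineSID(sid)` before its `try`, so the exception is not handled at that point and malformed parser output from an evidence hive can stop processing of the remaining entries. A guard such as `return index < 0 ? osAccountSID : osAccountSID.substring(0, index);` keeps such a value from matching any known machine SID. The Javadoc also reads backwards (the method strips the trailing RID and returns the machine part), and knownMachineSID's `@param`/`@return` tags are empty. `machineSIDs` would be clearer as a `Set<String>`, and because it is filled only while empty, an empty user map makes every call re-run getUserNameMap().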
@@ -1993,7 +2031,7 @@ class ExtractRegistry extends Extract { * @throws TskDataException * @throws OsAccountManager.NotUserSIDException */ - private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName1) throws TskCoreException, TskDataException, NotUserSIDException { + private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException { OsAccountManager accountMgr = tskCase.getOsAccountManager(); HostManager hostMrg = tskCase.getHostManager(); Host host = hostMrg.getHostByDataSource((DataSource)dataSource); 
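Review bot: The renamed parameter `domainName` in createOrUpdateOsAccount (hunk @@ -1993,7 +2031,7) shadows what appears to be the `domainName` instance field that other methods in this class still read (for example `String domName = domainName;` in @@ -864,12 +864,14), so a later edit inside this method can silently pick up the wrong value. A distinct name such as `realmName` avoids that; the same name is used in the following hunk (@@ -2001,16 +2039,13). The Javadoc context above the signature shows only `@throws` tags, so please add `@param domainName` (callers pass null together with `RealmScope.LOCAL`) and `@param realmScope`. The method body lies outside this hunk.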
@@ -2001,16 +2039,13 @@ class ExtractRegistry extends Extract { Optional optional = accountMgr.getWindowsOsAccount(sid, null, null, host); OsAccount osAccount; if (!optional.isPresent()) { - if(sid.endsWith("20") || sid.endsWith("19")) { - domainName1 = null; - } - osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName1, host, domainName1 != null && !domainName1.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); + osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope); accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); } else { osAccount = optional.get(); addAccountInstance(accountMgr, osAccount, (DataSource)dataSource); if (userName != null && !userName.isEmpty()) { - OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName1 == null || domainName1.isEmpty()) ? null : domainName1, host); + OsAccountUpdateResult updateResult= accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host); osAccount = updateResult.getUpdatedAccount().orElse(osAccount); } } From ae56b0da256b44b01823a9461d4f8271d13d79ae Mon Sep 17 00:00:00 2001 From: Greg DiCristofaro Date: Tue, 28 Sep 2021 19:35:47 -0400 Subject: [PATCH 9/9] wrap in invokeLater --- Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java b/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java index 492b952eab..060c8f19ba 100755 --- a/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java 
@@ -31,6 +31,7 @@ import java.util.Optional; import java.util.logging.Level; import java.util.stream.Collectors; import javax.swing.Action; +import javax.swing.SwingUtilities; import org.apache.commons.lang3.StringUtils; import org.openide.nodes.ChildFactory; import org.openide.nodes.Children; @@ -252,7 +253,8 @@ public final class OsAccounts implements AutopsyVisitableItem { hostsString)); } - updateSheet(propertiesToUpdate.toArray(new NodeProperty[propertiesToUpdate.size()])); + SwingUtilities.invokeLater(() -> + updateSheet(propertiesToUpdate.toArray(new NodeProperty[propertiesToUpdate.size()]))); } } };