mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-19 19:14:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge https://github.com/sleuthkit/autopsy into Reporting

Browse Source
This commit is contained in:
Devin148 2012-12-11 10:31:42 -05:00
commit d53738c560
64 changed files with 572 additions and 261 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Core/manifest.mf
View File

@ -1,8 +1,8 @@
Manifest-Version: 1.0
OpenIDE-Module: org.sleuthkit.autopsy.core/4
OpenIDE-Module: org.sleuthkit.autopsy.core/5
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/core/Bundle.properties
OpenIDE-Module-Layer: org/sleuthkit/autopsy/core/layer.xml
OpenIDE-Module-Implementation-Version: 2
OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Requires: org.openide.windows.WindowManager, org.netbeans.api.javahelp.Help
AutoUpdate-Show-In-Client: true
AutoUpdate-Essential-Module: true

2
Core/nbproject/project.properties
View File

@ -5,5 +5,5 @@ license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/
nbm.module.author=Brian Carrier
nbm.needs.restart=true
spec.version.base=2.0
spec.version.base=3.0

5
Core/src/org/sleuthkit/autopsy/casemodule/Case.java
View File

@ -27,6 +27,7 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Collection;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.HashSet;
@ -573,6 +574,10 @@ public class Case {
return ids.toArray(new Long[ids.size()]);
}
public List<Image> getImages() throws TskCoreException {
return db.getImages();
}
/**
* Count the root objects.
* @return The number of total root objects in this case.

2
Core/src/org/sleuthkit/autopsy/casemodule/LocalDiskPanel.java
View File

@ -43,7 +43,7 @@ import org.sleuthkit.autopsy.coreutils.PlatformUtil;
import org.sleuthkit.datamodel.FsContent;
/**
* ImageTypePanel for adding a local disk or partition such as \\.\PhysicalDrive0 or \\.\C:.
* ImageTypePanel for adding a local disk or partition such as PhysicalDrive0 or C:.
*/
public class LocalDiskPanel extends ImageTypePanel {
private static LocalDiskPanel instance;

4
Core/src/org/sleuthkit/autopsy/casemodule/docs/hashDbMgmt.html
View File

@ -29,6 +29,7 @@
<li>EnCase: An EnCase hashset file.</li>
<li>MD5sum: Output from running the md5, md5sum, or md5deep program on a set of files.</li>
<li>NSRL: The format of the NSRL database.</li>
<li>HashKeeper: Hashset file conforming to the HashKeeper standard.</li>
</ul>
<h2>NIST NSRL</h2>
@ -49,7 +50,8 @@
Autopsy needs an index of the hashset to actualy use a hash database.
It can create the index if you import only the hashset.
When you select the database from within this window, it will tell you if the index needs to be created.
Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or use can use Autopsy.
Autopsy uses the hash database management system from The Sleuth Kit. You can manually create an index using the 'hfind' command line tool or you can use Autopsy.
If you attempt proceed without indexing a database, Autopsy will offer to automatically produce an index for you.
</p>
<p>
You can also specify only the index file and not use the full hashset - the index file is sufficient to identify known files.

4
Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java
View File

@ -42,6 +42,7 @@ public class FileManager implements Closeable {
}
/**
* @param image image where to find files
* @param fileName the name of the file or directory to match
* @return a list of FsContent for files/directories whose name matches the
* given fileName
@ -54,6 +55,7 @@ public class FileManager implements Closeable {
}
/**
* @param image image where to find files
* @param fileName the name of the file or directory to match
* @param dirName the name of a parent directory of fileName
* @return a list of FsContent for files/directories whose name matches
@ -67,6 +69,7 @@ public class FileManager implements Closeable {
}
/**
* @param image image where to find files
* @param fileName the name of the file or directory to match
* @param parentFsContent
* @return a list of FsContent for files/directories whose name matches
@ -80,6 +83,7 @@ public class FileManager implements Closeable {
}
/**
* @param image image where to find files
* @param filePath The full path to the file(s) of interest. This can
* optionally include the image and volume names.
* @return a list of FsContent that have the given file path.

2
Core/src/org/sleuthkit/autopsy/corecomponentinterfaces/package.dox
View File

@ -3,6 +3,6 @@
This package contains the interface classes that define the core components in Autopsy. These components are used in the different zones of the GUI.
See \ref design_page for examples of the modules and such that it defines.
See \ref design_data_flow for examples of the modules and such that it defines.
*/

3
Core/src/org/sleuthkit/autopsy/corecomponents/AbstractDataResultViewer.java
View File

@ -48,11 +48,10 @@ public abstract class AbstractDataResultViewer extends JPanel implements
//property listener to send nodes to content viewer
nodeSelListener = new PropertyChangeListener() {
/**
* Propagates changes in the current select node from the
* DataResultViewer to the DataContentTopComponent
*
* @param evt
*/
@Override
public void propertyChange(PropertyChangeEvent evt) {

2
Core/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties
View File

@ -96,3 +96,5 @@ DataResultViewerThumbnail.imagesLabel.text=Images:
DataResultViewerThumbnail.imagesRangeLabel.text=-
DataResultViewerThumbnail.pageNumLabel.text=-
DataResultViewerThumbnail.filePathLabel.text=\ \ \
DataResultViewerThumbnail.goToPageLabel.text=Go to Page:
DataResultViewerThumbnail.goToPageField.text=

4
Core/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerMedia.java
View File

@ -40,7 +40,7 @@ import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.corecomponentinterfaces.DataContentViewer;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM;
/**
*
@ -332,7 +332,7 @@ public class DataContentViewerMedia extends javax.swing.JPanel implements DataCo
return false;
}
if (File.dirFlagToValue(file.getDir_flags()).equals(TskData.TSK_FS_NAME_FLAG_ENUM.TSK_FS_NAME_FLAG_UNALLOC.toString())) {
if (file.getDirFlag() == TSK_FS_NAME_FLAG_ENUM.UNALLOC) {
return false;
}

29
Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerThumbnail.form
View File

@ -20,6 +20,7 @@
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="filePathLabel" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Component id="pageLabel" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
@ -30,12 +31,15 @@
<Component id="pagePrevButton" min="-2" pref="23" max="-2" attributes="0"/>
<EmptySpace min="0" pref="0" max="-2" attributes="0"/>
<Component id="pageNextButton" min="-2" pref="23" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="33" max="-2" attributes="0"/>
<EmptySpace type="unrelated" max="-2" attributes="0"/>
<Component id="goToPageLabel" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="goToPageField" min="-2" pref="54" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="12" max="-2" attributes="0"/>
<Component id="imagesLabel" min="-2" max="-2" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="imagesRangeLabel" min="-2" pref="91" max="-2" attributes="0"/>
</Group>
<Component id="filePathLabel" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace max="32767" attributes="0"/>
</Group>
@ -55,9 +59,11 @@
<Group type="103" groupAlignment="3" attributes="0">
<Component id="imagesLabel" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="imagesRangeLabel" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="goToPageLabel" alignment="3" min="-2" max="-2" attributes="0"/>
<Component id="goToPageField" alignment="3" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
<EmptySpace max="-2" attributes="0"/>
<EmptySpace min="0" pref="0" max="-2" attributes="0"/>
<Component id="thumbnailScrollPanel" max="32767" attributes="0"/>
<EmptySpace max="-2" attributes="0"/>
<Component id="filePathLabel" min="-2" max="-2" attributes="0"/>
@ -173,5 +179,22 @@
</Property>
</Properties>
</Component>
<Component class="javax.swing.JLabel" name="goToPageLabel">
<Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/corecomponents/Bundle.properties" key="DataResultViewerThumbnail.goToPageLabel.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property>
</Properties>
</Component>
<Component class="javax.swing.JTextField" name="goToPageField">
<Properties>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/corecomponents/Bundle.properties" key="DataResultViewerThumbnail.goToPageField.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property>
</Properties>
<Events>
<EventHandler event="actionPerformed" listener="java.awt.event.ActionListener" parameters="java.awt.event.ActionEvent" handler="goToPageFieldActionPerformed"/>
</Events>
</Component>
</SubComponents>
</Form>

58
Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerThumbnail.java
View File

@ -23,6 +23,7 @@ import java.awt.Cursor;
import java.awt.EventQueue;
import java.beans.PropertyChangeEvent;
import java.util.logging.Level;
import javax.swing.JOptionPane;
import org.sleuthkit.autopsy.coreutils.Logger;
import javax.swing.ListSelectionModel;
import javax.swing.SwingWorker;
@ -94,6 +95,8 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
imagesRangeLabel = new javax.swing.JLabel();
pageNumLabel = new javax.swing.JLabel();
filePathLabel = new javax.swing.JLabel();
goToPageLabel = new javax.swing.JLabel();
goToPageField = new javax.swing.JTextField();
thumbnailScrollPanel.setPreferredSize(new java.awt.Dimension(582, 348));
@ -134,6 +137,15 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
filePathLabel.setText(org.openide.util.NbBundle.getMessage(DataResultViewerThumbnail.class, "DataResultViewerThumbnail.filePathLabel.text")); // NOI18N
goToPageLabel.setText(org.openide.util.NbBundle.getMessage(DataResultViewerThumbnail.class, "DataResultViewerThumbnail.goToPageLabel.text")); // NOI18N
goToPageField.setText(org.openide.util.NbBundle.getMessage(DataResultViewerThumbnail.class, "DataResultViewerThumbnail.goToPageField.text")); // NOI18N
goToPageField.addActionListener(new java.awt.event.ActionListener() {
public void actionPerformed(java.awt.event.ActionEvent evt) {
goToPageFieldActionPerformed(evt);
}
});
javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this);
this.setLayout(layout);
layout.setHorizontalGroup(
@ -142,6 +154,7 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
.addGroup(layout.createSequentialGroup()
.addContainerGap()
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addComponent(filePathLabel)
.addGroup(layout.createSequentialGroup()
.addComponent(pageLabel)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
@ -152,11 +165,14 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
.addComponent(pagePrevButton, javax.swing.GroupLayout.PREFERRED_SIZE, 23, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGap(0, 0, 0)
.addComponent(pageNextButton, javax.swing.GroupLayout.PREFERRED_SIZE, 23, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGap(33, 33, 33)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addComponent(goToPageLabel)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(goToPageField, javax.swing.GroupLayout.PREFERRED_SIZE, 54, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGap(12, 12, 12)
.addComponent(imagesLabel)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(imagesRangeLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 91, javax.swing.GroupLayout.PREFERRED_SIZE))
.addComponent(filePathLabel))
.addComponent(imagesRangeLabel, javax.swing.GroupLayout.PREFERRED_SIZE, 91, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addContainerGap())
);
layout.setVerticalGroup(
@ -171,8 +187,10 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
.addComponent(pageNextButton, javax.swing.GroupLayout.PREFERRED_SIZE, 23, javax.swing.GroupLayout.PREFERRED_SIZE)
.addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.BASELINE)
.addComponent(imagesLabel)
.addComponent(imagesRangeLabel)))
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(imagesRangeLabel)
.addComponent(goToPageLabel)
.addComponent(goToPageField, javax.swing.GroupLayout.PREFERRED_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.PREFERRED_SIZE)))
.addGap(0, 0, 0)
.addComponent(thumbnailScrollPanel, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED)
.addComponent(filePathLabel))
@ -186,8 +204,15 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
private void pageNextButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_pageNextButtonActionPerformed
nextPage();
}//GEN-LAST:event_pageNextButtonActionPerformed
private void goToPageFieldActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_goToPageFieldActionPerformed
goToPage(goToPageField.getText());
}//GEN-LAST:event_goToPageFieldActionPerformed
// Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JLabel filePathLabel;
private javax.swing.JTextField goToPageField;
private javax.swing.JLabel goToPageLabel;
private javax.swing.JLabel imagesLabel;
private javax.swing.JLabel imagesRangeLabel;
private javax.swing.JLabel pageLabel;
@ -310,6 +335,26 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
}
}
private void goToPage(String pageNumText) {
int newPage;
try {
newPage = Integer.parseInt(pageNumText);
}
catch (NumberFormatException e) {
//ignore input
return;
}
if (newPage > totalPages || newPage < 1) {
JOptionPane.showMessageDialog(this, "Please enter a valid page number between 1 and " + totalPages,
"Invalid page number", JOptionPane.WARNING_MESSAGE);
return;
}
curPage = newPage;
switchPage();
}
private void switchPage() {
EventQueue.invokeLater(new Runnable() {
@ -327,6 +372,7 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
protected Object doInBackground() throws Exception {
pagePrevButton.setEnabled(false);
pageNextButton.setEnabled(false);
goToPageField.setEnabled(false);
progress = ProgressHandleFactory.createHandle("Generating Thumbnails...");
progress.start();
progress.switchToIndeterminate();
@ -352,6 +398,7 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
if (totalPages == 0) {
pagePrevButton.setEnabled(false);
pageNextButton.setEnabled(false);
goToPageField.setEnabled(false);
pageNumLabel.setText("");
imagesRangeLabel.setText("");
} else {
@ -362,6 +409,7 @@ public final class DataResultViewerThumbnail extends AbstractDataResultViewer {
pageNextButton.setEnabled(!(curPage == totalPages));
pagePrevButton.setEnabled(!(curPage == 1));
goToPageField.setEnabled(totalPages>1);
}

1
Core/src/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-idx.xml
View File

@ -14,6 +14,7 @@ and open the template in the editor.
<indexitem text="Image Details Window" target="org.sleuthkit.autopsy.directorytree.image-details"/>
<indexitem text="Volume Details Window" target="org.sleuthkit.autopsy.directorytree.volume-details"/>
<indexitem text="File System Details Window" target="org.sleuthkit.autopsy.directorytree.filesystem-details"/>
<indexitem text="Extracting Unallocated Space" target="org.sleuthkit.autopsy.directorytree.unallocated-space"/>
<indexitem text="About File Search" target="org.sleuthkit.autopsy.filesearch.about"/>
<indexitem text="How to Open File Search" target="org.sleuthkit.autopsy.filesearch.open-filesearch"/>

1
Core/src/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-map.xml
View File

@ -9,6 +9,7 @@ and open the template in the editor.
<mapID target="org.sleuthkit.autopsy.directorytree.image-details" url="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/image-details.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.volume-details" url="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/volume-details.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.filesystem-details" url="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/filesystem-details.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.unallocated-space" url="nbdocs:/org/sleuthkit/autopsy/directorytree/docs/unallocated-space.html"/>
<mapID target="org.sleuthkit.autopsy.filesearch.about" url="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/filesearch-about.html"/>
<mapID target="org.sleuthkit.autopsy.filesearch.open-filesearch" url="nbdocs:/org/sleuthkit/autopsy/filesearch/docs/open-filesearch.html"/>

1
Core/src/org/sleuthkit/autopsy/corecomponents/docs/corecomponents-toc.xml
View File

@ -8,6 +8,7 @@
<tocitem text="About Directory Tree" target="org.sleuthkit.autopsy.directorytree.about"/>
<tocitem text="Image Details Window" target="org.sleuthkit.autopsy.directorytree.image-details"/>
<tocitem text="Volume Details Window" target="org.sleuthkit.autopsy.directorytree.volume-details"/>
<tocitem text="Extracting Unallocated Space" target="org.sleuthkit.autopsy.directorytree.unallocated-space"/>
</tocitem>
<tocitem text="File Search">
<tocitem text="About File Search" target="org.sleuthkit.autopsy.filesearch.about"/>

2
Core/src/org/sleuthkit/autopsy/coreutils/StringExtract.java
View File

@ -111,7 +111,7 @@ public class StringExtract {
/**
* Sets the enabled script to one provided, resets previous setting
*
* @param scripts script to consider for when extracting strings
* @param script script to consider for when extracting strings
*/
public final void setEnabledScript(SCRIPT script) {

6
Core/src/org/sleuthkit/autopsy/coreutils/XMLUtil.java
View File

@ -62,7 +62,8 @@ public class XMLUtil {
* The schema files are extracted automatically when this function is called, the XML being validated is not.
* Be sure the XML file is already extracted otherwise it will return false.
* @param xmlfile The XML file to validate, in DOMSource format
* @param type The file name of the schema to validate against, must exist as a resource in the same package as where this function is being called.
* @param clazz class frm package to extract schema file from
* @param schemaFile The file name of the schema to validate against, must exist as a resource in the same package as where this function is being called.
*
* For example usages, please see KeywordSearchListsXML, HashDbXML, or IngestModuleLoader.
*
@ -95,7 +96,8 @@ public class XMLUtil {
*
* The schema files are extracted automatically when this function is called, the XML being validated is not.
* Be sure the XML file is already extracted otherwise it will return false.
* @param xmlfile The XML file to validate
* @param doc The XML DOM to validate
* @param clazz class from package to extract schema from
* @param type The file name of the schema to validate against, must exist as a resource in the same package as where this function is being called
*
* For example usages, please see KeywordSearchListsXML, HashDbXML, or IngestModuleLoader.

6
Core/src/org/sleuthkit/autopsy/datamodel/AbstractContentChildren.java
View File

@ -26,7 +26,7 @@ import org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordHitsRootNode;
import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.SleuthkitVisitableItem;
import org.sleuthkit.datamodel.SleuthkitItemVisitor;
import org.sleuthkit.datamodel.TskException;
@ -92,8 +92,8 @@ abstract class AbstractContentChildren<T> extends Keys<T> {
}
@Override
public AbstractContentNode visit(LayoutDirectory ld) {
return new LayoutDirectoryNode(ld);
public AbstractContentNode visit(VirtualDirectory ld) {
return new VirtualDirectoryNode(ld);
}
@Override

16
Core/src/org/sleuthkit/autopsy/datamodel/AbstractFsContentNode.java
View File

@ -18,11 +18,11 @@
*/
package org.sleuthkit.autopsy.datamodel;
import java.text.SimpleDateFormat;
import java.util.LinkedHashMap;
import java.util.Map;
import org.openide.nodes.Sheet;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.TskData.TSK_FS_META_MODE_ENUM;
/**
* Abstract class that implements the commonality between File and Directory
@ -236,15 +236,15 @@ public abstract class AbstractFsContentNode<T extends FsContent> extends Abstrac
map.put(FsContentPropertyType.ACCESS_TIME.toString(), ContentUtils.getStringTime(content.getAtime(), content));
map.put(FsContentPropertyType.CREATED_TIME.toString(), ContentUtils.getStringTime(content.getCrtime(), content));
map.put(FsContentPropertyType.SIZE.toString(), content.getSize());
map.put(FsContentPropertyType.FLAGS_DIR.toString(), content.getDirFlagsAsString());
map.put(FsContentPropertyType.FLAGS_META.toString(), content.getMetaFlagsAsString());
map.put(FsContentPropertyType.MODE.toString(), content.getModeAsString());
map.put(FsContentPropertyType.FLAGS_DIR.toString(), content.getDirFlag().toString());
map.put(FsContentPropertyType.FLAGS_META.toString(), Integer.toString(content.getMetaFlagsInt()));
map.put(FsContentPropertyType.MODE.toString(), TSK_FS_META_MODE_ENUM.toString(content.getModes(), content.getMetaType()));
map.put(FsContentPropertyType.USER_ID.toString(), content.getUid());
map.put(FsContentPropertyType.GROUP_ID.toString(), content.getGid());
map.put(FsContentPropertyType.META_ADDR.toString(), content.getMeta_addr());
map.put(FsContentPropertyType.ATTR_ADDR.toString(), Long.toString(content.getAttr_type()) + "-" + Long.toString(content.getAttr_id()));
map.put(FsContentPropertyType.TYPE_DIR.toString(), content.getDirTypeAsString());
map.put(FsContentPropertyType.TYPE_META.toString(), content.getMetaTypeAsString());
map.put(FsContentPropertyType.META_ADDR.toString(), content.getMetaAddr());
map.put(FsContentPropertyType.ATTR_ADDR.toString(), Long.toString(content.getAttrType().getValue()) + "-" + Long.toString(content.getAttrId()));
map.put(FsContentPropertyType.TYPE_DIR.toString(), content.getDirType().getLabel());
map.put(FsContentPropertyType.TYPE_META.toString(), content.getMetaType().toString());
map.put(FsContentPropertyType.KNOWN.toString(), content.getKnown().getName());
map.put(FsContentPropertyType.MD5HASH.toString(), content.getMd5Hash() == null ? "" : content.getMd5Hash());
}

9
Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java
View File

@ -89,8 +89,8 @@ public class BlackboardArtifactNode extends DisplayableItemNode {
Map<String, Object> map = new LinkedHashMap<String, Object>();
fillPropertyMap(map, artifact);
ss.put(new NodeProperty("File Name",
"File Name",
ss.put(new NodeProperty("Source File",
"Source File",
NO_DESCR,
associated.getName()));
@ -124,7 +124,10 @@ public class BlackboardArtifactNode extends DisplayableItemNode {
try {
for (BlackboardAttribute attribute : artifact.getAttributes()) {
final int attributeTypeID= attribute.getAttributeTypeID();
if (attributeTypeID == ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID()) {
//skip some internal attributes that user shouldn't see
if (attributeTypeID == ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID()
|| attributeTypeID == ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID())
{
continue;
} else {
switch (attribute.getValueType()) {

4
Core/src/org/sleuthkit/autopsy/datamodel/ContentHierarchyVisitor.java
View File

@ -28,7 +28,7 @@ import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentVisitor;
import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.datamodel.VolumeSystem;
@ -93,7 +93,7 @@ public class ContentHierarchyVisitor extends ContentVisitor.Default<List<? exten
}
@Override
public List<? extends Content> visit(LayoutDirectory ldir) {
public List<? extends Content> visit(VirtualDirectory ldir) {
//return getChildren(ldir);
return Collections.singletonList(ldir);
}

4
Core/src/org/sleuthkit/autopsy/datamodel/ContentIdHierarchyVisitor.java
View File

@ -28,7 +28,7 @@ import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentVisitor;
import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.datamodel.VolumeSystem;
@ -93,7 +93,7 @@ public class ContentIdHierarchyVisitor extends ContentVisitor.Default<List<? ext
}
@Override
public List<? extends Long> visit(LayoutDirectory ldir) {
public List<? extends Long> visit(VirtualDirectory ldir) {
//return getChildren(ldir);
return Collections.singletonList(ldir.getId());
}

4
Core/src/org/sleuthkit/autopsy/datamodel/ContentNodeVisitor.java
View File

@ -34,7 +34,7 @@ public interface ContentNodeVisitor<T> {
T visit(LayoutFileNode lcn);
T visit(LayoutDirectoryNode lcn);
T visit(VirtualDirectoryNode lcn);
/**
* Visitor with an implementable default behavior for all types. Override
@ -76,7 +76,7 @@ public interface ContentNodeVisitor<T> {
}
@Override
public T visit(LayoutDirectoryNode ldn) {
public T visit(VirtualDirectoryNode ldn) {
return defaultVisit(ldn);
}
}

4
Core/src/org/sleuthkit/autopsy/datamodel/ContentUtils.java
View File

@ -36,7 +36,7 @@ import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.LayoutFile;
import org.sleuthkit.datamodel.ReadContentInputStream;
import org.sleuthkit.datamodel.TskException;
@ -155,7 +155,7 @@ public final class ContentUtils {
}
@Override
public List<String> visit(LayoutDirectory ld) {
public List<String> visit(VirtualDirectory ld) {
List<String> path = ld.getParent().accept(this);
path.add(toString.visit(ld));
return path;

4
Core/src/org/sleuthkit/autopsy/datamodel/DirectoryNode.java
View File

@ -20,7 +20,7 @@ package org.sleuthkit.autopsy.datamodel;
import javax.swing.Action;
import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM;
/**
* This class is used to represent the "Node" for the directory.
@ -39,7 +39,7 @@ public class DirectoryNode extends AbstractFsContentNode<Directory> {
super(dir, directoryBrowseMode);
// set name, display name, and icon
if (Directory.dirFlagToValue(dir.getDir_flags()).equals(TskData.TSK_FS_NAME_FLAG_ENUM.TSK_FS_NAME_FLAG_UNALLOC.toString())) {
if (dir.getDirFlag() == TSK_FS_NAME_FLAG_ENUM.UNALLOC) {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-deleted.png");
} else {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/Folder-icon.png");

4
Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java
View File

@ -59,7 +59,7 @@ public interface DisplayableItemNodeVisitor<T> {
T visit(ResultsNode rn);
T visit(ImagesNode in);
T visit(LayoutFileNode lcn);
T visit(LayoutDirectoryNode ldn);
T visit(VirtualDirectoryNode ldn);
/**
* Visitor with an implementable default behavior for all types. Override
@ -191,7 +191,7 @@ public interface DisplayableItemNodeVisitor<T> {
}
@Override
public T visit(LayoutDirectoryNode ldn) {
public T visit(VirtualDirectoryNode ldn) {
return defaultVisit(ldn);
}

4
Core/src/org/sleuthkit/autopsy/datamodel/FileNode.java
View File

@ -20,7 +20,7 @@ package org.sleuthkit.autopsy.datamodel;
import javax.swing.Action;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.TskData.TSK_FS_NAME_FLAG_ENUM;
/**
* This class is used to represent the "Node" for the file. It has no children.
@ -39,7 +39,7 @@ public class FileNode extends AbstractFsContentNode<File> {
super(file, directoryBrowseMode);
// set name, display name, and icon
if (file.getDir_flags() == (TskData.TSK_FS_NAME_FLAG_ENUM.TSK_FS_NAME_FLAG_UNALLOC.getDirFlag())) {
if (file.getDirFlag() == TSK_FS_NAME_FLAG_ENUM.UNALLOC) {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/file-icon-deleted.png");
} else {
this.setIconBaseWithExtension(getIconForFileType(file));

51
Core/src/org/sleuthkit/autopsy/datamodel/LayoutDirectoryNode.java → Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java
View File

@ -22,19 +22,19 @@ import java.util.LinkedHashMap;
import java.util.Map;
import org.openide.nodes.Sheet;
import org.sleuthkit.autopsy.datamodel.LayoutFileNode.LayoutContentPropertyType;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.LayoutFile;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.TskData;
/**
* Node for layout dir
*/
public class LayoutDirectoryNode extends AbstractAbstractFileNode<LayoutDirectory> {
public class VirtualDirectoryNode extends AbstractAbstractFileNode<VirtualDirectory> {
public static String nameForLayoutFile(LayoutDirectory ld) {
public static String nameForLayoutFile(VirtualDirectory ld) {
return ld.getName();
}
public LayoutDirectoryNode(LayoutDirectory ld) {
public VirtualDirectoryNode(VirtualDirectory ld) {
super(ld);
this.setDisplayName(nameForLayoutFile(ld));
@ -84,11 +84,9 @@ public class LayoutDirectoryNode extends AbstractAbstractFileNode<LayoutDirector
return true;
}
//TODO consider extend AbstractFsContent node and use that
//first need methods such as getDirType() to be pushed to AbstractFile class
private static void fillPropertyMap(Map<String, Object> map, LayoutDirectory content) {
private static void fillPropertyMap(Map<String, Object> map, VirtualDirectory content) {
map.put(LayoutContentPropertyType.NAME.toString(), content.getName());
map.put(LayoutContentPropertyType.SIZE.toString(), content.getSize());
@ -97,9 +95,38 @@ public class LayoutDirectoryNode extends AbstractAbstractFileNode<LayoutDirector
map.put(AbstractFsContentNode.FsContentPropertyType.CHANGED_TIME.toString(), ContentUtils.getStringTime(0, content));
map.put(AbstractFsContentNode.FsContentPropertyType.ACCESS_TIME.toString(), ContentUtils.getStringTime(0, content));
map.put(AbstractFsContentNode.FsContentPropertyType.CREATED_TIME.toString(), ContentUtils.getStringTime(0, content));
map.put(AbstractFsContentNode.FsContentPropertyType.FLAGS_DIR.toString(), content.getDirFlagsAsString());
map.put(AbstractFsContentNode.FsContentPropertyType.FLAGS_META.toString(), content.getMetaFlagsAsString());
map.put(AbstractFsContentNode.FsContentPropertyType.TYPE_DIR.toString(), content.getDirTypeAsString());
map.put(AbstractFsContentNode.FsContentPropertyType.TYPE_META.toString(), content.getMetaTypeAsString());
map.put(AbstractFsContentNode.FsContentPropertyType.FLAGS_DIR.toString(), content.getDirFlags().toString());
map.put(AbstractFsContentNode.FsContentPropertyType.FLAGS_META.toString(), metaFlagToString(content.getMetaFlags()));
map.put(AbstractFsContentNode.FsContentPropertyType.TYPE_DIR.toString(), content.getDirType().toString());
map.put(AbstractFsContentNode.FsContentPropertyType.TYPE_META.toString(), content.getMetaType().toString());
}
/**
* Convert meta flag long to user-readable string / label
*
* @param metaFlag to convert
* @return string formatted meta flag representation
*/
public static String metaFlagToString(short metaFlag) {
String result = "";
short allocFlag = TskData.TSK_FS_META_FLAG_ENUM.ALLOC.getValue();
short unallocFlag = TskData.TSK_FS_META_FLAG_ENUM.UNALLOC.getValue();
// some variables that might be needed in the future
//long usedFlag = TskData.TSK_FS_META_FLAG_ENUM.USED.getMetaFlag();
//long unusedFlag = TskData.TSK_FS_META_FLAG_ENUM.UNUSED.getMetaFlag();
//long compFlag = TskData.TSK_FS_META_FLAG_ENUM.COMP.getMetaFlag();
//long orphanFlag = TskData.TSK_FS_META_FLAG_ENUM.ORPHAN.getMetaFlag();
if ((metaFlag & allocFlag) == allocFlag) {
result = TskData.TSK_FS_META_FLAG_ENUM.ALLOC.toString();
}
if ((metaFlag & unallocFlag) == unallocFlag) {
result = TskData.TSK_FS_META_FLAG_ENUM.UNALLOC.toString();
}
return result;
}
}

2
Core/src/org/sleuthkit/autopsy/directorytree/BookmarkAction.java
View File

@ -88,7 +88,7 @@ public class BookmarkAction extends AbstractAction {
}
@Override
public AbstractFile visit(org.sleuthkit.datamodel.LayoutDirectory ld) {
public AbstractFile visit(org.sleuthkit.datamodel.VirtualDirectory ld) {
return ld;
}

6
Core/src/org/sleuthkit/autopsy/directorytree/DataResultFilterNode.java
View File

@ -51,7 +51,7 @@ import org.sleuthkit.autopsy.datamodel.ImageNode;
import org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordHitsKeywordNode;
import org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordHitsListNode;
import org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordHitsRootNode;
import org.sleuthkit.autopsy.datamodel.LayoutDirectoryNode;
import org.sleuthkit.autopsy.datamodel.VirtualDirectoryNode;
import org.sleuthkit.autopsy.datamodel.LayoutFileNode;
import org.sleuthkit.autopsy.datamodel.RecentFilesFilterNode;
import org.sleuthkit.autopsy.datamodel.RecentFilesNode;
@ -192,7 +192,7 @@ public class DataResultFilterNode extends FilterNode {
}
@Override
public List<Action> visit(LayoutDirectoryNode ld) {
public List<Action> visit(VirtualDirectoryNode ld) {
List<Action> actions = new ArrayList<Action>();
actions.add(new BookmarkAction("Bookmark Directory", ld));
@ -416,7 +416,7 @@ public class DataResultFilterNode extends FilterNode {
}
@Override
public AbstractAction visit(LayoutDirectoryNode ldn) {
public AbstractAction visit(VirtualDirectoryNode ldn) {
return openChild(ldn);
}

6
Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java
View File

@ -284,14 +284,14 @@ class ExplorerNodeActionVisitor extends ContentVisitor.Default<List<? extends Ac
Arrays.fill(rowValues, 0, 1, new Object[]{
fs.getId(),
fs.getImg_offset(),
fs.getImageOffset(),
fs.getParent().getId(),
fs.getFs_type(),
fs.getFsType(),
fs.getBlock_size(),
fs.getBlock_count(),
fs.getRoot_inum(),
fs.getFirst_inum(),
fs.getLast_inum()
fs.getLastInum()
});

242
Core/src/org/sleuthkit/autopsy/directorytree/ExtractUnallocAction.java
View File

@ -18,6 +18,7 @@
*/
package org.sleuthkit.autopsy.directorytree;
import java.awt.Component;
import java.awt.Frame;
import java.awt.event.ActionEvent;
import java.io.File;
@ -29,6 +30,7 @@ import java.util.Comparator;
import java.util.List;
import java.util.logging.Level;
import javax.swing.AbstractAction;
import javax.swing.JFileChooser;
import javax.swing.JOptionPane;
import javax.swing.SwingWorker;
import org.netbeans.api.progress.ProgressHandle;
@ -42,7 +44,7 @@ import org.sleuthkit.datamodel.ContentVisitor;
import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.LayoutFile;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.Volume;
@ -55,8 +57,8 @@ public final class ExtractUnallocAction extends AbstractAction {
private final List<UnallocStruct> LstUnallocs = new ArrayList<UnallocStruct>();
private static final List<String> lockedVols = new ArrayList<String>();
private int numDone = 0;
private static boolean runningOnImage = false;
private static final List<Long> lockedImages = new ArrayList<Long>();
private long currentImage = 0L;
private static final Logger logger = Logger.getLogger(ExtractUnallocAction.class.getName());
private boolean isImage = false;
@ -65,9 +67,11 @@ public final class ExtractUnallocAction extends AbstractAction {
UnallocStruct us = new UnallocStruct(volu);
LstUnallocs.add(us);
}
public ExtractUnallocAction(String title, Image img) {
super(title);
isImage = true;
currentImage = img.getId();
if (hasVolumeSystem(img)) {
for (Volume v : getVolumes(img)) {
UnallocStruct us = new UnallocStruct(v);
@ -79,35 +83,58 @@ public final class ExtractUnallocAction extends AbstractAction {
}
}
/**
* Writes the unallocated files to $CaseDir/Export/ImgName-Unalloc-ImgObjectID-VolumeID.dat
* Writes the unallocated files to
* $CaseDir/Export/ImgName-Unalloc-ImgObjectID-VolumeID.dat
*
* @param e
*/
@Override
public void actionPerformed(ActionEvent e) {
if (LstUnallocs != null && LstUnallocs.size() > 0) {
if (runningOnImage) {
JOptionPane.showMessageDialog(new Frame(), "Unallocated Space is already running on this Image. Please select a different Image.");
if (lockedImages.contains(currentImage)) {
JOptionPane.showMessageDialog(new Frame(), "Unallocated Space is already being extracted on this Image. Please select a different Image.");
return;
}
List<UnallocStruct> copyList = new ArrayList<UnallocStruct>() {
{
addAll(LstUnallocs);
}
};
JFileChooser fc = new JFileChooser();
fc.setCurrentDirectory(new File(Case.getCurrentCase().getCaseDirectory()));
fc.setDialogTitle("Select directory to save to");
fc.setFileSelectionMode(JFileChooser.DIRECTORIES_ONLY);
fc.setAcceptAllFileFilterUsed(false);
int returnValue = fc.showSaveDialog((Component) e.getSource());
if (returnValue == JFileChooser.APPROVE_OPTION) {
String destination = fc.getSelectedFile().getPath();
for (UnallocStruct u : LstUnallocs) {
String UnallocName = u.ImageName + "-Unalloc-" + u.ImageId + "-" + u.VolumeId + ".dat";
if (u.llf != null && u.llf.size() > 0 && !lockedVols.contains(UnallocName)) {
u.setPath(destination);
if (u.llf != null && u.llf.size() > 0 && !lockedVols.contains(u.getFileName())) {
//Format for single Unalloc File is ImgName-Unalloc-ImgObjectID-VolumeID.dat
File unalloc = new File(Case.getCurrentCase().getCaseDirectory() + File.separator + "Export" + File.separator + UnallocName);
if (unalloc.exists()) {
int res = JOptionPane.showConfirmDialog(new Frame(), "The Unalloc File for this volume, " + UnallocName + " already exists, do you want to replace it?");
if (u.FileInstance.exists()) {
int res = JOptionPane.showConfirmDialog(new Frame(), "The Unalloc File for this volume, " + u.getFileName() + " already exists, do you want to replace it?");
if (res == JOptionPane.YES_OPTION) {
unalloc.delete();
u.FileInstance.delete();
} else {
return;
copyList.remove(u);
}
}
ExtractUnallocWorker uw = new ExtractUnallocWorker(unalloc, u);
if (!isImage & !copyList.isEmpty()) {
ExtractUnallocWorker uw = new ExtractUnallocWorker(u);
uw.execute();
}
} else {
logger.log(Level.WARNING, "Tried to get unallocated content from volume ID " + u.VolumeId + ", but its list of unallocated files was empty or null");
logger.log(Level.WARNING, "Tried to get unallocated content from volume ID but " + u.VolumeId + u.llf == null ? "its list of unallocated files was null" : "the volume is locked" );
}
}
if (isImage && !copyList.isEmpty()) {
ExtractUnallocWorker uw = new ExtractUnallocWorker(copyList);
uw.execute();
}
}
}
@ -116,8 +143,10 @@ public final class ExtractUnallocAction extends AbstractAction {
/**
* Gets all the unallocated files in a given Content.
*
* @param c Content to get Unallocated Files from
* @return A list<LayoutFile> if it didn't crash List may be empty. Returns null on failure.
* @return A list<LayoutFile> if it didn't crash List may be empty. Returns
* null on failure.
*/
private List<LayoutFile> getUnallocFiles(Content c) {
UnallocVisitor uv = new UnallocVisitor();
@ -129,67 +158,102 @@ public final class ExtractUnallocAction extends AbstractAction {
return null;
}
/**
* Private class for dispatching the file IO in a background thread.
*/
private class ExtractUnallocWorker extends SwingWorker<Integer, Integer> {
private File path;
private ProgressHandle progress;
private boolean canceled = false;
private UnallocStruct us;
private List<UnallocStruct> lus = new ArrayList<UnallocStruct>();
private File currentlyProcessing;
private int totalSizeinMegs;
ExtractUnallocWorker(File path, UnallocStruct us) {
this.path = path;
if(isImage){
runningOnImage = true;
ExtractUnallocWorker(UnallocStruct us) {
this.lus.add(us);
//Getting the total megs this worker is going to be doing
if (!lockedVols.contains(us.getFileName())) {
totalSizeinMegs = toMb(us.sizeInBytes());
lockedVols.add(us.getFileName());
}
lockedVols.add(path.getName());
this.us = us;
}
ExtractUnallocWorker(List<UnallocStruct> lst) {
//Getting the total megs this worker is going to be doing
long totalBytes = 0;
for (UnallocStruct lu : lst) {
if (!lockedVols.contains(lu.getFileName())) {
totalBytes += lu.sizeInBytes();
lockedVols.add(lu.getFileName());
this.lus.add(lu);
}
}
totalSizeinMegs = toMb(totalBytes);
lockedImages.add(currentImage);
}
private int toMb(long bytes) {
if (bytes > 1024 && (bytes / 1024.0) <= Double.MAX_VALUE) {
double Mb = ((bytes / 1024.0) / 1024.0);//Bytes -> Megabytes
if (Mb <= Integer.MAX_VALUE) {
return (int) Math.floor(Mb);
}
}
return 0;
}
@Override
protected Integer doInBackground() {
try {
progress = ProgressHandleFactory.createHandle("Extracting " + path.getName(), new Cancellable() {
progress = ProgressHandleFactory.createHandle("Extracting Unallocated Space", new Cancellable() {
@Override
public boolean cancel() {
logger.log(Level.INFO, "Canceling extraction of Unalloc file " + path.getName());
logger.log(Level.INFO, "Canceling extraction of unallocated space");
canceled = true;
if (progress != null) {
progress.setDisplayName(path.getName() + " (Cancelling...)");
progress.setDisplayName("Extracting Unallocated Space" + " (Cancelling...)");
}
return true;
}
});
FileOutputStream fos = new FileOutputStream(path);
int MAX_BYTES = 8192;
byte[] buf = new byte[MAX_BYTES]; //read 8kb at a time
logger.log(Level.INFO, "Writing Unalloc file to " + path.getPath());
progress.start(us.size());
int count = 0;
for (LayoutFile f : us.getLayouts()) {
//Begin the actual File IO
progress.start(totalSizeinMegs);
int kbs = 0; //Each completion of the while loop adds one to kbs. 8kb * 128 = 1mb.
int mbs = 0; //Increments every 128th tick of kbs
for (UnallocStruct u : this.lus) {
currentlyProcessing = u.getFile();
logger.log(Level.INFO, "Writing Unalloc file to " + currentlyProcessing.getPath());
FileOutputStream fos = new FileOutputStream(currentlyProcessing);
int count = 1;
for (LayoutFile f : u.getLayouts()) {
long offset = 0L;
while (offset != f.getSize() && !canceled) {
offset += f.read(buf, offset, MAX_BYTES); //Offset + Bytes read
fos.write(buf);
if (++kbs % 128 == 0) {
mbs++;
progress.progress("processing " + mbs + " of " + totalSizeinMegs + " MBs", mbs);
}
progress.progress("processing block " + ++count + "of " + us.size(), count);
}
progress.finish();
count++;
}
fos.flush();
fos.close();
if (canceled) {
path.delete();
logger.log(Level.INFO, "Canceled extraction of " + path.getName() + " and deleted file");
u.getFile().delete();
logger.log(Level.INFO, "Canceled extraction of " + u.getFileName() + " and deleted file");
} else {
logger.log(Level.INFO, "Finished writing unalloc file " + u.getFile().getPath());
}
else{
logger.log(Level.INFO, "Finished writing unalloc file " + path.getPath());
}
progress.finish();
} catch (IOException ioe) {
logger.log(Level.WARNING, "Could not create Unalloc File; error writing file", ioe);
return -1;
@ -202,16 +266,21 @@ public final class ExtractUnallocAction extends AbstractAction {
@Override
protected void done() {
lockedVols.remove(path.getName());
if(++numDone == LstUnallocs.size()){
runningOnImage = false;
numDone = 0;
if (isImage) {
lockedImages.remove(currentImage);
}
for (UnallocStruct u : lus) {
lockedVols.remove(u.getFileName());
}
if (!canceled && !lus.isEmpty()) {
JOptionPane.showMessageDialog(new Frame(), "Completed extraction of unallocated space. Files were extracted to " + lus.get(0).getFile().getParent());
}
}
}
/**
* Determines if an image has a volume system or not.
*
* @param img The Image to analyze
* @return True if there are Volume Systems present
*/
@ -226,8 +295,10 @@ public final class ExtractUnallocAction extends AbstractAction {
/**
* Gets the volumes on an given image.
*
* @param img The image to analyze
* @return A list of volumes from the image. Returns an empty list if no matches.
* @return A list of volumes from the image. Returns an empty list if no
* matches.
*/
private List<Volume> getVolumes(Image img) {
List<Volume> lstVol = new ArrayList<Volume>();
@ -243,16 +314,16 @@ public final class ExtractUnallocAction extends AbstractAction {
return lstVol;
}
/**
* Private visitor class for going through a Content file and grabbing unallocated files.
* Private visitor class for going through a Content file and grabbing
* unallocated files.
*/
private static class UnallocVisitor extends ContentVisitor.Default<List<LayoutFile>> {
/**
* If the volume has no FileSystem, then it will call this method to return the single instance of unallocated space.
* If the volume has no FileSystem, then it will call this method to
* return the single instance of unallocated space.
*
* @param lf the LayoutFile the visitor encountered
* @return A list<LayoutFile> of size 1, returns null if it fails
*/
@ -266,9 +337,12 @@ public final class ExtractUnallocAction extends AbstractAction {
}
/**
* If the visitor finds a FileSystem, it will filter the results for directories and return on the Root Dir.
* If the visitor finds a FileSystem, it will filter the results for
* directories and return on the Root Dir.
*
* @param fs the FileSystem the visitor encountered
* @return A list<LayoutFile> containing the layout files from subsequent Visits(), returns null if it fails
* @return A list<LayoutFile> containing the layout files from
* subsequent Visits(), returns null if it fails
*/
@Override
public List<LayoutFile> visit(FileSystem fs) {
@ -286,14 +360,16 @@ public final class ExtractUnallocAction extends AbstractAction {
/**
* LayoutDirectory has all the Layout(Unallocated) files
*
* @param ld LayoutDirectory the visitor encountered
* @return A list<LayoutFile> containing all the LayoutFile in ld, returns null if it fails
* @return A list<LayoutFile> containing all the LayoutFile in ld,
* returns null if it fails
*/
@Override
public List<LayoutFile> visit(LayoutDirectory ld){
public List<LayoutFile> visit(VirtualDirectory vd) {
try {
List<LayoutFile> lflst = new ArrayList<LayoutFile>();
for(Content layout : ld.getChildren()){
for (Content layout : vd.getChildren()) {
lflst.add((LayoutFile) layout);
}
return lflst;
@ -304,15 +380,18 @@ public final class ExtractUnallocAction extends AbstractAction {
}
/**
* The only time this visitor should ever encounter a directory is when parsing over Root
* The only time this visitor should ever encounter a directory is when
* parsing over Root
*
* @param dir the directory this visitor encountered
* @return A list<LayoutFile> containing LayoutFiles encountered during subsequent Visits(), returns null if it fails
* @return A list<LayoutFile> containing LayoutFiles encountered during
* subsequent Visits(), returns null if it fails
*/
@Override
public List<LayoutFile> visit(Directory dir) {
try {
for (Content c : dir.getChildren()) {
if(c instanceof LayoutDirectory){
if (c instanceof VirtualDirectory) {
return c.accept(this);
}
}
@ -328,11 +407,10 @@ public final class ExtractUnallocAction extends AbstractAction {
}
}
/**
* Comparator for sorting lists of LayoutFiles based on their Object ID
* Ensures that the single Unalloc File is in proper order, and that the bytes
* are continuous.
* Ensures that the single Unalloc File is in proper order, and that the
* bytes are continuous.
*/
private class SortObjId implements Comparator<LayoutFile> {
@ -343,35 +421,43 @@ public final class ExtractUnallocAction extends AbstractAction {
}
if (o1.getId() > o2.getId()) {
return -1;
}
else{
} else {
return 1;
}
}
}
/**
* Private class for assisting in the running the action over an image with multiple volumes.
* Private class for assisting in the running the action over an image with
* multiple volumes.
*/
private class UnallocStruct {
private List<LayoutFile> llf;
private long VolumeId;
private long ImageId;
private String ImageName;
private String FileName;
private File FileInstance;
/**
* Contingency constructor in event no VolumeSystem exists on an Image.
*
* @param img Image file to be analyzed
*/
UnallocStruct(Image img) {
this.llf = getUnallocFiles(img);
Collections.sort(llf, new SortObjId());
this.VolumeId = 0;
this.ImageId = img.getId();
this.ImageName = img.getName();
this.FileName = this.ImageName + "-Unalloc-" + this.ImageId + "-" + 0 + ".dat";
this.FileInstance = new File(Case.getCurrentCase().getCaseDirectory() + File.separator + "Export" + File.separator + this.FileName);
}
/**
* Default constructor for extracting info from Volumes.
*
* @param volu Volume file to be analyzed
*/
UnallocStruct(Volume volu) {
@ -384,6 +470,8 @@ public final class ExtractUnallocAction extends AbstractAction {
this.ImageName = "";
this.ImageId = 0;
}
this.FileName = this.ImageName + "-Unalloc-" + this.ImageId + "-" + VolumeId + ".dat";
this.FileInstance = new File(Case.getCurrentCase().getCaseDirectory() + File.separator + "Export" + File.separator + this.FileName);
this.llf = getUnallocFiles(volu);
Collections.sort(llf, new SortObjId());
}
@ -392,21 +480,41 @@ public final class ExtractUnallocAction extends AbstractAction {
int size() {
return llf.size();
}
long sizeInBytes() {
long size = 0L;
for (LayoutFile f : llf) {
size += f.getSize();
}
return size;
}
long getVolumeId() {
return this.VolumeId;
}
long getImageId() {
return this.ImageId;
}
String getImageName() {
return this.ImageName;
}
List<LayoutFile> getLayouts() {
return this.llf;
}
String getFileName() {
return this.FileName;
}
File getFile() {
return this.FileInstance;
}
void setPath(String path) {
this.FileInstance = new File(path + File.separator + this.FileName);
}
}
}

4
Core/src/org/sleuthkit/autopsy/directorytree/ViewContextAction.java
View File

@ -43,7 +43,7 @@ import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.LayoutFile;
import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.datamodel.Volume;
@ -209,7 +209,7 @@ class ViewContextAction extends AbstractAction {
}
@Override
public List<Content> visit(LayoutDirectory ld) {
public List<Content> visit(VirtualDirectory ld) {
ret.add(ld);
ret.addAll(ld.getParent().accept(this));

BIN
Core/src/org/sleuthkit/autopsy/directorytree/docs/ExtractUnallocImage.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 9.8 KiB

1
Core/src/org/sleuthkit/autopsy/directorytree/docs/directorytree-idx.xml
View File

@ -9,4 +9,5 @@ and open the template in the editor.
<indexitem text="Image Details Window" target="org.sleuthkit.autopsy.directorytree.image-details"/>
<indexitem text="Volume Details Window" target="org.sleuthkit.autopsy.directorytree.volume-details"/>
<indexitem text="File System Details Window" target="org.sleuthkit.autopsy.directorytree.filesystem-details"/>
<indexitem text="Unallocated Space" target="org.sleuthkit.autopsy.directorytree.unallocated-space"/>
</index>

3
Core/src/org/sleuthkit/autopsy/directorytree/docs/directorytree-map.xml
View File

@ -9,5 +9,6 @@ and open the template in the editor.
<mapID target="org.sleuthkit.autopsy.directorytree.how-to-use-directorytree" url="how-to-use-directorytree.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.image-details" url="image-details.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.volume-details" url="volume-details.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.filesystem-details" url="filesystem-details.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.filesystem-details" url="filesystemm-details.html"/>
<mapID target="org.sleuthkit.autopsy.directorytree.unallocated-space" url="unallocated-space.html"/>
</map>

53
Core/src/org/sleuthkit/autopsy/directorytree/docs/unallocated-space.html Normal file
View File

@ -0,0 +1,53 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Extracting Unallocated Space</title>
<link rel="stylesheet" href="nbdocs:/org/sleuthkit/autopsy/core/docs/ide.css" type="text/css">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<h2>Extracting Unallocated Space</h2>
<p>
Unallocated space are chunks of the file system that is currently not being used for anything.
Unallocated space can store deleted files and other interesting artifacts. On the actual image,
Unallocated space is stored in blocks with distinct locations on the system. However, because
of the way various carving tools work, it is more ideal to feed them a single, large unallocated
file.
Autopsy provides access to both methods of looking at unallocated space.
</p>
<ul>
<li><strong>Individual Blocks</strong>
Underneath a volume, there is a folder named Unalloc. This folder contains all the individual unallocated blocks as the image is storing them.
You can right click and extract them the same way you can extract any other type of file in the Directory Tree.
</li>
<li><strong>Single Files</strong>
There are two ways to extract unallocated space as a single file. Right clicking on a volume and selecting "Extract Unallocated Space as Single File"
will concatenate all the unallocated files into a single, continuous file for the volume.
The second way is to right click on an image, and select "Extract Unallocated Space to Single Files". This option will extract one single file for each
volume in the image.
Progress on extraction is sent to the progress bar in the bottom right. Progress is based on number of files concatenated.
These files are stored in the Export folder under the case directory.
Files are named according to ImageName-Unalloc-ImageObjectID-VolumeID.dat
This naming scheme ensures that no duplicate file names will occur even if an there are two images with the same name in a case.
</li>
</ul>
<p>Below is where to find the single file extraction option</p>
<img src="ExtractUnallocImage.png" alt="Extracting Unallocated Space from an Image" />
</body>
</html>
<!--
Tip: to create a link which will open in an external web browser, try:
<object classid="java:org.netbeans.modules.javahelp.BrowserDisplayer">
<param name="content" value="http://www.netbeans.org/">
<param name="text" value="<html><u>http://www.netbeans.org/</u></html>">
<param name="textFontSize" value="medium">
<param name="textColor" value="blue">
</object>
To create a link to a help set from another module, you need to know the code name base and path, e.g.:
<a href="nbdocs://org.netbeans.modules.usersguide/org/netbeans/modules/usersguide/configure/configure_options.html">Using the Options Window</a>
(This link will behave sanely if that module is disabled or missing.)
!-->

4
Core/src/org/sleuthkit/autopsy/ingest/GetFilesContentVisitor.java
View File

@ -29,7 +29,7 @@ import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.datamodel.Volume;
import org.sleuthkit.datamodel.VolumeSystem;
@ -53,7 +53,7 @@ public abstract class GetFilesContentVisitor implements ContentVisitor<Collectio
public abstract Collection<AbstractFile> visit(LayoutFile lc);
@Override
public Collection<AbstractFile> visit(LayoutDirectory ld) {
public Collection<AbstractFile> visit(VirtualDirectory ld) {
return getAllFromChildren(ld);
}

19
Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java
View File

@ -22,7 +22,6 @@ import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
@ -42,15 +41,13 @@ import org.sleuthkit.datamodel.ContentVisitor;
import org.sleuthkit.datamodel.Directory;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.FileSystem;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LayoutDirectory;
import org.sleuthkit.datamodel.VirtualDirectory;
import org.sleuthkit.datamodel.LayoutFile;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.Volume;
import org.sleuthkit.datamodel.VolumeSystem;
import org.sleuthkit.datamodel.TskData.TSK_FS_META_TYPE_ENUM;
/**
* Schedules images and files with their associated modules for ingest, and
@ -313,7 +310,7 @@ class IngestScheduler {
* @return
*/
private static List<ProcessTask> createFromScheduledTask(ScheduledTask scheduledTask) {
Collection<AbstractFile> rootObjects = new GetRootDirVisitor().visit(scheduledTask.image);
Collection<AbstractFile> rootObjects = scheduledTask.image.accept(new GetRootDirVisitor());
List<AbstractFile> firstLevelFiles = new ArrayList<AbstractFile>();
for (AbstractFile root : rootObjects) {
//TODO use more specific get AbstractFile children method
@ -609,7 +606,7 @@ class IngestScheduler {
//skip files in root dir, starting with $, containing : (not default attributes)
//with meta address < 32, i.e. some special large NTFS and FAT files
final TskData.TSK_FS_TYPE_ENUM fsType = f.getFileSystem().getFs_type();
final TskData.TSK_FS_TYPE_ENUM fsType = f.getFileSystem().getFsType();
if ((fsType.getValue() & FAT_NTFS_FLAGS) == 0) {
//not fat or ntfs, accept all files
@ -623,7 +620,7 @@ class IngestScheduler {
logger.log(Level.WARNING, "Could not check if should enqueue the file: " + f.getName(), ex);
}
if (isInRootDir && f.getMeta_addr() < 32) {
if (isInRootDir && f.getMetaAddr() < 32) {
String name = f.getName();
if (name.length() > 0
@ -745,8 +742,8 @@ class IngestScheduler {
queryB.append("SELECT COUNT(*) FROM tsk_files WHERE ( (fs_obj_id = ").append(fs.getId());
//queryB.append(") OR (fs_obj_id = NULL) )");
queryB.append(") )");
queryB.append(" AND ( (meta_type = ").append(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG.getMetaType());
queryB.append(") OR (meta_type = ").append(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getMetaType());
queryB.append(" AND ( (meta_type = ").append(TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG.getValue());
queryB.append(") OR (meta_type = ").append(TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR.getValue());
queryB.append(" AND (name != '.') AND (name != '..')");
queryB.append(") )");
@ -815,7 +812,7 @@ class IngestScheduler {
static class GetRootDirVisitor extends GetFilesContentVisitor {
@Override
public Collection<AbstractFile> visit(LayoutDirectory ld) {
public Collection<AbstractFile> visit(VirtualDirectory ld) {
//case when we hit a layout directory, not under a real FS
Collection<AbstractFile> ret = new ArrayList<AbstractFile>();
ret.add(ld);

10
Core/src/org/sleuthkit/autopsy/report/ReportBodyFile.java
View File

@ -42,6 +42,7 @@ import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.datamodel.*;
import org.sleuthkit.datamodel.TskData.TSK_FS_META_MODE_ENUM;
/**
* ReportBodyFile generates a report in the body file format specified on
@ -120,10 +121,11 @@ public class ReportBodyFile implements ReportModule {
out.write(file.getUniquePath());
}
out.write("|");
out.write(Long.toString(file.getMeta_addr()));
out.write(Long.toString(file.getMetaAddr()));
out.write("|");
if(file.getModeAsString()!=null) {
out.write(file.getModeAsString());
String modeString = TSK_FS_META_MODE_ENUM.toString(file.getModes(), file.getMetaType());
if(modeString != null) {
out.write(modeString);
}
out.write("|");
out.write(Long.toString(file.getUid()));
@ -168,7 +170,7 @@ public class ReportBodyFile implements ReportModule {
@Override
public String getName() {
String name = "Body File";
String name = "Body File (Timeline Report)";
return name;
}

2
ExifParser/manifest.mf
View File

@ -1,6 +1,6 @@
Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.exifparser/3
OpenIDE-Module-Implementation-Version: 2
OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Layer: org/sleuthkit/autopsy/exifparser/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/exifparser/Bundle.properties

4
ExifParser/nbproject/project.xml
View File

@ -11,8 +11,8 @@
<build-prerequisite/>
<compile-dependency/>
<run-dependency>
<release-version>4</release-version>
<specification-version>2.0</specification-version>
<release-version>5</release-version>
<specification-version>3.0</specification-version>
</run-dependency>
</dependency>
</module-dependencies>

2
HashDatabase/manifest.mf
View File

@ -1,7 +1,7 @@
Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.hashdatabase/3
OpenIDE-Module-Implementation-Version: 2
OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Layer: org/sleuthkit/autopsy/hashdatabase/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/hashdatabase/Bundle.properties

2
HashDatabase/nbproject/project.properties
View File

@ -3,4 +3,4 @@ javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true
spec.version.base=1.0
spec.version.base=1.1

4
HashDatabase/nbproject/project.xml
View File

@ -77,8 +77,8 @@
<build-prerequisite/>
<compile-dependency/>
<run-dependency>
<release-version>4</release-version>
<specification-version>2.0</specification-version>
<release-version>5</release-version>
<specification-version>3.0</specification-version>
</run-dependency>
</dependency>
</module-dependencies>

2
HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDb.java
View File

@ -281,7 +281,7 @@ public class HashDb implements Comparable<HashDb> {
/** We need proper cancel support in TSK to make the task cancellable
new Cancellable() {
@Override
Override
public boolean cancel() {
return CreateIndex.this.cancel(true);
}

4
KeywordSearch/manifest.mf
View File

@ -1,7 +1,7 @@
Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.keywordsearch/3
OpenIDE-Module-Implementation-Version: 2
OpenIDE-Module: org.sleuthkit.autopsy.keywordsearch/4
OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Install: org/sleuthkit/autopsy/keywordsearch/Installer.class
OpenIDE-Module-Layer: org/sleuthkit/autopsy/keywordsearch/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/keywordsearch/Bundle.properties

2
KeywordSearch/nbproject/project.properties
View File

@ -3,4 +3,4 @@ javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true
spec.version.base=1.1
spec.version.base=2.0

4
KeywordSearch/nbproject/project.xml
View File

@ -95,8 +95,8 @@
<build-prerequisite/>
<compile-dependency/>
<run-dependency>
<release-version>4</release-version>
<specification-version>2.0</specification-version>
<release-version>5</release-version>
<specification-version>3.0</specification-version>
</run-dependency>
</dependency>
</module-dependencies>

1
KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java
View File

@ -320,7 +320,6 @@ public final class KeywordSearchIngestModule implements IngestModuleAbstractFile
* Initializes the module for new ingest run Sets up threads, timers,
* retrieves settings, keyword lists to run on
*
* @param services
*/
@Override
public void init(IngestModuleInit initContext) {

28
NEWS.txt
View File

@ -1,18 +1,30 @@
---------------- VERSION Current (development) --------------
---------------- VERSION Current (dev) --------------
New features:
- Added Hashkeeper hash database support
Improvements:
- File Ingest: minimized file queuing time and memory usage
- Add Image Wizard - better work-flow, better device size reporting, info on currently processed directory
- Added extraction of all unallocated blocks (from volume, image) as a single file
- Reporting improvements: reorganized columns, sorted by 1st column, added logo to html report
Bugfixes:
- fixed periodic keyword search during ingest, when it'd run max. 2 times only
---------------- VERSION 3.0.2 --------------
New features:
- Extraction of all unallocated blocks as a single file
- Results bookmarks with comments and basic bookmark reporting
- Hashkeeper hash database support
Improvements:
- File Ingest: minimized file queuing time and memory usage, also improving ingest stability
- Jump to arbitrary page in Thumbnail View
- Add Image Wizard - better work-flow, better device size reporting, info on currently processed directory
- Reporting: reorganized columns, sorted by 1st column, added logo, better styling
Bugfixes:
- fixed periodic keyword search during ingest, when it would only search max. 2 times
- fixed Downloads "target" in Recent Activity
- fixed missing hash and keyword search hits in reports
- fixed deselecting NSRL database for hash ingest
---------------- VERSION 3.0.1 --------------

4
RecentActivity/manifest.mf
View File

@ -1,6 +1,6 @@
Manifest-Version: 1.0
OpenIDE-Module: org.sleuthkit.autopsy.recentactivity/3
OpenIDE-Module-Implementation-Version: 2
OpenIDE-Module: org.sleuthkit.autopsy.recentactivity/4
OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Layer: org/sleuthkit/autopsy/recentactivity/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/recentactivity/Bundle.properties
OpenIDE-Module-Requires:

2
RecentActivity/nbproject/project.properties
View File

@ -4,4 +4,4 @@ javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true
spec.version.base=1.1
spec.version.base=2.0

4
RecentActivity/nbproject/project.xml
View File

@ -35,8 +35,8 @@
<build-prerequisite/>
<compile-dependency/>
<run-dependency>
<release-version>4</release-version>
<specification-version>2.0</specification-version>
<release-version>5</release-version>
<specification-version>3.0</specification-version>
</run-dependency>
</dependency>
</module-dependencies>

6
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -36,6 +36,7 @@ import javax.xml.parsers.ParserConfigurationException;
import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.PlatformUtil;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.autopsy.ingest.IngestModuleImage;
@ -88,8 +89,13 @@ public class ExtractRegistry extends Extract implements IngestModuleImage {
final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome);
if (PlatformUtil.isWindowsOS()) {
RR_PATH = rrHome + File.separator + "rip.exe";
}
else {
RR_PATH = "perl " + rrHome + File.separator + "rip.pl";
}
}
@Override
public String getVersion() {

2
Testing/manifest.mf
View File

@ -1,6 +1,6 @@
Manifest-Version: 1.0
AutoUpdate-Show-In-Client: false
OpenIDE-Module: org.sleuthkit.autopsy.testing/3
OpenIDE-Module-Implementation-Version: 2
OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/testing/Bundle.properties

2
Testing/nbproject/project.properties
View File

@ -3,4 +3,4 @@ javac.compilerargs=-Xlint -Xlint:-serial
license.file=../LICENSE-2.0.txt
nbm.homepage=http://www.sleuthkit.org/autopsy/
nbm.needs.restart=true
spec.version.base=1.0
spec.version.base=1.1

4
Testing/nbproject/project.xml
View File

@ -11,8 +11,8 @@
<build-prerequisite/>
<compile-dependency/>
<run-dependency>
<release-version>4</release-version>
<specification-version>2.0</specification-version>
<release-version>5</release-version>
<specification-version>3.0</specification-version>
</run-dependency>
</dependency>
</module-dependencies>

20
docs/doxygen/modDev.dox
View File

@ -101,11 +101,19 @@ TODO we should outline the process of adding a JAR file dependency for an extern
E.g. adding jar directly to the module project, or (preferred) wrapping set of jars in another module
e.g. NewModuleName-Libs and adding a dependency on the libs module. Add info how to bundle OS-specific dlls in the jar (work in progress).
\section mod_dev_services Services
\section mod_dev_services Getting Access to Services
A Services class is provided to give developers access to the services provided by the Autopsy framework. Currently, the following
services are provided:
Autopsy-Core module contains the core Autopsy application, and also the framework the application is built upon that other modules can use.
Among the Core APIs there are general services available to the Autopsy modules. The relevant packages include:
- FileManager: the org.sleuthkit.autopsy.casemodule.services.FileManager service provides an API for easy access to files and directories for a given image.
You can access the org.sleuthkit.autopsy.casemodule.services.FileManager service by calling the getFileManager() method of the
org.sleuthkit.autopsy.casemodule.services.Services class.
\section mod_dev_utilities Utilities
Autopsy-Core module contains the core Autopsy application and also the framework the application is built upon that other modules can use.
Among the Core APIs there are general utilities available to the Autopsy modules. The relevant packages include:
- org.sleuthkit.autopsy.casemodule.Case class - for the module to access Case data (TSK database) and subscribe to Case change events
- org.sleuthkit.autopsy.coreutils package has classes providing utilities for getting access to Autopsy loggers, configuration persistance API,
@ -115,11 +123,11 @@ Relevant service classes are org.sleuthkit.autopsy.coreutils.Version,
org.sleuthkit.autopsy.coreutils.PlatformUtil, org.sleuthkit.autopsy.coreutils.ModuleSettings,
org.sleuthkit.autopsy.coreutils.Logger and org.sleuthkit.autopsy.coreutils.FileUtil.
TODO: Add additional info about service classes (log, Case, database, etc.) Similar to the C++ section about services (http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_devpage.html)
TODO: Add additional info about utility classes (log, Case, database, etc.) Similar to the C++ section about services (http://sleuthkit.org/sleuthkit/docs/framework-docs/mod_devpage.html)
TODO: Move the log content from the wiki (http://wiki.sleuthkit.org/index.php?title=Autopsy_3_Logging_and_Error_Checking) to here.
Note: \ref IngestModuleServices provides services specifically for the ingest modules.
Note: org.sleuthkit.autopsy.ingest.IngestServices provides services specifically for the ingest modules.
\section mod_dev_configuration Making a Configuration Panel
@ -155,7 +163,7 @@ First, use NetBeans' GUI builder to design the panel. Be sure to include all opt
Second, in the source code of the panel, there are two important methods: \c load() and \c store(). When the options panel is opened via Tools > Options in Autopsy, the \c load() method will be called. Conversely, when the user presses OK after editing the options, the \c store() method will be called.
If one wishes to make any additional panels within the original options panel, or panels which the original opens, Autopsy provides the \ref OptionsPanel interface to help. This interface requires the \c store() and \c load() functions also be provided in the separate panels, allowing for easier child storing and loading.
If one wishes to make any additional panels within the original options panel, or panels which the original opens, Autopsy provides the org.sleuthkit.autopsy.corecomponents.OptionsPanel interface to help. This interface requires the \c store() and \c load() functions also be provided in the separate panels, allowing for easier child storing and loading.
Any storing or loading of settings or properties should be done in the \c store() and \c load() methods. Continue to \ref mod_dev_properties for more details.

3
docs/doxygen/platformConcepts.dox
View File

@ -3,7 +3,8 @@
\section platform_basics Basic Concepts
- <b>Central Database</b>: All data except for the disk image is stored in a SQLite database. This includes information about what files exist in the disk image and the output from modules. Access to this database can be found from the SleuthKitCase class. <!-- @@@ IS THAT CORRECT -->
- <b>Services</b>: There are core services that the platform provides to modules. See the \ref mod_dev_services section for more details.
- <b>Utilities</b>: There are core utilities that the platform provides to modules. See the \ref mod_dev_utilities section for more details.
- <b>Services</b>: There are services provided by the platform. See the \ref mod_dev_services section for more details.
- <b>Pipelines and Plug-in Modules:</b> The platform has several places where plug-in modules can be incorporated. This modular approach allows other developers to extend the functionality of the system. See the \ref platform_frameworks section for more details.
- <b>Blackboard:</b> The platform uses the blackboard to enable modules to communicate with each other and to display data in the GUI. See the \ref platform_blackboard section for more details.
- <b>Single tree:</b> Results from the various modules can generally be found in a single tree. This makes it easy for users to find their results.

19
docs/doxygen/workflow.dox
View File

@ -36,10 +36,13 @@ See \ref mod_ingest_page for more details on making an ingest module.
The UI has three main areas. The tree on the left-hand side, the result viewers in the upper right, and the content viewers in the lower right. Data passes between these areas by encapsulating them in Netbeans Node objects (see org.openide.nodes.Node). These allow Autopsy to generically handle all types of data. The org.sleuthkit.autopsy.datamodel package details with wrapping the org.sleuthkit.datamodel objects as Netbeans Nodes.
Nodes are modeled in a parent-child hierarchy with other nodes. All data within a Case is represented in a hierarchy with the disk images being one level below the case and volumes and such below the image.
The tree on the left hand-side shows the analysis results. Its contents are populated from the central database. This is where you can browse the file system contents and see the results from the blackboard (see \ref blackboard_page). The tree is implemented in the org.sleuthkit.autopsy.directorytree package.
The tree on the left hand-side shows the analysis results.
Its contents are populated from the central database.
This is where you can browse the file system contents and see the results from the blackboard.
<!-- @@@(see \ref blackboard_page). -->
The tree is implemented in the org.sleuthkit.autopsy.directorytree package.
The area in the upper right is the result viewer area. When a node is selected from the tree, the node and its children are sent to this area. This area is used to view a set of nodes. The viewer is itself a framework with modules that display the data in different layouts. For example, the standard version comes with a table viewer and a thumbnail viewer. Refer to \ref mod_result_page for details on building a module.
@ -50,12 +53,13 @@ See \ref mod_content_page for details on building new content viewers.
\section design_report Report generation
When ingest is complete, the user can generate reports. There is a reporting framework to enable many different formats. Autopsy currently comes with generic html, xml and Excel reports. See the org.sleuthkit.autopsy.report package for details on the framework and
\ref report_making for details on building a new report module.
When ingest is complete, the user can generate reports.
There is a reporting framework to enable many different formats. Autopsy currently comes with generic html, xml and Excel reports. See the org.sleuthkit.autopsy.report package for details on the framework and
\ref mod_report_page for details on building a new report module.
<!-- @@@ MOVE THIS SOMEWHERE ELSE -- the directory tree package maybe??
<!-- @@@ MOVE THIS SOMEWHERE ELSE -- the directory tree package maybe?? -->
The component is by default registered with the ingest manager as an ingest event listener.
The viewer first loads all the viewer-supported data currently in the blackboard when Autopsy starts.
@ -66,9 +70,10 @@ and performs a final refresh of all viewer-supported data in the blackboard.
Node content support capabilities are registered in the node's Lookup.
-->
<!-- @@@ This is too detailed for here, but maybe should be broken up and put into the sections on making a result viewer and such…
-->
\section design_data_flow Data Flow
@ -88,6 +93,6 @@ DataResult can send data back to its DataExplorer by making a custom action that
A default DataContent viewer is created when a case is opened. To display the contents of a node, it must be passed to a DataContent instance. The default single-click behavior of the DataResultViewers is to lookup the default DataContent TopComponent and pass the selected node to it. See org.sleuthkit.autopsy.corecomponents.AbstractDataResultViewer.propertyChange(PropertyChangeEvent) for details.
-->
*/

2
nbproject/project.properties
View File

@ -4,7 +4,7 @@ app.title=Autopsy
### lowercase version of above
app.name=autopsy
### if left unset, version will default to today's date
#app.version=3.0.0
#app.version=3.0.2
### Build type isn't used at this point, but it may be useful
### Must be one of: DEVELOPMENT, RELEASE
#build.type=RELEASE

2
thunderbirdparser/manifest.mf
View File

@ -1,7 +1,7 @@
Manifest-Version: 1.0
AutoUpdate-Show-In-Client: true
OpenIDE-Module: org.sleuthkit.autopsy.thunderbirdparser/3
OpenIDE-Module-Implementation-Version: 2
OpenIDE-Module-Implementation-Version: 3
OpenIDE-Module-Layer: org/sleuthkit/autopsy/thunderbirdparser/layer.xml
OpenIDE-Module-Localizing-Bundle: org/sleuthkit/autopsy/thunderbirdparser/Bundle.properties

4
thunderbirdparser/nbproject/project.xml
View File

@ -11,8 +11,8 @@
<build-prerequisite/>
<compile-dependency/>
<run-dependency>
<release-version>4</release-version>
<specification-version>2.0</specification-version>
<release-version>5</release-version>
<specification-version>3.0</specification-version>
</run-dependency>
</dependency>
</module-dependencies>