Tweaks to reporting framework for grouped email hits

Alex Ebadirad 2012-06-27 09:30:12 -07:00
parent 2f0b57c93b
commit d9b5c40d29
3 changed files with 37 additions and 20 deletions


@ -173,38 +173,39 @@ public class Report {
try {
tempDb.copyCaseDB(currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", "jdbc:sqlite:" + currentCase.getTempDirectory() + File.separator + "autopsy-copy.db");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_keyword;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_preview;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_exp;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_list;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_from;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_to;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_content;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_cc;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report_name;");
tempdbconnect.executeStmt("DROP TABLE IF EXISTS report;");
String temp1 = "CREATE TABLE report_keyword AS SELECT value_text as keyword,blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_FROM.getTypeID() + ";";
String temp2 = "CREATE TABLE report_preview AS SELECT value_text as preview, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_TO.getTypeID() + ";";
String temp3 = "CREATE TABLE report_exp AS SELECT value_text as exp, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_PLAIN.getTypeID() + ";";
String temp4 = "CREATE TABLE report_list AS SELECT value_text as list, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_CC.getTypeID() + ";";
String temp1 = "CREATE TABLE report_from AS SELECT value_text as path,blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_FROM.getTypeID() + ";";
String temp2 = "CREATE TABLE report_to AS SELECT value_text as to, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_TO.getTypeID() + ";";
String temp3 = "CREATE TABLE report_content AS SELECT value_text as content, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_PLAIN.getTypeID() + ";";
String temp4 = "CREATE TABLE report_cc AS SELECT value_text as cc, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_CC.getTypeID() + ";";
String temp7 = "CREATE TABLE report_bcc AS SELECT value_text as bcc, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_BCC.getTypeID() + ";";
String temp8 = "CREATE TABLE report_path AS SELECT value_text as path, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH.getTypeID() + ";";
String temp5 = "CREATE TABLE report_name AS SELECT name, report_keyword.artifact_id from tsk_files,blackboard_artifacts, report_keyword WHERE blackboard_artifacts.artifact_id = report_keyword.artifact_id AND blackboard_artifacts.obj_id = tsk_files.obj_id;";
String temp6 = "CREATE TABLE report AS SELECT keyword,preview,exp,list,name from report_keyword INNER JOIN report_preview ON report_keyword.artifact_id=report_preview.artifact_id INNER JOIN report_exp ON report_preview.artifact_id=report_exp.artifact_id INNER JOIN report_list ON report_exp.artifact_id=report_list.artifact_id INNER JOIN report_name ON report_list.artifact_id=report_name.artifact_id;";
String temp8 = "CREATE TABLE report_from AS SELECT value_text as path, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH.getTypeID() + ";";
String temp6 = "CREATE TABLE report_subject AS SELECT value_text as subject, blackboard_attributes.attribute_type_id, blackboard_attributes.artifact_id FROM blackboard_attributes WHERE attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID() + ";";
String temp5 = "CREATE TABLE report_name AS SELECT name, report_from.artifact_id from tsk_files,blackboard_artifacts, report_from WHERE blackboard_artifacts.artifact_id = report_from.artifact_id AND blackboard_artifacts.obj_id = tsk_files.obj_id;";
String temp9 = "CREATE TABLE report AS SELECT path,to,content,cc,name from report_from INNER JOIN report_to ON report_from.artifact_id=report_to.artifact_id INNER JOIN report_content ON report_to.artifact_id=report_content.artifact_id INNER JOIN report_cc ON report_content.artifact_id=report_cc.artifact_id INNER JOIN report_name ON report_cc.artifact_id=report_name.artifact_id;";
tempdbconnect.executeStmt(temp1);
tempdbconnect.executeStmt(temp2);
tempdbconnect.executeStmt(temp3);
tempdbconnect.executeStmt(temp4);
tempdbconnect.executeStmt(temp5);
tempdbconnect.executeStmt(temp6);
tempdbconnect.executeStmt(temp7);
tempdbconnect.executeStmt(temp7);
tempdbconnect.executeStmt(temp8);
tempdbconnect.executeStmt(temp9);
ResultSet uniqueresults = tempdbconnect.executeQry("SELECT keyword, exp, preview, list, name FROM report ORDER BY keyword ASC");
String keyword = "";
while (uniqueresults.next()) {
if (uniqueresults.getString("keyword") == null ? keyword == null : uniqueresults.getString("keyword").equals(keyword)) {
if (uniqueresults.getString("path") == null ? keyword == null : uniqueresults.getString("path").equals(keyword)) {
} else {
table.append("</tbody></table><br /><br />");
keyword = uniqueresults.getString("keyword");
keyword = uniqueresults.getString("path");
table.append("<strong>").append(keyword).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
table.append("<table><thead><tr><th>").append("Account").append("</th><th>Preview</th><th>Email Messages</th></tr><tbody>");
}
table.append("<tr><td>").append(uniqueresults.getString("name")).append("</td>");
table.append("<td>").append(uniqueresults.getString("preview")).append("</td>").append("<td>").append(uniqueresults.getString("list")).append("<br />(").append(uniqueresults.getString("exp")).append(")").append("</td>").append("</tr>");
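Review bot: Values read from the `report` result set are appended into the report HTML unescaped (`append(keyword)` inside `<strong>`, and the `name`, `preview`, `list` and `exp` cells), and with this change those values are email fields taken from the evidence, so any markup in a sender, recipient or message body would be interpreted by the browser that opens the report. Each value should be HTML-escaped (at least `&`, `<`, `>` and `"`) before it is appended, for example `table.append("<strong>").append(escapeHtml(keyword)).append("</strong>");`, where `escapeHtml` is a helper that would have to be added or taken from a library the project already ships. Separately, the +/- markers are lost in this rendering, but the query still appears to select `keyword, exp, preview, list` while the new `report` table is built from `path,to,content,cc,name`, `report_from` is created by both `temp1` and `temp8`, and `to` is an SQL keyword used as an unquoted alias; these need reconciling before the loop can run. The enclosing method starts and ends outside the hunk.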


@ -127,7 +127,7 @@ public class ReportHTML implements ReportModule {
countDevice++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) {
countDevice++;
countEmail++;
}
}
@ -244,7 +244,7 @@ public class ReportHTML implements ReportModule {
StringBuilder nodeTrackPoint = new StringBuilder("<h3><a name=\"track\">Track Points (").append(countTrackPoint).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeInstalled = new StringBuilder("<h3><a name=\"installed\">Installed Programs (").append(countInstalled).append(")</h3>").append(tableHeader).append("<th>Program Name</th><th>Install Date/Time</th></tr></thead><tbody>");
StringBuilder nodeKeyword = new StringBuilder("<h3><a name=\"keyword\">Keyword Search Hits (").append(countKeyword).append(")</h3>");
StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Size</th><th>Hashset Name</th></tr></thead><tbody>");
StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>");
StringBuilder nodeDevice = new StringBuilder("<h3><a name=\"device\">Attached Devices (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Serial #</th><th>Time</th></tr></thead><tbody>");
StringBuilder nodeEmail = new StringBuilder("<h3><a name=\"email\">Email Messages (").append(countHash).append(")</h3>");
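Review bot: The `nodeEmail` heading in the second hunk still appends `countHash`, so the "Email Messages" count in the report would show the hashset-hit total rather than the value the first hunk now accumulates in `countEmail`. It should read `new StringBuilder("<h3><a name=\"email\">Email Messages (").append(countEmail).append(")</h3>");`. The `nodeDevice` line just above has the same slip and presumably wants `countDevice`. The declaration of `countEmail` is outside the visible hunks, so confirm it is in scope where the headings are built.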


@ -79,6 +79,7 @@ public class ReportXLS implements ReportModule {
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
int countEmail = 0;
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++;
@ -115,6 +116,9 @@ public class ReportXLS implements ReportModule {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()) {
countEmail++;
}
}
try {
@ -146,6 +150,7 @@ public class ReportXLS implements ReportModule {
Sheet sheetBookmark = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName());
Sheet sheetDownload = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getDisplayName());
Sheet sheetHistory = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName());
Sheet sheetEmail = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getDisplayName());
//Bold/underline cell style for the top header rows
CellStyle style = wbtemp.createCellStyle();
@ -251,6 +256,16 @@ public class ReportXLS implements ReportModule {
sheetHistory.getRow(0).createCell(3).setCellValue("Title");
sheetHistory.getRow(0).createCell(4).setCellValue("Program");
sheetEmail.setDefaultColumnStyle(1, defaultstyle);
sheetEmail.createRow(0).setRowStyle(style);
sheetEmail.getRow(0).createCell(0).setCellValue("From");
sheetEmail.getRow(0).createCell(1).setCellValue("To");
sheetEmail.getRow(0).createCell(2).setCellValue("Subject");
sheetEmail.getRow(0).createCell(3).setCellValue("Content");
sheetEmail.getRow(0).createCell(4).setCellValue("CC");
sheetEmail.getRow(0).createCell(4).setCellValue("BCC");
sheetEmail.getRow(0).createCell(4).setCellValue("Path");
for (int i = 0; i < wbtemp.getNumberOfSheets(); i++) {
Sheet tempsheet = wbtemp.getSheetAt(i);
tempsheet.setAutobreaks(true);
@ -298,7 +313,7 @@ public class ReportXLS implements ReportModule {
}
String value = "";
int type = tempatt.getAttributeTypeID();
if (tempatt.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID() || tempatt.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID()) {
if (tempatt.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID() || tempatt.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID()) {
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong()) * 1000)).toString();
} else {
value = tempatt.getValueString();
@ -424,7 +439,8 @@ public class ReportXLS implements ReportModule {
String type = "XLS";
return type;
}
@Override
@Override
public String getExtension() {
String ext = ".xlsx";
return ext;
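Review bot: In the `sheetEmail` header block the cells for "CC", "BCC" and "Path" are all created with `createCell(4)`, so each call replaces the previous one and row 0 ends up with only "Path" in column 4. The indexes should advance: `sheetEmail.getRow(0).createCell(4).setCellValue("CC");`, `sheetEmail.getRow(0).createCell(5).setCellValue("BCC");`, `sheetEmail.getRow(0).createCell(6).setCellValue("Path");`. The code that fills the email rows is not visible in these hunks, so check that it writes to the same column order.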