Parse unicode characters in shellbags

Parse Unicode characters in shellbags

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ShellBagParser.java

@@ -22,10 +22,12 @@
 package org.sleuthkit.autopsy.recentactivity;
 
 import java.io.BufferedReader;
-import java.io.FileReader;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.io.InputStreamReader;
+import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
@@ -63,7 +65,7 @@ class ShellBagParser {
 
         ShellBagParser sbparser = new ShellBagParser();
 
-        try (BufferedReader reader = new BufferedReader(new FileReader(regfile))) {
+        try (BufferedReader reader = new BufferedReader(new InputStreamReader(new FileInputStream(regfile), StandardCharsets.UTF_8))) {
             String line = reader.readLine();
             while (line != null) {
                 line = line.trim();

thirdparty/rr-full/plugins/shellbags.pl

@@ -42,6 +42,7 @@
 package shellbags;
 use strict;
 use Time::Local;
+use Encode::Unicode;
 
 my %config = (hive          => "USRCLASS\.DAT",
 							hivemask      => 32,
@@ -779,7 +780,7 @@ sub parseFolderEntry {
 				$tag = 0;
 			}
 			else {
-				$str .= $s;
+			    $str .= $s;
 				$cnt++;
 			}
 		}	
@@ -799,7 +800,7 @@ sub parseFolderEntry {
 				$tag = 0;
 			}
 			else {
-				$str .= $s;
+			    $str .= $s;
 				$cnt++;
 			}
 		}
@@ -858,13 +859,12 @@ sub parseFolderEntry {
 	
 		my $str = substr($data,$ofs,length($data) - 30);
 		my $longname = (split(/\00\00/,$str,2))[0];
-		$longname =~ s/\00//g;
 	
 		if ($longname ne "") {
-			$item{name} = $longname;
+			$item{name} = _uniToAscii($longname);
 		}
 		else {
-			$item{name} = $shortname;
+			$item{name} = _uniToAscii($shortname);
 		}
 	}
 	return %item;
@@ -957,7 +957,7 @@ sub parseFolderEntry2 {
 	
 	$item{name} = (split(/\00\00/,$str,2))[0];
 	$item{name} =~ s/\13\20/\2D\00/;
-	$item{name} =~ s/\00//g;
+	$item{name} = _uniToAscii($item{name});
 	
 	return %item;
 }
@@ -1024,7 +1024,7 @@ sub shellItem0x52 {
 			$tag = 0;
 		}
 		else {
-			$item{name} .= $d;
+            $item{name} .= $d;
 			$cnt += 2;
 		}
 	}	
@@ -1119,4 +1119,14 @@ sub getNum48 {
 	}
 }
 
+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;

thirdparty/rr-full/plugins/shellbags_test.pl

@@ -8,6 +8,7 @@
 #-----------------------------------------------------------
 package shellbags_test;
 use strict;
+use Encode::Unicode;
 
 require 'shellitems.pl';
 
@@ -100,7 +101,7 @@ sub traverse {
  		my $type = unpack("C",substr($values{$v},2,1));
 		my $size = unpack("v",substr($values{$v},0,2));
 #		probe($values{$v});
-		
+
 # Need to first check to see if the parent of the item was a zip folder
 # and if the 'zipsubfolder' value is set to 1		
 		if (exists ${$parent}{zipsubfolder} && ${$parent}{zipsubfolder} == 1) {
@@ -411,12 +412,22 @@ sub parseFolderItem {
 	$longname =~ s/\x00//g;
 	
 	if ($longname ne "") {
-		$item{name} = $longname;
+		$item{name} = _uniToAscii($longname);
 	}
 	else {
-		$item{name} = $shortname;
+		$item{name} = _uniToAscii($shortname);
 	}
 	return %item;
 }
 
+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;

thirdparty/rr-full/plugins/shellbags_xp.pl

@@ -36,6 +36,7 @@
 package shellbags_xp;
 use strict;
 use Time::Local;
+use Encode::Unicode;
 
 my %config = (hive          => "NTUSER\.DAT",
 							hivemask      => 32,
@@ -779,10 +780,10 @@ sub parseFolderEntry {
 	$longname =~ s/\x00//g;
 	
 	if ($longname ne "") {
-		$item{name} = $longname;
+		$item{name} = _uniToAscii($longname);
 	}
 	else {
-		$item{name} = $shortname;
+		$item{name} = _uniToAscii($shortname);
 	}
 	return %item;
 }
@@ -871,7 +872,7 @@ sub parseFolderEntry2 {
 	
 	$item{name} = (split(/\x00\x00/,$str,2))[0];
 	$item{name} =~ s/\x13\x20/\x2D\x00/;
-	$item{name} =~ s/\x00//g;
+	$item{name} = _uniToAscii($item{name});
 	
 	return %item;
 }
@@ -931,4 +932,14 @@ sub printData {
 	return @display;
 }
 
+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;

thirdparty/rr-full/shellitems.pl

@@ -27,6 +27,7 @@
 # Author: H. Carvey, keydet89@yahoo.com
 #-----------------------------------------------------------
 use Time::Local;
+use Encode::Unicode;
 
 my %guids = ("{bb64f8a7-bee7-4e1a-ab8d-7d8273f7fdb6}" => "Action Center",
     "{7a979262-40ce-46ff-aeee-7884ac3b6136}" => "Add Hardware",
@@ -634,10 +635,10 @@ sub parseFolderEntry {
 	$longname =~ s/\x00//g;
 	
 	if ($longname ne "") {
-		$item{name} = $longname;
+		$item{name} = _uniToAscii($longname);
 	}
 	else {
-		$item{name} = $shortname;
+		$item{name} = _uniToAscii($shortname);
 	}
 	return %item;
 }
@@ -716,7 +717,7 @@ sub parseFolderEntry2 {
 		
 	$item{name} = (split(/\x00\x00/,$str,2))[0];
 	$item{name} =~ s/\x13\x20/\x2D\x00/;
-	$item{name} =~ s/\x00//g;
+	$item{name} = _uniToAscii($item{name});
 	
 	return %item;
 }
@@ -837,4 +838,14 @@ sub getNum48 {
 	}
 }
 
+#---------------------------------------------------------------------
+# _uniToAscii()
+#---------------------------------------------------------------------
+sub _uniToAscii {
+  my $str = $_[0];
+  Encode::from_to($str,'UTF-16LE','utf8');
+  $str = Encode::decode_utf8($str);
+  return $str;
+}
+
 1;