diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
index 3144c831b2..beba8feb6d 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
@@ -42,6 +42,7 @@ import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
 import org.sleuthkit.autopsy.casemodule.services.FileManager;
 import org.sleuthkit.autopsy.coreutils.ExecUtil;
+import static org.sleuthkit.autopsy.coreutils.FileUtil.escapeFileName;
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
 import org.sleuthkit.autopsy.coreutils.SQLiteDBConnect;
@@ -119,7 +120,10 @@ final class ExtractPrefetch extends Extract {
 try {
 String tempDirPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId);
 parsePrefetchFiles(prefetchDumper, tempDirPath, modOutFile, modOutPath);
- createAppExecArtifacts(modOutFile, dataSource);
+ File prefetchDatabase = new File(modOutFile);
+ if (prefetchDatabase.exists()) {
+ createAppExecArtifacts(modOutFile, dataSource);
+ }
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error parsing prefetch files", ex); //NON-NLS
 addErrorMessage(Bundle.ExtractPrefetch_errMsg_prefetchParsingFailed(Bundle.ExtractPrefetch_module_name()));
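Review bot: When the parser output is missing, the new `if (prefetchDatabase.exists())` guard skips `createAppExecArtifacts` without logging or reporting anything, so an examiner cannot tell "no prefetch activity" from "the parser produced no database". Add an else branch such as `logger.log(Level.WARNING, String.format("Prefetch parser output %s not found; no artifacts created", modOutFile)); //NON-NLS`. `exists()` is also true for a directory or a zero-length file, so `isFile()` plus a length check would be a tighter precondition if `createAppExecArtifacts` opens the path as a database (its body is not visible in this hunk).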
@@ -154,7 +158,7 @@ final class ExtractPrefetch extends Extract {
 String origFileName = pFile.getName();
 String ext = FilenameUtils.getExtension(origFileName);
 String baseName = FilenameUtils.getBaseName(origFileName);
- String fileName = String.format("%s_%d.%s", baseName, pFile.getId(), ext);
+ String fileName = escapeFileName(String.format("%s_%d.%s", baseName, pFile.getId(), ext));
 String baseRaTempPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId);
 String prefetchFile = Paths.get(baseRaTempPath, fileName).toString();
 try {
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 95f0fee429..c42f312ded 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -807,7 +807,7 @@ class ExtractRegistry extends Extract {
 try {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
- BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
+ BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DELETED_PROG);
 bbart.addAttributes(bbattributes);
 newArtifacts.add(bbart);
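Review bot: The escaped `fileName` carries no comment saying why escaping is needed, and the next line still passes `dataSource.getName()` into `getRATempPath` unescaped. `origFileName` comes from a file inside the data source being analysed, so it is untrusted input to a path on the examiner's machine; a comment such as `// name comes from the image; replace characters that are invalid or unsafe in a local path` would record that. If `getRATempPath` does not sanitise its second argument (not visible here), the data-source name deserves the same treatment. The try block opened on the last line continues outside the hunk.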
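Review bot: Nothing at this call site explains why the entries built here are now recorded as `TSK_DELETED_PROG`, and the `TSK_DATETIME` attribute is still filled from `itemMtime` with no statement of what that time means for a deleted program. The artifact type decides what an examiner concludes from the entry, so a short comment above `newArtifact` would help, along the lines of `// <registry source of these entries>: recorded as deleted because <reason>; TSK_DATETIME is <meaning of itemMtime>`. The enclosing block starts and ends outside the hunk.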
@@ -1105,7 +1105,7 @@ class ExtractRegistry extends Extract {
 //add remaining userinfos as accounts;
 for (Map userInfo : userInfoMap.values()) {
- OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null || !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
+ OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null && !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
 accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
 updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile);
 }
@@ -1147,7 +1147,7 @@ class ExtractRegistry extends Extract {
 List regFiles = findRegistryFiles();
 for (AbstractFile systemHive: regFiles) {
- if (systemHive.getName().toLowerCase().equals("system")) {
+ if (systemHive.getName().toLowerCase().equals("system") && systemHive.getSize() > 0) {
 String systemFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg", ingestJobId) + File.separator + systemHive.getName();
 File systemFileNameLocalFile = new File(systemFileNameLocal);
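Review bot: The realm-scope ternary `domainName != null && !domainName.isEmpty() ? ...DOMAIN : ...UNKNOWN` is written out twice, here and in the `newWindowsOsAccount` call of the hunk at line 2025, which is how the same operator mistake ended up in both places. A small private helper would keep the two call sites in step: `private static OsAccountRealm.RealmScope scopeForDomain(String domainName) { return (domainName == null || domainName.isEmpty()) ? OsAccountRealm.RealmScope.UNKNOWN : OsAccountRealm.RealmScope.DOMAIN; }`. Both enclosing methods start outside their hunks.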
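Review bot: The local copy path `systemFileNameLocal` is built from `systemHive.getName()` alone, so if `findRegistryFiles()` returns more than one non-empty file named SYSTEM they would all map to the same temp file and the later copy would replace the earlier one. ExtractPrefetch elsewhere in this diff avoids that by putting the file id into the local name; the equivalent here would end the path with `File.separator + systemHive.getId() + "_" + systemHive.getName()`. The rest of the loop body is outside the hunk, so it may already stop after the first match.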
@@ -2025,7 +2025,7 @@ class ExtractRegistry extends Extract {
 Optional optional = accountMgr.getWindowsOsAccount(sid, null, null, host);
 OsAccount osAccount;
 if (!optional.isPresent()) {
- osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null || !domainName.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
+ osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null && !domainName.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
 accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
 } else {
 osAccount = optional.get();
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java
index 2048313c43..b02489112c 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java
@@ -27,6 +27,7 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.util.Calendar;
 import java.util.List;
+import java.util.NoSuchElementException;
 import java.util.logging.Level;
 import org.sleuthkit.autopsy.coreutils.Logger;
@@ -116,6 +117,9 @@ public class ParseRegistryHive {
 }
 } catch (RegistryParseException ex) {
 return null;
+ } catch (NoSuchElementException ex) {
+ logger.log(Level.WARNING, String.format("Cannot find the registry key %s in the registry hive file %s", registryKey, registryHiveFile.toString()));
+ return null;
 }
 return currentKey;
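Review bot: The new `NoSuchElementException` branch logs only the formatted message and drops `ex`, so the log does not show which lookup inside the try block failed. Pass the exception as the third argument and mark the string the way the ExtractPrefetch log call does: `logger.log(Level.WARNING, String.format("Cannot find the registry key %s in the registry hive file %s", registryKey, registryHiveFile), ex); //NON-NLS`. Because `NoSuchElementException` is unchecked and the try block starts outside the hunk, it is worth confirming that the catch covers only the key lookup and cannot hide an unrelated failure.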