From 1640fbf7935d66df8eccba548f710c41228fa9b1 Mon Sep 17 00:00:00 2001
From: Kelly Kelly
Date: Wed, 7 Apr 2021 15:07:20 -0400
Subject: [PATCH 1/5] Changed RA to use TSK_DELETED_PROG artifact for unistalled programs

---
 .../org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index ad5c1e9ed4..3330e6181a 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -803,7 +803,7 @@ class ExtractRegistry extends Extract {
 try {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
- BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
+ BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DELETED_PROG);
 bbart.addAttributes(bbattributes);
 newArtifacts.add(bbart);

From 0bfebda36cb8bede4b148e03b745d80e44ca2f17 Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 13 Apr 2021 13:16:47 -0400
Subject: [PATCH 2/5] Update ExtractPrefetch.java

Sanitize name to avoid having write issues to file system when an ads file is encountered.
---
 .../org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
index 3144c831b2..da8e7d2286 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
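Review bot: The switch to `ARTIFACT_TYPE.TSK_DELETED_PROG` on the `+` line is the only hint that entries from this key describe removed programs; the surrounding attributes (`TSK_PROG_NAME`, `TSK_DATETIME` from `itemMtime`) read exactly like an installed-program record, so a reader of the new code has no way to tell why the type differs from the installed-program path elsewhere in this class. A short comment above the `newArtifact` call would carry that intent, e.g. `// This key lists programs that were removed, so record a TSK_DELETED_PROG; itemMtime is presumably the key's last-write time, i.e. the removal time (confirm)`. The `bbattributes` list, `value` and `itemMtime` are built before the hunk, and the enclosing method starts and ends outside it.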
@@ -42,6 +42,7 @@ import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
 import org.sleuthkit.autopsy.casemodule.services.FileManager;
 import org.sleuthkit.autopsy.coreutils.ExecUtil;
+import static org.sleuthkit.autopsy.coreutils.FileUtil.escapeFileName;
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
 import org.sleuthkit.autopsy.coreutils.SQLiteDBConnect;
@@ -154,7 +155,7 @@ final class ExtractPrefetch extends Extract {
 String origFileName = pFile.getName();
 String ext = FilenameUtils.getExtension(origFileName);
 String baseName = FilenameUtils.getBaseName(origFileName);
- String fileName = String.format("%s_%d.%s", baseName, pFile.getId(), ext);
+ String fileName = escapeFileName(String.format("%s_%d.%s", baseName, pFile.getId(), ext));
 String baseRaTempPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId);
 String prefetchFile = Paths.get(baseRaTempPath, fileName).toString();
 try {

From 64fc8bba12009520b186096a86ba45c2c966bc51 Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 13 Apr 2021 13:46:09 -0400
Subject: [PATCH 3/5] Update ExtractPrefetch.java

Check if thirdparty database file exists before trying to process it.
---
 .../sleuthkit/autopsy/recentactivity/ExtractPrefetch.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
index 3144c831b2..490f59e7d2 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
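Review bot: The name handed to `Paths.get(baseRaTempPath, fileName)` in the second hunk is still derived from data-source content via `pFile.getName()`, and nothing visible here shows whether `escapeFileName` neutralizes path separators and `..` components as well as the `:` of an alternate data stream that motivated the change. A containment check on the resolved path would keep the extracted copy inside the temp directory independent of what the sanitizer covers: `Path target = Paths.get(baseRaTempPath, fileName).normalize();` followed by `if (!target.startsWith(Paths.get(baseRaTempPath).normalize())) { /* log and skip this entry */ }` (this needs `java.nio.file.Path` imported if the file does not already have it). In the first hunk the new `import static` is placed between ordinary imports; keeping static imports in their own group makes the import block easier to scan. The method around the second hunk continues past the `try {` outside the hunk.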
@@ -119,7 +119,10 @@ final class ExtractPrefetch extends Extract {
 try {
 String tempDirPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId);
 parsePrefetchFiles(prefetchDumper, tempDirPath, modOutFile, modOutPath);
- createAppExecArtifacts(modOutFile, dataSource);
+ File prefetchDatabase = new File(modOutFile);
+ if (prefetchDatabase.exists()) {
+ createAppExecArtifacts(modOutFile, dataSource);
+ }
 } catch (IOException ex) {
 logger.log(Level.SEVERE, "Error parsing prefetch files", ex); //NON-NLS
 addErrorMessage(Bundle.ExtractPrefetch_errMsg_prefetchParsingFailed(Bundle.ExtractPrefetch_module_name()));

From 30edb0a53d4a470558fc2a252fe60a95c96ce957 Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 13 Apr 2021 16:42:15 -0400
Subject: [PATCH 4/5] Handle key not found exception and realm scope

Handle key not found exception
Fix check for realm scope when creating user.
---
 .../org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java | 4 ++--
 .../sleuthkit/autopsy/recentactivity/ParseRegistryHive.java | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 95f0fee429..4e2e6fb6cc 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
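Review bot: The `prefetchDatabase.exists()` guard in the `+` lines makes a missing database a silent no-op, so a run in which `parsePrefetchFiles` produced nothing leaves no trace in the log and no error message for the examiner, and `exists()` alone still passes a zero-length file on to `createAppExecArtifacts` if the external tool stopped mid-write. Tightening the test and logging the skipped case keeps the failure visible: `if (prefetchDatabase.exists() && prefetchDatabase.length() > 0) {` … `} else { logger.log(Level.WARNING, "Prefetch database " + modOutFile + " was not produced or is empty; no artifacts created"); //NON-NLS }`. That also mirrors the zero-length check this series adds for the registry hive in ExtractRegistry. The try/catch is inside the hunk, but the method around it starts and ends outside it.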
@@ -1105,7 +1105,7 @@ class ExtractRegistry extends Extract {
 //add remaining userinfos as accounts;
 for (Map userInfo : userInfoMap.values()) {
- OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null || !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
+ OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null && !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
 accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
 updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile);
 }
@@ -2025,7 +2025,7 @@ class ExtractRegistry extends Extract {
 Optional optional = accountMgr.getWindowsOsAccount(sid, null, null, host);
 OsAccount osAccount;
 if (!optional.isPresent()) {
- osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null || !domainName.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
+ osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null && !domainName.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
 accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
 } else {
 osAccount = optional.get();
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java
index 2048313c43..b02489112c 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java
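Review bot: The realm-scope expression on the `+` line of the first hunk is repeated verbatim on the `+` line of the second hunk (@@ -2025), and both copies carried the same `||` defect until this commit, which is exactly what duplicated inline logic invites. Extracting it once would make the rule readable and give it a single place to be right, e.g. `private static OsAccountRealm.RealmScope realmScopeFor(String domainName) {` / `    return (domainName != null && !domainName.isEmpty()) ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN;` / `}`, with both call sites passing `realmScopeFor(domainName)`. Even without the helper, parenthesizing the `&&` test in both lines would make the intended precedence over `?:` explicit to the next reader. The methods enclosing both hunks start and end outside them.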
@@ -27,6 +27,7 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.util.Calendar;
 import java.util.List;
+import java.util.NoSuchElementException;
 import java.util.logging.Level;
 import org.sleuthkit.autopsy.coreutils.Logger;
@@ -116,6 +117,9 @@ public class ParseRegistryHive {
 }
 }
 } catch (RegistryParseException ex) {
 return null;
+ } catch (NoSuchElementException ex) {
+ logger.log(Level.WARNING, String.format("Cannot find the registry key %s in the registry hive file %s", registryKey, registryHiveFile.toString()));
+ return null;
 }
 return currentKey;

From 216985fe4eb10a664913771c3b64511f2810392b Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 13 Apr 2021 20:59:31 -0400
Subject: [PATCH 5/5] Update ExtractRegistry.java

Add check for zero length file and ignore it if it is.
---
 .../org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 95f0fee429..a32bf32581 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -1147,7 +1147,7 @@ class ExtractRegistry extends Extract {
 List regFiles = findRegistryFiles();
 for (AbstractFile systemHive: regFiles) {
- if (systemHive.getName().toLowerCase().equals("system")) {
+ if (systemHive.getName().toLowerCase().equals("system") && systemHive.getSize() > 0) {
 String systemFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg", ingestJobId) + File.separator + systemHive.getName();
 File systemFileNameLocalFile = new File(systemFileNameLocal);
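Review bot: The new `catch (NoSuchElementException ex)` in the @@ -116 hunk labels every such exception as "Cannot find the registry key", but the catch wraps the whole lookup shown above it, so if the underlying library raises `NoSuchElementException` for anything other than a missing key the log will misreport the cause; a one-line comment stating which call is known to throw it for a missing key, or a narrower catch around that call, would pin the assumption. The message is also built eagerly with `String.format` where the logger's own placeholders avoid the work when WARNING is disabled: `logger.log(Level.WARNING, "Cannot find the registry key {0} in the registry hive file {1}", new Object[]{registryKey, registryHiveFile}); //NON-NLS`. Finally, the adjacent `RegistryParseException` branch still returns `null` without any log line, so a corrupt hive remains less visible than a missing key; a matching WARNING there would make both failure modes diagnosable from the log. The enclosing method starts outside the hunk.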