mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'develop' of github.com:sleuthkit/autopsy into 7434-netbeansBundles

Browse Source
This commit is contained in:
Greg DiCristofaro 2021-04-14 21:05:25 -04:00
commit dcb42f385c
3 changed files with 14 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
View File

@ -42,6 +42,7 @@ import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.coreutils.ExecUtil; import org.sleuthkit.autopsy.coreutils.ExecUtil;
import static org.sleuthkit.autopsy.coreutils.FileUtil.escapeFileName;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.PlatformUtil; import org.sleuthkit.autopsy.coreutils.PlatformUtil;
import org.sleuthkit.autopsy.coreutils.SQLiteDBConnect; import org.sleuthkit.autopsy.coreutils.SQLiteDBConnect;
@ -119,7 +120,10 @@ final class ExtractPrefetch extends Extract {
try { try {
String tempDirPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId); String tempDirPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId);
parsePrefetchFiles(prefetchDumper, tempDirPath, modOutFile, modOutPath); parsePrefetchFiles(prefetchDumper, tempDirPath, modOutFile, modOutPath);
createAppExecArtifacts(modOutFile, dataSource); File prefetchDatabase = new File(modOutFile);
if (prefetchDatabase.exists()) {
createAppExecArtifacts(modOutFile, dataSource);
}
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error parsing prefetch files", ex); //NON-NLS logger.log(Level.SEVERE, "Error parsing prefetch files", ex); //NON-NLS
addErrorMessage(Bundle.ExtractPrefetch_errMsg_prefetchParsingFailed(Bundle.ExtractPrefetch_module_name())); addErrorMessage(Bundle.ExtractPrefetch_errMsg_prefetchParsingFailed(Bundle.ExtractPrefetch_module_name()));
@ -154,7 +158,7 @@ final class ExtractPrefetch extends Extract {
String origFileName = pFile.getName(); String origFileName = pFile.getName();
String ext = FilenameUtils.getExtension(origFileName); String ext = FilenameUtils.getExtension(origFileName);
String baseName = FilenameUtils.getBaseName(origFileName); String baseName = FilenameUtils.getBaseName(origFileName);
String fileName = String.format("%s_%d.%s", baseName, pFile.getId(), ext); String fileName = escapeFileName(String.format("%s_%d.%s", baseName, pFile.getId(), ext));
String baseRaTempPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId); String baseRaTempPath = RAImageIngestModule.getRATempPath(Case.getCurrentCase(), dataSource.getName() + "-" + PREFETCH_DIR_NAME, ingestJobId);
String prefetchFile = Paths.get(baseRaTempPath, fileName).toString(); String prefetchFile = Paths.get(baseRaTempPath, fileName).toString();
try { try {

8
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -807,7 +807,7 @@ class ExtractRegistry extends Extract {
try { try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DELETED_PROG);
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
newArtifacts.add(bbart); newArtifacts.add(bbart);
@ -1105,7 +1105,7 @@ class ExtractRegistry extends Extract {
//add remaining userinfos as accounts; //add remaining userinfos as accounts;
for (Map<String, String> userInfo : userInfoMap.values()) { for (Map<String, String> userInfo : userInfoMap.values()) {
OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null || !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null && !domainName.isEmpty() ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile); updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile);
} }
@ -1147,7 +1147,7 @@ class ExtractRegistry extends Extract {
List<AbstractFile> regFiles = findRegistryFiles(); List<AbstractFile> regFiles = findRegistryFiles();
for (AbstractFile systemHive: regFiles) { for (AbstractFile systemHive: regFiles) {
if (systemHive.getName().toLowerCase().equals("system")) { if (systemHive.getName().toLowerCase().equals("system") && systemHive.getSize() > 0) {
String systemFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg", ingestJobId) + File.separator + systemHive.getName(); String systemFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg", ingestJobId) + File.separator + systemHive.getName();
File systemFileNameLocalFile = new File(systemFileNameLocal); File systemFileNameLocalFile = new File(systemFileNameLocal);
@ -2025,7 +2025,7 @@ class ExtractRegistry extends Extract {
Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host); Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host);
OsAccount osAccount; OsAccount osAccount;
if (!optional.isPresent()) { if (!optional.isPresent()) {
osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null || !domainName.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null && !domainName.isEmpty()? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN);
accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); accountMgr.newOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
} else { } else {
osAccount = optional.get(); osAccount = optional.get();

4
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ParseRegistryHive.java
View File

@ -27,6 +27,7 @@ import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.util.Calendar; import java.util.Calendar;
import java.util.List; import java.util.List;
import java.util.NoSuchElementException;
import java.util.logging.Level; import java.util.logging.Level;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
@ -116,6 +117,9 @@ public class ParseRegistryHive {
} }
} catch (RegistryParseException ex) { } catch (RegistryParseException ex) {
return null; return null;
} catch (NoSuchElementException ex) {
logger.log(Level.WARNING, String.format("Cannot find the registry key %s in the registry hive file %s", registryKey, registryHiveFile.toString()));
return null;
} }
return currentKey; return currentKey;