mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-19 11:07:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Handle different schema versions of moz_formhistory table.

Browse Source
This commit is contained in:
Raman 2019-01-28 09:16:20 -05:00
parent fb27a2964a
commit dd56261cd8
1 changed files with 27 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
View File

@ -76,7 +76,8 @@ class Firefox extends Extract {
private static final String BOOKMARK_QUERY = "SELECT fk, moz_bookmarks.title, url, (moz_bookmarks.dateAdded/1000000) AS dateAdded FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; //NON-NLS private static final String BOOKMARK_QUERY = "SELECT fk, moz_bookmarks.title, url, (moz_bookmarks.dateAdded/1000000) AS dateAdded FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; //NON-NLS
private static final String DOWNLOAD_QUERY = "SELECT target, source,(startTime/1000000) AS startTime, maxBytes FROM moz_downloads"; //NON-NLS private static final String DOWNLOAD_QUERY = "SELECT target, source,(startTime/1000000) AS startTime, maxBytes FROM moz_downloads"; //NON-NLS
private static final String DOWNLOAD_QUERY_V24 = "SELECT url, content AS target, (lastModified/1000000) AS lastModified FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND moz_annos.anno_attribute_id = 3"; //NON-NLS private static final String DOWNLOAD_QUERY_V24 = "SELECT url, content AS target, (lastModified/1000000) AS lastModified FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND moz_annos.anno_attribute_id = 3"; //NON-NLS
private static final String FORMHISTORY_QUERY = "SELECT fieldname, value, timesUsed, firstUsed, lastUsed FROM moz_formhistory"; private static final String FORMHISTORY_QUERY = "SELECT fieldname, value FROM moz_formhistory";
private static final String FORMHISTORY_QUERY_V64 = "SELECT fieldname, value, timesUsed, firstUsed, lastUsed FROM moz_formhistory";
private final IngestServices services = IngestServices.getInstance(); private final IngestServices services = IngestServices.getInstance();
private Content dataSource; private Content dataSource;
private IngestJobContext context; private IngestJobContext context;
@ -705,9 +706,9 @@ class Firefox extends Extract {
} }
String fileName = formHistoryFile.getName(); String fileName = formHistoryFile.getName();
String temps = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db"; //NON-NLS String tempFilePath = RAImageIngestModule.getRATempPath(currentCase, "firefox") + File.separator + fileName + j + ".db"; //NON-NLS
try { try {
ContentUtils.writeToFile(formHistoryFile, new File(temps), context::dataSourceIngestIsCancelled); ContentUtils.writeToFile(formHistoryFile, new File(tempFilePath), context::dataSourceIngestIsCancelled);
} catch (ReadContentInputStreamException ex) { } catch (ReadContentInputStreamException ex) {
logger.log(Level.WARNING, String.format("Error reading Firefox web history artifacts file '%s' (id=%d).", logger.log(Level.WARNING, String.format("Error reading Firefox web history artifacts file '%s' (id=%d).",
fileName, formHistoryFile.getId()), ex); //NON-NLS fileName, formHistoryFile.getId()), ex); //NON-NLS
@ -717,19 +718,24 @@ class Firefox extends Extract {
continue; continue;
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Firefox web history artifacts file '%s' (id=%d).", logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Firefox web history artifacts file '%s' (id=%d).",
temps, fileName, formHistoryFile.getId()), ex); //NON-NLS tempFilePath, fileName, formHistoryFile.getId()), ex); //NON-NLS
this.addErrorMessage( this.addErrorMessage(
NbBundle.getMessage(this.getClass(), "Firefox.getFormsAutofill.errMsg.errAnalyzeFile", this.getName(), NbBundle.getMessage(this.getClass(), "Firefox.getFormsAutofill.errMsg.errAnalyzeFile", this.getName(),
fileName)); fileName));
continue; continue;
} }
File dbFile = new File(temps); File dbFile = new File(tempFilePath);
if (context.dataSourceIngestIsCancelled()) { if (context.dataSourceIngestIsCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
List<HashMap<String, Object>> tempList = this.dbConnect(temps, FORMHISTORY_QUERY);
logger.log(Level.INFO, "{0} - Now getting history from {1} with {2} artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS // The table schema is a little different in newer version of Firefox
boolean isFirefoxV64 = Util.checkColumn("timesUsed", "moz_formhistory", tempFilePath);
String formHistoryQuery = (isFirefoxV64) ? FORMHISTORY_QUERY_V64 : FORMHISTORY_QUERY;
List<HashMap<String, Object>> tempList = this.dbConnect(tempFilePath, formHistoryQuery);
logger.log(Level.INFO, "{0} - Now getting history from {1} with {2} artifacts identified.", new Object[]{moduleName, tempFilePath, tempList.size()}); //NON-NLS
for (HashMap<String, Object> result : tempList) { for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
@ -747,18 +753,21 @@ class Firefox extends Extract {
NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"),
((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS ((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, // Newer versions of firefox have additional columns
NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"), if (isFirefoxV64) {
(Long.valueOf(result.get("firstUsed").toString()) / 1000000))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"),
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, (Long.valueOf(result.get("firstUsed").toString()) / 1000000))); //NON-NLS
NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"),
(Long.valueOf(result.get("lastUsed").toString()) / 1000000))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"),
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COUNT, (Long.valueOf(result.get("lastUsed").toString()) / 1000000))); //NON-NLS
NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"),
(Integer.valueOf(result.get("timesUsed").toString())))); //NON-NLS bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COUNT,
NbBundle.getMessage(this.getClass(), "Firefox.parentModuleName"),
(Integer.valueOf(result.get("timesUsed").toString())))); //NON-NLS
}
// Add artifact // Add artifact
BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, formHistoryFile, bbattributes); BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL, formHistoryFile, bbattributes);
if (bbart != null) { if (bbart != null) {