mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 18:17:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'vm_extractor_module' of https://github.com/rcordovano/autopsy into vm_detection

Browse Source
This commit is contained in:
Eugene Livis 2016-01-05 16:29:09 -05:00
commit df304effa8
7 changed files with 399 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Core/src/org/sleuthkit/autopsy/ingest/DataSourceIngestJob.java
View File

@ -280,6 +280,15 @@ final class DataSourceIngestJob {
return this.id;
}
/**
* Get the ingest execution context identifier.
*
* @return The context string.
*/
String getExecutionContext() {
return this.settings.getExecutionContext();
}
/**
* Gets the data source to be ingested by this job.
*

9
Core/src/org/sleuthkit/autopsy/ingest/IngestJobContext.java
View File

@ -34,6 +34,15 @@ public final class IngestJobContext {
this.ingestJob = ingestJob;
}
/**
* Gets the ingest job execution context identifier.
*
* @return The context string.
*/
public String getExecutionContext() {
return this.ingestJob.getExecutionContext();
}
/**
* Gets the data source associated with this context.
*

53
Core/src/org/sleuthkit/autopsy/ingest/IngestJobSettings.java
View File

@ -52,7 +52,7 @@ public class IngestJobSettings {
private static final String MODULE_SETTINGS_FOLDER_PATH = Paths.get(PlatformUtil.getUserConfigDirectory(), IngestJobSettings.MODULE_SETTINGS_FOLDER).toAbsolutePath().toString();
private static final String MODULE_SETTINGS_FILE_EXT = ".settings"; //NON-NLS
private static final Logger logger = Logger.getLogger(IngestJobSettings.class.getName());
private final String context;
private final String executionContext;
private final IngestType ingestType;
private String moduleSettingsFolderPath;
private static final CharSequence pythonModuleSettingsPrefixCS = "org.python.proxies.".subSequence(0, "org.python.proxies.".length() - 1);
@ -74,10 +74,10 @@ public class IngestJobSettings {
/**
* Constructs an ingest job settings object for a given context.
*
* @param context The context identifier string.
* @param executionContext The ingest execution context identifier.
*/
public IngestJobSettings(String context) {
this.context = context;
public IngestJobSettings(String executionContext) {
this.executionContext = executionContext;
this.ingestType = IngestType.ALL_MODULES;
this.moduleTemplates = new ArrayList<>();
this.processUnallocatedSpace = Boolean.parseBoolean(IngestJobSettings.PROCESS_UNALLOC_SPACE_DEFAULT);
@ -96,9 +96,9 @@ public class IngestJobSettings {
this.ingestType = ingestType;
if (this.ingestType.equals(IngestType.ALL_MODULES)) {
this.context = context;
this.executionContext = context;
} else {
this.context = context + "." + this.ingestType.name();
this.executionContext = context + "." + this.ingestType.name();
}
this.moduleTemplates = new ArrayList<>();
@ -115,6 +115,15 @@ public class IngestJobSettings {
this.store();
}
/**
* Get the ingest execution context identifier.
*
* @return The context string.
*/
String getExecutionContext() {
return this.executionContext;
}
/**
* Gets and clears any accumulated warnings associated with these ingest job
* settings.
@ -186,8 +195,8 @@ public class IngestJobSettings {
*
* @return path to the module settings folder
*/
public Path getSavedModuleSettingsFolder(){
return Paths.get(IngestJobSettings.MODULE_SETTINGS_FOLDER_PATH, context);
public Path getSavedModuleSettingsFolder() {
return Paths.get(IngestJobSettings.MODULE_SETTINGS_FOLDER_PATH, executionContext);
}
/**
@ -286,15 +295,15 @@ public class IngestJobSettings {
* Update the enabled/disabled ingest module settings for this context
* to reflect any missing modules or newly discovered modules.
*/
ModuleSettings.setConfigSetting(this.context, IngestJobSettings.ENABLED_MODULES_KEY, makeCommaSeparatedValuesList(enabledModuleNames));
ModuleSettings.setConfigSetting(this.context, IngestJobSettings.DISABLED_MODULES_KEY, makeCommaSeparatedValuesList(disabledModuleNames));
ModuleSettings.setConfigSetting(this.executionContext, IngestJobSettings.ENABLED_MODULES_KEY, makeCommaSeparatedValuesList(enabledModuleNames));
ModuleSettings.setConfigSetting(this.executionContext, IngestJobSettings.DISABLED_MODULES_KEY, makeCommaSeparatedValuesList(disabledModuleNames));
// Get the process unallocated space flag setting. If the setting does
// not exist yet, default it to true.
if (ModuleSettings.settingExists(this.context, IngestJobSettings.PARSE_UNALLOC_SPACE_KEY) == false) {
ModuleSettings.setConfigSetting(this.context, IngestJobSettings.PARSE_UNALLOC_SPACE_KEY, IngestJobSettings.PROCESS_UNALLOC_SPACE_DEFAULT);
if (ModuleSettings.settingExists(this.executionContext, IngestJobSettings.PARSE_UNALLOC_SPACE_KEY) == false) {
ModuleSettings.setConfigSetting(this.executionContext, IngestJobSettings.PARSE_UNALLOC_SPACE_KEY, IngestJobSettings.PROCESS_UNALLOC_SPACE_DEFAULT);
}
this.processUnallocatedSpace = Boolean.parseBoolean(ModuleSettings.getConfigSetting(this.context, IngestJobSettings.PARSE_UNALLOC_SPACE_KEY));
this.processUnallocatedSpace = Boolean.parseBoolean(ModuleSettings.getConfigSetting(this.executionContext, IngestJobSettings.PARSE_UNALLOC_SPACE_KEY));
}
/**
@ -306,11 +315,11 @@ public class IngestJobSettings {
* @return The list of module names associated with the key.
*/
private HashSet<String> getModulesNamesFromSetting(String key, String defaultSetting) {
if (ModuleSettings.settingExists(this.context, key) == false) {
ModuleSettings.setConfigSetting(this.context, key, defaultSetting);
if (ModuleSettings.settingExists(this.executionContext, key) == false) {
ModuleSettings.setConfigSetting(this.executionContext, key, defaultSetting);
}
HashSet<String> moduleNames = new HashSet<>();
String modulesSetting = ModuleSettings.getConfigSetting(this.context, key);
String modulesSetting = ModuleSettings.getConfigSetting(this.executionContext, key);
if (!modulesSetting.isEmpty()) {
String[] settingNames = modulesSetting.split(", ");
for (String name : settingNames) {
@ -369,7 +378,7 @@ public class IngestJobSettings {
try (NbObjectInputStream in = new NbObjectInputStream(new FileInputStream(settingsFile.getAbsolutePath()))) {
settings = (IngestModuleIngestJobSettings) in.readObject();
} catch (IOException | ClassNotFoundException ex) {
String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.context); //NON-NLS
String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.executionContext); //NON-NLS
logger.log(Level.WARNING, warning, ex);
this.warnings.add(warning);
}
@ -377,7 +386,7 @@ public class IngestJobSettings {
try (PythonObjectInputStream in = new PythonObjectInputStream(new FileInputStream(settingsFile.getAbsolutePath()))) {
settings = (IngestModuleIngestJobSettings) in.readObject();
} catch (IOException | ClassNotFoundException exception) {
String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.context); //NON-NLS
String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsLoad.warning", factory.getModuleDisplayName(), this.executionContext); //NON-NLS
logger.log(Level.WARNING, warning, exception);
this.warnings.add(warning);
}
@ -421,14 +430,14 @@ public class IngestJobSettings {
disabledModuleNames.add(moduleName);
}
}
ModuleSettings.setConfigSetting(this.context, ENABLED_MODULES_KEY, makeCommaSeparatedValuesList(enabledModuleNames));
ModuleSettings.setConfigSetting(this.context, DISABLED_MODULES_KEY, makeCommaSeparatedValuesList(disabledModuleNames));
ModuleSettings.setConfigSetting(this.executionContext, ENABLED_MODULES_KEY, makeCommaSeparatedValuesList(enabledModuleNames));
ModuleSettings.setConfigSetting(this.executionContext, DISABLED_MODULES_KEY, makeCommaSeparatedValuesList(disabledModuleNames));
/**
* Save the process unallocated space setting.
*/
String processUnalloc = Boolean.toString(this.processUnallocatedSpace);
ModuleSettings.setConfigSetting(this.context, PARSE_UNALLOC_SPACE_KEY, processUnalloc);
ModuleSettings.setConfigSetting(this.executionContext, PARSE_UNALLOC_SPACE_KEY, processUnalloc);
}
/**
@ -451,7 +460,7 @@ public class IngestJobSettings {
out.writeObject(settings);
}
} catch (IOException ex) {
String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsSave.warning", factory.getModuleDisplayName(), this.context); //NON-NLS
String warning = NbBundle.getMessage(IngestJobSettings.class, "IngestJobSettings.moduleSettingsSave.warning", factory.getModuleDisplayName(), this.executionContext); //NON-NLS
logger.log(Level.SEVERE, warning, ex);
this.warnings.add(warning);
}

7
Core/src/org/sleuthkit/autopsy/ingest/IngestManager.java
View File

@ -515,13 +515,6 @@ public class IngestManager {
private boolean startIngestJob(IngestJob job) {
boolean success = false;
if (this.jobCreationIsEnabled) {
/**
* TODO: This is not really reliable.
*/
if (RuntimeProperties.coreComponentsAreActive() && jobsById.size() == 1) {
clearIngestMessageBox();
}
// multi-user cases must have multi-user database service running
if (Case.getCurrentCase().getCaseType() == Case.CaseType.MULTI_USER_CASE) {
try {

6
Core/src/org/sleuthkit/autopsy/modules/vmextractor/Bundle.properties Normal file
View File

@ -0,0 +1,6 @@
VMExtractorIngestModuleFactory.moduleDisplayName=Virtual Machine Extractor
VMExtractorIngestModuleFactory.moduleDescription=Extracts virtual machine files and adds them to a case as data sources.
VMExtractorIngestModuleFactory.version=1.0
VMExtractorIngestModule.cannotCreateOutputDir.message=Unable to create output directory: {0}
VMExtractorIngestModule.addedVirtualMachineImage.message=Added virtual machine image {0}

259
Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModule.java Normal file
View File

@ -0,0 +1,259 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2012-2016 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.modules.vmextractor;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.List;
import java.util.UUID;
import java.util.logging.Level;
import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.ImageDSProcessor;
import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorCallback;
import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleAdapter;
import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.autopsy.ingest.IngestJobSettings;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.autopsy.ingest.IngestMessage;
import org.sleuthkit.autopsy.ingest.IngestModule;
import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.TskCoreException;
/**
* An ingest module that extracts virtual machine files and adds them to a case
* as data sources.
*/
final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter {
private static final Logger logger = Logger.getLogger(VMExtractorIngestModule.class.getName());
private IngestJobContext context;
private Path ingestJobOutputDir;
@Override
public void startUp(IngestJobContext context) throws IngestModuleException {
this.context = context;
SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy_MM_dd_HH_mm_ss");
String timeStamp = dateFormat.format(Calendar.getInstance().getTime());
String ingestJobOutputDirName = context.getDataSource().getName() + "_" + context.getDataSource().getId() + "_" + timeStamp;
ingestJobOutputDir = Paths.get(Case.getCurrentCase().getModuleDirectory(), VMExtractorIngestModuleFactory.getModuleName(), ingestJobOutputDirName);
try {
Files.createDirectories(ingestJobOutputDir);
} catch (IOException | SecurityException | UnsupportedOperationException ex) {
throw new IngestModule.IngestModuleException(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.cannotCreateOutputDir.message", ex.getLocalizedMessage()));
}
}
/**
* @inheritDoc
*/
@Override
public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
try {
List<AbstractFile> vmFiles = findVirtualMachineFiles(dataSource);
/*
* TODO: Configure and start progress bar
*/
for (AbstractFile vmFile : vmFiles) {
if (context.dataSourceIngestIsCancelled()) {
break;
}
try {
ingestVirtualMachineImage(vmFile);
/*
* TODO: Update progress bar
*/
} catch (InterruptedException ex) {
logger.log(Level.INFO, String.format("Interrupted while adding virtual machine file %s (id=%d)", vmFile.getName(), vmFile.getId()), ex);
} catch (IOException ex) {
logger.log(Level.SEVERE, String.format("Failed to write virtual machine file %s (id=%d) to disk", vmFile.getName(), vmFile.getId()), ex);
MessageNotifyUtil.Notify.error("Failed to extract virtual machine file", String.format("Failed to write virtual machine file %s to disk", vmFile.getName()));
}
}
return ProcessResult.OK;
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error querying case database", ex);
return ProcessResult.ERROR;
} finally {
/*
* TODO: Finish progress bar
*/
}
}
/**
* Locate the virtual machine file, if any, contained in a data source.
*
* @param dataSource The data source.
*
* @return A list of virtual machine files, possibly empty.
*
* @throws TskCoreException if there is a problem querying the case
* database.
*/
private static List<AbstractFile> findVirtualMachineFiles(Content dataSource) throws TskCoreException {
/*
* TODO: Adapt this code as necessary to actual VM files
*/
return Case.getCurrentCase().getServices().getFileManager().findFiles(dataSource, "%.img");
}
/**
* Add a virtual machine file to the case as a data source and analyze it
* with the ingest modules.
*
* @param vmFile A virtual machine file.
*/
private void ingestVirtualMachineImage(AbstractFile vmFile) throws InterruptedException, IOException {
/*
* Write the virtual machine file to disk.
*/
String localFileName = vmFile.getName() + "_" + vmFile.getId();
Path localFilePath = Paths.get(ingestJobOutputDir.toString(), localFileName);
File localFile = localFilePath.toFile();
ContentUtils.writeToFile(vmFile, localFile);
/*
* Try to add the virtual machine file to the case as a data source.
*/
UUID taskId = UUID.randomUUID();
Case.getCurrentCase().notifyAddingDataSource(taskId);
ImageDSProcessor dataSourceProcessor = new ImageDSProcessor();
dataSourceProcessor.setDataSourceOptions(localFile.getAbsolutePath(), "", false);
AddDataSourceCallback dspCallback = new AddDataSourceCallback(vmFile);
synchronized (this) {
dataSourceProcessor.run(new AddDataSourceProgressMonitor(), dspCallback);
/*
* Block the ingest thread until the data source processor finishes.
*/
this.wait();
}
/*
* If the image was added, analyze it with the ingest modules for this
* ingest context.
*/
if (!dspCallback.vmDataSources.isEmpty()) {
Case.getCurrentCase().notifyDataSourceAdded(dspCallback.vmDataSources.get(0), taskId);
List<Content> dataSourceContent = new ArrayList<>(dspCallback.vmDataSources);
IngestJobSettings ingestJobSettings = new IngestJobSettings(context.getExecutionContext());
for (String warning : ingestJobSettings.getWarnings()) {
logger.log(Level.WARNING, String.format("Ingest job settings warning for virtual machine file %s (id=%d): %s", vmFile.getName(), vmFile.getId(), warning));
}
IngestServices.getInstance().postMessage(IngestMessage.createMessage(IngestMessage.MessageType.INFO,
VMExtractorIngestModuleFactory.getModuleName(),
NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.addedVirtualMachineImage.message", localFileName)));
IngestManager.getInstance().queueIngestJob(dataSourceContent, ingestJobSettings);
} else {
Case.getCurrentCase().notifyFailedAddingDataSource(taskId);
}
}
/**
* A do nothing data source processor progress monitor.
*/
private static final class AddDataSourceProgressMonitor implements DataSourceProcessorProgressMonitor {
@Override
public void setIndeterminate(final boolean indeterminate) {
}
@Override
public void setProgress(final int progress) {
}
@Override
public void setProgressText(final String text) {
}
}
/**
* A callback for the data source processor that captures the content
* objects for the data source and unblocks the ingest thread.
*/
private final class AddDataSourceCallback extends DataSourceProcessorCallback {
private final AbstractFile vmFile;
private final List<Content> vmDataSources;
/**
* Constructs a callback for the data source processor.
*
* @param vmFile The virtual machine file to be added as a data source.
*/
private AddDataSourceCallback(AbstractFile vmFile) {
this.vmFile = vmFile;
vmDataSources = new ArrayList<>();
}
/**
* @inheritDoc
*/
@Override
public void done(DataSourceProcessorCallback.DataSourceProcessorResult result, List<String> errList, List<Content> content) {
for (String error : errList) {
String logMessage = String.format("Data source processor error for virtual machine file %s (id=%d): %s", vmFile.getName(), vmFile.getId(), error);
if (DataSourceProcessorCallback.DataSourceProcessorResult.CRITICAL_ERRORS == result) {
logger.log(Level.SEVERE, logMessage);
} else {
logger.log(Level.WARNING, logMessage);
}
}
/*
* Save a reference to the content object so it can be used to
* create a new ingest job.
*/
if (!content.isEmpty()) {
vmDataSources.add(content.get(0));
}
/*
* Unblock the ingest thread.
*/
synchronized (VMExtractorIngestModule.this) {
VMExtractorIngestModule.this.notify();
}
}
/**
* @inheritDoc
*/
@Override
public void doneEDT(DataSourceProcessorResult result, List<String> errList, List<Content> newContents) {
done(result, errList, newContents);
}
}
}

84
Core/src/org/sleuthkit/autopsy/modules/vmextractor/VMExtractorIngestModuleFactory.java Normal file
View File

@ -0,0 +1,84 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2012-2016 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.modules.vmextractor;
import org.openide.util.NbBundle;
import org.openide.util.lookup.ServiceProvider;
import org.sleuthkit.autopsy.ingest.DataSourceIngestModule;
import org.sleuthkit.autopsy.ingest.IngestModuleFactory;
import org.sleuthkit.autopsy.ingest.IngestModuleFactoryAdapter;
import org.sleuthkit.autopsy.ingest.IngestModuleIngestJobSettings;
/**
* An factory for ingest modules that extracts virtual machine files and adds
* them to a case as data sources.
*/
@ServiceProvider(service = IngestModuleFactory.class)
public final class VMExtractorIngestModuleFactory extends IngestModuleFactoryAdapter {
/**
* Gets the module name.
*
* @return The module name as a string.
*/
static String getModuleName() {
return NbBundle.getMessage(VMExtractorIngestModuleFactory.class, "VMExtractorIngestModuleFactory.moduleDisplayName");
}
/**
* @inheritDoc
*/
@Override
public String getModuleDisplayName() {
return getModuleName();
}
/**
* @inheritDoc
*/
@Override
public String getModuleDescription() {
return NbBundle.getMessage(this.getClass(), "VMExtractorIngestModuleFactory.moduleDescription");
}
/**
* @inheritDoc
*/
@Override
public String getModuleVersionNumber() {
return NbBundle.getMessage(this.getClass(), "VMExtractorIngestModuleFactory.version");
}
/**
* @inheritDoc
*/
@Override
public boolean isDataSourceIngestModuleFactory() {
return true;
}
/**
* @inheritDoc
*/
@Override
public DataSourceIngestModule createDataSourceIngestModule(IngestModuleIngestJobSettings settings) {
return new VMExtractorIngestModule();
}
}