mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-15 09:17:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/sleuthkit/autopsy

Browse Source
This commit is contained in:
adam-m 2012-03-16 09:29:56 -04:00
commit e15d050d4e
16 changed files with 320 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
RecentActivity/nbproject/genfiles.properties
View File

@ -1,8 +1,8 @@
build.xml.data.CRC32=9be4ed01 build.xml.data.CRC32=6b34b285
build.xml.script.CRC32=d323407a build.xml.script.CRC32=d323407a
build.xml.stylesheet.CRC32=a56c6a5b@1.46.1 build.xml.stylesheet.CRC32=a56c6a5b@1.46.1
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
nbproject/build-impl.xml.data.CRC32=9be4ed01 nbproject/build-impl.xml.data.CRC32=6b34b285
nbproject/build-impl.xml.script.CRC32=aef16a21 nbproject/build-impl.xml.script.CRC32=aef16a21
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1

1
RecentActivity/nbproject/project.properties
View File

@ -1,3 +1,4 @@
file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar
file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
javac.source=1.6 javac.source=1.6
javac.compilerargs=-Xlint -Xlint:-serial javac.compilerargs=-Xlint -Xlint:-serial

4
RecentActivity/nbproject/project.xml
View File

@ -190,6 +190,10 @@
<runtime-relative-path>ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</runtime-relative-path> <runtime-relative-path>ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</runtime-relative-path>
<binary-origin>release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</binary-origin> <binary-origin>release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</binary-origin>
</class-path-extension> </class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/jdom-1.1.2.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jdom-1.1.2.jar</binary-origin>
</class-path-extension>
<class-path-extension> <class-path-extension>
<runtime-relative-path>ext/jcalendarbutton-1.4.5.jar</runtime-relative-path> <runtime-relative-path>ext/jcalendarbutton-1.4.5.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jcalendarbutton-1.4.5.jar</binary-origin> <binary-origin>release/modules/ext/jcalendarbutton-1.4.5.jar</binary-origin>

BIN
RecentActivity/release/modules/ext/jdom-1.1.2.jar Normal file
View File

Binary file not shown.

4
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
View File

@ -259,10 +259,10 @@ public class ExtractIE { // implements BrowserActivity {
} }
if(!ddtime.isEmpty()){ if(!ddtime.isEmpty()){
ddtime = ddtime.replace("T"," "); ddtime = ddtime.replace("T"," ");
ddtime = ddtime.substring(ddtime.length()-4); ddtime = ddtime.substring(ddtime.length()-5);
} }
if(!actime.isEmpty()){ if(!actime.isEmpty()){
actime = actime.replace("z"," "); actime = actime.replace("T"," ");
actime = actime.substring(0,actime.length()-5); actime = actime.substring(0,actime.length()-5);
} }

94
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -6,13 +6,19 @@ package org.sleuthkit.autopsy.recentactivity;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.io.StringReader;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Scanner;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
import java.util.regex.Matcher; import org.jdom.Document;
import java.util.regex.Pattern; import org.jdom.Element;
import org.jdom.input.SAXBuilder;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@ -24,6 +30,8 @@ import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* *
* @author Alex \System32\Config * @author Alex \System32\Config
@ -76,7 +84,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
if(Success) if(Success)
{ {
//Delete dat file since it was succcessfully by Pasco //Delete dat file since it was succcessfully by Pasco
//regFile.delete(); regFile.delete();
} }
j++; j++;
@ -134,7 +142,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
type = "security"; type = "security";
} }
String command = rrpath + "rip.exe -r " + regFilePath +" -f " + type + " >> " + txtPath; String command = rrpath + "rip.exe -r " + regFilePath +" -f " + type + "> " + txtPath;
JavaSystemCaller.Exec.execute(command); JavaSystemCaller.Exec.execute(command);
@ -153,49 +161,53 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
{ {
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
String[] result = regRecord.split("----------------------------------------"); String regString = new Scanner(new File(regRecord)).useDelimiter("\\Z").next();
for(String tempresult : result) String startdoc = "<document>";
{ String result = regString.replaceAll("----------------------------------------","");
try{ String enddoc = "</document>";
String stringdoc = startdoc + result + enddoc;
SAXBuilder sb = new SAXBuilder();
Document document = sb.build(new StringReader(stringdoc));
Element root = document.getRootElement();
List types = root.getChildren();
Iterator iterator = types.iterator();
//for(int i = 0; i < types.size(); i++)
//for(Element tempnode : types)
while (iterator.hasNext()) {
String time = "";
String context = "";
Element tempnode = (Element) iterator.next();
// Element tempnode = types.get(i);
context = tempnode.getName();
Element timenode = tempnode.getChild("time");
time = timenode.getTextTrim();
Element artroot = tempnode.getChild("artifacts");
List artlist = artroot.getChildren();
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
Iterator aiterator = artlist.iterator();
while (aiterator.hasNext()) {
Element artnode = (Element) aiterator.next();
String name = artnode.getAttributeValue("name");
String value = artnode.getTextTrim();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
}
if(tempresult.contains("not found") || tempresult.contains("no values"))
{
} bbart.addAttributes(bbattributes);
else }
{
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
if(tempresult.contains("Username"))
{
Pattern p = Pattern.compile("Username\\[.*?\\]");
Matcher m = p.matcher(tempresult);
while (m.find()) {
String s = m.group(1);
BlackboardAttribute bbatturl = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "Registry", s);
bbart.addAttribute(bbatturl);
}
}
if(tempresult.contains("Time["))
{
Pattern p = Pattern.compile("Time\\[.*?\\]");
Matcher m = p.matcher(tempresult);
while (m.find()) {
String s = m.group(1);
BlackboardAttribute bbattdate = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Registry", s);
bbart.addAttribute(bbattdate);
}
}
}
} }
catch (Exception ex) catch (Exception ex)
{ {
String hi = "";
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + ex);
} }
}

102
Report/src/org/sleuthkit/autopsy/report/reportHTML.java
View File

@ -4,7 +4,9 @@
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.io.BufferedWriter;
import java.io.File; import java.io.File;
import java.io.FileWriter;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.ArrayList; import java.util.ArrayList;
@ -26,8 +28,8 @@ import org.sleuthkit.datamodel.SleuthkitCase;
public class reportHTML { public class reportHTML {
//Declare our publically accessible formatted report, this will change everytime they run a report //Declare our publically accessible formatted report, this will change everytime they run a report
public StringBuilder formatted_Report = new StringBuilder(); public static StringBuilder formatted_Report = new StringBuilder();
public static String htmlPath = "";
public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
@ -35,6 +37,9 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase(); SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName(); String caseName = currentCase.getName();
String rrpath = System.getProperty("user.dir");
rrpath = rrpath.substring(0, rrpath.length()-14);
rrpath = rrpath + "autopsy\\thirdparty\\";
Integer imagecount = currentCase.getImageIDs().length; Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount(); Integer filesystemcount = currentCase.getRootObjectsCount();
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
@ -42,41 +47,42 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
Date date = new Date(); Date date = new Date();
String datetime = datetimeFormat.format(date); String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date); String datenotime = dateFormat.format(date);
// String CSS = "<replaceme>" String CSS = "<style>"
// + "body {padding: 30px; margin: 0; background: #FFFFFF; font: 13px/20px Arial, Helvetica, sans-serif; color: #535353;} " + "body {padding: 30px; margin: 0; background: #FFFFFF; font: 13px/20px Arial, Helvetica, sans-serif; color: #535353;} "
// + "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} " + "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} "
// + "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} " + "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} "
// + "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} " + "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} "
// + "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} " + "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} "
// + "table thead th {display: table-cell; text-align: left; padding: 8px 16px; background: #e5e5e5; color: #777;font-size: 11px;text-shadow: #e9f9fd 0 1px 0; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} " + "table thead th {display: table-cell; text-align: left; padding: 8px 16px; background: #e5e5e5; color: #777;font-size: 11px;text-shadow: #e9f9fd 0 1px 0; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} "
// + "table tr th:nth-child(1) {text-align: center; width: 60px;} table td {display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;} " + "table tr th:nth-child(1) {text-align: center; width: 60px;} "
// + "table tr:nth-child(even) td {background: #f3f3f3;} " + "table td {display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;} "
// + "table tr td:nth-child(1) {text-align: center; width: 60px; background: #f3f3f3;} " + "table tr:nth-child(even) td {background: #f3f3f3;} "
// + "table tr:nth-child(even) td:nth-child(1) {background: #eaeaea;}" + "table tr td:nth-child(1) {text-align: center; width: 60px; background: #f3f3f3;} "
// + "</replaceme>"; + "table tr:nth-child(even) td:nth-child(1) {background: #eaeaea;}"
+ "</style>";
//Add additional header information //Add additional header information
formatted_Report.append("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case:").append(caseName).append("</title>"); formatted_Report.append("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case:").append(caseName).append("</title>");
formatted_Report.append(CSS);
//formatted_Report.append("<link rel=\"stylesheet\" href=\"" + rrpath + "report.css\" type=\"text/css\" />"); //formatted_Report.append("<link rel=\"stylesheet\" href=\"" + rrpath + "report.css\" type=\"text/css\" />");
formatted_Report.append("</head><body style=\"padding: 30px; margin: 0; background: #FFFFFF; font: 13px/20px Arial, Helvetica, sans-serif; color: #535353;\"><div id=\"main\"><div id=\"content\">"); formatted_Report.append("</head><body><div id=\"main\"><div id=\"content\">");
// Add summary information now // Add summary information now
// formatted_Report.append("<style>" + CSS + "</style>");
formatted_Report.append("<h1 style=\"font-size: 26px; color: #005577; margin: 0 0 20px 0;\">Report for Case: ").append(caseName).append("</h1>"); formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>");
formatted_Report.append("<h2 style=\"font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;\">Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<br /><ul>"); formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<br /><ul>");
formatted_Report.append("<li># of Images: ").append(imagecount).append("</li>"); formatted_Report.append("<li># of Images: ").append(imagecount).append("</li>");
formatted_Report.append("<li>FileSystems: ").append(filesystemcount).append("</li>"); formatted_Report.append("<li>FileSystems: ").append(filesystemcount).append("</li>");
String tableHeader = "<table><thead style=\"display: table-cell; text-align: left; padding: 8px 16px; background: #e5e5e5; color: #777;font-size: 11px;text-shadow: #e9f9fd 0 1px 0; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede; \"><tr><th style=\"text-align: center; width: 60px; \">Artifact ID</th><th style=\"text-align: center; width: 60px; \">Name</th><th style=\"text-align: center; width: 60px; \">Size</th><th style=\"text-align: center; width: 60px; \">Attribute</th><th style=\"text-align: center; width: 60px; \">Value</th></tr></thead><tbody>"; String tableHeader = "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>";
StringBuilder nodeGen = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">General Information</h3>" + tableHeader); StringBuilder nodeGen = new StringBuilder("<h3>General Information</h3>" + tableHeader);
StringBuilder nodeWebBookmark = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Web Bookmarks</h3>" + tableHeader); StringBuilder nodeWebBookmark = new StringBuilder("<h3>Web Bookmarks</h3>" + tableHeader);
StringBuilder nodeWebCookie = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Web Cookies</h3>" + tableHeader); StringBuilder nodeWebCookie = new StringBuilder("<h3>Web Cookies</h3>" + tableHeader);
StringBuilder nodeWebHistory = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Web History</h3>" + tableHeader); StringBuilder nodeWebHistory = new StringBuilder("<h3>Web History</h3>" + tableHeader);
StringBuilder nodeWebDownload = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Web Downloads</h3>" + tableHeader); StringBuilder nodeWebDownload = new StringBuilder("<h3>Web Downloads</h3>" + tableHeader);
StringBuilder nodeRecentObjects = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Recent Documents</h3>" + tableHeader); StringBuilder nodeRecentObjects = new StringBuilder("<h3>Recent Documents</h3>" + tableHeader);
StringBuilder nodeTrackPoint = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Track Points</h3>" + tableHeader); StringBuilder nodeTrackPoint = new StringBuilder("<h3>Track Points</h3>" + tableHeader);
StringBuilder nodeInstalled = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Installed Programs</h3>" + tableHeader); StringBuilder nodeInstalled = new StringBuilder("<h3>Installed Programs</h3>" + tableHeader);
StringBuilder nodeKeyword = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Keyword Search Hits</h3>" + tableHeader); StringBuilder nodeKeyword = new StringBuilder("<h3>Keyword Search Hits</h3>" + tableHeader);
StringBuilder nodeHash = new StringBuilder("<h3 style=\"font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;\">Hashset Hits</h3>" + tableHeader); StringBuilder nodeHash = new StringBuilder("<h3>Hashset Hits</h3>" + tableHeader);
int pp = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) { for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){ if(reportFilter.cancel == true){
break; break;
@ -86,7 +92,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
Long objId = entry.getKey().getObjectID(); Long objId = entry.getKey().getObjectID();
//Content file = skCase.getContentById(objId); //Content file = skCase.getContentById(objId);
FsContent file = skCase.getFsContentById(objId); FsContent file = skCase.getFsContentById(objId);
String tdcolor = "";
Long filesize = file.getSize(); Long filesize = file.getSize();
@ -94,31 +100,19 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
// Get all the attributes for this guy // Get all the attributes for this guy
for (BlackboardAttribute tempatt : entry.getValue()) for (BlackboardAttribute tempatt : entry.getValue())
{ {
if(reportFilter.cancel == true){ if(reportFilter.cancel == true){
break; break;
} }
if(pp > 0) artifact.append("<tr><td>").append(objId.toString());
{ artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
pp = 0;
tdcolor = "background: #eaeaea;";
}
else
{
tdcolor = "";
pp = 1;
}
artifact.append("<tr><td style=\"display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif; " + tdcolor + " \">").append(objId.toString());
artifact.append("</td><td style=\"display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;" + tdcolor + " \"><strong>").append(file.getName().toString()).append("</strong></td>");
//artifact.append("Path: ").append(file.getParentPath()); //artifact.append("Path: ").append(file.getParentPath());
artifact.append("<td style=\"display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;" + tdcolor + " \">").append(filesize.toString()).append("</td>"); artifact.append("<td>").append(filesize.toString()).append("</td>");
StringBuilder attribute = new StringBuilder("<td style=\"display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif; " + tdcolor + " \">").append(tempatt.getAttributeTypeDisplayName()).append("</td>"); StringBuilder attribute = new StringBuilder("<td>").append(tempatt.getAttributeTypeDisplayName()).append("</td>");
attribute.append("<td style=\"display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;" + tdcolor + " \">").append(tempatt.getValueString()).append("</td></tr>"); attribute.append("<td>").append(tempatt.getValueString()).append("</td></tr>");
//attribute.append("<li style=\"list-style-type: none;\"> Context: ").append(tempatt.getContext()).append("</li>"); //attribute.append("<li style=\"list-style-type: none;\"> Context: ").append(tempatt.getContext()).append("</li>");
artifact.append(attribute); artifact.append(attribute);
cc++; cc++;
} }
//artifact.append("</tr>"); //artifact.append("</tr>");
if(entry.getKey().getArtifactTypeID() == 1){ if(entry.getKey().getArtifactTypeID() == 1){
@ -180,7 +174,15 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
//end of master loop //end of master loop
formatted_Report.append("</div></div></body></html>"); formatted_Report.append("</div></div></body></html>");
}
htmlPath = currentCase.getCaseDirectory()+"/Temp/" + caseName + "-" + datenotime + ".html";
BufferedWriter out = new BufferedWriter(new FileWriter(htmlPath));
out.write(formatted_Report.toString());
out.flush();
out.close();
}
catch(Exception e) catch(Exception e)
{ {

2
Report/src/org/sleuthkit/autopsy/report/reportPanel.java
View File

@ -124,7 +124,7 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
path = reportUtils.changeExtension(path, ".html"); path = reportUtils.changeExtension(path, ".html");
try { try {
FileOutputStream out = new FileOutputStream(path); FileOutputStream out = new FileOutputStream(path);
out.write(jEditorPane1.getText().getBytes()); out.write(reportHTML.formatted_Report.toString().getBytes());
out.flush(); out.flush();
out.close(); out.close();

21
thirdparty/rr/plugins/arunmru.pl vendored
View File

@ -43,9 +43,12 @@ sub pluginmain {
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RunMru"); #::rptMsg("RunMru");
::rptMsg($key_path); #::rptMsg($key_path);
#::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values(); my @vals = $key->get_list_of_values();
::rptMsg("<runMRU>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
::rptMsg("<artifacts>");
my %runvals; my %runvals;
my $mru; my $mru;
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
@ -53,20 +56,22 @@ sub pluginmain {
$runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i); $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
$mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i); $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
} }
::rptMsg("MRUList = ".$mru); ::rptMsg("<MRUList>".$mru."</MRUList>");
foreach my $r (sort keys %runvals) { foreach my $r (sort keys %runvals) {
::rptMsg($r." ".$runvals{$r}); ::rptMsg("<MRU>".$r." ".$runvals{$r}."</MRU>");
} }
} }
else { else {
::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values."); #::logMsg($key_path." has no values.");
} }
::rptMsg("</artifacts>");
} }
else { else {
::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
::rptMsg("</runMRU>");
} }
1; 1;

5
thirdparty/rr/plugins/autopsy vendored
View File

@ -2,6 +2,7 @@
#------------------------------------- #-------------------------------------
# NTUSER.DAT # NTUSER.DAT
autopsy autopsylogin
autopsyrecentdocs autopsyrecentdocs
arunmru arunmru
autopsyshellfolders

18
thirdparty/rr/plugins/autopsy.pl → thirdparty/rr/plugins/autopsylogin.pl vendored
View File

@ -10,7 +10,7 @@
# #
# copyright 2008 H. Carvey # copyright 2008 H. Carvey
#----------------------------------------------------------- #-----------------------------------------------------------
package autopsy; package autopsylogin;
use strict; use strict;
my %config = (hive => "NTUSER\.DAT", my %config = (hive => "NTUSER\.DAT",
@ -34,7 +34,7 @@ my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("||logonusername||"); #::logMsg("||logonusername||");
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
@ -47,21 +47,23 @@ sub pluginmain {
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
#::rptMsg("Logon User Name"); #::rptMsg("Logon User Name");
#::rptMsg($key_path); #::rptMsg($key_path);
::rptMsg("Time[".gmtime($key->get_timestamp())."]"); ::rptMsg("<logon>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time><artifacts>");
foreach my $v (@vals) { foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) { if ($v->get_name() eq $logon_name) {
::rptMsg($logon_name."[".$v->get_data() ."]"); ::rptMsg("<user name=\"".$logon_name."\"> ".$v->get_data() ."</user>");
} }
} }
::rptMsg("</artifacts></logon>");
} }
else { else {
::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values."); #::logMsg($key_path." has no values.");
} }
} }
else { else {
::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
} }

22
thirdparty/rr/plugins/autopsyrecentdocs.pl vendored
View File

@ -40,17 +40,16 @@ my $VERSION = getVersion();
sub pluginmain { sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
::logMsg("||recentdocs||"); #::logMsg("||recentdocs||");
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
my $key; my $key;
if ($key = $root_key->get_subkey($key_path)) { if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("RecentDocs"); #::rptMsg("RecentDocs");
#::rptMsg("**All values printed in MRUList\\MRUListEx order."); #::rptMsg("**All values printed in MRUList\\MRUListEx order.");
::rptMsg($key_path); #::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); ::rptMsg("<recentdocs><time>".gmtime($key->get_timestamp())."</time><artifacts>");
# Get RecentDocs values # Get RecentDocs values
my %rdvals = getRDValues($key); my %rdvals = getRDValues($key);
if (%rdvals) { if (%rdvals) {
@ -67,14 +66,15 @@ sub pluginmain {
my @list = split(/,/,$rdvals{$tag}); my @list = split(/,/,$rdvals{$tag});
foreach my $i (@list) { foreach my $i (@list) {
::rptMsg(" ".$i." = ".$rdvals{$i}); ::rptMsg("<doc>".$i." = ".$rdvals{$i} . "</doc>");
} }
::rptMsg("");
} }
else { else {
::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
::logMsg("Error: ".$key_path." has no values."); #::logMsg("Error: ".$key_path." has no values.");
} }
::rptMsg("</artifacts></recentdocs>");
# Get RecentDocs subkeys' values # Get RecentDocs subkeys' values
my @subkeys = $key->get_list_of_subkeys(); my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) { if (scalar(@subkeys) > 0) {
@ -104,16 +104,16 @@ sub pluginmain {
::rptMsg(""); ::rptMsg("");
} }
else { else {
::rptMsg($key_path." has no values."); #::rptMsg($key_path." has no values.");
} }
} }
} }
else { else {
::rptMsg($key_path." has no subkeys."); #::rptMsg($key_path." has no subkeys.");
} }
} }
else { else {
::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
} }
} }

72
thirdparty/rr/plugins/autopsyshellfolders.pl vendored Normal file
View File

@ -0,0 +1,72 @@
#-----------------------------------------------------------
# shellfolders.pl
#
# Retrieve the Shell Folders values from user's hive; while
# this may not be important in every instance, it may give the
# examiner indications as to where to look for certain items;
# for example, if the user's "My Documents" folder has been redirected
# as part of configuration changes (corporate policies, etc.). Also,
# this may be important as part of data leakage exams, as XP and Vista
# allow users to drop and drag files to the CD Burner.
#
# References:
# http://support.microsoft.com/kb/279157
# http://support.microsoft.com/kb/326982
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package autopsyshellfolders;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090115);
sub getConfig{return %config}
sub getShortDescr {
return "Retrieve user Shell Folders values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
#::logMsg("Launching shellfolders v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<shellfolders>");
::rptMsg("<time>".gmtime($key->get_timestamp())."</time>");
my @vals = $key->get_list_of_values();
::rptMsg("<artifacts>");
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>";
::rptMsg($str);
}
::rptMsg("");
}
else {
#::rptMsg($key_path." has no values.");
}
::rptMsg("</artifacts></shellfolders>");
}
else {
#::rptMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
1;

5
thirdparty/rr/plugins/autopsysoftware vendored Normal file
View File

@ -0,0 +1,5 @@
List of plugins for the Registry Ripper
#-------------------------------------
# SOFTWARE
autopsyuninstall

89
thirdparty/rr/plugins/autopsyuninstall.pl vendored Normal file
View File

@ -0,0 +1,89 @@
#-----------------------------------------------------------
# uninstall.pl
# Gets contents of Uninstall key from Software hive; sorts
# display names based on key LastWrite time
#
# References:
# http://support.microsoft.com/kb/247501
# http://support.microsoft.com/kb/314481
# http://msdn.microsoft.com/en-us/library/ms954376.aspx
#
# Change History:
# 20100116 - Minor updates
# 20090413 - Extract DisplayVersion info
# 20090128 - Added references
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package autopsyuninstall;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of Uninstall key from Software hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
#::logMsg("Launching uninstall v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
#::rptMsg("Uninstall");
#::rptMsg($key_path);
#::rptMsg("");
my %uninst;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp();
my $display;
eval {
$display = $s->get_value("DisplayName")->get_data();
};
$display = $s->get_name() if ($display eq "");
my $ver;
eval {
$ver = $s->get_value("DisplayVersion")->get_data();
};
$display .= " v\.".$ver unless ($@);
push(@{$uninst{$lastwrite}},$display);
}
foreach my $t (reverse sort {$a <=> $b} keys %uninst) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$uninst{$t}}) {
::rptMsg("\t$item");
}
::rptMsg("");
}
}
else {
#::rptMsg($key_path." has no subkeys.");
}
}
else {
#::rptMsg($key_path." not found.");
}
}
1;

4
thirdparty/rr/rip.pl vendored
View File

@ -99,7 +99,7 @@ if ($config{file}) {
#logMsg("Parsed Plugins file."); #logMsg("Parsed Plugins file.");
} }
else { else {
logMsg("Plugins file not parsed."); #logMsg("Plugins file not parsed.");
exit; exit;
} }
foreach my $i (sort {$a <=> $b} keys %plugins) { foreach my $i (sort {$a <=> $b} keys %plugins) {
@ -111,7 +111,7 @@ if ($config{file}) {
logMsg("Error in ".$plugins{$i}.": ".$@); logMsg("Error in ".$plugins{$i}.": ".$@);
} }
#logMsg($plugins{$i}." complete."); #logMsg($plugins{$i}." complete.");
#rptMsg("-" x 40);
} }
} }