Merge pull request #6986 from gdicristofaro/7592-analysisResultsScore
7592 analysis results score
e5b7c77c94
@ -37,7 +37,6 @@ import org.apache.commons.lang3.StringUtils;
|
||||
import org.openide.util.NbBundle;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoAccount;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil;
|
||||
@ -63,12 +62,9 @@ import org.sleuthkit.datamodel.Image;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.Persona;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.PersonaAccount;
|
||||
import org.sleuthkit.datamodel.Account;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT;
|
||||
import org.sleuthkit.datamodel.CommunicationsUtils;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.Score.MethodCategory;
|
||||
import org.sleuthkit.datamodel.Score.Significance;
|
||||
|
||||
/**
|
||||
* Listen for ingest events and update entries in the Central Repository
|
||||
@ -76,7 +72,7 @@ import org.sleuthkit.datamodel.Score;
|
||||
*/
|
||||
@NbBundle.Messages({"IngestEventsListener.ingestmodule.name=Central Repository"})
|
||||
public class IngestEventsListener {
|
||||
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Significance.LIKELY_NOTABLE, MethodCategory.AUTO);
|
||||
private static final Logger LOGGER = Logger.getLogger(CorrelationAttributeInstance.class.getName());
|
||||
private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.DATA_SOURCE_ANALYSIS_COMPLETED);
|
||||
private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(DATA_ADDED);
|
||||
@ -216,17 +212,17 @@ public class IngestEventsListener {
|
||||
@NbBundle.Messages({"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
|
||||
"IngestEventsListener.prevCaseComment.text=Previous Case: "})
|
||||
static private void makeAndPostPreviousNotableArtifact(BlackboardArtifact originalArtifact, List<String> caseDisplayNames) {
|
||||
|
||||
Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(new BlackboardAttribute(
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevTaggedSet_text()),
|
||||
Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(
|
||||
new BlackboardAttribute(
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevTaggedSet_text()),
|
||||
new BlackboardAttribute(
|
||||
TSK_COMMENT, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(","))),
|
||||
new BlackboardAttribute(
|
||||
TSK_ASSOCIATED_ARTIFACT, MODULE_NAME,
|
||||
originalArtifact.getArtifactID()));
|
||||
makeAndPostInterestingArtifact(originalArtifact, attributesForNewArtifact);
|
||||
makeAndPostInterestingArtifact(originalArtifact, attributesForNewArtifact, Bundle.IngestEventsListener_prevTaggedSet_text());
|
||||
}
|
||||
|
||||
/**
|
||||
@ -251,26 +247,28 @@ public class IngestEventsListener {
|
||||
new BlackboardAttribute(
|
||||
TSK_ASSOCIATED_ARTIFACT, MODULE_NAME,
|
||||
originalArtifact.getArtifactID()));
|
||||
makeAndPostInterestingArtifact(originalArtifact, attributesForNewArtifact);
|
||||
makeAndPostInterestingArtifact(originalArtifact, attributesForNewArtifact, Bundle.IngestEventsListener_prevExists_text());
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Make an interesting item artifact to flag the passed in artifact.
|
||||
*
|
||||
* @param originalArtifact Artifact in current case we want to flag
|
||||
* @param attributesForNewArtifact Attributes to assign to the new
|
||||
* Interesting items artifact
|
||||
* @param configuration The configuration to be specified for the new interesting artifact hit
|
||||
*/
|
||||
private static void makeAndPostInterestingArtifact(BlackboardArtifact originalArtifact, Collection<BlackboardAttribute> attributesForNewArtifact) {
|
||||
private static void makeAndPostInterestingArtifact(BlackboardArtifact originalArtifact, Collection<BlackboardAttribute> attributesForNewArtifact, String configuration) {
|
||||
try {
|
||||
SleuthkitCase tskCase = originalArtifact.getSleuthkitCase();
|
||||
AbstractFile abstractFile = tskCase.getAbstractFileById(originalArtifact.getObjectID());
|
||||
Blackboard blackboard = tskCase.getBlackboard();
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(abstractFile, TSK_INTERESTING_ARTIFACT_HIT, attributesForNewArtifact)) {
|
||||
BlackboardArtifact newInterestingArtifact = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_ARTIFACT_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributesForNewArtifact)
|
||||
BlackboardArtifact newInterestingArtifact = abstractFile.newAnalysisResult(
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, configuration, null, attributesForNewArtifact)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
|
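Review bot: makeAndPostInterestingArtifact now hard-codes LIKELY_NOTABLE_SCORE for every caller, so the "previously seen" hit posted with Bundle.IngestEventsListener_prevExists_text() receives the same score as the "previously tagged as notable" hit, although an item merely existing in an earlier case is not by itself evidence that it is notable. The sibling changes in this PR (flagVolume, flagFile) take the Score as a parameter; doing the same here, `private static void makeAndPostInterestingArtifact(BlackboardArtifact originalArtifact, Collection<BlackboardAttribute> attributesForNewArtifact, String configuration, Score score)`, lets the prevExists caller choose its own significance while the notable-tag caller passes LIKELY_NOTABLE_SCORE. The new `@param configuration` Javadoc should also say that the value is stored as the analysis result's configuration and is the set name shown to the examiner. The body of makeAndPostInterestingArtifact continues outside the hunk.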
@ -67,7 +67,7 @@ import org.sleuthkit.datamodel.Score;
|
||||
final class CentralRepoIngestModule implements FileIngestModule {
|
||||
|
||||
private static final String MODULE_NAME = CentralRepoIngestModuleFactory.getModuleName();
|
||||
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
static final boolean DEFAULT_FLAG_TAGGED_NOTABLE_ITEMS = false;
|
||||
static final boolean DEFAULT_FLAG_PREVIOUS_DEVICES = false;
|
||||
static final boolean DEFAULT_CREATE_CR_PROPERTIES = true;
|
||||
@ -334,7 +334,6 @@ final class CentralRepoIngestModule implements FileIngestModule {
|
||||
* @param caseDisplayNames Case names to be added to a TSK_COMMON attribute.
|
||||
*/
|
||||
private void postCorrelatedBadFileToBlackboard(AbstractFile abstractFile, List<String> caseDisplayNames) {
|
||||
|
||||
Collection<BlackboardAttribute> attributes = Arrays.asList(
|
||||
new BlackboardAttribute(
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
@ -347,8 +346,8 @@ final class CentralRepoIngestModule implements FileIngestModule {
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(abstractFile, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact tifArtifact = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, Bundle.CentralRepoIngestModule_prevTaggedSet_text(), null, attributes)
|
||||
.getAnalysisResult();
|
||||
try {
|
||||
// index the artifact for keyword search
|
||||
|
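Review bot: `LIKELY_NOTABLE_SCORE` is declared here with the same initializer as the private copies added to IngestEventsListener, AddLogicalImageTask, SevenZipExtractor, both EncryptionDetection modules, FileExtMismatchIngestModule, FileTypeIdIngestModule, FilesIdentifierIngestModule and StixArtifactData in this PR (NOTABLE_SCORE is likewise duplicated). A single shared constant would keep the modules from drifting apart when the significance or method category is revisited; if the per-class copies are intentional, a one-line comment such as `// Local copy; keep in sync with the other ingest modules' score constants.` on each would make that explicit.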
@ -29,7 +29,6 @@ import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.Iterator;
|
||||
import java.util.List;
|
||||
@ -37,7 +36,6 @@ import java.util.Map;
|
||||
import java.util.logging.Level;
|
||||
import javax.annotation.concurrent.GuardedBy;
|
||||
import org.apache.commons.io.FileUtils;
|
||||
import org.openide.util.Exceptions;
|
||||
import org.openide.util.NbBundle.Messages;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
|
||||
@ -102,6 +100,8 @@ final class AddLogicalImageTask implements Runnable {
|
||||
}
|
||||
}
|
||||
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private final static Logger LOGGER = Logger.getLogger(AddLogicalImageTask.class.getName());
|
||||
private final static String SEARCH_RESULTS_TXT = "SearchResults.txt"; //NON-NLS
|
||||
private final static String USERS_TXT = "_users.txt"; //NON-NLS
|
||||
@ -445,13 +445,9 @@ final class AddLogicalImageTask implements Runnable {
|
||||
BlackboardArtifact artifact;
|
||||
try {
|
||||
artifact = this.blackboard.newAnalysisResult(
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT,
|
||||
fileId,
|
||||
dataSourceId,
|
||||
Score.SCORE_UNKNOWN,
|
||||
null,
|
||||
null,
|
||||
null,
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, fileId, dataSourceId,
|
||||
LIKELY_NOTABLE_SCORE,
|
||||
null, ruleSetName, null,
|
||||
Arrays.asList(
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, ruleSetName),
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, MODULE_NAME, ruleName)
|
||||
|
@ -51,6 +51,7 @@ import org.sleuthkit.datamodel.TskDataException;
|
||||
*/
|
||||
public class DataSourceIntegrityIngestModule implements DataSourceIngestModule {
|
||||
|
||||
private static final Score NOTABLE_SCORE = new Score(Score.Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
private static final Logger logger = Logger.getLogger(DataSourceIntegrityIngestModule.class.getName());
|
||||
private static final long DEFAULT_CHUNK_SIZE = 32 * 1024;
|
||||
private static final IngestServices services = IngestServices.getInstance();
|
||||
@ -294,10 +295,10 @@ public class DataSourceIntegrityIngestModule implements DataSourceIngestModule {
|
||||
if (!verified) {
|
||||
try {
|
||||
BlackboardArtifact verificationFailedArtifact = Case.getCurrentCase().getSleuthkitCase().getBlackboard().newAnalysisResult(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_VERIFICATION_FAILED),
|
||||
BlackboardArtifact.Type.TSK_VERIFICATION_FAILED,
|
||||
img.getId(), img.getId(),
|
||||
Score.SCORE_UNKNOWN,
|
||||
null, null, null,
|
||||
NOTABLE_SCORE,
|
||||
null, null, artifactComment,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
DataSourceIntegrityModuleFactory.getModuleName(), artifactComment)))
|
||||
.getAnalysisResult();
|
||||
|
@ -89,6 +89,8 @@ class SevenZipExtractor {
|
||||
private static final Logger logger = Logger.getLogger(SevenZipExtractor.class.getName());
|
||||
|
||||
private static final String MODULE_NAME = EmbeddedFileExtractorModuleFactory.getModuleName();
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
private static final Score NOTABLE_SCORE = new Score(Score.Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
//encryption type strings
|
||||
private static final String ENCRYPTION_FILE_LEVEL = NbBundle.getMessage(EmbeddedFileExtractorIngestModule.class,
|
||||
@ -302,11 +304,13 @@ class SevenZipExtractor {
|
||||
private void flagRootArchiveAsZipBomb(Archive rootArchive, AbstractFile archiveFile, String details, String escapedFilePath) {
|
||||
rootArchive.flagAsZipBomb();
|
||||
logger.log(Level.INFO, details);
|
||||
|
||||
String setName = "Possible Zip Bomb";
|
||||
try {
|
||||
Collection<BlackboardAttribute> attributes = Arrays.asList(
|
||||
new BlackboardAttribute(
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
"Possible Zip Bomb"),
|
||||
setName),
|
||||
new BlackboardAttribute(
|
||||
TSK_DESCRIPTION, MODULE_NAME,
|
||||
Bundle.SevenZipExtractor_zipBombArtifactCreation_text(archiveFile.getName())),
|
||||
@ -315,9 +319,13 @@ class SevenZipExtractor {
|
||||
details));
|
||||
|
||||
if (!blackboard.artifactExists(archiveFile, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact artifact = rootArchive.getArchiveFile().newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
|
||||
BlackboardArtifact artifact = archiveFile.newAnalysisResult(
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, setName, null,
|
||||
attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
* post the artifact which will index the artifact for
|
||||
@ -855,8 +863,9 @@ class SevenZipExtractor {
|
||||
String encryptionType = fullEncryption ? ENCRYPTION_FULL : ENCRYPTION_FILE_LEVEL;
|
||||
try {
|
||||
BlackboardArtifact artifact = archiveFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED), Score.SCORE_UNKNOWN,
|
||||
null, null, null,
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED),
|
||||
NOTABLE_SCORE,
|
||||
null, null, encryptionType,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, encryptionType)))
|
||||
.getAnalysisResult();
|
||||
|
||||
|
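Review bot: In flagRootArchiveAsZipBomb the analysis result is now created on `archiveFile` where it was previously created on `rootArchive.getArchiveFile()`; that is a behaviour change beyond the score and configuration wiring of this PR, because the method name and the `rootArchive.flagAsZipBomb()` call both refer to the outermost archive while archiveFile can presumably be a nested one. It does make creation consistent with the `blackboard.artifactExists(archiveFile, …)` check just above, so it may be the intended fix, but a one-line comment stating which file carries the flag, e.g. `// The result is attached to the archive that tripped the check, not to the root archive.`, would document the choice. Separately, `setName` is now the literal `"Possible Zip Bomb"` used as both the TSK_SET_NAME value and the result's configuration; the other set names and descriptions in this file come from Bundle, so it should either get a Bundle key or a `//NON-NLS` marker.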
@ -47,6 +47,8 @@ import org.sleuthkit.datamodel.VolumeSystem;
|
||||
*/
|
||||
final class EncryptionDetectionDataSourceIngestModule implements DataSourceIngestModule {
|
||||
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
private static final Score NOTABLE_SCORE = new Score(Score.Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
private final IngestServices services = IngestServices.getInstance();
|
||||
private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
|
||||
private Blackboard blackboard;
|
||||
@ -104,14 +106,16 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
if (BitlockerDetection.isBitlockerVolume(volume)) {
|
||||
return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_bitlocker());
|
||||
return flagVolume(volume, BlackboardArtifact.Type.TSK_ENCRYPTION_DETECTED, NOTABLE_SCORE,
|
||||
Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_bitlocker());
|
||||
}
|
||||
|
||||
if (context.dataSourceIngestIsCancelled()) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
if (isVolumeEncrypted(volume)) {
|
||||
return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED, String.format(Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_suspected(), calculatedEntropy));
|
||||
return flagVolume(volume, BlackboardArtifact.Type.TSK_ENCRYPTION_SUSPECTED, LIKELY_NOTABLE_SCORE,
|
||||
String.format(Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_suspected(), calculatedEntropy));
|
||||
}
|
||||
}
|
||||
// Update progress bar
|
||||
@ -148,19 +152,20 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
|
||||
* @param volume The volume to be processed.
|
||||
* @param artifactType The type of artifact to create. This is assumed to be
|
||||
* an analysis result type.
|
||||
* @param score The score of the analysis result.
|
||||
* @param comment A comment to be attached to the artifact.
|
||||
*
|
||||
* @return 'OK' if the volume was processed successfully, or 'ERROR' if
|
||||
* there was a problem.
|
||||
*/
|
||||
private IngestModule.ProcessResult flagVolume(Volume volume, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) {
|
||||
private IngestModule.ProcessResult flagVolume(Volume volume, BlackboardArtifact.Type artifactType, Score score, String comment) {
|
||||
|
||||
if (context.dataSourceIngestIsCancelled()) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
|
||||
try {
|
||||
BlackboardArtifact artifact = volume.newAnalysisResult(new BlackboardArtifact.Type(artifactType), Score.SCORE_UNKNOWN, null, null, null,
|
||||
BlackboardArtifact artifact = volume.newAnalysisResult(artifactType, score, null, null, comment,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment)))
|
||||
.getAnalysisResult();
|
||||
|
||||
|
@ -28,7 +28,6 @@ import com.healthmarketscience.jackcess.util.MemFileChannel;
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.nio.BufferUnderflowException;
|
||||
import java.util.Arrays;
|
||||
import java.util.logging.Level;
|
||||
import org.apache.tika.exception.EncryptedDocumentException;
|
||||
@ -65,6 +64,8 @@ import org.xml.sax.SAXException;
|
||||
final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter {
|
||||
|
||||
private static final int FILE_SIZE_MODULUS = 512;
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
private static final Score NOTABLE_SCORE = new Score(Score.Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private static final String DATABASE_FILE_EXTENSION = "db";
|
||||
private static final int MINIMUM_DATABASE_FILE_SIZE = 65536; //64 KB
|
||||
@ -157,10 +158,11 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
|
||||
*/
|
||||
String mimeType = fileTypeDetector.getMIMEType(file);
|
||||
if (mimeType.equals("application/octet-stream") && isFileEncryptionSuspected(file)) {
|
||||
return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
|
||||
return flagFile(file, BlackboardArtifact.Type.TSK_ENCRYPTION_SUSPECTED, LIKELY_NOTABLE_SCORE,
|
||||
String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
|
||||
} else if (isFilePasswordProtected(file)) {
|
||||
return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
|
||||
return flagFile(file, BlackboardArtifact.Type.TSK_ENCRYPTION_DETECTED, NOTABLE_SCORE,
|
||||
Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
|
||||
}
|
||||
}
|
||||
} catch (ReadContentInputStreamException | SAXException | TikaException | UnsupportedCodecException ex) {
|
||||
@ -191,18 +193,19 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
|
||||
* @param file The file to be processed.
|
||||
* @param artifactType The type of artifact to create. Assumed to be an
|
||||
* analysis result type.
|
||||
* @param score The score of the analysis result.
|
||||
* @param comment A comment to be attached to the artifact.
|
||||
*
|
||||
* @return 'OK' if the file was processed successfully, or 'ERROR' if there
|
||||
* was a problem.
|
||||
*/
|
||||
private IngestModule.ProcessResult flagFile(AbstractFile file, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) {
|
||||
private IngestModule.ProcessResult flagFile(AbstractFile file, BlackboardArtifact.Type artifactType, Score score, String comment) {
|
||||
try {
|
||||
if (context.fileIngestIsCancelled()) {
|
||||
return IngestModule.ProcessResult.OK;
|
||||
}
|
||||
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(new BlackboardArtifact.Type(artifactType), Score.SCORE_UNKNOWN, null, null, null,
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(artifactType, score, null, null, comment,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
EncryptionDetectionModuleFactory.getModuleName(), comment)))
|
||||
.getAnalysisResult();
|
||||
|
@ -18,6 +18,7 @@
|
||||
*/
|
||||
package org.sleuthkit.autopsy.modules.fileextmismatch;
|
||||
|
||||
import java.text.MessageFormat;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Set;
|
||||
@ -52,6 +53,7 @@ import org.sleuthkit.datamodel.TskException;
|
||||
"FileExtMismatchIngestModule.readError.message=Could not read settings."
|
||||
})
|
||||
public class FileExtMismatchIngestModule implements FileIngestModule {
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private static final Logger logger = Logger.getLogger(FileExtMismatchIngestModule.class.getName());
|
||||
private final IngestServices services = IngestServices.getInstance();
|
||||
@ -141,9 +143,12 @@ public class FileExtMismatchIngestModule implements FileIngestModule {
|
||||
addToTotals(jobId, System.currentTimeMillis() - startTime);
|
||||
|
||||
if (mismatchDetected) {
|
||||
String justification = MessageFormat.format("File has MIME type of {0}", detector.getMIMEType(abstractFile));
|
||||
|
||||
// add artifact
|
||||
BlackboardArtifact bart = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED), Score.SCORE_UNKNOWN, null, null, null, Collections.emptyList())
|
||||
BlackboardArtifact.Type.TSK_EXT_MISMATCH_DETECTED, LIKELY_NOTABLE_SCORE,
|
||||
null, null, justification, Collections.emptyList())
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
|
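Review bot: The justification built in the mismatch branch calls `detector.getMIMEType(abstractFile)` a second time, after the mismatch detection has presumably already obtained the file's MIME type, and bakes an untranslated English literal into a value that is persisted in the case database; the rest of this class routes user-visible strings through `@NbBundle.Messages` (see the readError key in the same file). Consider capturing the MIME type once where the mismatch is computed and formatting it through a Bundle key such as `"FileExtMismatchIngestModule.justification.mimeType=File has MIME type of {0}"`, so the justification always matches the detection that triggered it. The enclosing method starts outside the hunk.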
@ -49,6 +49,7 @@ import org.sleuthkit.datamodel.TskCoreException;
|
||||
*/
|
||||
@NbBundle.Messages({"CannotRunFileTypeDetection=Unable to run file type detection."})
|
||||
public class FileTypeIdIngestModule implements FileIngestModule {
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private static final Logger logger = Logger.getLogger(FileTypeIdIngestModule.class.getName());
|
||||
private static final HashMap<Long, IngestJobTotals> totalsForIngestJobs = new HashMap<>();
|
||||
@ -164,9 +165,10 @@ public class FileTypeIdIngestModule implements FileIngestModule {
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!tskBlackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, fileType.getInterestingFilesSetName(), null,
|
||||
attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
* post the artifact which will index the artifact for
|
||||
|
@ -49,6 +49,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.HashHitInfo;
|
||||
import org.sleuthkit.datamodel.HashUtility;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.Score.Significance;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
@ -382,9 +383,8 @@ public class HashDbIngestModule implements FileIngestModule {
|
||||
|
||||
totalCount.incrementAndGet();
|
||||
file.setKnown(statusIfFound);
|
||||
String hashSetName = db.getDisplayName();
|
||||
String comment = generateComment(hashInfo);
|
||||
if (!createArtifactIfNotExists(hashSetName, file, comment, db)) {
|
||||
if (!createArtifactIfNotExists(file, comment, db)) {
|
||||
wasError = true;
|
||||
}
|
||||
}
|
||||
@ -427,24 +427,23 @@ public class HashDbIngestModule implements FileIngestModule {
|
||||
/**
|
||||
* Creates a BlackboardArtifact if artifact does not already exist.
|
||||
*
|
||||
* @param hashSetName The name of the hashset found.
|
||||
* @param file The file that had a hash hit.
|
||||
* @param comment The comment to associate with this artifact.
|
||||
* @param db the database in which this file was found.
|
||||
*
|
||||
* @return True if the operation occurred successfully and without error.
|
||||
*/
|
||||
private boolean createArtifactIfNotExists(String hashSetName, AbstractFile file, String comment, HashDb db) {
|
||||
private boolean createArtifactIfNotExists(AbstractFile file, String comment, HashDb db) {
|
||||
/*
|
||||
* We have a match. Now create an artifact if it is determined that one
|
||||
* hasn't been created yet.
|
||||
*/
|
||||
List<BlackboardAttribute> attributesList = new ArrayList<>();
|
||||
attributesList.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, HashLookupModuleFactory.getModuleName(), hashSetName));
|
||||
attributesList.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, HashLookupModuleFactory.getModuleName(), db.getDisplayName()));
|
||||
try {
|
||||
Blackboard tskBlackboard = skCase.getBlackboard();
|
||||
if (tskBlackboard.artifactExists(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT, attributesList) == false) {
|
||||
postHashSetHitToBlackboard(file, file.getMd5Hash(), hashSetName, comment, db.getSendIngestMessages());
|
||||
postHashSetHitToBlackboard(file, file.getMd5Hash(), db, comment);
|
||||
}
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, String.format(
|
||||
@ -501,33 +500,53 @@ public class HashDbIngestModule implements FileIngestModule {
|
||||
totals.totalCalctime.addAndGet(delta);
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts HashDb.KnownFilesType to a Score to be used to create an analysis result.
|
||||
* @param knownFilesType The HashDb KnownFilesType to convert.
|
||||
* @return The Score to use when creating an AnalysisResult.
|
||||
*/
|
||||
private Score getScore(HashDb.KnownFilesType knownFilesType) {
|
||||
if (knownFilesType == null) {
|
||||
return Score.SCORE_UNKNOWN;
|
||||
}
|
||||
switch (knownFilesType) {
|
||||
case KNOWN:
|
||||
return new Score(Significance.NONE, Score.MethodCategory.AUTO);
|
||||
case KNOWN_BAD:
|
||||
return new Score(Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
default:
|
||||
case NO_CHANGE:
|
||||
return Score.SCORE_UNKNOWN;
|
||||
}
|
||||
}
|
||||
/**
|
||||
* Post a hash set hit to the blackboard.
|
||||
*
|
||||
* @param abstractFile The file to be processed.
|
||||
* @param md5Hash The MD5 hash value of the file.
|
||||
* @param hashSetName The name of the hash set with which to associate
|
||||
* the hit.
|
||||
* @param db The database in which this file was found.
|
||||
* @param comment A comment to be attached to the artifact.
|
||||
* @param showInboxMessage Show a message in the inbox?
|
||||
*/
|
||||
@Messages({
|
||||
"HashDbIngestModule.indexError.message=Failed to index hashset hit artifact for keyword search."
|
||||
})
|
||||
private void postHashSetHitToBlackboard(AbstractFile abstractFile, String md5Hash, String hashSetName, String comment, boolean showInboxMessage) {
|
||||
private void postHashSetHitToBlackboard(AbstractFile abstractFile, String md5Hash, HashDb db, String comment) {
|
||||
try {
|
||||
String moduleName = HashLookupModuleFactory.getModuleName();
|
||||
|
||||
Collection<BlackboardAttribute> attributes = new ArrayList<>();
|
||||
//TODO Revisit usage of deprecated constructor as per TSK-583
|
||||
//BlackboardAttribute att2 = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), MODULE_NAME, "Known Bad", hashSetName);
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, moduleName, hashSetName));
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HASH_MD5, moduleName, md5Hash));
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, comment));
|
||||
List<BlackboardAttribute> attributes = Arrays.asList(
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, moduleName, db.getDisplayName()),
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HASH_MD5, moduleName, md5Hash),
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, comment)
|
||||
);
|
||||
|
||||
// BlackboardArtifact.Type artifactType, Score score, String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList
|
||||
BlackboardArtifact badFile = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_HASHSET_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
BlackboardArtifact.Type.TSK_HASHSET_HIT, getScore(db.getKnownFilesType()),
|
||||
null, db.getDisplayName(), null,
|
||||
attributes
|
||||
).getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
* post the artifact which will index the artifact for keyword
|
||||
@ -540,7 +559,7 @@ public class HashDbIngestModule implements FileIngestModule {
|
||||
Bundle.HashDbIngestModule_indexError_message(), badFile.getDisplayName());
|
||||
}
|
||||
|
||||
if (showInboxMessage) {
|
||||
if (db.getSendIngestMessages()) {
|
||||
StringBuilder detailsSb = new StringBuilder();
|
||||
//details
|
||||
detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
|
||||
@ -565,7 +584,7 @@ public class HashDbIngestModule implements FileIngestModule {
|
||||
detailsSb.append("<th>") //NON-NLS
|
||||
.append(NbBundle.getMessage(this.getClass(), "HashDbIngestModule.postToBB.hashsetName"))
|
||||
.append("</th>"); //NON-NLS
|
||||
detailsSb.append("<td>").append(hashSetName).append("</td>"); //NON-NLS
|
||||
detailsSb.append("<td>").append(db.getDisplayName()).append("</td>"); //NON-NLS
|
||||
detailsSb.append("</tr>"); //NON-NLS
|
||||
|
||||
detailsSb.append("</table>"); //NON-NLS
|
||||
|
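Review bot: In getScore the `default:` label is placed before `case NO_CHANGE:` so both fall through to `return Score.SCORE_UNKNOWN`; that is legal but reads as if a case was forgotten, and since null is already handled above the switch it would be clearer as `case NO_CHANGE: default: return Score.SCORE_UNKNOWN;` (or a switch expression if the project builds on Java 14+). The same method mixes the statically imported `Significance.NONE` with the fully qualified `Score.MethodCategory.AUTO`; pick one form. In postHashSetHitToBlackboard the line `// BlackboardArtifact.Type artifactType, Score score, String conclusion, …` is a copy of the newAnalysisResult signature left as a crib and should be dropped now that each argument group sits on its own line.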
@ -53,6 +53,7 @@ import org.sleuthkit.datamodel.TskData;
|
||||
*/
|
||||
@NbBundle.Messages({"FilesIdentifierIngestModule.getFilesError=Error getting interesting files sets from file."})
|
||||
final class FilesIdentifierIngestModule implements FileIngestModule {
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private static final Object sharedResourcesLock = new Object();
|
||||
private static final Logger logger = Logger.getLogger(FilesIdentifierIngestModule.class.getName());
|
||||
@ -144,9 +145,10 @@ final class FilesIdentifierIngestModule implements FileIngestModule {
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, filesSet.getName(), null,
|
||||
attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
|
||||
// Post thet artifact to the blackboard.
|
||||
|
@ -153,7 +153,7 @@ public class EXIFProcessor implements PictureProcessor {
|
||||
final BlackboardArtifact exifArtifact = file.newDataArtifact(new BlackboardArtifact.Type(TSK_METADATA_EXIF), attributes);
|
||||
|
||||
final BlackboardArtifact userSuspectedArtifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_USER_CONTENT_SUSPECTED), Score.SCORE_UNKNOWN, null, null, null,
|
||||
BlackboardArtifact.Type.TSK_USER_CONTENT_SUSPECTED, Score.SCORE_UNKNOWN, null, null, null,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, Bundle.ExifProcessor_userContent_description())))
|
||||
.getAnalysisResult();
|
||||
|
||||
|
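Review bot: TSK_USER_CONTENT_SUSPECTED keeps `Score.SCORE_UNKNOWN` and a null justification while every other analysis result touched by this PR receives an explicit score; if that is deliberate (EXIF presence alone only suggests user-generated content), a short comment on the call such as `// Deliberately left unscored: EXIF data only suggests user content.` would stop the next reader from "fixing" it. The enclosing method starts and ends outside the hunk.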
@ -35,7 +35,6 @@ import org.sleuthkit.autopsy.yara.YaraJNIWrapper;
|
||||
import org.sleuthkit.autopsy.yara.YaraWrapperException;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_YARA_HIT;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
@ -47,6 +46,7 @@ import org.sleuthkit.datamodel.TskCoreException;
|
||||
*/
|
||||
final class YaraIngestHelper {
|
||||
|
||||
private static final Score NOTABLE_SCORE = new Score(Score.Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
private static final String YARA_DIR = "yara";
|
||||
private static final String YARA_C_EXE = "yarac64.exe";
|
||||
private static final String MODULE_NAME = YaraIngestModuleFactory.getModuleName();
|
||||
@ -207,7 +207,7 @@ final class YaraIngestHelper {
|
||||
attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
|
||||
attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));
|
||||
|
||||
BlackboardArtifact artifact = abstractFile.newAnalysisResult(new BlackboardArtifact.Type(TSK_YARA_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
BlackboardArtifact artifact = abstractFile.newAnalysisResult(BlackboardArtifact.Type.TSK_YARA_HIT, NOTABLE_SCORE, null, ruleSetName, rule, attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
artifacts.add(artifact);
|
||||
|
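Review bot: Every YARA match is now persisted with the highest significance, `NOTABLE_SCORE` (L1656, L1682), independent of which rule set produced it, and nothing on the constant records that this is intentional. Rule sets commonly mix detection signatures with purely descriptive rules, and any such hit will drive the file's aggregate score to NOTABLE; if that is the desired behaviour, document it on the constant, e.g. `// All YARA hits are scored NOTABLE; the rule set name and matching rule are stored as configuration and justification.`, otherwise the significance should come from the rule set configuration. The argument mapping (ruleSetName as configuration, rule as justification) is inferred from the sibling calls in this commit rather than from anything visible here. The enclosing method continues outside the hunk.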
@ -42,7 +42,7 @@ import org.sleuthkit.datamodel.TskCoreException;
|
||||
*
|
||||
*/
|
||||
class StixArtifactData {
|
||||
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
private static final String MODULE_NAME = "Stix";
|
||||
|
||||
private AbstractFile file;
|
||||
@ -89,8 +89,10 @@ class StixArtifactData {
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact bba = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributes).getAnalysisResult();
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, setName, null,
|
||||
attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
|
@ -47,7 +47,6 @@ import org.sleuthkit.autopsy.ingest.IngestServices;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OBJECT_DETECTED;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
@ -171,7 +170,7 @@ public class ObjectDetectectionFileIngestModule extends FileIngestModuleAdapter
|
||||
);
|
||||
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_OBJECT_DETECTED), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
BlackboardArtifact.Type.TSK_OBJECT_DETECTED, Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
|
@ -56,6 +56,7 @@ import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM;
|
||||
* artifacts.
|
||||
*/
|
||||
class VolatilityProcessor {
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private static final Logger logger = Logger.getLogger(VolatilityProcessor.class.getName());
|
||||
private static final String VOLATILITY = "Volatility"; //NON-NLS
|
||||
@ -377,17 +378,15 @@ class VolatilityProcessor {
|
||||
}
|
||||
try {
|
||||
|
||||
Collection<BlackboardAttribute> attributes = singleton(
|
||||
new BlackboardAttribute(
|
||||
TSK_SET_NAME, VOLATILITY,
|
||||
Bundle.VolatilityProcessor_artifactAttribute_interestingFileSet(pluginName))
|
||||
);
|
||||
String setName = Bundle.VolatilityProcessor_artifactAttribute_interestingFileSet(pluginName);
|
||||
Collection<BlackboardAttribute> attributes = singleton(new BlackboardAttribute(TSK_SET_NAME, VOLATILITY, setName));
|
||||
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(resolvedFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact volArtifact = resolvedFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, setName, null,
|
||||
attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
|
@ -61,6 +61,7 @@ class LuceneQuery implements KeywordSearchQuery {
|
||||
static final int SNIPPET_LENGTH = 50;
|
||||
static final String HIGHLIGHT_FIELD = Server.Schema.TEXT.toString();
|
||||
|
||||
private static final Score KEYWORD_SEARCH_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
private static final boolean DEBUG = (Version.getBuildType() == Version.Type.DEVELOPMENT);
|
||||
|
||||
/**
|
||||
@ -263,7 +264,10 @@ class LuceneQuery implements KeywordSearchQuery {
|
||||
);
|
||||
|
||||
try {
|
||||
return content.newAnalysisResult(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_KEYWORD_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
return content.newAnalysisResult(
|
||||
BlackboardArtifact.Type.TSK_KEYWORD_HIT, KEYWORD_SEARCH_SCORE,
|
||||
null, listName, null,
|
||||
attributes)
|
||||
.getAnalysisResult();
|
||||
} catch (TskCoreException e) {
|
||||
logger.log(Level.WARNING, "Error adding bb artifact for keyword hit", e); //NON-NLS
|
||||
|
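Review bot: The new constant is named `KEYWORD_SEARCH_SCORE` (L1909) while the identical value in RegexQuery (L1991) and in the other modules of this commit is named `LIKELY_NOTABLE_SCORE`; the two keyword-search queries should agree, and naming by significance is the convention the rest of the commit follows: `private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);`. Scoring every keyword hit LIKELY_NOTABLE regardless of list (L1937, RegexQuery L2019) is a product decision worth a comment on the constant, since bulk lists will raise the aggregate score of many files at once. The enclosing methods continue outside both hunks.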
@ -48,7 +48,6 @@ import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Account;
|
||||
import org.sleuthkit.datamodel.AccountFileInstance;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
@ -73,6 +72,7 @@ import org.sleuthkit.datamodel.TskData;
|
||||
final class RegexQuery implements KeywordSearchQuery {
|
||||
|
||||
public static final Logger LOGGER = Logger.getLogger(RegexQuery.class.getName());
|
||||
private static final Score LIKELY_NOTABLE_SCORE = new Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
/**
|
||||
* Lucene regular expressions do not support the following Java predefined
|
||||
@ -614,7 +614,9 @@ final class RegexQuery implements KeywordSearchQuery {
|
||||
}
|
||||
|
||||
try {
|
||||
return content.newAnalysisResult(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_KEYWORD_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
return content.newAnalysisResult(
|
||||
BlackboardArtifact.Type.TSK_KEYWORD_HIT, LIKELY_NOTABLE_SCORE,
|
||||
null, listName, null, attributes)
|
||||
.getAnalysisResult();
|
||||
} catch (TskCoreException e) {
|
||||
LOGGER.log(Level.SEVERE, "Error adding bb attributes for terms search artifact", e); //NON-NLS
|
||||
|
@ -41,6 +41,7 @@ import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.HashMap;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import org.apache.commons.io.FilenameUtils;
|
||||
import org.openide.util.NbBundle.Messages;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
@ -59,6 +60,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
import org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper;
|
||||
@ -67,6 +69,7 @@ import org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper;
|
||||
* Chromium recent activity extraction
|
||||
*/
|
||||
class Chromium extends Extract {
|
||||
private static final Score NOTABLE_SCORE = new Score(Score.Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private static final String HISTORY_QUERY = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS
|
||||
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS
|
||||
@ -823,11 +826,15 @@ class Chromium extends Extract {
|
||||
// get form address atifacts
|
||||
getFormAddressArtifacts(webDataFile, tempFilePath, isSchemaV8X);
|
||||
if (databaseEncrypted) {
|
||||
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(),
|
||||
String.format("%s Autofill Database Encryption Detected", browser)));
|
||||
bbartifacts.add(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, webDataFile, bbattributes));
|
||||
String comment = String.format("%s Autofill Database Encryption Detected", browser);
|
||||
Collection<BlackboardAttribute> bbattributes = Arrays.asList(
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
RecentActivityExtracterModuleFactory.getModuleName(), comment));
|
||||
|
||||
bbartifacts.add(
|
||||
webDataFile.newAnalysisResult(
|
||||
BlackboardArtifact.Type.TSK_ENCRYPTION_DETECTED, NOTABLE_SCORE,
|
||||
null, null, comment, bbattributes).getAnalysisResult());
|
||||
}
|
||||
} catch (NoCurrentCaseException | TskCoreException | Blackboard.BlackboardException ex) {
|
||||
logger.log(Level.SEVERE, String.format("Error adding artifacts to the case database "
|
||||
|
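Review bot: Replacing `createArtifactWithAttributes(...)` with `webDataFile.newAnalysisResult(...)` (L2147–L2156) changes which checked exceptions the try body can throw; `newAnalysisResult` is declared to throw TskCoreException, so unless another statement in the same try block still throws `Blackboard.BlackboardException`, the multi-catch at L2162 has a dead alternative and, that exception being checked, javac will reject it. The try body starts outside the hunk, so this cannot be confirmed from the visible lines. The comment text is now stored both as the TSK_COMMENT attribute and as the justification, which matches ThunderbirdMboxFileIngestModule in this commit and is worth stating next to `String comment = ...`, e.g. `// Used both as the TSK_COMMENT attribute and as the analysis-result justification.`.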
@ -34,7 +34,6 @@ import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
import java.util.logging.Level;
|
||||
import org.openide.util.NbBundle.Messages;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
@ -51,7 +50,6 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.OsAccount;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
@ -37,6 +37,7 @@ from java.lang import System
|
||||
from java.util.logging import Level
|
||||
from org.sleuthkit.datamodel import SleuthkitCase
|
||||
from org.sleuthkit.datamodel import AbstractFile
|
||||
from org.sleuthkit.datamodel import Score
|
||||
from org.sleuthkit.datamodel import ReadContentInputStream
|
||||
from org.sleuthkit.datamodel import BlackboardArtifact
|
||||
from org.sleuthkit.datamodel import BlackboardAttribute
|
||||
@ -85,6 +86,7 @@ class SampleJythonDataSourceIngestModuleFactory(IngestModuleFactoryAdapter):
|
||||
# Data Source-level ingest module. One gets created per data source.
|
||||
# TODO: Rename this to something more specific. Could just remove "Factory" from above name.
|
||||
class SampleJythonDataSourceIngestModule(DataSourceIngestModule):
|
||||
LIKELY_NOTABLE_SCORE = Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO)
|
||||
|
||||
_logger = Logger.getLogger(SampleJythonDataSourceIngestModuleFactory.moduleName)
|
||||
|
||||
@ -142,7 +144,7 @@ class SampleJythonDataSourceIngestModule(DataSourceIngestModule):
|
||||
# artfiact. Refer to the developer docs for other examples.
|
||||
attrs = ArrayList()
|
||||
attrs.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file"))
|
||||
art = file.newAnalysisResult(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, Score.SCORE_UNKNOWN, None, None, None, attrs)
|
||||
art = file.newAnalysisResult(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, self.LIKELY_NOTABLE_SCORE, None, "Test file", None, attrs)
|
||||
|
||||
try:
|
||||
# index the artifact for keyword search
|
||||
|
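Review bot: The configuration string passed to `newAnalysisResult` at L2279 (`"Test file"`) is a second literal copy of the TSK_SET_NAME value at L2273, so the two can silently drift apart; the Java hunks in this commit bind the name to a local (`setName`) and use it for both. Suggest `set_name = "Test file"` before the attribute is built and use it in both places. The same duplication appears in SampleJythonFileIngestModule (`"Text Files"`, L2346 and L2352). Since these are the sample modules developers copy from, a short comment on the call explaining the arguments would also help, e.g. `# type, score, conclusion, configuration (set name), justification, attributes`. The enclosing method continues outside the hunk.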
@ -35,6 +35,7 @@ import jarray
|
||||
import inspect
|
||||
from java.lang import System
|
||||
from java.util.logging import Level
|
||||
from org.sleuthkit.datamodel import Score
|
||||
from org.sleuthkit.datamodel import SleuthkitCase
|
||||
from org.sleuthkit.datamodel import AbstractFile
|
||||
from org.sleuthkit.datamodel import ReadContentInputStream
|
||||
@ -88,6 +89,7 @@ class SampleJythonFileIngestModuleFactory(IngestModuleFactoryAdapter):
|
||||
# TODO: Rename this to something more specific. Could just remove "Factory" from above name.
|
||||
# Looks at the attributes of the passed in file.
|
||||
class SampleJythonFileIngestModule(FileIngestModule):
|
||||
LIKELY_NOTABLE_SCORE = Score(Score.Significance.LIKELY_NOTABLE, Score.MethodCategory.AUTO)
|
||||
|
||||
_logger = Logger.getLogger(SampleJythonFileIngestModuleFactory.moduleName)
|
||||
|
||||
@ -130,7 +132,7 @@ class SampleJythonFileIngestModule(FileIngestModule):
|
||||
attrs = ArrayList()
|
||||
attrs.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
|
||||
SampleJythonFileIngestModuleFactory.moduleName, "Text Files"))
|
||||
art = file.newAnalysisResult(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, Score.SCORE_UNKNOWN, None, None, None, attrs)
|
||||
art = file.newAnalysisResult(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, self.LIKELY_NOTABLE_SCORE, None, "Text Files", None, attrs)
|
||||
|
||||
|
||||
try:
|
||||
|
@ -75,6 +75,7 @@ import org.sleuthkit.datamodel.blackboardutils.attributes.MessageAttachments.Fil
|
||||
* structure and metadata.
|
||||
*/
|
||||
public final class ThunderbirdMboxFileIngestModule implements FileIngestModule {
|
||||
private static final Score NOTABLE_SCORE = new Score(Score.Significance.NOTABLE, Score.MethodCategory.AUTO);
|
||||
|
||||
private static final Logger logger = Logger.getLogger(ThunderbirdMboxFileIngestModule.class.getName());
|
||||
private final IngestServices services = IngestServices.getInstance();
|
||||
@ -242,13 +243,14 @@ public final class ThunderbirdMboxFileIngestModule implements FileIngestModule {
|
||||
// encrypted pst: Add encrypted file artifact
|
||||
try {
|
||||
|
||||
String encryptionFileLevel = NbBundle.getMessage(this.getClass(),
|
||||
"ThunderbirdMboxFileIngestModule.encryptionFileLevel");
|
||||
BlackboardArtifact artifact = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED),
|
||||
Score.SCORE_UNKNOWN, null, null, null, Arrays.asList(
|
||||
BlackboardArtifact.Type.TSK_ENCRYPTION_DETECTED,
|
||||
NOTABLE_SCORE, null, null, encryptionFileLevel, Arrays.asList(
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
|
||||
EmailParserModuleFactory.getModuleName(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ThunderbirdMboxFileIngestModule.encryptionFileLevel"))
|
||||
encryptionFileLevel)
|
||||
))
|
||||
.getAnalysisResult();
|
||||
|
||||
|
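Review bot: The justification passed at L2415 (`encryptionFileLevel`) is a localized string obtained from `NbBundle.getMessage`, so the value persisted in the case database now depends on the analyst's locale, whereas Chromium's encryption result in this commit (L2133) uses a fixed English string; either document the choice with a comment on L2397, e.g. `// Localized; also persisted as the analysis-result justification.`, or pass a non-localized justification. Factoring the message into `encryptionFileLevel` and reusing it for the TSK_NAME attribute (L2430) is a good cleanup. The enclosing try block continues outside the hunk.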