diff --git a/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java b/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java index d927e5edb8..20de49affd 100755 --- a/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java +++ b/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java @@ -23,6 +23,8 @@ import java.awt.Component; import org.openide.nodes.Node; import org.openide.util.lookup.ServiceProvider; import org.sleuthkit.autopsy.corecomponentinterfaces.DataContentViewer; +import org.sleuthkit.autopsy.datamodel.AbstractAbstractFileNode; +import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; @@ -136,11 +138,10 @@ public class Metadata extends javax.swing.JPanel implements DataContentViewer addRow(sb, "Size", new Long(file.getSize()).toString() ); addRow(sb, "File Name Allocation", file.getDirFlagAsString()); addRow(sb, "Metadata Allocation", file.getMetaFlagsAsString()); - - addRow(sb, "Modified", file.getMtimeAsDate()); - addRow(sb, "Accessed", file.getAtimeAsDate()); - addRow(sb, "Created", file.getCrtimeAsDate()); - addRow(sb, "Changed", file.getCtimeAsDate()); + addRow(sb, "Modified", ContentUtils.getStringTime(file.getMtime(), file)); + addRow(sb, "Accessed", ContentUtils.getStringTime(file.getAtime(), file)); + addRow(sb, "Created", ContentUtils.getStringTime(file.getCrtime(), file)); + addRow(sb, "Changed", ContentUtils.getStringTime(file.getCtime(), file)); String md5 = file.getMd5Hash(); if (md5 == null) { diff --git a/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java b/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java index 0cf73adc5e..8ea28dd457 100755 --- a/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java +++ b/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java @@ -256,7 +256,7 @@ public class ExplorerNodeActionVisitor extends ContentVisitor.Default recentFiles = null; - try { - recentFiles = fileManager.findFiles(dataSource, "%.lnk", "Recent"); - } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Error searching for .lnk files."); - this.addErrorMessage(this.getName() + ": Error getting lnk Files."); - return; - } - - if (recentFiles.isEmpty()) { - logger.log(Level.INFO, "Didn't find any IE recent files."); - return; - } - - dataFound = true; - for (AbstractFile recentFile : recentFiles) { - if (controller.isCancelled()) { - break; - } - - if (recentFile.getSize() == 0) { - continue; - } - JLNK lnk = null; - JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize()); - try { - lnk = lnkParser.parse(); - } catch (JLnkParserException e) { - //TODO should throw a specific checked exception - boolean unalloc = recentFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC) - || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC); - if (unalloc == false) { - logger.log(Level.SEVERE, "Error lnk parsing the file to get recent files" + recentFile, e); - this.addErrorMessage(this.getName() + ": Error parsing Recent File " + recentFile.getName()); - } - continue; - } - - Collection bbattributes = new ArrayList(); - String path = lnk.getBestPath(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(dataSource, path))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", recentFile.getCrtime())); - this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes); - } - services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); - } - /** * Locates index.dat files, runs Pasco on them, and creates artifacts. * @param dataSource diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index c5565bc3c8..e403c78117 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -158,6 +158,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource { final Extract registry = new ExtractRegistry(); final Extract iexplore = new ExtractIE(); + final Extract recentDocuments= new RecentDocumentsByLnk(); final Extract chrome = new Chrome(); final Extract firefox = new Firefox(); final Extract SEUQA = new SearchEngineURLQueryAnalyzer(); @@ -165,6 +166,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource { modules.add(chrome); modules.add(firefox); modules.add(iexplore); + modules.add(recentDocuments); // this needs to run after the web browser modules modules.add(SEUQA); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java new file mode 100644 index 0000000000..880427e832 --- /dev/null +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java @@ -0,0 +1,147 @@ + /* + * + * Autopsy Forensic Browser + * + * Copyright 2012-2013 Basis Technology Corp. + * + * Copyright 2012 42six Solutions. + * Contact: aebadirad 42six com + * Project Contact/Architect: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.recentactivity; + +// imports +import java.util.ArrayList; +import java.util.List; +import java.util.logging.Level; +import org.sleuthkit.autopsy.coreutils.Logger; +import java.util.Collection; +import org.sleuthkit.autopsy.coreutils.JLNK; +import org.sleuthkit.autopsy.coreutils.JLnkParser; +import org.sleuthkit.autopsy.coreutils.JLnkParserException; +import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController; +import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.ingest.ModuleDataEvent; +import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import org.sleuthkit.datamodel.Content; +import org.sleuthkit.autopsy.ingest.PipelineContext; +import org.sleuthkit.autopsy.ingest.IngestModuleDataSource; +import org.sleuthkit.autopsy.ingest.IngestModuleInit; +import org.sleuthkit.datamodel.*; + +/** + * Recent documents class that will extract recent documents in the form of + *.lnk files + */ +class RecentDocumentsByLnk extends Extract { + private static final Logger logger = Logger.getLogger(RecentDocumentsByLnk.class.getName()); + private IngestServices services; + final private static String MODULE_VERSION = "1.0"; + + /** + * Find the documents that Windows stores about recent documents and make artifacts. + * @param dataSource + * @param controller + */ + private void getRecentDocuments(Content dataSource, IngestDataSourceWorkerController controller) { + + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List recentFiles = null; + try { + recentFiles = fileManager.findFiles(dataSource, "%.lnk", "Recent"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error searching for .lnk files."); + this.addErrorMessage(this.getName() + ": Error getting lnk Files."); + return; + } + + if (recentFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any recent files."); + return; + } + + dataFound = true; + for (AbstractFile recentFile : recentFiles) { + if (controller.isCancelled()) { + break; + } + + if (recentFile.getSize() == 0) { + continue; + } + JLNK lnk = null; + JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize()); + try { + lnk = lnkParser.parse(); + } catch (JLnkParserException e) { + //TODO should throw a specific checked exception + boolean unalloc = recentFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC) + || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC); + if (unalloc == false) { + logger.log(Level.SEVERE, "Error lnk parsing the file to get recent files" + recentFile, e); + this.addErrorMessage(this.getName() + ": Error parsing Recent File " + recentFile.getName()); + } + continue; + } + + Collection bbattributes = new ArrayList(); + String path = lnk.getBestPath(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(dataSource, path))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", recentFile.getCrtime())); + this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes); + } + services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); + } + + @Override + public String getVersion() { + return MODULE_VERSION; + } + + @Override + public void process(PipelineContextpipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { + dataFound = false; + this.getRecentDocuments(dataSource, controller); + } + + @Override + public void init(IngestModuleInit initContext) { + services = IngestServices.getDefault(); + } + + @Override + public void complete() { + } + + @Override + public void stop() { + //call regular cleanup from complete() method + complete(); + } + + @Override + public String getDescription() { + return "Extracts recent documents in windows."; + } + + @Override + public boolean hasBackgroundJobsRunning() { + return false; + } +} diff --git a/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java b/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java index 3da40b3fff..c6afccff95 100755 --- a/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java +++ b/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java @@ -88,19 +88,15 @@ public class EwfVerifyIngestModule extends IngestModuleDataSource { skipped = true; return; } - - // Get the hash stored in the E01 file from the database - if (skCase.imageHasHash(img)) { - try { - storedHash = skCase.getImageHash(img).toLowerCase(); + + + if ((img.getMd5()!= null) && !img.getMd5().isEmpty()) + { + storedHash = img.getMd5().toLowerCase(); logger.info("Hash value stored in " + imgName + ": " + storedHash); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, "Failed to get stored hash from image " + imgName, ex); - services.postMessage(IngestMessage.createMessage(++messageId, MessageType.ERROR, this, - "Error retrieving stored hash value from " + imgName)); - return; - } - } else { + + } + else { services.postMessage(IngestMessage.createMessage(++messageId, MessageType.ERROR, this, "Image " + imgName + " does not have stored hash.")); return; diff --git a/test/script/srcupdater.py b/test/script/srcupdater.py index 168bc7da7c..2fb3a38a93 100755 --- a/test/script/srcupdater.py +++ b/test/script/srcupdater.py @@ -47,7 +47,7 @@ def compile(errore, attachli, parsedin, branch): antBuild("datamodel", False) print("DataModel") if(passed): - antBuild("autopsy", True) + antBuild("autopsy", True, branch) print("Aut") if(passed): redo = False @@ -131,7 +131,7 @@ def vsBuild(): redo = True #Builds Autopsy or the Datamodel -def antBuild(which, Build): +def antBuild(which, Build, branch): print("building: ", which) global redo global passed @@ -165,14 +165,14 @@ def antBuild(which, Build): open(chk) except IOError as e: if(not tryredo): - errorem += "DataModel Java build failed.\n" + errorem += "DataModel Java build failed. on branch " + branch + "\n" attachl.append(antpth) if email_enabled: Emailer.send_email(to, server, subj, errorem, attachl) passed = False tryredo = True elif (succd != 0 and (not tryredo)): - errorem += "Autopsy build failed.\n" + errorem += "Autopsy build failed on branch " + branch + ".\n" attachl.append(antpth) Emailer.send_email(to, server, subj, errorem, attachl) tryredo = True