From c0699101712ef4def09864f2a092e23e6e85fc28 Mon Sep 17 00:00:00 2001 From: "U-BASIS\\tshahi" Date: Wed, 29 Jan 2014 09:51:33 -0500 Subject: [PATCH 1/8] image md5 hash updated --- .../ExplorerNodeActionVisitor.java | 2 +- .../ewfverify/EwfVerifyIngestModule.java | 20 ++++++++----------- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java b/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java index 0cf73adc5e..8ea28dd457 100755 --- a/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java +++ b/Core/src/org/sleuthkit/autopsy/directorytree/ExplorerNodeActionVisitor.java @@ -256,7 +256,7 @@ public class ExplorerNodeActionVisitor extends ContentVisitor.Default Date: Thu, 30 Jan 2014 14:03:53 -0500 Subject: [PATCH 2/8] added check for null --- .../org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java b/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java index dfbccba458..c6afccff95 100755 --- a/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java +++ b/ewfVerify/src/org/sleuthkit/autopsy/ewfverify/EwfVerifyIngestModule.java @@ -90,7 +90,7 @@ public class EwfVerifyIngestModule extends IngestModuleDataSource { } - if (!img.getMd5().isEmpty()) + if ((img.getMd5()!= null) && !img.getMd5().isEmpty()) { storedHash = img.getMd5().toLowerCase(); logger.info("Hash value stored in " + imgName + ": " + storedHash); From d2d72bd4c8ba8aae11f44e80a20e769ad61905c8 Mon Sep 17 00:00:00 2001 
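Review bot: The new guard in EwfVerifyIngestModule.java calls `img.getMd5()` three times (twice in the condition and again in the assignment that follows), so a getter that is more than a field read is evaluated repeatedly and the value checked for null/empty is not necessarily the same object as the value lowercased. Reading it once into a local keeps the check and the use on one value and also fixes the `()!= null` spacing: `String imageMd5 = img.getMd5();` / `if (imageMd5 != null && !imageMd5.isEmpty())` / `storedHash = imageMd5.toLowerCase();`. The enclosing method starts before and continues after this hunk. The ExplorerNodeActionVisitor hunk of PATCH 1/8 on this line is truncated in the text I see, so it is not reviewed here.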
From: "U-BASIS\\tshahi" Date: Fri, 31 Jan 2014 11:50:34 -0500 Subject: [PATCH 3/8] taking Recent Activity out of IE class --- .../autopsy/recentactivity/ExtractIE.java | 57 ------- .../recentactivity/RAImageIngestModule.java | 2 + .../recentactivity/RecentDocuments.java | 153 ++++++++++++++++++ 3 files changed, 155 insertions(+), 57 deletions(-) create mode 100644 RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocuments.java diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 570d14b5cf..1af2322b1c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -100,7 +100,6 @@ class ExtractIE extends Extract { dataFound = false; this.getBookmark(dataSource, controller); this.getCookie(dataSource, controller); - this.getRecentDocuments(dataSource, controller); this.getHistory(dataSource, controller); } 
@@ -243,62 +242,6 @@ class ExtractIE extends Extract { services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); } - /** - * Find the documents that Windows stores about recent documents and make artifacts. - * @param dataSource - * @param controller - */ - private void getRecentDocuments(Content dataSource, IngestDataSourceWorkerController controller) { - - org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); - List recentFiles = null; - try { - recentFiles = fileManager.findFiles(dataSource, "%.lnk", "Recent"); - } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Error searching for .lnk files."); - this.addErrorMessage(this.getName() + ": Error getting lnk Files."); - return; - } - - if (recentFiles.isEmpty()) { - logger.log(Level.INFO, "Didn't find any IE recent files."); - return; - } - - dataFound = true; - for (AbstractFile recentFile : recentFiles) { - if (controller.isCancelled()) { - break; - } - - if (recentFile.getSize() == 0) { - continue; - } - JLNK lnk = null; - JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize()); - try { - lnk = lnkParser.parse(); - } catch (JLnkParserException e) { - //TODO should throw a specific checked exception - boolean unalloc = recentFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC) - || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC); - if (unalloc == false) { - logger.log(Level.SEVERE, "Error lnk parsing the file to get recent files" + recentFile, e); - this.addErrorMessage(this.getName() + ": Error parsing Recent File " + recentFile.getName()); - } - continue; - } - - Collection bbattributes = new ArrayList(); - String path = lnk.getBestPath(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path)); - bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(dataSource, path))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", recentFile.getCrtime())); - this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes); - } - services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); - } - /** * Locates index.dat files, runs Pasco on them, and creates artifacts. * @param dataSource diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index c5565bc3c8..87bc8c538f 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -158,6 +158,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource { final Extract registry = new ExtractRegistry(); final Extract iexplore = new ExtractIE(); + final Extract recentDocuments= new RecentDocuments(); final Extract chrome = new Chrome(); final Extract firefox = new Firefox(); final Extract SEUQA = new SearchEngineURLQueryAnalyzer(); @@ -165,6 +166,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource { modules.add(chrome); modules.add(firefox); modules.add(iexplore); + modules.add(recentDocuments); // this needs to run after the web browser modules modules.add(SEUQA); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocuments.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocuments.java new file mode 100644 index 0000000000..5cbd11f9d3 --- /dev/null +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocuments.java 
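Review bot: Style only, in RAImageIngestModule.java: the added declaration is missing the space before `=`; `final Extract recentDocuments = new RecentDocumentsByLnk();` matches the surrounding lines. In the second hunk, `modules.add(recentDocuments);` is inserted between `modules.add(iexplore);` and the comment `// this needs to run after the web browser modules`, which now reads as if it referred to the new module rather than to `SEUQA`; placing the new `add` before `iexplore`, or moving the comment directly above `modules.add(SEUQA);`, would keep the comment attached to the line it explains. Both hunks sit inside a method that starts before and continues after them.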
@@ -0,0 +1,153 @@ + /* + * + * Autopsy Forensic Browser + * + * Copyright 2012-2013 Basis Technology Corp. + * + * Copyright 2012 42six Solutions. + * Contact: aebadirad 42six com + * Project Contact/Architect: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.recentactivity; + +// imports +import org.sleuthkit.autopsy.coreutils.ExecUtil; +import java.util.ArrayList; +import java.util.List; +import java.util.logging.Level; +import org.sleuthkit.autopsy.coreutils.Logger; +import java.util.Collection; +import org.sleuthkit.autopsy.coreutils.JLNK; +import org.sleuthkit.autopsy.coreutils.JLnkParser; +import org.sleuthkit.autopsy.coreutils.JLnkParserException; +import org.sleuthkit.autopsy.ingest.IngestDataSourceWorkerController; +import org.sleuthkit.autopsy.ingest.IngestServices; +import org.sleuthkit.autopsy.ingest.ModuleDataEvent; +import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; +import org.sleuthkit.datamodel.Content; +import org.sleuthkit.autopsy.ingest.PipelineContext; +import org.sleuthkit.autopsy.ingest.IngestModuleDataSource; +import org.sleuthkit.autopsy.ingest.IngestModuleInit; +import org.sleuthkit.datamodel.*; + +/** + * Recent documents class that will extract recent documents in the form of + *.lnk files 
+ */ +class RecentDocuments extends Extract { + private static final Logger logger = Logger.getLogger(RecentDocuments.class.getName()); + private IngestServices services; + final private static String MODULE_VERSION = "1.0"; + private ExecUtil execPasco; + + /** + * Find the documents that Windows stores about recent documents and make artifacts. + * @param dataSource + * @param controller + */ + private void getRecentDocuments(Content dataSource, IngestDataSourceWorkerController controller) { + + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List recentFiles = null; + try { + recentFiles = fileManager.findFiles(dataSource, "%.lnk", "Recent"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error searching for .lnk files."); + this.addErrorMessage(this.getName() + ": Error getting lnk Files."); + return; + } + + if (recentFiles.isEmpty()) { + logger.log(Level.INFO, "Didn't find any recent files."); + return; + } + + dataFound = true; + for (AbstractFile recentFile : recentFiles) { + if (controller.isCancelled()) { + break; + } + + if (recentFile.getSize() == 0) { + continue; + } + JLNK lnk = null; + JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize()); + try { + lnk = lnkParser.parse(); + } catch (JLnkParserException e) { + //TODO should throw a specific checked exception + boolean unalloc = recentFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC) + || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC); + if (unalloc == false) { + logger.log(Level.SEVERE, "Error lnk parsing the file to get recent files" + recentFile, e); + this.addErrorMessage(this.getName() + ": Error parsing Recent File " + recentFile.getName()); + } + continue; + } + + Collection bbattributes = new ArrayList(); + String path = lnk.getBestPath(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), 
"RecentActivity", path)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(dataSource, path))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", recentFile.getCrtime())); + this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes); + } + services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); + } + + @Override + public String getVersion() { + return MODULE_VERSION; + } + + @Override + public void process(PipelineContextpipelineContext, Content dataSource, IngestDataSourceWorkerController controller) { + dataFound = false; + this.getRecentDocuments(dataSource, controller); + } + + @Override + public void init(IngestModuleInit initContext) { + services = IngestServices.getDefault(); + } + + @Override + public void complete() { + } + + @Override + public void stop() { + if (execPasco != null) { + execPasco.stop(); + execPasco = null; + } + //call regular cleanup from complete() method + complete(); + } + + @Override + public String getDescription() { + return "Extracts recent documents in windows."; + } + + @Override + public boolean hasBackgroundJobsRunning() { + return false; + } +} From c4698cc443598add86266baf0629bdf80d7193c2 Mon Sep 17 00:00:00 2001 From: "U-BASIS\\tshahi" Date: Mon, 3 Feb 2014 13:14:22 -0500 Subject: [PATCH 4/8] renamed class, removed execPasco stuff --- .../autopsy/recentactivity/RAImageIngestModule.java | 2 +- ...{RecentDocuments.java => RecentDocumentsByLnk.java} | 10 ++-------- 2 files changed, 3 insertions(+), 9 deletions(-) rename RecentActivity/src/org/sleuthkit/autopsy/recentactivity/{RecentDocuments.java => RecentDocumentsByLnk.java} (95%) 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java index 87bc8c538f..e403c78117 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestModule.java @@ -158,7 +158,7 @@ public final class RAImageIngestModule extends IngestModuleDataSource { final Extract registry = new ExtractRegistry(); final Extract iexplore = new ExtractIE(); - final Extract recentDocuments= new RecentDocuments(); + final Extract recentDocuments= new RecentDocumentsByLnk(); final Extract chrome = new Chrome(); final Extract firefox = new Firefox(); final Extract SEUQA = new SearchEngineURLQueryAnalyzer(); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocuments.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java similarity index 95% rename from RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocuments.java rename to RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java index 5cbd11f9d3..880427e832 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocuments.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RecentDocumentsByLnk.java @@ -23,7 +23,6 @@ package org.sleuthkit.autopsy.recentactivity; // imports -import org.sleuthkit.autopsy.coreutils.ExecUtil; import java.util.ArrayList; import java.util.List; import java.util.logging.Level; 
@@ -49,11 +48,10 @@ import org.sleuthkit.datamodel.*; * Recent documents class that will extract recent documents in the form of *.lnk files */ -class RecentDocuments extends Extract { - private static final Logger logger = Logger.getLogger(RecentDocuments.class.getName()); +class RecentDocumentsByLnk extends Extract { + private static final Logger logger = Logger.getLogger(RecentDocumentsByLnk.class.getName()); private IngestServices services; final private static String MODULE_VERSION = "1.0"; - private ExecUtil execPasco; /** * Find the documents that Windows stores about recent documents and make artifacts. @@ -133,10 +131,6 @@ class RecentDocuments extends Extract { @Override public void stop() { - if (execPasco != null) { - execPasco.stop(); - execPasco = null; - } //call regular cleanup from complete() method complete(); } From 5e9078cfa1ccd0bfb1265b83991201d49fc270cd Mon Sep 17 00:00:00 2001 From: alexjacks92 Date: Mon, 3 Feb 2014 16:32:24 -0500 Subject: [PATCH 5/8] Another mismatched title - a button this time. --- .../src/org/sleuthkit/autopsy/testing/RegressionTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java b/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java index aa318570ca..bcbf907848 100644 --- a/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java +++ b/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java 
@@ -192,7 +192,7 @@ public class RegressionTest extends TestCase { importButtonOperator.pushNoBlock(); JDialog addDatabaseDialog = JDialogOperator.waitJDialog("Import Hash Database", false, false); JDialogOperator addDatabaseDialogOperator = new JDialogOperator(addDatabaseDialog); - JButtonOperator browseButtonOperator = new JButtonOperator(addDatabaseDialogOperator, "Browse", 0); + JButtonOperator browseButtonOperator = new JButtonOperator(addDatabaseDialogOperator, "Add...", 0); browseButtonOperator.pushNoBlock(); JFileChooserOperator fileChooserOperator = new JFileChooserOperator(); fileChooserOperator.chooseFile(database); From 01761ebc092979f97a5f7a124b5491cc5a6ee836 Mon Sep 17 00:00:00 2001 From: alexjacks92 Date: Mon, 3 Feb 2014 16:44:39 -0500 Subject: [PATCH 6/8] Another button fix - mistyped the last fix. --- .../src/org/sleuthkit/autopsy/testing/RegressionTest.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java b/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java index bcbf907848..811398df45 100644 --- a/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java +++ b/Testing/test/qa-functional/src/org/sleuthkit/autopsy/testing/RegressionTest.java @@ -192,7 +192,7 @@ public class RegressionTest extends TestCase { importButtonOperator.pushNoBlock(); JDialog addDatabaseDialog = JDialogOperator.waitJDialog("Import Hash Database", false, false); JDialogOperator addDatabaseDialogOperator = new JDialogOperator(addDatabaseDialog); - JButtonOperator browseButtonOperator = new JButtonOperator(addDatabaseDialogOperator, "Add...", 0); + JButtonOperator browseButtonOperator = new JButtonOperator(addDatabaseDialogOperator, "Open...", 0); browseButtonOperator.pushNoBlock(); JFileChooserOperator fileChooserOperator = new JFileChooserOperator(); fileChooserOperator.chooseFile(database); 
From aacd44cc0a76ceddf0779caf9b93c7168ae476f5 Mon Sep 17 00:00:00 2001 From: "U-BASIS\\tshahi" Date: Thu, 6 Feb 2014 13:07:50 -0500 Subject: [PATCH 7/8] changed timezone of metadata to reflect global settings --- .../sleuthkit/autopsy/contentviewers/Metadata.java | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java b/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java index d927e5edb8..20de49affd 100755 --- a/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java +++ b/Core/src/org/sleuthkit/autopsy/contentviewers/Metadata.java @@ -23,6 +23,8 @@ import java.awt.Component; import org.openide.nodes.Node; import org.openide.util.lookup.ServiceProvider; import org.sleuthkit.autopsy.corecomponentinterfaces.DataContentViewer; +import org.sleuthkit.autopsy.datamodel.AbstractAbstractFileNode; +import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; @@ -136,11 +138,10 @@ public class Metadata extends javax.swing.JPanel implements DataContentViewer addRow(sb, "Size", new Long(file.getSize()).toString() ); addRow(sb, "File Name Allocation", file.getDirFlagAsString()); addRow(sb, "Metadata Allocation", file.getMetaFlagsAsString()); - - addRow(sb, "Modified", file.getMtimeAsDate()); - addRow(sb, "Accessed", file.getAtimeAsDate()); - addRow(sb, "Created", file.getCrtimeAsDate()); - addRow(sb, "Changed", file.getCtimeAsDate()); + addRow(sb, "Modified", ContentUtils.getStringTime(file.getMtime(), file)); + addRow(sb, "Accessed", ContentUtils.getStringTime(file.getAtime(), file)); + addRow(sb, "Created", ContentUtils.getStringTime(file.getCrtime(), file)); + addRow(sb, "Changed", ContentUtils.getStringTime(file.getCtime(), file)); String md5 = file.getMd5Hash(); if (md5 == null) { 
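Review bot: The import hunk in Metadata.java adds `AbstractAbstractFileNode`, but the only new reference in the second hunk is `ContentUtils.getStringTime(...)`; unless the rest of the file uses it, that import is unused and should be dropped. The four `addRow` calls now go through `ContentUtils.getStringTime(file.getMtime(), file)` and friends, which is consistent, but nothing in the hunk records why the `getXtimeAsDate()` accessors were abandoned; a comment such as `// render times via ContentUtils so the configured (not JVM default) time zone is used` above the `Modified` row would preserve the intent the commit message states. The enclosing method starts before and continues after the hunk.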
From 8d875bec20b6439a18a28a90899a59528ed3012e Mon Sep 17 00:00:00 2001 From: alexjacks92 Date: Fri, 7 Feb 2014 12:49:02 -0500 Subject: [PATCH 8/8] Added branch information to build failure emails for DataModel and Autopsy. --- test/script/srcupdater.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/test/script/srcupdater.py b/test/script/srcupdater.py index 168bc7da7c..2fb3a38a93 100755 --- a/test/script/srcupdater.py +++ b/test/script/srcupdater.py @@ -47,7 +47,7 @@ def compile(errore, attachli, parsedin, branch): antBuild("datamodel", False) print("DataModel") if(passed): - antBuild("autopsy", True) + antBuild("autopsy", True, branch) print("Aut") if(passed): redo = False @@ -131,7 +131,7 @@ def vsBuild(): redo = True #Builds Autopsy or the Datamodel -def antBuild(which, Build): +def antBuild(which, Build, branch): print("building: ", which) global redo global passed @@ -165,14 +165,14 @@ def antBuild(which, Build): open(chk) except IOError as e: if(not tryredo): - errorem += "DataModel Java build failed.\n" + errorem += "DataModel Java build failed. on branch " + branch + "\n" attachl.append(antpth) if email_enabled: Emailer.send_email(to, server, subj, errorem, attachl) passed = False tryredo = True elif (succd != 0 and (not tryredo)): - errorem += "Autopsy build failed.\n" + errorem += "Autopsy build failed on branch " + branch + ".\n" attachl.append(antpth) Emailer.send_email(to, server, subj, errorem, attachl) tryredo = True
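Review bot: `antBuild` now takes a mandatory third parameter `branch`, but the context line `antBuild("datamodel", False)` in the first hunk still passes two arguments, so the DataModel build will raise a `TypeError` before the Autopsy build is ever attempted. Either update that call to `antBuild("datamodel", False, branch)` or give the parameter a default, `def antBuild(which, Build, branch=None):`; with a default the `"... on branch " + branch` concatenations in the last hunk would also have to tolerate `None`, so updating the call is the simpler fix. Separately, the DataModel message reads `"DataModel Java build failed. on branch "` with a stray period before "on"; `errorem += "DataModel Java build failed on branch " + branch + ".\n"` matches the Autopsy message below it. Both `compile` and `antBuild` extend beyond their hunks.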