Revert "Revised plugin parsing"

This reverts commit 8869e18d781eeaac5a1d000d1a9e9de9a424a2ad.
Mark McKinnon 2018-03-06 05:17:33 -08:00
parent 8869e18d78
commit ed9027c65e


@ -277,43 +277,90 @@ class VolatilityProcessor implements Runnable{
} }
private void scanOutputFile(String pluginName, File PluginOutput) { private void scanOutputFile(String pluginName, File PluginOutput) {
Map<String, Map> fileName = new HashMap<String, Map>();
Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard();
try { try {
if (pluginName.matches("dlllist")) { if (pluginName.matches("dlllist")) {
Set<String> fileSet = parse_DllList(PluginOutput); Set<String> fileSet = parse_DllList(PluginOutput);
lookupFiles(fileSet, pluginName); lookupFiles(fileSet, pluginName);
return;
} else if (pluginName.matches("handles")) { } else if (pluginName.matches("handles")) {
Set<String> fileSet = Parse_Handles(PluginOutput); fileName = Parse_Handles(PluginOutput);
lookupFiles(fileSet, pluginName);
} else if (pluginName.matches("cmdline")) { } else if (pluginName.matches("cmdline")) {
Set<String> fileSet = parse_Cmdline(PluginOutput); Set<String> fileSet = parse_Cmdline(PluginOutput);
lookupFiles(fileSet, pluginName); lookupFiles(fileSet, pluginName);
return;
} else if (pluginName.matches("psxview")){ } else if (pluginName.matches("psxview")){
Set<String> fileSet = Parse_Psxview(PluginOutput); fileName = Parse_Psxview(PluginOutput);
lookupFiles(fileSet, pluginName);
} else if (pluginName.matches("pslist")) { } else if (pluginName.matches("pslist")) {
Set<String> fileSet = Parse_Pslist(PluginOutput); fileName = Parse_Pslist(PluginOutput);
lookupFiles(fileSet, pluginName);
} else if (pluginName.matches("psscan")) { } else if (pluginName.matches("psscan")) {
Set<String> fileSet = Parse_Psscan(PluginOutput); fileName = Parse_Psscan(PluginOutput);
lookupFiles(fileSet, pluginName);
} else if (pluginName.matches("pstree")) { } else if (pluginName.matches("pstree")) {
Set<String> fileSet = Parse_Pstree(PluginOutput); fileName = Parse_Pstree(PluginOutput);
lookupFiles(fileSet, pluginName);
} else if (pluginName.matches("svcscan")) { } else if (pluginName.matches("svcscan")) {
Set<String> fileSet = Parse_Svcscan(PluginOutput); fileName = Parse_Svcscan(PluginOutput);
lookupFiles(fileSet, pluginName);
} else if (pluginName.matches("filescan")) { } else if (pluginName.matches("filescan")) {
Set<String> fileSet = Parse_Filescan(PluginOutput); fileName = Parse_Filescan(PluginOutput);
lookupFiles(fileSet, pluginName);
} else { } else {
Set<String> fileSet = Parse_Shimcache(PluginOutput); fileName = Parse_Shimcache(PluginOutput);
lookupFiles(fileSet, pluginName);
} }
} catch (Exception ex) { } catch (Exception ex) {
logger.log(Level.SEVERE, "Unable to parse files " + PluginOutput, ex); //NON-NLS logger.log(Level.SEVERE, "Unable to parse files " + PluginOutput, ex); //NON-NLS
//this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName())); //this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
} }
try {
if (isCancelled)
return;
List<AbstractFile> volFiles = new ArrayList<>();
String filename;
String path;
Map<String, String> fileMap = new HashMap<>();
fileMap = dedupeFileList(fileName);
Set<String> keySet = fileMap.keySet();
Iterator<String> keySetIterator = keySet.iterator();
while (keySetIterator.hasNext()) {
path = keySetIterator.next();
filename = fileMap.get(path);
try {
volFiles = fileManager.findFiles(filename.trim(), path); //NON-NLS
} catch (TskCoreException ex) {
//String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
logger.log(Level.SEVERE, "Error in Finding FIles", ex);
return;
}
volFiles.forEach((volFile) -> {
try {
String MODULE_NAME = "VOLATILITY";
BlackboardArtifact volArtifact = volFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
BlackboardAttribute att1 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
"Volatility Plugin " + pluginName);
BlackboardAttribute att2 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
"Volatility Plugin " + pluginName);
volArtifact.addAttribute(att1);
volArtifact.addAttribute(att2);
try {
// index the artifact for keyword search
blackboard.indexArtifact(volArtifact);
} catch (Blackboard.BlackboardException ex) {
logger.log(Level.SEVERE, "Unable to index blackboard artifact " + volArtifact.getArtifactID(), ex); //NON-NLS
}
// fire event to notify UI of this new artifact
services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT));
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to create BlackboardArtifact.", ex); // NON-NLS
} catch (IllegalStateException ex) {
logger.log(Level.SEVERE, "Failed to create BlackboardAttribute.", ex); // NON-NLS
}
});
}
} catch (Exception ex) {
logger.log(Level.SEVERE, "Error in processing List of FIles", ex); //NON-NLS
}
} }
private String normalizePath(String filePath) { private String normalizePath(String filePath) {
@ -333,33 +380,45 @@ class VolatilityProcessor implements Runnable{
return filePath; return filePath;
} }
private Set<String> Parse_Handles(File PluginFile) { private Map<String, Map> Parse_Handles(File PluginFile) {
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
Map<String, Map> fileMap = new HashMap<>();
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
String TAG = " File "; Map<String, String> fileNameMap = new HashMap<>();
String file_path = null; if (line.length() > 65) {
if (line.contains(TAG)) { line_type = line.substring(64,68);
file_path = line.substring(82); // @@@ Should this restrict to line starting with File?
file_path = file_path.replaceAll("Device\\\\",""); if (line_type.matches("File")) {
file_path = file_path.replaceAll("HarddiskVolume[0-9]\\\\", ""); counter = counter + 1;
if (file_path.contains("\"")) { String file_path = line.substring(82);
file_path = file_path.substring(0, file_path.indexOf("\"")); file_path = file_path.replaceAll("Device\\\\","");
file_path = file_path.replaceAll("HarddiskVolume[0-9]\\\\", "");
File volfile = new File(file_path);
String fileName = volfile.getName();
String filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
}
fileNameMap.put(filePath, fileName);
fileMap.put(file_path, fileNameMap);
} }
else {
// ERROR
}
fileSet.add(file_path.toLowerCase());
} }
} }
br.close(); br.close();
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Set<String> parse_DllList(File PluginFile) { private Set<String> parse_DllList(File PluginFile) {
@ -412,19 +471,36 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Filescan(File PluginFile) { private Map<String, Map> Parse_Filescan(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
try { try {
String file_path; Map<String, String> fileNameMap = new HashMap<>();
counter = counter + 1;
file_path = line.substring(41); file_path = line.substring(41);
file_path = file_path.replaceAll("Device\\\\",""); file_path = file_path.replaceAll("Device\\\\","");
file_path = file_path.replaceAll("HarddiskVolume[0-9]\\\\", ""); file_path = file_path.replaceAll("HarddiskVolume[0-9]\\\\", "");
fileSet.add(file_path.toLowerCase()); File volfile = new File(file_path);
fileName = volfile.getName();
filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
}
fileNameMap.put(filePath, fileName);
fileMap.put(file_path, fileNameMap);
} catch (StringIndexOutOfBoundsException ex) { } catch (StringIndexOutOfBoundsException ex) {
// TO DO Catch exception // TO DO Catch exception
} }
@ -433,11 +509,12 @@ class VolatilityProcessor implements Runnable{
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Set<String> parse_Cmdline(File PluginFile) { private Set<String> parse_Cmdline(File PluginFile) {
Set<String> fileSet = new HashSet<>(); Set<String> fileSet = new HashSet<>();
int counter = 0;
// read the first line from the text file // read the first line from the text file
try (BufferedReader br = new BufferedReader(new FileReader(PluginFile))) { try (BufferedReader br = new BufferedReader(new FileReader(PluginFile))) {
String line; String line;
@ -445,6 +522,7 @@ class VolatilityProcessor implements Runnable{
if (line.length() > 16) { if (line.length() > 16) {
String TAG = "Command line : "; String TAG = "Command line : ";
if (line.startsWith(TAG)) { if (line.startsWith(TAG)) {
counter = counter + 1;
String file_path; String file_path;
// Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe" // Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
@ -477,142 +555,226 @@ class VolatilityProcessor implements Runnable{
return fileSet; return fileSet;
} }
private Set<String> Parse_Shimcache(File PluginFile) { private Map<String, Map> Parse_Shimcache(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
String file_path; Map<String, String> fileNameMap = new HashMap<>();
if (line.length() > 36) { if (line.length() > 36) {
counter = counter + 1;
file_path = line.substring(38); file_path = line.substring(38);
if (file_path.contains("\"")) { File volfile = new File(file_path);
file_path = file_path.substring(0, file_path.indexOf("\"")); fileName = volfile.getName();
filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
} }
else { fileNameMap.put(filePath, fileName);
// ERROR fileMap.put(file_path, fileNameMap);
} }
fileSet.add(file_path.toLowerCase());
}
} }
br.close(); br.close();
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Set<String> Parse_Psscan(File PluginFile) { private Map<String, Map> Parse_Psscan(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
String file_path; Map<String, String> fileNameMap = new HashMap<>();
counter = counter + 1;
file_path = line.substring(19, 37); file_path = line.substring(19, 37);
fileSet.add(file_path.toLowerCase()); File volfile = new File(file_path);
fileName = volfile.getName();
filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
}
fileNameMap.put(filePath, fileName);
fileMap.put(file_path, fileNameMap);
} }
br.close(); br.close();
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Set<String> Parse_Pslist(File PluginFile) { private Map<String, Map> Parse_Pslist(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
String file_path; Map<String, String> fileNameMap = new HashMap<>();
counter = counter + 1;
file_path = line.substring(19, 41); file_path = line.substring(19, 41);
fileSet.add(file_path.toLowerCase()); File volfile = new File(file_path);
fileName = volfile.getName();
filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
}
fileNameMap.put(filePath, fileName);
fileMap.put(file_path, fileNameMap);
} }
br.close(); br.close();
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Set<String> Parse_Psxview(File PluginFile) { private Map<String, Map> Parse_Psxview(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
String file_path; Map<String, String> fileNameMap = new HashMap<>();
counter = counter + 1;
file_path = line.substring(19, 41); file_path = line.substring(19, 41);
fileSet.add(file_path.toLowerCase()); File volfile = new File(file_path);
fileName = volfile.getName();
filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
}
fileNameMap.put(filePath, fileName);
fileMap.put(file_path, fileNameMap);
} }
br.close(); br.close();
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Set<String> Parse_Pstree(File PluginFile) { private Map<String, Map> Parse_Pstree(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
String file_path; Map<String, String> fileNameMap = new HashMap<>();
String TAG = ":"; counter = counter + 1;
if (line.contains(TAG)) { if (line.contains(":")) {
file_path = line.substring(line.indexOf(":") + 1, 52); file_path = line.substring(line.indexOf(":") + 1, 52);
fileSet.add(file_path.toLowerCase()); File volfile = new File(file_path);
fileName = volfile.getName();
filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
}
fileNameMap.put(filePath, fileName);
fileMap.put(file_path, fileNameMap);
} }
} }
br.close(); br.close();
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Set<String> Parse_Svcscan(File PluginFile) { private Map<String, Map> Parse_Svcscan(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
Set<String> fileSet = new HashSet<>(); String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
String file_path; Map<String, String> fileNameMap = new HashMap<>();
String TAG = "Binary Path: "; if (line.startsWith("Binary Path: ")) {
if (line.startsWith(TAG)) { counter = counter + 1;
file_path = line.substring(13); file_path = line.substring(13);
if (line.charAt(TAG.length()) == '\"') { File volfile = new File(file_path);
file_path = line.substring(TAG.length()+1); fileName = volfile.getName();
if (file_path.contains("\"")) { if ((fileName.lastIndexOf(".") + 3) < fileName.length()) {
file_path = file_path.substring(0, file_path.indexOf("\"")); fileName = fileName.substring(0, fileName.lastIndexOf(".")+4);
}
else {
// ERROR
}
} }
// Command line : C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted filePath = volfile.getParent();
else { if (filePath != null && !filePath.isEmpty()) {
file_path = line.substring(TAG.length()); if (filePath.contains(":")) {
if (file_path.contains(" ")) { filePath = filePath.substring(filePath.indexOf(":")+1);
file_path = file_path.substring(0, file_path.indexOf(" "));
} }
filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%";
} else {
filePath = "%";
} }
fileSet.add(file_path.toLowerCase()); fileNameMap.put(filePath, fileName);
} fileMap.put(file_path, fileNameMap);
}
} }
br.close(); br.close();
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileSet; return fileMap;
} }
private Map<String, String> dedupeFileList(Map<String, Map> fileList) { private Map<String, String> dedupeFileList(Map<String, Map> fileList) {
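Review bot: In Parse_Handles on the restored side, the guard `if (line.length() > 65)` does not cover the slices that follow it: `line.substring(64,68)` needs at least 68 characters and `line.substring(82)` at least 82, so a handles line of 66–81 characters throws StringIndexOutOfBoundsException, which the method's `catch (IOException ex)` does not handle. The exception escapes to scanOutputFile's `catch (Exception ex)` and the partially built fileMap is discarded, so a single short or crafted line in the memory-image output suppresses every file hit for that plugin — Parse_Filescan already guards per line with `catch (StringIndexOutOfBoundsException ex)`, while the other Parse_* methods here have the same gap with unguarded `substring(19, 41)` calls. I would change the guard to `if (line.length() > 82) {` and wrap the per-line body the way Parse_Filescan does, so a bad line is skipped instead of aborting the whole parse. Separately, `filePath` is wrapped in `%` and `fileName` is taken verbatim from the dump before scanOutputFile hands them to fileManager.findFiles; if that lookup builds a LIKE clause from these strings (not visible here), `%`, `_` and `'` embedded in the dump would be interpreted rather than matched, so escaping them is worth confirming. The BufferedReader is also left open on any exception because only the success path reaches `br.close()`; try-with-resources as used in parse_Cmdline would fix that.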