mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7671 from markmckinnon/add-sam-questions-answers-to-regripper

Browse Source 
Add sam questions answers to regripper
This commit is contained in:
eugene7646 2022-09-21 09:49:00 -04:00 committed by GitHub
commit ef8741e40b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 3327 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED
View File

@ -4,10 +4,6 @@ cannotParseXml=Unable to parse XML file:
ChromeCacheExtract_adding_artifacts_msg=Chrome Cache: Adding %d artifacts for analysis. ChromeCacheExtract_adding_artifacts_msg=Chrome Cache: Adding %d artifacts for analysis.
ChromeCacheExtract_adding_extracted_files_msg=Chrome Cache: Adding %d extracted files for analysis. ChromeCacheExtract_adding_extracted_files_msg=Chrome Cache: Adding %d extracted files for analysis.
ChromeCacheExtract_loading_files_msg=Chrome Cache: Loading files from %s. ChromeCacheExtract_loading_files_msg=Chrome Cache: Loading files from %s.
# {0} - module name
# {1} - row number
# {2} - table length
# {3} - cache path
ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3} ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3}
DataSourceUsage_AndroidMedia=Android Media Card DataSourceUsage_AndroidMedia=Android Media Card
DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card
@ -167,21 +163,15 @@ Firefox.getDlV24.errMsg.errAnalyzeFile={0}: Error while trying to analyze file:{
Firefox.getDlV24.errMsg.errParsingArtifacts={0}: Error parsing {1} Firefox web download artifacts. Firefox.getDlV24.errMsg.errParsingArtifacts={0}: Error parsing {1} Firefox web download artifacts.
Progress_Message_Analyze_Registry=Analyzing Registry Files Progress_Message_Analyze_Registry=Analyzing Registry Files
Progress_Message_Analyze_Usage=Data Sources Usage Analysis Progress_Message_Analyze_Usage=Data Sources Usage Analysis
# {0} - browserName
Progress_Message_Chrome_AutoFill=Chrome Auto Fill Browser {0} Progress_Message_Chrome_AutoFill=Chrome Auto Fill Browser {0}
# {0} - browserName
Progress_Message_Chrome_Bookmarks=Chrome Bookmarks Browser {0} Progress_Message_Chrome_Bookmarks=Chrome Bookmarks Browser {0}
Progress_Message_Chrome_Cache=Chrome Cache Progress_Message_Chrome_Cache=Chrome Cache
# {0} - browserName
Progress_Message_Chrome_Cookies=Chrome Cookies Browser {0} Progress_Message_Chrome_Cookies=Chrome Cookies Browser {0}
# {0} - browserName
Progress_Message_Chrome_Downloads=Chrome Downloads Browser {0} Progress_Message_Chrome_Downloads=Chrome Downloads Browser {0}
Progress_Message_Chrome_Extensions=Chrome Extensions {0} Progress_Message_Chrome_Extensions=Chrome Extensions {0}
Progress_Message_Chrome_Favicons=Chrome Downloads Favicons {0} Progress_Message_Chrome_Favicons=Chrome Downloads Favicons {0}
Progress_Message_Chrome_FormHistory=Chrome Form History Progress_Message_Chrome_FormHistory=Chrome Form History
# {0} - browserName
Progress_Message_Chrome_History=Chrome History Browser {0} Progress_Message_Chrome_History=Chrome History Browser {0}
# {0} - browserName
Progress_Message_Chrome_Logins=Chrome Logins Browser {0} Progress_Message_Chrome_Logins=Chrome Logins Browser {0}
Progress_Message_Chrome_Profiles=Chrome Profiles {0} Progress_Message_Chrome_Profiles=Chrome Profiles {0}
Progress_Message_Edge_Bookmarks=Microsoft Edge Bookmarks Progress_Message_Edge_Bookmarks=Microsoft Edge Bookmarks
@ -238,6 +228,12 @@ Recently_Used_Artifacts_Winrar=Recently opened according to WinRAR MRU
Registry_System_Bam=Recently Executed according to Background Activity Moderator (BAM) Registry_System_Bam=Recently Executed according to Background Activity Moderator (BAM)
RegRipperFullNotFound=Full version RegRipper executable not found. RegRipperFullNotFound=Full version RegRipper executable not found.
RegRipperNotFound=Autopsy RegRipper executable not found. RegRipperNotFound=Autopsy RegRipper executable not found.
Sam_Security_Answer_1_Attribute_Display_Name=Security Answer 1
Sam_Security_Answer_2_Attribute_Display_Name=Security Answer 2
Sam_Security_Answer_3_Attribute_Display_Name=Security Answer 3
Sam_Security_Question_1_Attribute_Display_Name=Security Question 1
Sam_Security_Question_2_Attribute_Display_Name=Security Question 2
Sam_Security_Question_3_Attribute_Display_Name=Security Question 3
SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}. SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}.
SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine Query Analyzer SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine Query Analyzer
SearchEngineURLQueryAnalyzer.engineName.none=NONE SearchEngineURLQueryAnalyzer.engineName.none=NONE

112
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -120,6 +120,12 @@ import org.sleuthkit.datamodel.TskDataException;
"Shellbag_Artifact_Display_Name=Shell Bags", "Shellbag_Artifact_Display_Name=Shell Bags",
"Shellbag_Key_Attribute_Display_Name=Key", "Shellbag_Key_Attribute_Display_Name=Key",
"Shellbag_Last_Write_Attribute_Display_Name=Last Write", "Shellbag_Last_Write_Attribute_Display_Name=Last Write",
"Sam_Security_Question_1_Attribute_Display_Name=Security Question 1",
"Sam_Security_Answer_1_Attribute_Display_Name=Security Answer 1",
"Sam_Security_Question_2_Attribute_Display_Name=Security Question 2",
"Sam_Security_Answer_2_Attribute_Display_Name=Security Answer 2",
"Sam_Security_Question_3_Attribute_Display_Name=Security Question 3",
"Sam_Security_Answer_3_Attribute_Display_Name=Security Answer 3",
"Recently_Used_Artifacts_Office_Trustrecords=Stored in TrustRecords because Office security exception was granted", "Recently_Used_Artifacts_Office_Trustrecords=Stored in TrustRecords because Office security exception was granted",
"Recently_Used_Artifacts_ArcHistory=Recently opened by 7Zip", "Recently_Used_Artifacts_ArcHistory=Recently opened by 7Zip",
"Recently_Used_Artifacts_Applets=Recently opened according to Applets registry key", "Recently_Used_Artifacts_Applets=Recently opened according to Applets registry key",
@ -157,6 +163,12 @@ class ExtractRegistry extends Extract {
private static final String SERVER_TRUST_ACCOUNT = "Server trust account"; private static final String SERVER_TRUST_ACCOUNT = "Server trust account";
private static final String ACCOUNT_AUTO_LOCKED = "Account auto locked"; private static final String ACCOUNT_AUTO_LOCKED = "Account auto locked";
private static final String PASSWORD_HINT = "Password Hint"; private static final String PASSWORD_HINT = "Password Hint";
private static final String SECURITY_QUESTION_1 = "Question 1";
private static final String SECURITY_ANSWER_1 = "Answer 1";
private static final String SECURITY_QUESTION_2 = "Question 2";
private static final String SECURITY_ANSWER_2 = "Answer 2";
private static final String SECURITY_QUESTION_3 = "Question 3";
private static final String SECURITY_ANSWER_3 = "Answer 3";
private static final String[] PASSWORD_SETTINGS_FLAGS = {PWD_DOES_NOT_EXPIRE_KEY, PWD_NOT_REQUIRED_KEY}; private static final String[] PASSWORD_SETTINGS_FLAGS = {PWD_DOES_NOT_EXPIRE_KEY, PWD_NOT_REQUIRED_KEY};
private static final String[] ACCOUNT_SETTINGS_FLAGS = {ACCOUNT_AUTO_LOCKED, HOME_DIRECTORY_REQUIRED_KEY, ACCOUNT_DISABLED_KEY}; private static final String[] ACCOUNT_SETTINGS_FLAGS = {ACCOUNT_AUTO_LOCKED, HOME_DIRECTORY_REQUIRED_KEY, ACCOUNT_DISABLED_KEY};
@ -185,6 +197,13 @@ class ExtractRegistry extends Extract {
private static final String SHELLBAG_ARTIFACT_NAME = "RA_SHELL_BAG"; //NON-NLS private static final String SHELLBAG_ARTIFACT_NAME = "RA_SHELL_BAG"; //NON-NLS
private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE = "RA_SHELL_BAG_LAST_WRITE"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE = "RA_SHELL_BAG_LAST_WRITE"; //NON-NLS
private static final String SHELLBAG_ATTRIBUTE_KEY = "RA_SHELL_BAG_KEY"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_KEY = "RA_SHELL_BAG_KEY"; //NON-NLS
private static final String SAM_SECURITY_QUESTION_1 = "RA_SAM_QUESTION_1"; //NON-NLS;
private static final String SAM_SECURITY_ANSWER_1 = "RA_SAM_ANSWER_1"; //NON-NLS;
private static final String SAM_SECURITY_QUESTION_2 = "RA_SAM_QUESTION_2"; //NON-NLS;
private static final String SAM_SECURITY_ANSWER_2 = "RA_SAM_ANSWER_2"; //NON-NLS;
private static final String SAM_SECURITY_QUESTION_3 = "RA_SAM_QUESTION_3"; //NON-NLS;
private static final String SAM_SECURITY_ANSWER_3 = "RA_SAM_ANSWER_3"; //NON-NLS;
private static final SimpleDateFormat REG_RIPPER_TIME_FORMAT = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US); private static final SimpleDateFormat REG_RIPPER_TIME_FORMAT = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US);
@ -2170,6 +2189,84 @@ class ExtractRegistry extends Extract {
} }
} }
value = userInfo.get(SECURITY_QUESTION_1);
if (value != null && !value.isEmpty()) {
BlackboardAttribute.Type securityQuestionAttributeType = null;
try {
securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_1,
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
Bundle.Sam_Security_Question_1_Attribute_Display_Name());
} catch (BlackboardException ex) {
throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_QUESTION_1), ex);
}
attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
}
value = userInfo.get(SECURITY_ANSWER_1);
if (value != null && !value.isEmpty()) {
BlackboardAttribute.Type securityAnswerAttributeType = null;
try {
securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_1,
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
Bundle.Sam_Security_Answer_1_Attribute_Display_Name());
} catch (BlackboardException ex) {
throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_ANSWER_1), ex);
}
attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
}
value = userInfo.get(SECURITY_QUESTION_2);
if (value != null && !value.isEmpty()) {
BlackboardAttribute.Type securityQuestionAttributeType = null;
try {
securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_2,
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
Bundle.Sam_Security_Question_2_Attribute_Display_Name());
} catch (BlackboardException ex) {
throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_QUESTION_2), ex);
}
attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
}
value = userInfo.get(SECURITY_ANSWER_2);
if (value != null && !value.isEmpty()) {
BlackboardAttribute.Type securityAnswerAttributeType = null;
try {
securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_2,
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
Bundle.Sam_Security_Answer_2_Attribute_Display_Name());
} catch (BlackboardException ex) {
throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_ANSWER_2), ex);
}
attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
}
value = userInfo.get(SECURITY_QUESTION_3);
if (value != null && !value.isEmpty()) {
BlackboardAttribute.Type securityQuestionAttributeType = null;
try {
securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_3,
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
Bundle.Sam_Security_Question_2_Attribute_Display_Name());
} catch (BlackboardException ex) {
throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_QUESTION_3), ex);
}
attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
}
value = userInfo.get(SECURITY_ANSWER_3);
if (value != null && !value.isEmpty()) {
BlackboardAttribute.Type securityAnswerAttributeType = null;
try {
securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_3,
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
Bundle.Sam_Security_Answer_3_Attribute_Display_Name());
} catch (BlackboardException ex) {
throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_ANSWER_3), ex);
}
attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
}
value = userInfo.get(PASSWORD_HINT); value = userInfo.get(PASSWORD_HINT);
if (value != null && !value.isEmpty()) { if (value != null && !value.isEmpty()) {
attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_PASSWORD_HINT, attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_PASSWORD_HINT,
@ -2249,6 +2346,21 @@ class ExtractRegistry extends Extract {
return ""; return "";
} }
/**
* Helper for constructing a new OsAccountAttribute
*
* @param type Attribute type
* @param value The value to store
* @param osAccount The OsAccount this attribute belongs to
* @param host The Host related to the OsAccount
* @param file The source where the attribute was found.
*
* @return Newly created OsACcountAttribute
*/
private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.Type type, String value, OsAccount osAccount, Host host, AbstractFile file) {
return osAccount.new OsAccountAttribute(type, value, osAccount, host, file);
}
/** /**
* Helper for constructing a new OsAccountAttribute * Helper for constructing a new OsAccountAttribute
* *

3147
thirdparty/rr-full/JSON/PP.pm vendored Normal file
View File

File diff suppressed because it is too large Load Diff

42
thirdparty/rr-full/JSON/PP/Boolean.pm vendored Normal file
View File

@ -0,0 +1,42 @@
package JSON::PP::Boolean;
use strict;
require overload;
local $^W;
overload::import('overload',
"0+" => sub { ${$_[0]} },
"++" => sub { $_[0] = ${$_[0]} + 1 },
"--" => sub { $_[0] = ${$_[0]} - 1 },
fallback => 1,
);
$JSON::PP::Boolean::VERSION = '4.05';
1;
__END__
=head1 NAME
JSON::PP::Boolean - dummy module providing JSON::PP::Boolean
=head1 SYNOPSIS
# do not "use" yourself
=head1 DESCRIPTION
This module exists only to provide overload resolution for Storable and similar modules. See
L<JSON::PP> for more info about this class.
=head1 AUTHOR
This idea is from L<JSON::XS::Boolean> written by Marc Lehmann <schmorp[at]schmorp.de>
=head1 LICENSE
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself.
=cut

18
thirdparty/rr-full/plugins/samparse.pl vendored
View File

@ -24,6 +24,7 @@
package samparse; package samparse;
use strict; use strict;
use Encode::Unicode; use Encode::Unicode;
use JSON::PP;
my %config = (hive => "SAM", my %config = (hive => "SAM",
hivemask => 2, hivemask => 2,
@ -131,6 +132,23 @@ sub pluginmain {
my $f = $f_value->get_data(); my $f = $f_value->get_data();
my %f_val = parseF($f); my %f_val = parseF($f);
eval {
my $reset_data_value = $u->get_value("ResetData");
my $reset_data = $reset_data_value->get_data();
my $reset_data_hash = decode_json($reset_data);
my $reset_data_question_1 = $reset_data_hash->{'questions'}[0];
my $reset_data_question_2 = $reset_data_hash->{'questions'}[1];
my $reset_data_question_3 = $reset_data_hash->{'questions'}[2];
my $question_1 = $reset_data_question_1->{'question'};
::rptMsg("Security Questions:");
::rptMsg(" Question 1 : ".$question_1);
::rptMsg(" Answer 1 : ".$reset_data_question_1->{'answer'});
::rptMsg(" Question 2 : ".$reset_data_question_2->{'question'});
::rptMsg(" Answer 2 : ".$reset_data_question_2->{'answer'});
::rptMsg(" Question 3 : ".$reset_data_question_3->{'question'});
::rptMsg(" Answer 3 : ".$reset_data_question_3->{'answer'});
};
my $lastlogin; my $lastlogin;
my $pwdreset; my $pwdreset;
my $pwdfail; my $pwdfail;