Merge pull request #7671 from markmckinnon/add-sam-questions-answers-to-regripper

Add sam questions answers to regripper

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Bundle.properties-MERGED

@@ -4,10 +4,6 @@ cannotParseXml=Unable to parse XML file:
 ChromeCacheExtract_adding_artifacts_msg=Chrome Cache: Adding %d artifacts for analysis.
 ChromeCacheExtract_adding_extracted_files_msg=Chrome Cache: Adding %d extracted files for analysis.
 ChromeCacheExtract_loading_files_msg=Chrome Cache: Loading files from %s.
-# {0} - module name
-# {1} - row number
-# {2} - table length
-# {3} - cache path
 ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3}
 DataSourceUsage_AndroidMedia=Android Media Card
 DataSourceUsage_DJU_Drone_DAT=DJI Internal SD Card
@@ -167,21 +163,15 @@ Firefox.getDlV24.errMsg.errAnalyzeFile={0}: Error while trying to analyze file:{
 Firefox.getDlV24.errMsg.errParsingArtifacts={0}: Error parsing {1} Firefox web download artifacts.
 Progress_Message_Analyze_Registry=Analyzing Registry Files
 Progress_Message_Analyze_Usage=Data Sources Usage Analysis
-# {0} - browserName
 Progress_Message_Chrome_AutoFill=Chrome Auto Fill Browser {0}
-# {0} - browserName
 Progress_Message_Chrome_Bookmarks=Chrome Bookmarks Browser {0}
 Progress_Message_Chrome_Cache=Chrome Cache
-# {0} - browserName
 Progress_Message_Chrome_Cookies=Chrome Cookies Browser {0}
-# {0} - browserName
 Progress_Message_Chrome_Downloads=Chrome Downloads Browser {0}
 Progress_Message_Chrome_Extensions=Chrome Extensions {0}
 Progress_Message_Chrome_Favicons=Chrome Downloads Favicons {0}
 Progress_Message_Chrome_FormHistory=Chrome Form History
-# {0} - browserName
 Progress_Message_Chrome_History=Chrome History Browser {0}
-# {0} - browserName
 Progress_Message_Chrome_Logins=Chrome Logins Browser {0}
 Progress_Message_Chrome_Profiles=Chrome Profiles {0}
 Progress_Message_Edge_Bookmarks=Microsoft Edge Bookmarks
@@ -238,6 +228,12 @@ Recently_Used_Artifacts_Winrar=Recently opened according to WinRAR MRU
 Registry_System_Bam=Recently Executed according to Background Activity Moderator (BAM)
 RegRipperFullNotFound=Full version RegRipper executable not found.
 RegRipperNotFound=Autopsy RegRipper executable not found.
+Sam_Security_Answer_1_Attribute_Display_Name=Security Answer 1
+Sam_Security_Answer_2_Attribute_Display_Name=Security Answer 2
+Sam_Security_Answer_3_Attribute_Display_Name=Security Answer 3
+Sam_Security_Question_1_Attribute_Display_Name=Security Question 1
+Sam_Security_Question_2_Attribute_Display_Name=Security Question 2
+Sam_Security_Question_3_Attribute_Display_Name=Security Question 3
 SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}.
 SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine Query Analyzer
 SearchEngineURLQueryAnalyzer.engineName.none=NONE

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java

@@ -120,6 +120,12 @@ import org.sleuthkit.datamodel.TskDataException;
     "Shellbag_Artifact_Display_Name=Shell Bags",
     "Shellbag_Key_Attribute_Display_Name=Key",
     "Shellbag_Last_Write_Attribute_Display_Name=Last Write",
+    "Sam_Security_Question_1_Attribute_Display_Name=Security Question 1",
+    "Sam_Security_Answer_1_Attribute_Display_Name=Security Answer 1",
+    "Sam_Security_Question_2_Attribute_Display_Name=Security Question 2",
+    "Sam_Security_Answer_2_Attribute_Display_Name=Security Answer 2",
+    "Sam_Security_Question_3_Attribute_Display_Name=Security Question 3",
+    "Sam_Security_Answer_3_Attribute_Display_Name=Security Answer 3",
     "Recently_Used_Artifacts_Office_Trustrecords=Stored in TrustRecords because Office security exception was granted",
     "Recently_Used_Artifacts_ArcHistory=Recently opened by 7Zip",
     "Recently_Used_Artifacts_Applets=Recently opened according to Applets registry key",
@@ -157,7 +163,13 @@ class ExtractRegistry extends Extract {
     private static final String SERVER_TRUST_ACCOUNT = "Server trust account";
     private static final String ACCOUNT_AUTO_LOCKED = "Account auto locked";
     private static final String PASSWORD_HINT = "Password Hint";
-
+    private static final String SECURITY_QUESTION_1 = "Question 1";
+    private static final String SECURITY_ANSWER_1 = "Answer 1";
+    private static final String SECURITY_QUESTION_2 = "Question 2";
+    private static final String SECURITY_ANSWER_2 = "Answer 2";
+    private static final String SECURITY_QUESTION_3 = "Question 3";
+    private static final String SECURITY_ANSWER_3 = "Answer 3";
+    
     private static final String[] PASSWORD_SETTINGS_FLAGS = {PWD_DOES_NOT_EXPIRE_KEY, PWD_NOT_REQUIRED_KEY};
     private static final String[] ACCOUNT_SETTINGS_FLAGS = {ACCOUNT_AUTO_LOCKED, HOME_DIRECTORY_REQUIRED_KEY, ACCOUNT_DISABLED_KEY};
     private static final String[] ACCOUNT_TYPE_FLAGS = {NORMAL_ACCOUNT_KEY, SERVER_TRUST_ACCOUNT, WORKSTATION_TRUST_ACCOUNT, INTERDOMAIN_TRUST_ACCOUNT_KEY, MNS_LOGON_ACCOUNT_KEY, TEMPORARY_DUPLICATE_ACCOUNT};
@@ -185,6 +197,13 @@ class ExtractRegistry extends Extract {
     private static final String SHELLBAG_ARTIFACT_NAME = "RA_SHELL_BAG"; //NON-NLS
     private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE = "RA_SHELL_BAG_LAST_WRITE"; //NON-NLS
     private static final String SHELLBAG_ATTRIBUTE_KEY = "RA_SHELL_BAG_KEY"; //NON-NLS
+    private static final String SAM_SECURITY_QUESTION_1 = "RA_SAM_QUESTION_1"; //NON-NLS;
+    private static final String SAM_SECURITY_ANSWER_1 = "RA_SAM_ANSWER_1"; //NON-NLS;
+    private static final String SAM_SECURITY_QUESTION_2 = "RA_SAM_QUESTION_2"; //NON-NLS;
+    private static final String SAM_SECURITY_ANSWER_2 = "RA_SAM_ANSWER_2"; //NON-NLS;
+    private static final String SAM_SECURITY_QUESTION_3 = "RA_SAM_QUESTION_3"; //NON-NLS;
+    private static final String SAM_SECURITY_ANSWER_3 = "RA_SAM_ANSWER_3"; //NON-NLS;
+    
 
     private static final SimpleDateFormat REG_RIPPER_TIME_FORMAT = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyy 'Z'", US);
 
@@ -2169,7 +2188,85 @@ class ExtractRegistry extends Extract {
                         time, osAccount, host, regFile));
             }
         }
-
+        
+        value = userInfo.get(SECURITY_QUESTION_1);
+        if (value != null && !value.isEmpty()) {
+            BlackboardAttribute.Type securityQuestionAttributeType = null;
+            try {
+                    securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_1,
+                            BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
+                            Bundle.Sam_Security_Question_1_Attribute_Display_Name());
+            } catch (BlackboardException ex) {
+                    throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_QUESTION_1), ex);
+            }
+            attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
+        }
+        
+        value = userInfo.get(SECURITY_ANSWER_1);
+        if (value != null && !value.isEmpty()) {
+            BlackboardAttribute.Type securityAnswerAttributeType = null;
+            try {
+                    securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_1,
+                            BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
+                            Bundle.Sam_Security_Answer_1_Attribute_Display_Name());
+            } catch (BlackboardException ex) {
+                    throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_ANSWER_1), ex);
+            }
+            attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
+        }
+        
+        value = userInfo.get(SECURITY_QUESTION_2);
+        if (value != null && !value.isEmpty()) {
+            BlackboardAttribute.Type securityQuestionAttributeType = null;
+            try {
+                    securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_2,
+                            BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
+                            Bundle.Sam_Security_Question_2_Attribute_Display_Name());
+            } catch (BlackboardException ex) {
+                    throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_QUESTION_2), ex);
+            }
+            attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
+        }
+        
+        value = userInfo.get(SECURITY_ANSWER_2);
+        if (value != null && !value.isEmpty()) {
+            BlackboardAttribute.Type securityAnswerAttributeType = null;
+            try {
+                    securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_2,
+                            BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
+                            Bundle.Sam_Security_Answer_2_Attribute_Display_Name());
+            } catch (BlackboardException ex) {
+                    throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_ANSWER_2), ex);
+            }
+            attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
+        }
+        
+        value = userInfo.get(SECURITY_QUESTION_3);
+        if (value != null && !value.isEmpty()) {
+            BlackboardAttribute.Type securityQuestionAttributeType = null;
+            try {
+                    securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_3,
+                            BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
+                            Bundle.Sam_Security_Question_2_Attribute_Display_Name());
+            } catch (BlackboardException ex) {
+                    throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_QUESTION_3), ex);
+            }
+            attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
+        }
+        
+        value = userInfo.get(SECURITY_ANSWER_3);
+        if (value != null && !value.isEmpty()) {
+            BlackboardAttribute.Type securityAnswerAttributeType = null;
+            try {
+                    securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_3,
+                            BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
+                            Bundle.Sam_Security_Answer_3_Attribute_Display_Name());
+            } catch (BlackboardException ex) {
+                    throw new TskCoreException(String.format("Failed to get key attribute %s", SAM_SECURITY_ANSWER_3), ex);
+            }
+            attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
+        }
+        
         value = userInfo.get(PASSWORD_HINT);
         if (value != null && !value.isEmpty()) {
             attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_PASSWORD_HINT,
@@ -2249,6 +2346,21 @@ class ExtractRegistry extends Extract {
         return "";
     }
 
+    /**
+     * Helper for constructing a new OsAccountAttribute
+     *
+     * @param type      Attribute type
+     * @param value     The value to store
+     * @param osAccount The OsAccount this attribute belongs to
+     * @param host      The Host related to the OsAccount
+     * @param file      The source where the attribute was found.
+     *
+     * @return Newly created OsACcountAttribute
+     */
+    private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.Type type, String value, OsAccount osAccount, Host host, AbstractFile file) {
+        return osAccount.new OsAccountAttribute(type, value, osAccount, host, file);
+    }
+
     /**
      * Helper for constructing a new OsAccountAttribute
      *

thirdparty/rr-full/JSON/PP/Boolean.pm

@@ -0,0 +1,42 @@
+package JSON::PP::Boolean;
+
+use strict;
+require overload;
+local $^W;
+overload::import('overload',
+    "0+"     => sub { ${$_[0]} },
+    "++"     => sub { $_[0] = ${$_[0]} + 1 },
+    "--"     => sub { $_[0] = ${$_[0]} - 1 },
+    fallback => 1,
+);
+
+$JSON::PP::Boolean::VERSION = '4.05';
+
+1;
+
+__END__
+
+=head1 NAME
+
+JSON::PP::Boolean - dummy module providing JSON::PP::Boolean
+
+=head1 SYNOPSIS
+
+ # do not "use" yourself
+
+=head1 DESCRIPTION
+
+This module exists only to provide overload resolution for Storable and similar modules. See
+L<JSON::PP> for more info about this class.
+
+=head1 AUTHOR
+
+This idea is from L<JSON::XS::Boolean> written by Marc Lehmann <schmorp[at]schmorp.de>
+
+=head1 LICENSE
+
+This library is free software; you can redistribute it and/or modify
+it under the same terms as Perl itself.
+
+=cut
+

thirdparty/rr-full/plugins/samparse.pl

@@ -24,6 +24,7 @@
 package samparse;
 use strict;
 use Encode::Unicode;
+use JSON::PP;
 
 my %config = (hive          => "SAM",
               hivemask      => 2,
@@ -131,6 +132,23 @@ sub pluginmain {
 					my $f = $f_value->get_data();
 					my %f_val = parseF($f);
 					
+					eval {
+					    my $reset_data_value = $u->get_value("ResetData");
+						my $reset_data = $reset_data_value->get_data();
+    					my $reset_data_hash = decode_json($reset_data);
+						my $reset_data_question_1 = $reset_data_hash->{'questions'}[0];
+						my $reset_data_question_2 = $reset_data_hash->{'questions'}[1];
+						my $reset_data_question_3 = $reset_data_hash->{'questions'}[2];
+						my $question_1 = $reset_data_question_1->{'question'};
+                        ::rptMsg("Security Questions:");
+						::rptMsg("    Question 1  : ".$question_1);
+						::rptMsg("    Answer 1    : ".$reset_data_question_1->{'answer'});
+						::rptMsg("    Question 2  : ".$reset_data_question_2->{'question'});
+						::rptMsg("    Answer 2    : ".$reset_data_question_2->{'answer'});
+						::rptMsg("    Question 3  : ".$reset_data_question_3->{'question'});
+						::rptMsg("    Answer 3    : ".$reset_data_question_3->{'answer'});
+					};
+										
 					my $lastlogin;
 					my $pwdreset;
 					my $pwdfail;