mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 07:56:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/tmciver-basis/autopsy

Browse Source
This commit is contained in:
adam-m 2012-12-03 17:49:00 -05:00
commit f08d15a4ed
11 changed files with 563 additions and 355 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Core/nbproject/project.xml
View File

@ -183,6 +183,7 @@
</module-dependencies> </module-dependencies>
<public-packages> <public-packages>
<package>org.sleuthkit.autopsy.casemodule</package> <package>org.sleuthkit.autopsy.casemodule</package>
<package>org.sleuthkit.autopsy.casemodule.services</package>
<package>org.sleuthkit.autopsy.core</package> <package>org.sleuthkit.autopsy.core</package>
<package>org.sleuthkit.autopsy.corecomponentinterfaces</package> <package>org.sleuthkit.autopsy.corecomponentinterfaces</package>
<package>org.sleuthkit.autopsy.corecomponents</package> <package>org.sleuthkit.autopsy.corecomponents</package>

22
Core/src/org/sleuthkit/autopsy/casemodule/Case.java
View File

@ -19,10 +19,6 @@
package org.sleuthkit.autopsy.casemodule; package org.sleuthkit.autopsy.casemodule;
import java.awt.Frame; import java.awt.Frame;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.awt.event.WindowAdapter;
import java.awt.event.WindowEvent;
import java.beans.PropertyChangeListener; import java.beans.PropertyChangeListener;
import java.beans.PropertyChangeSupport; import java.beans.PropertyChangeSupport;
import java.io.BufferedInputStream; import java.io.BufferedInputStream;
@ -31,7 +27,6 @@ import java.io.FileInputStream;
import java.io.IOException; import java.io.IOException;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.GregorianCalendar; import java.util.GregorianCalendar;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
@ -40,19 +35,14 @@ import java.util.Map;
import java.util.Set; import java.util.Set;
import java.util.TimeZone; import java.util.TimeZone;
import java.util.logging.Level; import java.util.logging.Level;
import javax.swing.JDialog;
import javax.swing.JFileChooser;
import javax.swing.JOptionPane; import javax.swing.JOptionPane;
import javax.swing.SwingUtilities; import javax.swing.SwingUtilities;
import javax.swing.filechooser.FileFilter;
import org.openide.util.Exceptions;
import org.openide.util.Lookup; import org.openide.util.Lookup;
import org.openide.util.actions.CallableSystemAction; import org.openide.util.actions.CallableSystemAction;
import org.openide.util.actions.SystemAction; import org.openide.util.actions.SystemAction;
import org.openide.windows.WindowManager; import org.openide.windows.WindowManager;
import org.sleuthkit.autopsy.casemodule.services.Services;
import org.sleuthkit.autopsy.corecomponentinterfaces.CoreComponentControl; import org.sleuthkit.autopsy.corecomponentinterfaces.CoreComponentControl;
import org.sleuthkit.autopsy.corecomponents.AdvancedConfigurationCleanDialog;
import org.sleuthkit.autopsy.corecomponents.AdvancedConfigurationDialog;
import org.sleuthkit.autopsy.coreutils.FileUtil; import org.sleuthkit.autopsy.coreutils.FileUtil;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.Version; import org.sleuthkit.autopsy.coreutils.Version;
@ -124,6 +114,7 @@ public class Case {
private SleuthkitCase db; private SleuthkitCase db;
// Track the current case (only set with changeCase() method) // Track the current case (only set with changeCase() method)
private static Case currentCase = null; private static Case currentCase = null;
private Services services;
private static final Logger logger = Logger.getLogger(Case.class.getName()); private static final Logger logger = Logger.getLogger(Case.class.getName());
@ -137,6 +128,7 @@ public class Case {
this.configFilePath = configFilePath; this.configFilePath = configFilePath;
this.xmlcm = xmlcm; this.xmlcm = xmlcm;
this.db = db; this.db = db;
this.services = new Services(db);
} }
/** /**
@ -334,6 +326,13 @@ public class Case {
} }
} }
/**
* @return The Services object for this case.
*/
public Services getServices() {
return services;
}
/** /**
* Get the underlying SleuthkitCase instance from the Sleuth Kit bindings * Get the underlying SleuthkitCase instance from the Sleuth Kit bindings
* library. * library.
@ -350,6 +349,7 @@ public class Case {
changeCase(null); changeCase(null);
try { try {
services.close();
this.xmlcm.close(); // close the xmlcm this.xmlcm.close(); // close the xmlcm
this.db.close(); this.db.close();
} catch (Exception e) { } catch (Exception e) {

99
Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java Normal file
View File

@ -0,0 +1,99 @@
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 Basis Technology Corp.
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.casemodule.services;
import java.io.Closeable;
import java.io.IOException;
import java.util.List;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
/**
* Abstraction to facilitate access to files and directories.
*/
public class FileManager implements Closeable {
private SleuthkitCase tskCase;
public FileManager(SleuthkitCase tskCase) {
this.tskCase = tskCase;
}
/**
* @param fileName the name of the file or directory to match
* @return a list of FsContent for files/directories whose name matches the
* given fileName
*/
public synchronized List<FsContent> findFiles(Image image, String fileName) throws TskCoreException {
if (tskCase == null) {
throw new TskCoreException("Attemtped to use FileManager after it was closed.");
}
return tskCase.findFiles(image, fileName);
}
/**
* @param fileName the name of the file or directory to match
* @param dirName the name of a parent directory of fileName
* @return a list of FsContent for files/directories whose name matches
* fileName and whose parent directory contains dirName.
*/
public synchronized List<FsContent> findFiles(Image image, String fileName, String dirName) throws TskCoreException {
if (tskCase == null) {
throw new TskCoreException("Attemtped to use FileManager after it was closed.");
}
return tskCase.findFiles(image, fileName, dirName);
}
/**
* @param fileName the name of the file or directory to match
* @param parentFsContent
* @return a list of FsContent for files/directories whose name matches
* fileName and that were inside a directory described by parentFsContent.
*/
public synchronized List<FsContent> findFiles(Image image, String fileName, FsContent parentFsContent) throws TskCoreException {
if (tskCase == null) {
throw new TskCoreException("Attemtped to use FileManager after it was closed.");
}
return findFiles(image, fileName, parentFsContent.getName());
}
/**
* @param filePath The full path to the file(s) of interest. This can
* optionally include the image and volume names.
* @return a list of FsContent that have the given file path.
*/
public synchronized List<FsContent> openFiles(Image image, String filePath) throws TskCoreException {
if (tskCase == null) {
throw new TskCoreException("Attemtped to use FileManager after it was closed.");
}
return tskCase.openFiles(image, filePath);
}
@Override
public synchronized void close() throws IOException {
tskCase = null;
}
}

64
Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java Normal file
View File

@ -0,0 +1,64 @@
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 Basis Technology Corp.
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.casemodule.services;
import java.io.Closeable;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
* A class to manage various services.
*/
public class Services implements Closeable {
private SleuthkitCase tskCase;
// NOTE: all new services added to Services class must be added to this list
// of services.
private List<Closeable> services = new ArrayList<Closeable>();
// services
private FileManager fileManager;
public Services(SleuthkitCase tskCase) {
this.tskCase = tskCase;
}
public synchronized FileManager getFileManager() {
if (fileManager == null) {
fileManager = new FileManager(tskCase);
services.add(fileManager);
}
return fileManager;
}
@Override
public void close() throws IOException {
// close all services
for (Closeable service : services) {
service.close();
}
}
}

2
KeywordSearch/nbproject/genfiles.properties
View File

@ -3,6 +3,6 @@ build.xml.script.CRC32=87b97b04
build.xml.stylesheet.CRC32=a56c6a5b@1.46.2 build.xml.stylesheet.CRC32=a56c6a5b@1.46.2
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
nbproject/build-impl.xml.data.CRC32=1cff292d nbproject/build-impl.xml.data.CRC32=8f39548f
nbproject/build-impl.xml.script.CRC32=fe1f48d2 nbproject/build-impl.xml.script.CRC32=fe1f48d2
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@2.50.1 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@2.50.1

4
RecentActivity/nbproject/genfiles.properties
View File

@ -1,8 +1,8 @@
build.xml.data.CRC32=320aa38b build.xml.data.CRC32=bcfe7e87
build.xml.script.CRC32=d323407a build.xml.script.CRC32=d323407a
build.xml.stylesheet.CRC32=a56c6a5b@2.50.1 build.xml.stylesheet.CRC32=a56c6a5b@2.50.1
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
nbproject/build-impl.xml.data.CRC32=320aa38b nbproject/build-impl.xml.data.CRC32=bcfe7e87
nbproject/build-impl.xml.script.CRC32=aef16a21 nbproject/build-impl.xml.script.CRC32=aef16a21
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@2.50.1 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@2.50.1

106
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
View File

@ -37,6 +37,8 @@ import java.io.FileNotFoundException;
import java.io.FileReader; import java.io.FileReader;
import java.io.IOException; import java.io.IOException;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.sql.SQLException;
import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.coreutils.EscapeUtil; import org.sleuthkit.autopsy.coreutils.EscapeUtil;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.autopsy.ingest.IngestModuleImage; import org.sleuthkit.autopsy.ingest.IngestModuleImage;
@ -96,20 +98,25 @@ public class Chrome extends Extract implements IngestModuleImage {
} }
private void getHistory(Image image, IngestImageWorkerController controller) { private void getHistory(Image image, IngestImageWorkerController controller) {
//Make these seperate, this is for history
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'"); FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> historyFiles = null;
try {
historyFiles = fileManager.findFiles(image, "History", "Chrome");
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { if (historyFiles != null && !historyFiles.isEmpty()) {
while (j < FFSqlitedb.size()) { while (j < historyFiles.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(historyFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome web history artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome web history artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + historyFiles.get(j).getName());
} }
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
@ -130,7 +137,7 @@ public class Chrome extends Extract implements IngestModuleImage {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "Recent Activity", ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "Recent Activity", ((result.get("title").toString() != null) ? result.get("title").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""))));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, FFSqlitedb.get(j), bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFiles.get(j), bbattributes);
} }
if (errors > 0) { if (errors > 0) {
@ -146,19 +153,24 @@ public class Chrome extends Extract implements IngestModuleImage {
private void getBookmark(Image image, IngestImageWorkerController controller) { private void getBookmark(Image image, IngestImageWorkerController controller) {
//this is for bookmarks FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); List<FsContent> bookmarkFiles = null;
try {
bookmarkFiles = fileManager.findFiles(image, "Bookmarks", "Chrome");
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { if (bookmarkFiles != null && !bookmarkFiles.isEmpty()) {
while (j < FFSqlitedb.size()) { while (j < bookmarkFiles.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + bookmarkFiles.get(j).getName().toString() + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(bookmarkFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + bookmarkFiles.get(j).getName().toString() + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome bookmark artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome bookmark artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + bookmarkFiles.get(j).getName());
} }
logger.log(Level.INFO, moduleName + "- Now getting Bookmarks from " + temps); logger.log(Level.INFO, moduleName + "- Now getting Bookmarks from " + temps);
File dbFile = new File(temps); File dbFile = new File(temps);
@ -180,7 +192,7 @@ public class Chrome extends Extract implements IngestModuleImage {
String name = address.get("name").getAsString(); String name = address.get("name").getAsString();
Long date = address.get("date_added").getAsLong(); Long date = address.get("date_added").getAsLong();
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); BlackboardArtifact bbart = bookmarkFiles.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
//TODO Revisit usage of deprecated constructor as per TSK-583 //TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", (date / 10000000))); //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", (date / 10000000)));
@ -214,18 +226,24 @@ public class Chrome extends Extract implements IngestModuleImage {
// This gets the cookie info // This gets the cookie info
private void getCookie(Image image, IngestImageWorkerController controller) { private void getCookie(Image image, IngestImageWorkerController controller) {
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> cookiesFiles = null;
try {
cookiesFiles = fileManager.findFiles(image, "Cookies", "Chrome");
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { if (cookiesFiles != null && !cookiesFiles.isEmpty()) {
while (j < FFSqlitedb.size()) { while (j < cookiesFiles.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + cookiesFiles.get(j).getName().toString() + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(cookiesFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + cookiesFiles.get(j).getName().toString() + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome cookie artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome cookie artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + cookiesFiles.get(j).getName());
} }
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
@ -249,7 +267,7 @@ public class Chrome extends Extract implements IngestModuleImage {
String domain = result.get("host_key").toString(); String domain = result.get("host_key").toString();
domain = domain.replaceFirst("^\\.+(?!$)", ""); domain = domain.replaceFirst("^\\.+(?!$)", "");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, FFSqlitedb.get(j), bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFiles.get(j), bbattributes);
} }
if (errors > 0) { if (errors > 0) {
@ -267,18 +285,24 @@ public class Chrome extends Extract implements IngestModuleImage {
// This gets the downloads info // This gets the downloads info
private void getDownload(Image image, IngestImageWorkerController controller) { private void getDownload(Image image, IngestImageWorkerController controller) {
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> historyFiles = null;
try {
historyFiles = fileManager.findFiles(image, "History", "Chrome");
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { if (historyFiles != null && !historyFiles.isEmpty()) {
while (j < FFSqlitedb.size()) { while (j < historyFiles.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(historyFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome download artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome download artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + historyFiles.get(j).getName());
} }
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
@ -291,7 +315,7 @@ public class Chrome extends Extract implements IngestModuleImage {
for (HashMap<String, Object> result : tempList) { for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", (result.get("full_path").toString()))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", (result.get("full_path").toString())));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "Recent Activity", Util.findID((result.get("full_path").toString())))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "Recent Activity", Util.findID(image, (result.get("full_path").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? result.get("url").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
Long time = (Long.valueOf(result.get("start_time").toString())); Long time = (Long.valueOf(result.get("start_time").toString()));
@ -303,7 +327,7 @@ public class Chrome extends Extract implements IngestModuleImage {
String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome"));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, FFSqlitedb.get(j), bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, historyFiles.get(j), bbattributes);
} }
if (errors > 0) { if (errors > 0) {
@ -321,18 +345,24 @@ public class Chrome extends Extract implements IngestModuleImage {
// This gets the user info // This gets the user info
private void getLogin(Image image, IngestImageWorkerController controller) { private void getLogin(Image image, IngestImageWorkerController controller) {
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> signonFiles = null;
try {
signonFiles = fileManager.findFiles(image, "signons.sqlite", "Chrome");
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { if (signonFiles != null && !signonFiles.isEmpty()) {
while (j < FFSqlitedb.size()) { while (j < signonFiles.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + signonFiles.get(j).getName().toString() + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(signonFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + signonFiles.get(j).getName().toString() + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome login artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome login artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + signonFiles.get(j).getName());
} }
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
@ -354,7 +384,7 @@ public class Chrome extends Extract implements IngestModuleImage {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "Recent Activity", ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "Recent Activity", ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", result.get("signon_realm").toString())); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", result.get("signon_realm").toString()));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, FFSqlitedb.get(j), bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFiles.get(j), bbattributes);
} }
if (errors > 0) { if (errors > 0) {

82
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
View File

@ -75,9 +75,6 @@ public class ExtractIE extends Extract implements IngestModuleImage {
private static final Logger logger = Logger.getLogger(ExtractIE.class.getName()); private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
private IngestServices services; private IngestServices services;
private String indexDatQueryStr = "select * from tsk_files where name LIKE '%index.dat%'";
private String favoriteQuery = "select * from `tsk_files` where parent_path LIKE '%/Favorites%' and name LIKE '%.url'";
private String cookiesQuery = "select * from `tsk_files` where parent_path LIKE '%/Cookies%' and name LIKE '%.txt'";
private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'"; private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'";
//sleauthkit db handle //sleauthkit db handle
SleuthkitCase tempDb; SleuthkitCase tempDb;
@ -131,14 +128,21 @@ public class ExtractIE extends Extract implements IngestModuleImage {
// This gets the favorite info // This gets the favorite info
private void getBookmark(Image image, IngestImageWorkerController controller) { private void getBookmark(Image image, IngestImageWorkerController controller) {
List<FsContent> FavoriteList = this.extractFiles(image, favoriteQuery);
int errors = 0; int errors = 0;
for (FsContent Favorite : FavoriteList) { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> favoritesFiles = null;
try {
favoritesFiles = fileManager.findFiles(image, "%.url", "Favorites");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
}
for (FsContent favoritesFile : favoritesFiles) {
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
Content fav = Favorite; Content fav = favoritesFile;
byte[] t = new byte[(int) fav.getSize()]; byte[] t = new byte[(int) fav.getSize()];
try { try {
final int bytesRead = fav.read(t, 0, fav.getSize()); final int bytesRead = fav.read(t, 0, fav.getSize());
@ -154,8 +158,8 @@ public class ExtractIE extends Extract implements IngestModuleImage {
if (m.find()) { if (m.find()) {
url = m.group(1); url = m.group(1);
} }
String name = Favorite.getName(); String name = favoritesFile.getName();
Long datetime = Favorite.getCrtime(); Long datetime = favoritesFile.getCrtime();
String Tempdate = datetime.toString(); String Tempdate = datetime.toString();
datetime = Long.valueOf(Tempdate); datetime = Long.valueOf(Tempdate);
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
@ -169,7 +173,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, Favorite, bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, favoritesFile, bbattributes);
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} }
@ -182,13 +186,20 @@ public class ExtractIE extends Extract implements IngestModuleImage {
// This gets the cookies info // This gets the cookies info
private void getCookie(Image image, IngestImageWorkerController controller) { private void getCookie(Image image, IngestImageWorkerController controller) {
List<FsContent> CookiesList = this.extractFiles(image, cookiesQuery); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> cookiesFiles = null;
try {
cookiesFiles = fileManager.findFiles(image, "%.txt", "Cookies");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
}
int errors = 0; int errors = 0;
for (FsContent Cookie : CookiesList) { for (FsContent cookiesFile : cookiesFiles) {
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
Content fav = Cookie; Content fav = cookiesFile;
byte[] t = new byte[(int) fav.getSize()]; byte[] t = new byte[(int) fav.getSize()];
try { try {
final int bytesRead = fav.read(t, 0, fav.getSize()); final int bytesRead = fav.read(t, 0, fav.getSize());
@ -200,7 +211,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
String url = values.length > 2 ? values[2] : ""; String url = values.length > 2 ? values[2] : "";
String value = values.length > 1 ? values[1] : ""; String value = values.length > 1 ? values[1] : "";
String name = values.length > 0 ? values[0] : ""; String name = values.length > 0 ? values[0] : "";
Long datetime = Cookie.getCrtime(); Long datetime = cookiesFile.getCrtime();
String Tempdate = datetime.toString(); String Tempdate = datetime.toString();
datetime = Long.valueOf(Tempdate); datetime = Long.valueOf(Tempdate);
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
@ -217,7 +228,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", (name != null) ? name : "")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, Cookie, bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
} }
if (errors > 0) { if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Internet Explorer cookies."); this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Internet Explorer cookies.");
@ -230,25 +241,32 @@ public class ExtractIE extends Extract implements IngestModuleImage {
// This gets the recent object info // This gets the recent object info
private void getRecentDocuments(Image image, IngestImageWorkerController controller) { private void getRecentDocuments(Image image, IngestImageWorkerController controller) {
List<FsContent> RecentList = this.extractFiles(image, recentQuery); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> recentFiles = null;
try {
recentFiles = fileManager.findFiles(image, "%.lnk", "Recent");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
}
for (FsContent Recent : RecentList) { for (FsContent recentFile : recentFiles) {
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
Content fav = Recent; Content fav = recentFile;
JLNK lnk = new JLnkParser(new ReadContentInputStream(fav), (int) fav.getSize()).parse(); JLNK lnk = new JLnkParser(new ReadContentInputStream(fav), (int) fav.getSize()).parse();
String path = lnk.getBestPath(); String path = lnk.getBestPath();
Long datetime = Recent.getCrtime(); Long datetime = recentFile.getCrtime();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(path))); long id = Util.findID(image, path);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", id));
//TODO Revisit usage of deprecated constructor as per TSK-583 //TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime)); //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime));
this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, Recent, bbattributes); this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, bbattributes);
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
@ -286,7 +304,6 @@ public class ExtractIE extends Extract implements IngestModuleImage {
File resultsDir = new File(PASCO_RESULTS_PATH); File resultsDir = new File(PASCO_RESULTS_PATH);
resultsDir.mkdirs(); resultsDir.mkdirs();
Collection<FsContent> FsContentCollection = null;
tempDb = currentCase.getSleuthkitCase(); tempDb = currentCase.getSleuthkitCase();
Collection<FileSystem> imageFS = tempDb.getFileSystems(image); Collection<FileSystem> imageFS = tempDb.getFileSystems(image);
List<String> fsIds = new LinkedList<String>(); List<String> fsIds = new LinkedList<String>();
@ -305,24 +322,25 @@ public class ExtractIE extends Extract implements IngestModuleImage {
allFS += ")"; allFS += ")";
} }
} }
// get index.dat files
org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> indexFiles = null;
try { try {
ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS); indexFiles = fileManager.findFiles(image, "index.dat");
FsContentCollection = tempDb.resultSetToFsContents(rs); } catch (TskCoreException ex) {
rs.close(); logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
rs.getStatement().close();
} catch (SQLException ex) {
logger.log(Level.SEVERE, "Error reading database for Internet Explorer history artifacts: {0}", ex);
} }
String temps; String temps;
String indexFileName; String indexFileName;
for (FsContent indexFile : indexFiles) {
for (FsContent fsc : FsContentCollection) {
// Since each result represent an index.dat file, // Since each result represent an index.dat file,
// just create these files with the following notation: // just create these files with the following notation:
// index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat) // index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
// Write each index.dat file to a temp directory. // Write each index.dat file to a temp directory.
//BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
indexFileName = "index" + Integer.toString((int) fsc.getId()) + ".dat"; indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat";
//indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat"; //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
temps = currentCase.getTempDirectory() + File.separator + indexFileName; temps = currentCase.getTempDirectory() + File.separator + indexFileName;
File datFile = new File(temps); File datFile = new File(temps);
@ -331,12 +349,12 @@ public class ExtractIE extends Extract implements IngestModuleImage {
break; break;
} }
try { try {
ContentUtils.writeToFile(fsc, datFile); ContentUtils.writeToFile(indexFile, datFile);
} catch (IOException e) { } catch (IOException e) {
logger.log(Level.SEVERE, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); logger.log(Level.SEVERE, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e);
} }
String filename = "pasco2Result." + fsc.getId() + ".txt"; String filename = "pasco2Result." + indexFile.getId() + ".txt";
boolean bPascProcSuccess = executePasco(temps, filename); boolean bPascProcSuccess = executePasco(temps, filename);
pascoResults.add(filename); pascoResults.add(filename);

69
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -106,61 +106,48 @@ public class ExtractRegistry extends Extract implements IngestModuleImage {
this.args = args; this.args = args;
} }
private void getregistryfiles(Image image, IngestImageWorkerController controller) { private void getRegistryFiles(Image image, IngestImageWorkerController controller) {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
Collection<FileSystem> imageFS = tempDb.getFileSystems(image); List<FsContent> allRegistryFiles = new ArrayList<FsContent>();
List<String> fsIds = new LinkedList<String>(); try {
for (FileSystem img : imageFS) { allRegistryFiles.addAll(fileManager.findFiles(image, "ntuser.dat"));
Long tempID = img.getId(); } catch (TskCoreException ex) {
fsIds.add(tempID.toString()); logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file.");
} }
String allFS = new String(); // try to find each of the listed registry files whose parent directory
for (int i = 0; i < fsIds.size(); i++) { // is like '%/system32/config%'
if (i == 0) { String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"};
allFS += " AND (0"; for (String regFileName : regFileNames) {
try {
allRegistryFiles.addAll(fileManager.findFiles(image, regFileName, "%/system32/config%"));
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching registry file: " + regFileName);
} }
allFS += " OR fs_obj_id = '" + fsIds.get(i) + "'";
if (i == fsIds.size() - 1) {
allFS += ")";
}
}
List<FsContent> Regfiles = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS);
Regfiles = tempDb.resultSetToFsContents(rs);
} catch (SQLException ex) {
logger.log(Level.SEVERE, "Error querying the database for registry files: {0}", ex);
} }
int j = 0; int j = 0;
for (FsContent regFile : allRegistryFiles) {
while (j < Regfiles.size()) { String regFileName = regFile.getName();
boolean Success; String temps = currentCase.getTempDirectory() + "\\" + regFileName;
Content orgFS = Regfiles.get(j);
long orgId = orgFS.getId();
String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString();
try { try {
ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName())); ContentUtils.writeToFile(regFile, new File(currentCase.getTempDirectory() + "\\" + regFileName));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex); logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex);
} }
File regFile = new File(temps); File aRegFile = new File(temps);
logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps); logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps);
String txtPath = executeRegRip(temps, j); String txtPath = executeRegRip(temps, j++);
if (txtPath.length() > 0) { if (txtPath.length() > 0) {
Success = parseReg(txtPath, orgId); if (parseReg(txtPath, regFile.getId()) == false) {
} else { continue;
Success = false; }
} }
//At this point pasco2 proccessed the index files. //At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files. //Now fetch the results, parse them and the delete the files.
if (Success) { aRegFile.delete();
//Delete dat file since it was succcessful
regFile.delete();
}
j++;
} }
} }
@ -396,7 +383,7 @@ public class ExtractRegistry extends Extract implements IngestModuleImage {
@Override @Override
public void process(Image image, IngestImageWorkerController controller) { public void process(Image image, IngestImageWorkerController controller) {
this.getregistryfiles(image, controller); this.getRegistryFiles(image, controller);
} }
@Override @Override

384
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
View File

@ -31,6 +31,7 @@ import java.util.Collection;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.coreutils.EscapeUtil; import org.sleuthkit.autopsy.coreutils.EscapeUtil;
import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@ -44,6 +45,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.TskCoreException;
/** /**
* Firefox recent activity extraction * Firefox recent activity extraction
@ -91,216 +93,254 @@ public class Firefox extends Extract implements IngestModuleImage {
private void getHistory(Image image, IngestImageWorkerController controller) { private void getHistory(Image image, IngestImageWorkerController controller) {
//Make these seperate, this is for history //Make these seperate, this is for history
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); //List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'");
FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> historyFiles = null;
try {
historyFiles = fileManager.findFiles(image, "%places.sqlite%", "Firefox");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching internet history files for Firefox.");
}
if (historyFiles == null) {
return;
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { for (FsContent historyFile : historyFiles) {
while (j < FFSqlitedb.size()) { String fileName = historyFile.getName();
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(historyFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing the sqlite db for firefox web history artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing the sqlite db for firefox web history artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
}
File dbFile = new File(temps);
if (controller.isCancelled()) {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, ffquery);
logger.log(Level.INFO, moduleName + "- Now getting history from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("visit_date").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("visit_date").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", ((result.get("ref").toString() != null) ? result.get("ref").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? result.get("title").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""))));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, FFSqlitedb.get(j), bbattributes);
}
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
j++;
dbFile.delete();
} }
File dbFile = new File(temps);
if (controller.isCancelled()) {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, ffquery);
logger.log(Level.INFO, moduleName + "- Now getting history from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("visit_date").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("visit_date").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", ((result.get("ref").toString() != null) ? result.get("ref").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? result.get("title").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""))));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); }
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
++j;
dbFile.delete();
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} }
private void getBookmark(Image image, IngestImageWorkerController controller) { private void getBookmark(Image image, IngestImageWorkerController controller) {
//this is for bookmarks FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); List<FsContent> bookmarkFiles = null;
try {
bookmarkFiles = fileManager.findFiles(image, "places.sqlite", "Firefox");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching bookmark files for Firefox.");
}
if (bookmarkFiles == null) {
return;
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { for (FsContent bookmarkFile : bookmarkFiles) {
while (j < FFSqlitedb.size()) { String fileName = bookmarkFile.getName();
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(bookmarkFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing the sqlite db for firefox bookmark artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing the sqlite db for firefox bookmark artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
}
File dbFile = new File(temps);
if (controller.isCancelled()) {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, ffbookmarkquery);
logger.log(Level.INFO, moduleName + "- Now getting bookmarks from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? result.get("title").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""))));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, FFSqlitedb.get(j), bbattributes);
}
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
j++;
dbFile.delete();
} }
File dbFile = new File(temps);
if (controller.isCancelled()) {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, ffbookmarkquery);
logger.log(Level.INFO, moduleName + "- Now getting bookmarks from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? result.get("title").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""))));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes);
}
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
++j;
dbFile.delete();
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} }
//COOKIES section //COOKIES section
// This gets the cookie info // This gets the cookie info
private void getCookie(Image image, IngestImageWorkerController controller) { private void getCookie(Image image, IngestImageWorkerController controller) {
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> cookiesFiles = null;
try {
cookiesFiles = fileManager.findFiles(image, "cookies.sqlite", "Firefox");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching cookies files for Firefox.");
}
if (cookiesFiles == null) {
return;
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { for (FsContent cookiesFile : cookiesFiles) {
while (j < FFSqlitedb.size()) { String fileName = cookiesFile.getName();
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(cookiesFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing the sqlite db for firefox cookie artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing the sqlite db for firefox cookie artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
} }
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete();
break;
}
boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", temps);
String query = null;
if (checkColumn) {
query = ffcookiequery;
} else {
query = ff3cookiequery;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, query);
logger.log(Level.INFO, moduleName + "- Now getting cookies from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? result.get("host").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? EscapeUtil.decodeURL(result.get("host").toString()) : "")));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((result.get("name").toString() != null) ? result.get("name").toString() : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("lastAccessed").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("name").toString() != null) ? result.get("name").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("lastAccessed").toString()))));
if (checkColumn == true) {
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", (Long.valueOf(result.get("creationTime").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("creationTime").toString()))));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? result.get("host").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", ((result.get("value").toString() != null) ? result.get("value").toString() : "")));
String domain = Util.extractDomain(result.get("host").toString());
domain = domain.replaceFirst("^\\.+(?!$)", "");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, FFSqlitedb.get(j), bbattributes);
}
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
j++;
dbFile.delete(); dbFile.delete();
break;
}
boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", temps);
String query = null;
if (checkColumn) {
query = ffcookiequery;
} else {
query = ff3cookiequery;
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); List<HashMap<String, Object>> tempList = this.dbConnect(temps, query);
logger.log(Level.INFO, moduleName + "- Now getting cookies from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? result.get("host").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? EscapeUtil.decodeURL(result.get("host").toString()) : "")));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((result.get("name").toString() != null) ? result.get("name").toString() : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("lastAccessed").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("name").toString() != null) ? result.get("name").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("lastAccessed").toString()))));
if (checkColumn == true) {
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", (Long.valueOf(result.get("creationTime").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("creationTime").toString()))));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? result.get("host").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", ((result.get("value").toString() != null) ? result.get("value").toString() : "")));
String domain = Util.extractDomain(result.get("host").toString());
domain = domain.replaceFirst("^\\.+(?!$)", "");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
}
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
++j;
dbFile.delete();
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} }
//Downloads section //Downloads section
// This gets the downloads info // This gets the downloads info
private void getDownload(Image image, IngestImageWorkerController controller) { private void getDownload(Image image, IngestImageWorkerController controller) {
List<FsContent> FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); FileManager fileManager = currentCase.getServices().getFileManager();
List<FsContent> downloadsFiles = null;
try {
downloadsFiles = fileManager.findFiles(image, "downloads.sqlite", "Firefox");
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error fetching 'downloads' files for Firefox.");
}
if (downloadsFiles == null) {
return;
}
int j = 0; int j = 0;
if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { for (FsContent downloadsFile : downloadsFiles) {
while (j < FFSqlitedb.size()) { String fileName = downloadsFile.getName();
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db";
int errors = 0; int errors = 0;
try { try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(downloadsFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db"));
} catch (IOException ex) { } catch (IOException ex) {
logger.log(Level.SEVERE, "Error writing the sqlite db for firefox download artifacts.{0}", ex); logger.log(Level.SEVERE, "Error writing the sqlite db for firefox download artifacts.{0}", ex);
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName);
} }
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, ffdownloadquery);
logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
try {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String urldecodedtarget = URLDecoder.decode(result.get("source").toString().replaceAll("file:///", ""), "UTF-8");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? result.get("source").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? EscapeUtil.decodeURL(result.get("source").toString()) : "")));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("startTime").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(urldecodedtarget)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", ((result.get("target").toString() != null) ? result.get("target").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("source").toString() != null) ? result.get("source").toString() : ""))));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, FFSqlitedb.get(j), bbattributes);
} catch (UnsupportedEncodingException ex) {
logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex);
errors++;
}
}
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
j++;
dbFile.delete(); dbFile.delete();
break;
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD)); List<HashMap<String, Object>> tempList = this.dbConnect(temps, ffdownloadquery);
logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified.");
for (HashMap<String, Object> result : tempList) {
try {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String urldecodedtarget = URLDecoder.decode(result.get("source").toString().replaceAll("file:///", ""), "UTF-8");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? result.get("source").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? EscapeUtil.decodeURL(result.get("source").toString()) : "")));
//TODO Revisit usage of deprecated constructor as per TSK-583
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("startTime").toString()))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(image, urldecodedtarget)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", ((result.get("target").toString() != null) ? result.get("target").toString() : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("source").toString() != null) ? result.get("source").toString() : ""))));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes);
} catch (UnsupportedEncodingException ex) {
logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex);
errors++;
}
}
if (errors > 0) {
this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts.");
}
j++;
dbFile.delete();
break;
} }
services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
} }
@Override @Override

63
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
View File

@ -31,21 +31,20 @@ import java.nio.MappedByteBuffer;
import java.nio.channels.FileChannel; import java.nio.channels.FileChannel;
import java.nio.charset.Charset; import java.nio.charset.Charset;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.Date; import java.util.Date;
import java.util.List; import java.util.List;
import java.util.StringTokenizer; import java.util.StringTokenizer;
import java.util.logging.Level; import java.util.logging.Level;
import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Logger;
//import org.apache.commons.lang.NullArgumentException;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.autopsy.report.SQLiteDBConnect; import org.sleuthkit.autopsy.report.SQLiteDBConnect;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.TskCoreException;
/** /**
* *
@ -84,32 +83,6 @@ public class Util {
} }
} }
public static boolean imgpathexists(String path) {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
Boolean rt = false;
int count = 0;
try {
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%" + path + "%'");
FFSqlitedb = tempDb.resultSetToFsContents(rs);
count = FFSqlitedb.size();
final Statement s = rs.getStatement();
rs.close();
if (s != null) {
s.close();
}
if (count > 0) {
rt = true;
} else {
rt = false;
}
} catch (SQLException ex) {
logger.log(Level.WARNING, "Error checking if image exists, unable to contact sqlite database.", ex);
}
return rt;
}
public static String getBaseDomain(String url) { public static String getBaseDomain(String url) {
String host = null; String host = null;
//strip protocol //strip protocol
@ -214,7 +187,7 @@ public class Util {
return path; return path;
} }
public static long findID(String path) { public static long findID(Image image, String path) {
String parent_path = path.replace('\\', '/'); // fix Chrome paths String parent_path = path.replace('\\', '/'); // fix Chrome paths
if (parent_path.length() > 2 && parent_path.charAt(1) == ':') { if (parent_path.length() > 2 && parent_path.charAt(1) == ':') {
parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:') parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:')
@ -222,24 +195,20 @@ public class Util {
int index = parent_path.lastIndexOf('/'); int index = parent_path.lastIndexOf('/');
String name = parent_path.substring(++index); String name = parent_path.substring(++index);
parent_path = parent_path.substring(0, index); parent_path = parent_path.substring(0, index);
String query = "select * from tsk_files where parent_path like \"" + parent_path + "\" AND name like \"" + name + "\""; //String query = "select * from tsk_files where parent_path like \"" + parent_path + "\" AND name like \"" + name + "\"";
Case currentCase = Case.getCurrentCase();
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); FileManager fileManager = Case.getCurrentCase().getServices().getFileManager();
List<FsContent> files = null;
try { try {
ResultSet rs = tempDb.runQuery(query); files = fileManager.findFiles(image, name, parent_path);
List<FsContent> results = tempDb.resultSetToFsContents(rs); } catch (TskCoreException ex) {
Statement s = rs.getStatement(); logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
rs.close();
if (s != null) {
s.close();
}
if (results.size() > 0) {
return results.get(0).getId();
}
} catch (SQLException ex) {
logger.log(Level.WARNING, "Error finding ID, unable to contact sqlite database", ex);
} }
return -1;
if (files == null || files.isEmpty()) {
return -1;
}
return files.get(0).getId();
} }
public static boolean checkColumn(String column, String tablename, String connection) { public static boolean checkColumn(String column, String tablename, String connection) {