From 1d5815030d3c16e55c11f78fff79bcc0e1798830 Mon Sep 17 00:00:00 2001
From: "U-BASIS\\dgrove"
Date: Sat, 5 Jan 2019 01:51:57 -0500
Subject: [PATCH] Tweaked SevenZipExtractor; uncommented test.
---
 .../SevenZipExtractor.java | 4 +-
 .../autopsy/ingest/EmbeddedFileTest.java | 90 +++++++++----------
 2 files changed, 47 insertions(+), 47 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
index 8b55988fa7..1fb60cf0cb 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
@@ -1,7 +1,7 @@
 /*
 * Autopsy Forensic Browser
 *
- * Copyright 2013-2018 Basis Technology Corp.
+ * Copyright 2013-2019 Basis Technology Corp.
 * Contact: carrier sleuthkit org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -258,7 +258,7 @@ class SevenZipExtractor {
 org.sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
 // Create artifact if it doesn't already exist.
 if (!tskBlackboard.artifactExists(archiveFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, attributes)) {
- BlackboardArtifact artifact = archiveFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
+ BlackboardArtifact artifact = rootArchive.getArchiveFile().newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
 artifact.addAttributes(attributes);
 try {
 
diff --git a/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java b/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java
index af9266b36f..25d691ddbc 100755
--- a/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java
+++ b/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java
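Review bot: The artifact is now created on `rootArchive.getArchiveFile()` while the duplicate check two lines above still queries `archiveFile`, so whenever the two differ (a nested archive inside the root, which the change implies is possible) the check can never see an artifact already posted on the root and each nested hit may add another TSK_INTERESTING_FILE_HIT to the same file. Keep both calls on one file: `if (!tskBlackboard.artifactExists(rootArchive.getArchiveFile(), BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, attributes)) {`. The enclosing method begins and ends outside the hunk, so whether `archiveFile` and the root archive's file can actually differ here is inferred from the change rather than visible.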
@@ -90,51 +90,51 @@ public class EmbeddedFileTest extends NbTestCase {
 CaseUtils.closeCurrentCase();
 }
 
-// public void testEncryptionAndZipBomb() {
-// try {
-// List results = openCase.getSleuthkitCase().findAllFilesWhere("name LIKE '%%'");
-// final String zipBombSetName = "Possible Zip Bomb";
-// final String protectedName1 = "password_protected.zip";
-// final String protectedName2 = "level1_protected.zip";
-// final String protectedName3 = "42.zip";
-// final String depthZipBomb = "DepthTriggerZipBomb.zip";
-// final String ratioZipBomb = "RatioTriggerZipBomb.zip";
-// int zipBombs = 0;
-// assertEquals("The number of files in the test image has changed", 2221, results.size());
-// int passwdProtectedZips = 0;
-// for (AbstractFile file : results) {
-// //.zip file has artifact TSK_ENCRYPTION_DETECTED
-// if (file.getName().equalsIgnoreCase(protectedName1) || file.getName().equalsIgnoreCase(protectedName2) || file.getName().equalsIgnoreCase(protectedName3)) {
-// ArrayList artifacts = file.getAllArtifacts();
-// assertEquals("Password protected zip file " + file.getName() + " has incorrect number of artifacts", 1, artifacts.size());
-// for (BlackboardArtifact artifact : artifacts) {
-// assertEquals("Artifact for password protected zip file " + file.getName() + " has incorrect type ID", artifact.getArtifactTypeID(), BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID());
-// passwdProtectedZips++;
-// }
-// } else if (file.getName().equalsIgnoreCase(depthZipBomb) || file.getName().equalsIgnoreCase(ratioZipBomb)) {
-// ArrayList artifacts = file.getAllArtifacts();
-// assertEquals("Zip bomb " + file.getName() + " has incorrect number of artifacts", 1, artifacts.size());
-// for (BlackboardArtifact artifact : artifacts) {
-// assertEquals("Artifact for Zip bomb " + file.getName() + " has incorrect type ID", artifact.getArtifactTypeID(), BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID());
-// BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
-// assertNotNull("No attribute found for artifact on zip bomb " + file.getName(), attribute);
-// assertEquals("Interesting artifact on file, " + file.getName() + ", does not reflect it being a zip bomb", zipBombSetName, attribute.getDisplayString());
-// zipBombs++;
-// }
-// } else {//No other files have artifact defined
-// assertEquals("Unexpected file, " + file.getName() + ", has artifacts", 0, file.getAllArtifacts().size());
-// }
-//
-// }
-// //Make sure 3 password protected zip files have been tested: password_protected.zip, level1_protected.zip and 42.zip that we download for bomb testing.
-// assertEquals("Unexpected number of artifacts reflecting password protected zip files found", 3, passwdProtectedZips);
-// //Make sure 2 zip bomb files have been tested: DepthTriggerZipBomb.zip and RatioTriggerZipBomb.zip.
-// assertEquals("Unexpected number of artifacts reflecting zip bombs found", 2, zipBombs);
-// } catch (TskCoreException ex) {
-// Exceptions.printStackTrace(ex);
-// Assert.fail(ex.getMessage());
-// }
-// }
+ public void testEncryptionAndZipBomb() {
+ try {
+ List results = openCase.getSleuthkitCase().findAllFilesWhere("name LIKE '%%'");
+ final String zipBombSetName = "Possible Zip Bomb";
+ final String protectedName1 = "password_protected.zip";
+ final String protectedName2 = "level1_protected.zip";
+ final String protectedName3 = "42.zip";
+ final String depthZipBomb = "DepthTriggerZipBomb.zip";
+ final String ratioZipBomb = "RatioTriggerZipBomb.zip";
+ int zipBombs = 0;
+ assertEquals("The number of files in the test image has changed", 2221, results.size());
+ int passwdProtectedZips = 0;
+ for (AbstractFile file : results) {
+ //.zip file has artifact TSK_ENCRYPTION_DETECTED
+ if (file.getName().equalsIgnoreCase(protectedName1) || file.getName().equalsIgnoreCase(protectedName2) || file.getName().equalsIgnoreCase(protectedName3)) {
+ ArrayList artifacts = file.getAllArtifacts();
+ assertEquals("Password protected zip file " + file.getName() + " has incorrect number of artifacts", 1, artifacts.size());
+ for (BlackboardArtifact artifact : artifacts) {
+ assertEquals("Artifact for password protected zip file " + file.getName() + " has incorrect type ID", artifact.getArtifactTypeID(), BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID());
+ passwdProtectedZips++;
+ }
+ } else if (file.getName().equalsIgnoreCase(depthZipBomb) || file.getName().equalsIgnoreCase(ratioZipBomb)) {
+ ArrayList artifacts = file.getAllArtifacts();
+ assertEquals("Zip bomb " + file.getName() + " has incorrect number of artifacts", 1, artifacts.size());
+ for (BlackboardArtifact artifact : artifacts) {
+ assertEquals("Artifact for Zip bomb " + file.getName() + " has incorrect type ID", artifact.getArtifactTypeID(), BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID());
+ BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
+ assertNotNull("No attribute found for artifact on zip bomb " + file.getName(), attribute);
+ assertEquals("Interesting artifact on file, " + file.getName() + ", does not reflect it being a zip bomb", zipBombSetName, attribute.getDisplayString());
+ zipBombs++;
+ }
+ } else {//No other files have artifact defined
+ assertEquals("Unexpected file, " + file.getName() + ", has artifacts", 0, file.getAllArtifacts().size());
+ }
+
+ }
+ //Make sure 3 password protected zip files have been tested: password_protected.zip, level1_protected.zip and 42.zip that we download for bomb testing.
+ assertEquals("Unexpected number of artifacts reflecting password protected zip files found", 3, passwdProtectedZips);
+ //Make sure 2 zip bomb files have been tested: DepthTriggerZipBomb.zip and RatioTriggerZipBomb.zip.
+ assertEquals("Unexpected number of artifacts reflecting zip bombs found", 2, zipBombs);
+ } catch (TskCoreException ex) {
+ Exceptions.printStackTrace(ex);
+ Assert.fail(ex.getMessage());
+ }
+ }
 
 public void testBigFolder() {
 final int numOfFilesToTest = 1000;
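Review bot: The two type-ID assertions in the re-enabled test pass the actual value in the position JUnit's `assertEquals(message, expected, actual)` reserves for the expected one (`artifact.getArtifactTypeID()` precedes the `...getTypeID()` constant), so a failure would print the values swapped, whereas every other assertEquals in the method puts the expected literal first; the outcome is unaffected, only the diagnostic. Swap them: `assertEquals("Artifact for password protected zip file " + file.getName() + " has incorrect type ID", BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID(), artifact.getArtifactTypeID());` and the same for the TSK_INTERESTING_FILE_HIT assertion. The else branch also asserts that no file other than the five named ones carries any artifact, so any additional module producing artifacts during this ingest will fail the test; a comment on that branch such as `// Deliberately strict: the ingest for this test is expected to produce no other artifacts` would tell the next reader that the constraint is intended.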