diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java index 786370e9d2..a805aa6d1a 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java @@ -9,6 +9,7 @@ import java.io.IOException; import java.util.Collections; import java.util.List; import org.sleuthkit.datamodel.FsContent; +import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskCoreException; @@ -28,11 +29,11 @@ public class FileManager implements Closeable { * @return a list of FsContent for files/directories whose name matches the * given fileName */ - public List findFiles(String fileName) throws TskCoreException { + public List findFiles(Image image, String fileName) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return tskCase.findFiles(fileName); + return tskCase.findFiles(image, fileName); } /** @@ -41,11 +42,11 @@ public class FileManager implements Closeable { * @return a list of FsContent for files/directories whose name matches * fileName and whose parent directory contains dirName. */ - public List findFiles(String fileName, String dirName) throws TskCoreException { + public List findFiles(Image image, String fileName, String dirName) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return tskCase.findFiles(fileName, dirName); + return tskCase.findFiles(image, fileName, dirName); } /** 
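Review bot: The Javadoc above `findFiles(Image image, String fileName)` (hunk `@@ -28,11 +29,11 @@`) is left untouched, so the new `image` parameter is undocumented; add a line such as `@param image the image the search is restricted to`. The same gap applies to the three other overloads changed in this file (`@@ -41,11 +42,11 @@`, `@@ -54,11 +55,11 @@` and `@@ -66,11 +67,11 @@`). `image` is also forwarded to `tskCase.findFiles(image, fileName)` unchecked, and how the case database treats a null image is not visible here. If a null were to widen the search to every image in the case, artifacts would be attributed to the wrong evidence source, so consider rejecting it up front with `if (image == null) { throw new IllegalArgumentException("image must not be null"); }`.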
@@ -54,11 +55,11 @@ public class FileManager implements Closeable { * @return a list of FsContent for files/directories whose name matches * fileName and that were inside a directory described by parentFsContent. */ - public List findFiles(String fileName, FsContent parentFsContent) throws TskCoreException { + public List findFiles(Image image, String fileName, FsContent parentFsContent) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return findFiles(fileName, parentFsContent.getName()); + return findFiles(image, fileName, parentFsContent.getName()); } /** @@ -66,11 +67,11 @@ public class FileManager implements Closeable { * optionally include the image and volume names. * @return a list of FsContent that have the given file path. */ - public List openFiles(String filePath) throws TskCoreException { + public List openFiles(Image image, String filePath) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return tskCase.openFiles(filePath); + return tskCase.openFiles(image, filePath); } @Override diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 1577fb1ad8..153d2989b0 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -102,7 +102,7 @@ public class Chrome extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List historyFiles = null; try { - historyFiles = fileManager.findFiles("History", "Chrome"); + historyFiles = fileManager.findFiles(image, "History", "Chrome"); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); } 
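Review bot: `findFiles(Image image, String fileName, FsContent parentFsContent)` never checks that `parentFsContent` belongs to `image`; it only forwards `parentFsContent.getName()`, so a parent taken from a different image is accepted and the search then runs by directory name inside `image`. The filter removed from ExtractRegistry in this same commit shows that `FsContent.getImage()` is available, so a guard such as `if (!parentFsContent.getImage().equals(image)) { throw new TskCoreException("parentFsContent is not part of the given image"); }` would surface the mismatch instead of returning unrelated files. Because only the bare name is passed on, any directory with that name qualifies, which is worth stating in the Javadoc.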
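Review bot: The Javadoc kept above `openFiles(Image image, String filePath)` (hunk `@@ -66,11 +67,11 @@`) still says the path may "optionally include the image and volume names", which is ambiguous now that the image is a separate argument. The comment should say what happens when `filePath` names a different image than `image`, and document the new parameter, for example `@param image the image the path is resolved against`. The start of the Javadoc block is outside the hunk, so check the `@param filePath` text there as well.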
@@ -156,7 +156,7 @@ public class Chrome extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List bookmarkFiles = null; try { - bookmarkFiles = fileManager.findFiles("Bookmarks", "Chrome"); + bookmarkFiles = fileManager.findFiles(image, "Bookmarks", "Chrome"); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); } @@ -229,7 +229,7 @@ public class Chrome extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List cookiesFiles = null; try { - cookiesFiles = fileManager.findFiles("Cookies", "Chrome"); + cookiesFiles = fileManager.findFiles(image, "Cookies", "Chrome"); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); } @@ -288,7 +288,7 @@ public class Chrome extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List historyFiles = null; try { - historyFiles = fileManager.findFiles("History", "Chrome"); + historyFiles = fileManager.findFiles(image, "History", "Chrome"); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); } 
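Review bot: The catch block after `fileManager.findFiles(image, "Bookmarks", "Chrome")` logs "Error when trying to get Chrome history files.", which is the history message copied unchanged; the same text follows the Cookies lookup (`@@ -229,7 +229,7 @@`) and the signons lookup (`@@ -348,7 +348,7 @@`). Since each call site is being edited anyway, the message should name the artifact that failed, for example `logger.log(Level.SEVERE, "Error when trying to get Chrome bookmark files.", ex);`, otherwise an examiner reading the log cannot tell which artifact class is missing from the results. In all of these hunks the list stays `null` after the exception; the code that consumes it is outside the hunk, so confirm it handles that case.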
@@ -315,7 +315,7 @@ public class Chrome extends Extract implements IngestModuleImage { for (HashMap result : tempList) { Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", (result.get("full_path").toString()))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "Recent Activity", Util.findID((result.get("full_path").toString())))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "Recent Activity", Util.findID(image, (result.get("full_path").toString())))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : ""))); Long time = (Long.valueOf(result.get("start_time").toString())); @@ -348,7 +348,7 @@ public class Chrome extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List signonFiles = null; try { - signonFiles = fileManager.findFiles("signons.sqlite", "Chrome"); + signonFiles = fileManager.findFiles(image, "signons.sqlite", "Chrome"); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index db224a4868..202b1b7c30 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java 
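Review bot: On the changed `TSK_PATH_ID` line, `result.get("full_path").toString()` is dereferenced without a null check, so a row with no `full_path` value would throw before any attribute is stored; whether that can occur depends on the query that fills `tempList`, which is outside the hunk. The neighbouring guards of the form `result.get("url").toString() != null` do not protect against this, because `toString()` never returns null; the test has to be on `result.get("url")` itself. The same ineffective guard appears on `result.get("source")` next to `Util.findID(image, urldecodedtarget)` in Firefox.java (`@@ -324,7 +324,7 @@`).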
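Review bot: `fileManager.findFiles(image, "signons.sqlite", "Chrome")` (hunk `@@ -348,7 +348,7 @@`) searches for a file name that belongs to Firefox's password store; Chrome keeps saved logins in a SQLite file named `Login Data`, so this lookup probably returns nothing on a real Chrome profile. If that is confirmed, the call should read `fileManager.findFiles(image, "Login Data", "Chrome")`, and the query that parses the file, which is outside this hunk, has to match that schema. An empty result here is silent, so the missing artifact would not be noticed from the output alone.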
@@ -133,7 +133,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); List favoritesFiles = null; try { - favoritesFiles = fileManager.findFiles("%.url", "Favorites"); + favoritesFiles = fileManager.findFiles(image, "%.url", "Favorites"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); } @@ -189,7 +189,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); List cookiesFiles = null; try { - cookiesFiles = fileManager.findFiles("%.txt", "Cookies"); + cookiesFiles = fileManager.findFiles(image, "%.txt", "Cookies"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); } @@ -244,7 +244,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); List recentFiles = null; try { - recentFiles = fileManager.findFiles("%.lnk", "Recent"); + recentFiles = fileManager.findFiles(image, "%.lnk", "Recent"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); } 
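Review bot: The catch block after `fileManager.findFiles(image, "%.url", "Favorites")` logs "Error fetching 'index.data' files for Internet Explorer history." and drops `ex`, so a failed Favorites lookup is reported as an index.dat problem with no cause attached. The identical message follows the Cookies (`@@ -189,7 +189,7 @@`), Recent (`@@ -244,7 +244,7 @@`) and index.dat (`@@ -327,7 +327,7 @@`) lookups. Each should name its own artifact and pass the exception, for example `logger.log(Level.WARNING, "Error fetching Internet Explorer favorites ('.url') files.", ex);`. As in the Chrome extractor, the list remains `null` after the catch and the consuming code is outside the hunk.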
@@ -261,7 +261,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path))); - long id = Util.findID(path); + long id = Util.findID(image, path); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", id)); //TODO Revisit usage of deprecated constructor as per TSK-583 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime)); @@ -327,7 +327,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); List indexFiles = null; try { - indexFiles = fileManager.findFiles("index.dat"); + indexFiles = fileManager.findFiles(image, "index.dat"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 67e6db6c80..3432d17ea8 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java 
@@ -111,7 +111,7 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); List allRegistryFiles = new ArrayList(); try { - allRegistryFiles.addAll(fileManager.findFiles("ntuser.dat")); + allRegistryFiles.addAll(fileManager.findFiles(image, "ntuser.dat")); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); } @@ -121,26 +121,14 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"}; for (String regFileName : regFileNames) { try { - allRegistryFiles.addAll(fileManager.findFiles(regFileName, "%/system32/config%")); + allRegistryFiles.addAll(fileManager.findFiles(image, regFileName, "%/system32/config%")); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching registry file: " + regFileName); } } - // filter out those registry files that are not from this image - List regFiles = new ArrayList(); - for (FsContent regFile : allRegistryFiles) { - try { - if (regFile.getImage().equals(image)) { - regFiles.add(regFile); - } - } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Error when trying to get image from FsContent object."); - } - } - int j = 0; - for (FsContent regFile : regFiles) { + for (FsContent regFile : allRegistryFiles) { String regFileName = regFile.getName(); String temps = currentCase.getTempDirectory() + "\\" + regFileName; try { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 41699f56f4..e09927499b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
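Review bot: With the `regFile.getImage().equals(image)` loop deleted in hunk `@@ -121,26 +121,14 @@`, keeping other images' registry hives out of this run depends entirely on `SleuthkitCase.findFiles(Image, ...)`, whose implementation is not part of this diff. A one-line comment at the loop, e.g. `// findFiles(image, ...) already limits results to this image`, would record why no filter is needed, and a test with two images in one case would confirm it. In the loop that follows, `temps` is built from `regFileName` alone, so several `ntuser.dat` hives from one image map to the same temp path unless the code past the end of the hunk (possibly via `j`) disambiguates them. The loop body continues outside the hunk.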
@@ -98,7 +98,7 @@ public class Firefox extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List historyFiles = null; try { - historyFiles = fileManager.findFiles("%places.sqlite%", "Firefox"); + historyFiles = fileManager.findFiles(image, "%places.sqlite%", "Firefox"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching internet history files for Firefox."); } @@ -154,7 +154,7 @@ public class Firefox extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List bookmarkFiles = null; try { - bookmarkFiles = fileManager.findFiles("%places.sqlite%", "Firefox"); + bookmarkFiles = fileManager.findFiles(image, "%places.sqlite%", "Firefox"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching bookmark files for Firefox."); } @@ -209,7 +209,7 @@ public class Firefox extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List cookiesFiles = null; try { - cookiesFiles = fileManager.findFiles("%cookies.sqlite%", "Firefox"); + cookiesFiles = fileManager.findFiles(image, "%cookies.sqlite%", "Firefox"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching cookies files for Firefox."); } @@ -287,7 +287,7 @@ public class Firefox extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List downloadsFiles = null; try { - downloadsFiles = fileManager.findFiles("%cookies.sqlite%", "Firefox"); + downloadsFiles = fileManager.findFiles(image, "%cookies.sqlite%", "Firefox"); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'downloads' files for Firefox."); } 
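Review bot: The downloads lookup in hunk `@@ -287,7 +287,7 @@` calls `findFiles(image, "%cookies.sqlite%", "Firefox")`, the same pattern as the cookies lookup in `@@ -209,7 +209,7 @@`, which looks like a copy-paste slip carried over by this change. Firefox releases of that period kept download history in `downloads.sqlite`, so the call was probably meant to be `fileManager.findFiles(image, "downloads.sqlite", "Firefox")`; confirm against the query the method runs, which is outside the hunk. The catch blocks in all four Firefox hunks on this line also log without passing `ex`, so the cause of a failed lookup is lost.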
@@ -324,7 +324,7 @@ public class Firefox extends Extract implements IngestModuleImage { //TODO Revisit usage of deprecated constructor as per TSK-583 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString())))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("startTime").toString())))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(urldecodedtarget))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(image, urldecodedtarget))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", urldecodedtarget)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("source").toString() != null) ? result.get("source").toString() : "")))); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java index f5ceb9b059..f14ac6bb72 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java 
@@ -31,22 +31,19 @@ import java.nio.MappedByteBuffer; import java.nio.channels.FileChannel; import java.nio.charset.Charset; import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; import java.text.SimpleDateFormat; import java.util.Date; import java.util.List; import java.util.StringTokenizer; import java.util.logging.Level; import org.sleuthkit.autopsy.coreutils.Logger; -//import org.apache.commons.lang.NullArgumentException; import java.util.regex.Matcher; import java.util.regex.Pattern; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.datamodel.FsContent; -import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.autopsy.report.SQLiteDBConnect; +import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.TskCoreException; /** @@ -190,7 +187,7 @@ public class Util { return path; } - public static long findID(String path) { + public static long findID(Image image, String path) { String parent_path = path.replace('\\', '/'); // fix Chrome paths if (parent_path.length() > 2 && parent_path.charAt(1) == ':') { parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:') @@ -203,7 +200,7 @@ public class Util { FileManager fileManager = Case.getCurrentCase().getServices().getFileManager(); List files = null; try { - files = fileManager.findFiles(name, parent_path); + files = fileManager.findFiles(image, name, parent_path); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); }
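Review bot: `findID(Image image, String path)` (hunk `@@ -190,7 +187,7 @@`) is a public static helper with no Javadoc, and the added parameter makes its contract harder to guess. The comment should say that `path` may be a Windows-style path (the body rewrites `\` to `/` and strips a drive letter), that the lookup is limited to `image`, and what value is returned when no file matches. That last point matters because the Chrome, ExtractIE and Firefox callers in this commit store the result directly as `TSK_PATH_ID`. The return statement is outside the hunk, so the sentinel has to be taken from the full method.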
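Review bot: The catch block after `fileManager.findFiles(image, name, parent_path)` (hunk `@@ -203,7 +200,7 @@`) logs "Error fetching 'index.data' files for Internet Explorer history." even though `findID` is called from the Chrome and Firefox extractors too, and it omits `ex`. A message tied to the actual lookup, such as `logger.log(Level.WARNING, "Error looking up file '" + name + "' under '" + parent_path + "'.", ex);`, would let a failed path-to-ID resolution be traced to the artifact that triggered it. `files` is still `null` after the exception and the rest of the method is outside the hunk, so confirm the following code does not dereference it.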