diff --git a/Core/src/org/sleuthkit/autopsy/directorytree/ExtractUnallocAction.java b/Core/src/org/sleuthkit/autopsy/directorytree/ExtractUnallocAction.java index 8513140675..02c7a4a1e0 100644 --- a/Core/src/org/sleuthkit/autopsy/directorytree/ExtractUnallocAction.java +++ b/Core/src/org/sleuthkit/autopsy/directorytree/ExtractUnallocAction.java @@ -24,6 +24,7 @@ import java.awt.event.ActionEvent; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; +import java.io.OutputStream; import java.util.ArrayList; import java.util.Collections; import java.util.Comparator; @@ -44,9 +45,9 @@ import org.sleuthkit.datamodel.ContentVisitor; import org.sleuthkit.datamodel.Directory; import org.sleuthkit.datamodel.FileSystem; import org.sleuthkit.datamodel.Image; -import org.sleuthkit.datamodel.VirtualDirectory; import org.sleuthkit.datamodel.LayoutFile; import org.sleuthkit.datamodel.TskCoreException; +import org.sleuthkit.datamodel.VirtualDirectory; import org.sleuthkit.datamodel.Volume; import org.sleuthkit.datamodel.VolumeSystem; 
@@ -168,22 +169,23 @@ public final class ExtractUnallocAction extends AbstractAction { private List lus = new ArrayList(); private File currentlyProcessing; private int totalSizeinMegs; + long totalBytes = 0; - ExtractUnallocWorker(UnallocStruct us) { - this.lus.add(us); + ExtractUnallocWorker(UnallocStruct us) { //Getting the total megs this worker is going to be doing if (!lockedVols.contains(us.getFileName())) { - totalSizeinMegs = toMb(us.sizeInBytes()); + this.lus.add(us); + totalBytes = us.getSizeInBytes(); + totalSizeinMegs = toMb(totalBytes); lockedVols.add(us.getFileName()); } } ExtractUnallocWorker(List lst) { - //Getting the total megs this worker is going to be doing - long totalBytes = 0; + //Getting the total megs this worker is going to be doing for (UnallocStruct lu : lst) { if (!lockedVols.contains(lu.getFileName())) { - totalBytes += lu.sizeInBytes(); + totalBytes += lu.getSizeInBytes(); lockedVols.add(lu.getFileName()); this.lus.add(lu); } @@ -196,7 +198,7 @@ public final class ExtractUnallocAction extends AbstractAction { if (bytes > 1024 && (bytes / 1024.0) <= Double.MAX_VALUE) { double Mb = ((bytes / 1024.0) / 1024.0);//Bytes -> Megabytes if (Mb <= Integer.MAX_VALUE) { - return (int) Math.floor(Mb); + return (int) Math.ceil(Mb); } } return 0; 
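Review bot: The new field `long totalBytes = 0;` is declared without an access modifier, unlike the `private` fields next to it, so it is package-visible for no visible reason. I would declare it `private long totalBytes = 0;`. The `//Getting the total megs this worker is going to be doing` comment in the single-struct constructor now trails the signature line; moving it above the `if` would keep it next to the code it describes.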
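Review bot: Rounding up with `Math.ceil` is undone for small inputs by the unchanged guard `bytes > 1024`, because anything of 1024 bytes or less still returns 0 while 1025 bytes returns 1. If the intent is that the progress total never under-counts, the guard should admit every positive size, e.g. `if (bytes > 0 && (bytes / 1024.0) <= Double.MAX_VALUE) {`. The start of toMb is outside the hunk, so any earlier handling of small sizes is not visible here.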
@@ -222,27 +224,32 @@ public final class ExtractUnallocAction extends AbstractAction { //Begin the actual File IO progress.start(totalSizeinMegs); - int kbs = 0; //Each completion of the while loop adds one to kbs. 8kb * 128 = 1mb. + int kbs = 0; //Each completion of the while loop adds one to kbs. 16kb * 64 = 1mb. int mbs = 0; //Increments every 128th tick of kbs for (UnallocStruct u : this.lus) { currentlyProcessing = u.getFile(); logger.log(Level.INFO, "Writing Unalloc file to " + currentlyProcessing.getPath()); - FileOutputStream fos = new FileOutputStream(currentlyProcessing); - int count = 1; - for (LayoutFile f : u.getLayouts()) { - long offset = 0L; - while (offset != f.getSize() && !canceled) { - offset += f.read(buf, offset, MAX_BYTES); //Offset + Bytes read - fos.write(buf); + OutputStream dos = new FileOutputStream(currentlyProcessing); + long bytes = 0; + int i = 0; + while(i < u.getLayouts().size() && bytes != u.getSizeInBytes()){ + LayoutFile f = u.getLayouts().get(i); + long offsetPerFile = 0L; + int bytesRead; + while(offsetPerFile != f.getSize() && !canceled){ if (++kbs % 128 == 0) { - mbs++; - progress.progress("processing " + mbs + " of " + totalSizeinMegs + " MBs", mbs); + mbs++; + progress.progress("processing " + mbs + " of " + totalSizeinMegs + " MBs", mbs-1); } + bytesRead = f.read(buf, offsetPerFile, MAX_BYTES); + offsetPerFile+= bytesRead; + dos.write(buf, 0, bytesRead); } - count++; + bytes+=f.getSize(); + i++; } - fos.flush(); - fos.close(); + dos.flush(); + dos.close(); if (canceled) { u.getFile().delete(); @@ -420,9 +427,9 @@ public final class ExtractUnallocAction extends AbstractAction { return 0; } if (o1.getId() > o2.getId()) { - return -1; - } else { return 1; + } else { + return -1; } } } @@ -434,6 +441,7 @@ public final class ExtractUnallocAction extends AbstractAction { private class UnallocStruct { private List llf; + private long SizeInBytes; private long VolumeId; private long ImageId; private String ImageName; 
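Review bot: The result of `f.read(buf, offsetPerFile, MAX_BYTES)` in the inner loop is used unchecked. If it is ever zero the loop stops advancing, and if it is negative `offsetPerFile` moves backwards and `dos.write(buf, 0, bytesRead)` throws. Because `dos.close()` is only reached on the normal path, any exception from the read or write leaks the stream and leaves a partial export file in the case directory. I would guard the read result and move the close into a `finally`, as sketched below; how the failure is reported depends on the enclosing try, which is outside this hunk. Separately, the updated comment says 16kb * 64 = 1mb but the loop still tests `++kbs % 128`, so one of the two is presumably stale (MAX_BYTES is not visible here).

```java
OutputStream dos = new FileOutputStream(currentlyProcessing);
try {
    // … unchanged: bytes / i setup and outer loop over u.getLayouts() …
        while (offsetPerFile != f.getSize() && !canceled) {
            // … unchanged: kbs / mbs progress update …
            bytesRead = f.read(buf, offsetPerFile, MAX_BYTES);
            if (bytesRead <= 0) {
                // refuse to continue with an incomplete copy of the layout file
                throw new IOException("Short read at offset " + offsetPerFile
                        + " while writing " + currentlyProcessing.getPath());
            }
            offsetPerFile += bytesRead;
            dos.write(buf, 0, bytesRead);
        }
    // … unchanged: bytes += f.getSize(); i++; …
    dos.flush();
} finally {
    dos.close();
}
```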
@@ -453,6 +461,7 @@ public final class ExtractUnallocAction extends AbstractAction { this.ImageName = img.getName(); this.FileName = this.ImageName + "-Unalloc-" + this.ImageId + "-" + 0 + ".dat"; this.FileInstance = new File(Case.getCurrentCase().getCaseDirectory() + File.separator + "Export" + File.separator + this.FileName); + this.SizeInBytes = calcSizeInBytes(); } /** @@ -474,6 +483,7 @@ public final class ExtractUnallocAction extends AbstractAction { this.FileInstance = new File(Case.getCurrentCase().getCaseDirectory() + File.separator + "Export" + File.separator + this.FileName); this.llf = getUnallocFiles(volu); Collections.sort(llf, new SortObjId()); + this.SizeInBytes = calcSizeInBytes(); } //Getters @@ -481,13 +491,17 @@ public final class ExtractUnallocAction extends AbstractAction { return llf.size(); } - long sizeInBytes() { + private long calcSizeInBytes() { long size = 0L; for (LayoutFile f : llf) { size += f.getSize(); } return size; } + + long getSizeInBytes(){ + return this.SizeInBytes; + } long getVolumeId() { return this.VolumeId; diff --git a/Core/src/org/sleuthkit/autopsy/ingest/IngestManager.java b/Core/src/org/sleuthkit/autopsy/ingest/IngestManager.java index df0aec6e8d..2ce44b0003 100644 --- a/Core/src/org/sleuthkit/autopsy/ingest/IngestManager.java +++ b/Core/src/org/sleuthkit/autopsy/ingest/IngestManager.java @@ -814,8 +814,7 @@ public class IngestManager { final AbstractFile fileToProcess = fileTask.file; - //logger.log(Level.INFO, "NEXT FILE: " + fileToProcess.getName()); - + logger.log(Level.INFO, "IngestManager: Processing: {0}", fileToProcess.getName()); progress.progress(fileToProcess.getName(), processedFiles); for (IngestModuleAbstractFile module : fileTask.scheduledTask.modules) { @@ -857,7 +856,7 @@ public class IngestManager { //--totalEnqueuedFiles; } //end of this AbstractFile - logger.log(Level.INFO, "Done background processing"); + logger.log(Level.INFO, "IngestManager: Finished processing files"); return null; } 
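Review bot: The new per-file call `logger.log(Level.INFO, "IngestManager: Processing: {0}", fileToProcess.getName())` writes a name taken from the evidence image into the application log, once for every file. Names on an examined file system are not trustworthy and may contain line breaks or other control characters, so a crafted name could split or imitate log lines unless the configured formatter neutralises them (not visible here). I would log this at `Level.FINE` and pass a sanitised value, e.g. `fileToProcess.getName().replaceAll("\\p{Cntrl}", "?")`. At INFO it will also dominate the log on images with very many files. The enclosing method starts and ends outside the hunk.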
diff --git a/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java b/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java
index 482fdd9762..d80ee7d480 100644
--- a/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java
+++ b/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java
@@ -663,21 +663,31 @@ class IngestScheduler { enum Priority { - LOW, MEDIUM, HIGH + LAST, LOW, MEDIUM, HIGH }; + static final List LAST_PRI_PATHS = new ArrayList(); static final List LOW_PRI_PATHS = new ArrayList(); static final List MEDIUM_PRI_PATHS = new ArrayList(); static final List HIGH_PRI_PATHS = new ArrayList(); + /* prioritize root directory folders based on the assumption that we are + * looking for user content. Other types of investigations may want different + * priorities. */ static { + // these files have no structure, so they go last + LAST_PRI_PATHS.add(Pattern.compile("^\\$Unalloc", Pattern.CASE_INSENSITIVE)); + LAST_PRI_PATHS.add(Pattern.compile("^pagefile", Pattern.CASE_INSENSITIVE)); + LAST_PRI_PATHS.add(Pattern.compile("^hiberfil", Pattern.CASE_INSENSITIVE)); + + // orphan files are often corrupt and windows does not typically have + // user content, so put them towards the bottom + LOW_PRI_PATHS.add(Pattern.compile("^\\$OrphanFiles", Pattern.CASE_INSENSITIVE)); LOW_PRI_PATHS.add(Pattern.compile("^Windows", Pattern.CASE_INSENSITIVE)); + // all other files go into the medium category too MEDIUM_PRI_PATHS.add(Pattern.compile("^Program Files", Pattern.CASE_INSENSITIVE)); - MEDIUM_PRI_PATHS.add(Pattern.compile("^\\$OrphanFiles", Pattern.CASE_INSENSITIVE)); - MEDIUM_PRI_PATHS.add(Pattern.compile("^\\$Unalloc", Pattern.CASE_INSENSITIVE)); - MEDIUM_PRI_PATHS.add(Pattern.compile("^pagefile", Pattern.CASE_INSENSITIVE)); - MEDIUM_PRI_PATHS.add(Pattern.compile("^hiberfil", Pattern.CASE_INSENSITIVE)); + // user content is top priority HIGH_PRI_PATHS.add(Pattern.compile("^Users", Pattern.CASE_INSENSITIVE)); HIGH_PRI_PATHS.add(Pattern.compile("^Documents and Settings", Pattern.CASE_INSENSITIVE)); HIGH_PRI_PATHS.add(Pattern.compile("^home", Pattern.CASE_INSENSITIVE)); 
@@ -685,10 +695,10 @@ class IngestScheduler { } static AbstractFilePriotity.Priority getPriority(final AbstractFile abstractFile) { - if (!abstractFile.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.FS)) { + //if (!abstractFile.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.FS)) { //non-fs files, such as representing unalloc space - return AbstractFilePriotity.Priority.MEDIUM; - } + //return AbstractFilePriotity.Priority.MEDIUM; + //} final String path = abstractFile.getName(); if (path == null) { @@ -715,6 +725,13 @@ class IngestScheduler { return AbstractFilePriotity.Priority.LOW; } } + + for (Pattern p : LAST_PRI_PATHS) { + Matcher m = p.matcher(path); + if (m.find()) { + return AbstractFilePriotity.Priority.LAST; + } + } //default is medium return AbstractFilePriotity.Priority.MEDIUM; diff --git a/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java b/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java index acc8b0053c..f1b2ed79eb 100644 --- a/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java +++ b/Core/src/org/sleuthkit/autopsy/report/ReportHTML.java @@ -755,7 +755,7 @@ public class ReportHTML implements ReportModule { out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(folder + "downloads.html"), "UTF-8")); out.write(generateHead("Web Download Artifacts (" + countDownloads + ")")); String title = "
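Review bot: The type check at the top of `getPriority` is disabled by commenting it out rather than removed, which leaves dead code and an orphaned `//non-fs files, such as representing unalloc space` comment with no statement under it. The effect is that non-FS entries now fall through to the name patterns, so `$Unalloc` can reach `LAST` in the later hunk, and that intent deserves to be stated. I would delete the four commented lines and replace them with one comment such as `// non-FS files (e.g. unallocated space) are prioritised by name like any other file`. getPriority's body continues outside the hunk.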
Web Downloads (" + countDownloads + ")
\n
\n"; - String tableHeader = getTableHead("URL", "Source URL", "Date Accessed", "Program", "Source File"); + String tableHeader = getTableHead("Destination", "Source URL", "Date Accessed", "Program", "Source File"); out.write(title); out.write(tableHeader); diff --git a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/IndexStatus.java b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/IndexStatus.java index b29fd237e9..cf02a9f326 100644 --- a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/IndexStatus.java +++ b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/IndexStatus.java @@ -28,7 +28,7 @@ enum IndexStatus { /** * The index and database both exist, and the index is older. */ - INDEX_OUTDATED("Index is older than database"), + INDEX_OUTDATED("WARNING: Index is older than database"), /** * The index and database both exist, and the index is not older. */ @@ -40,11 +40,11 @@ enum IndexStatus { /** * The database exists but the index does not. */ - NO_INDEX("Index does not exist"), + NO_INDEX("ERROR: Index does not exist"), /** * Neither the index nor the database exists. */ - NONE("No index or database"), + NONE("ERROR: No index or database"), /** * The index is currently being generated */ diff --git a/README.txt b/README.txt index 29167c3773..f9fe72f1a5 100644 --- a/README.txt +++ b/README.txt @@ -47,7 +47,7 @@ JRE (Java Runtime Environment) 1.6, 32 bit - Web page: http://www.oracle.com/technetwork/java/index.html - License: http://www.oracle.com/technetwork/java/javase/terms/license/index.html -Netbeans 7.0.1 RCP platform and .jar files bundled with the platform +Netbeans 7.2.1 RCP platform and .jar files bundled with the platform - Web page: http://netbeans.org/features/platform/ - License: http://services.netbeans.org/downloads/licence/nb-7.0-final-2011-04-20-license.txt 
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 153d2989b0..3151cc22db 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -179,7 +179,7 @@ public class Chrome extends Extract implements IngestModuleImage { break; } try { - final JsonParser parser = new JsonParser(); + final JsonParser parser = new JsonParser(); JsonElement jsonElement = parser.parse(new FileReader(temps)); JsonObject jElement = jsonElement.getAsJsonObject(); JsonObject jRoot = jElement.get("roots").getAsJsonObject(); @@ -188,9 +188,33 @@ public class Chrome extends Extract implements IngestModuleImage { for (JsonElement result : jBookmarkArray) { try { JsonObject address = result.getAsJsonObject(); - String url = address.get("url").getAsString(); - String name = address.get("name").getAsString(); - Long date = address.get("date_added").getAsLong(); + if (address == null) { + continue; + } + JsonElement urlEl = address.get("url"); + String url = null; + if (urlEl != null) { + url = urlEl.getAsString(); + } + else { + url = ""; + } + String name = null; + JsonElement nameEl = address.get("name"); + if (nameEl != null) { + name = nameEl.getAsString(); + } + else { + name = ""; + } + Long date = null; + JsonElement dateEl = address.get("date_added"); + if (dateEl != null) { + date = dateEl.getAsLong(); + } + else { + date = Long.valueOf(0); + } String domain = Util.extractDomain(url); BlackboardArtifact bbart = bookmarkFiles.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection bbattributes = new ArrayList(); diff --git a/build.xml b/build.xml index 55c5a6511d..d4cefd11c4 100644 --- a/build.xml +++ b/build.xml @@ -7,7 +7,7 @@ - +
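Review bot: The new null checks in the bookmark loop miss the cases a damaged or hand-edited Bookmarks file actually produces. `result.getAsJsonObject()` throws rather than returning null, so `if (address == null)` is dead, and `address.get("url")` returns a `JsonNull` (not null) for `"url": null`, on which `getAsString()` throws. Entries with no `url` member are now turned into bookmark artifacts with an empty URL and a zero date instead of being skipped, which puts placeholder values into the case data. I would skip such entries with `if (urlEl == null || urlEl.isJsonNull()) { continue; }` and apply the same `isJsonNull()` test to `name` and `date_added`. The surrounding try/catch ends outside the hunk, so what happens to the thrown exceptions is not visible here.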