Merge pull request #5140 from kellykelly3/1324-recycle-bin

1324 recycle bin changes
Richard Cordovano 2019-09-12 14:06:38 -04:00 committed by GitHub
commit f7b0eb607d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 25 additions and 17 deletions


@ -2,9 +2,14 @@ cannotBuildXmlParser=Unable to build XML parser:
cannotLoadSEUQA=Unable to load Search Engine URL Query Analyzer settings file, SEUQAMappings.xml:
cannotParseXml=Unable to parse XML file:
ChromeCacheExtractor.moduleName=ChromeCacheExtractor
# {0} - module name
# {1} - row number
# {2} - table length
# {3} - cache path
ChromeCacheExtractor.progressMsg={0}: Extracting cache entry {1} of {2} entries from {3}
DataSourceUsage_AndroidMedia=Android Media Card
DataSourceUsage_FlashDrive=Flash Drive
# {0} - OS name
DataSourceUsageAnalyzer.customVolume.label=OS Drive ({0})
DataSourceUsageAnalyzer.parentModuleName=Recent Activity
Extract.indexError.message=Failed to index artifact for keyword search.
@ -60,7 +65,7 @@ ExtractZone_progress_Msg=Extracting :Zone.Identifer files
ExtractZone_Restricted=Restricted Sites Zone
ExtractZone_Trusted=Trusted Sites Zone
OpenIDE-Module-Display-Category=Ingest Module
OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\nThe module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web activity (sites visited, stored cookies, book marked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy.
OpenIDE-Module-Long-Description=Recent Activity ingest module.\n\n\The module extracts useful information about the recent user activity on the disk image being ingested, such as:\n\n- Recently open documents,\n- Web activity (sites visited, stored cookies, book marked sites, search engine queries, file downloads),\n- Recently attached devices,\n- Installed programs.\n\nThe module currently supports Windows only disk images.\nThe plugin is also fully functional when deployed on Windows version of Autopsy.
OpenIDE-Module-Name=RecentActivity
OpenIDE-Module-Short-Description=Recent Activity finder ingest module
Chrome.moduleName=Chrome
@ -183,6 +188,7 @@ RecentDocumentsByLnk.parentModuleName.noSpace=RecentActivity
RecentDocumentsByLnk.parentModuleName=Recent Activity
RegRipperFullNotFound=Full version RegRipper executable not found.
RegRipperNotFound=Autopsy RegRipper executable not found.
# {0} - file name
SearchEngineURLQueryAnalyzer.init.exception.msg=Unable to find {0}.
SearchEngineURLQueryAnalyzer.moduleName.text=Search Engine
SearchEngineURLQueryAnalyzer.engineName.none=NONE


@ -158,7 +158,7 @@ final class ExtractRecycleBin extends Extract {
* @param tempRARecycleBinPath Temp directory path
*/
private void processIFile(IngestJobContext context, BlackboardArtifact.Type recycleBinArtifactType, AbstractFile iFile, Map<String, String> userNameMap, Map<String, List<AbstractFile>> rFileMap, String tempRARecycleBinPath) {
String tempFilePath = tempRARecycleBinPath + File.separator + Instant.now().toString() + iFile.getName();
String tempFilePath = tempRARecycleBinPath + File.separator + Instant.now().getMillis() + iFile.getName();
try {
try {
ContentUtils.writeToFile(iFile, new File(tempFilePath));
@ -205,8 +205,8 @@ final class ExtractRecycleBin extends Extract {
if (iFile.getParentPath().equals(rFile.getParentPath())
&& iFile.getMetaFlagsAsString().equals(rFile.getMetaFlagsAsString())) {
try {
postArtifact(createArtifact(rFile, recycleBinArtifactType, metaData.getFileName(), userName, metaData.getDeletedTimeStamp()));
postArtifact(createArtifact(rFile, recycleBinArtifactType, metaData.getFullWindowsPath(), userName, metaData.getDeletedTimeStamp()));
// If we are processing a disk image, we will also make a deleted file entry so that the user
// sees the deleted file in its original folder. We re-use the metadata address so that the user
// can see the content.
@ -214,12 +214,12 @@ final class ExtractRecycleBin extends Extract {
// if the user deleted a folder, then we need to recusively go into it. Note the contents of the $R folder
// do not have corresponding $I files anymore. Only the $R folder does.
if (rFile.isDir()) {
AbstractFile directory = getOrMakeFolder(Case.getCurrentCase().getSleuthkitCase(), (FsContent) rFile, metaData.getFileName());
popuplateDeletedDirectory(Case.getCurrentCase().getSleuthkitCase(), directory, rFile.getChildren(), metaData.getFileName(), metaData.getDeletedTimeStamp());
AbstractFile directory = getOrMakeFolder(Case.getCurrentCase().getSleuthkitCase(), (FsContent) rFile, metaData.getFullWindowsPath());
popuplateDeletedDirectory(Case.getCurrentCase().getSleuthkitCase(), directory, rFile.getChildren(), metaData.getFullWindowsPath(), metaData.getDeletedTimeStamp());
} else {
AbstractFile folder = getOrMakeFolder(Case.getCurrentCase().getSleuthkitCase(), (FsContent) rFile.getParent(), Paths.get(metaData.getFileName()).getParent().toString());
addFileSystemFile(skCase, (FsContent)rFile, folder, Paths.get(metaData.getFileName()).getFileName().toString(), metaData.getDeletedTimeStamp());
AbstractFile folder = getOrMakeFolder(Case.getCurrentCase().getSleuthkitCase(), (FsContent) rFile.getParent(), Paths.get(metaData.getFullWindowsPath()).getParent().toString());
addFileSystemFile(skCase, (FsContent)rFile, folder, Paths.get(metaData.getFullWindowsPath()).getFileName().toString(), metaData.getDeletedTimeStamp());
}
}
} catch (TskCoreException ex) {
@ -444,7 +444,6 @@ final class ExtractRecycleBin extends Extract {
bba.addAttribute(new BlackboardAttribute(TSK_PATH, getName(), fileName));
bba.addAttribute(new BlackboardAttribute(TSK_DATETIME_DELETED, getName(), dateTime));
bba.addAttribute(new BlackboardAttribute(TSK_USER_NAME, getName(), userName == null || userName.isEmpty() ? "" : userName));
return bba;
}
@ -498,16 +497,18 @@ final class ExtractRecycleBin extends Extract {
* @throws TskCoreException
*/
private void addFileSystemFile(SleuthkitCase skCase, FsContent recycleBinFile, Content parentDir, String fileName, long deletedTime) throws TskCoreException {
skCase.addFileSystemFile(recycleBinFile.getFileSystemId(),
skCase.addFileSystemFile(
recycleBinFile.getDataSourceObjectId(),
recycleBinFile.getAttrType(),
recycleBinFile.getAttributeId(),
recycleBinFile.getFileSystemId(),
fileName,
TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC,
recycleBinFile.getSize(),
0, 0, 0, deletedTime,
recycleBinFile.getMetaAddr(),
(int) recycleBinFile.getMetaSeq(),
recycleBinFile.getAttrType(),
recycleBinFile.getAttributeId(),
TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC,
(short) (TskData.TSK_FS_META_FLAG_ENUM.UNALLOC.getValue() | TskData.TSK_FS_META_FLAG_ENUM.USED.getValue()),
recycleBinFile.getSize(),
recycleBinFile.getCtime(), recycleBinFile.getCrtime(), recycleBinFile.getAtime(), deletedTime,
true, parentDir);
}
@ -607,11 +608,12 @@ final class ExtractRecycleBin extends Extract {
}
/**
* Returns the name of the deleted file.
* Returns the full path to the deleted file or folder. This path will
* include the drive letter, ie C:\
*
* @return String name of the deleted file
*/
String getFileName() {
String getFullWindowsPath() {
return fileName.trim();
}
}
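Review bot: In the non-directory branch of `processIFile`, `Paths.get(metaData.getFullWindowsPath()).getParent().toString()` and the matching `getFileName().toString()` apply the host's path rules to a path that appears to come from the $I record in the image under examination. `Paths.get` throws the unchecked `InvalidPathException` for characters the host rejects, and `getParent()` returns null when the host sees no parent (a bare name, a drive root, or any backslash path on a non-Windows host), so a malformed or crafted record would raise an exception that the visible `catch (TskCoreException ex)` does not handle; whether an outer handler exists is outside the hunk. Splitting the string on its last backslash keeps the parsing host-independent and lets a bad record be logged and skipped instead of aborting the run. Confirm how `getOrMakeFolder` expects a drive root to be written, since the sketch below yields `C:` for a file deleted from the root of a drive.

```java
// … unchanged: postArtifact call and the rFile.isDir() branch …
} else {
    // Parse the recorded Windows path as text so the result does not depend on the host OS
    // and a malformed $I record cannot raise an unchecked path exception.
    String fullPath = metaData.getFullWindowsPath();
    int lastSeparator = fullPath.lastIndexOf('\\');
    if (lastSeparator > 0 && lastSeparator < fullPath.length() - 1) {
        String parentPath = fullPath.substring(0, lastSeparator);
        String deletedName = fullPath.substring(lastSeparator + 1);
        AbstractFile folder = getOrMakeFolder(Case.getCurrentCase().getSleuthkitCase(), (FsContent) rFile.getParent(), parentPath);
        addFileSystemFile(skCase, (FsContent) rFile, folder, deletedName, metaData.getDeletedTimeStamp());
    }
    // else: the record holds no usable parent/name pair; log it and skip the derived file entry
}
```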