From 69257c9a746546c0ec69b5f8061b812667fd2b18 Mon Sep 17 00:00:00 2001 From: Raman Date: Tue, 10 Sep 2019 09:36:58 -0400 Subject: [PATCH 1/7] File transfer apps --- InternalPythonModules/android/general.py | 14 ++++++++++++++ InternalPythonModules/android/module.py | 4 +++- 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/InternalPythonModules/android/general.py b/InternalPythonModules/android/general.py index 28c96be9b9..73efa086e0 100644 --- a/InternalPythonModules/android/general.py +++ b/InternalPythonModules/android/general.py @@ -26,3 +26,17 @@ class AndroidComponentAnalyzer: # The Analyzer should implement this method def analyze(self, dataSource, fileManager, context): raise NotImplementedError + + +""" +A utility method to append list of attachments to msg body +""" +def appendAttachmentList(msgBody, attachmentsList): + body = msgBody + if attachmentsList: + body = body + '\n\n' + "Attachments:" + 'n' + "------------" + 'n' + body = body + '\n'.join(attachmentsList) + + return body + + diff --git a/InternalPythonModules/android/module.py b/InternalPythonModules/android/module.py index 6430ec82be..56e702068c 100644 --- a/InternalPythonModules/android/module.py +++ b/InternalPythonModules/android/module.py @@ -47,6 +47,7 @@ import tangomessage import textmessage import wwfmessage import imo +import xender class AndroidModuleFactory(IngestModuleFactoryAdapter): @@ -91,7 +92,8 @@ class AndroidIngestModule(DataSourceIngestModule): analyzers = [contact.ContactAnalyzer(), calllog.CallLogAnalyzer(), textmessage.TextMessageAnalyzer(), tangomessage.TangoMessageAnalyzer(), wwfmessage.WWFMessageAnalyzer(), googlemaplocation.GoogleMapLocationAnalyzer(), browserlocation.BrowserLocationAnalyzer(), - cachelocation.CacheLocationAnalyzer(), imo.IMOAnalyzer()] + cachelocation.CacheLocationAnalyzer(), imo.IMOAnalyzer(), + xender.XenderAnalyzer()] self.log(Level.INFO, "running " + str(len(analyzers)) + " analyzers") progressBar.switchToDeterminate(len(analyzers)) 
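Review bot: The separators in the added appendAttachmentList are the literal strings `'n'` rather than `'\n'`, so the header renders as `Attachments:n------------n` glued to the first path; `body = body + '\n\n' + "Attachments:" + '\n' + "------------" + '\n'` is what was evidently intended. PATCH 2/7 reverts this commit and PATCH 3/7 re-adds the helper with one corrected separator string, so nothing further is needed on this hunk. The module.py hunks in the same commit import and register `xender.XenderAnalyzer()` while the diffstat shows no xender.py being added, which is presumably why the commit was reverted.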
From 32ddf8dfe789493988b5035e82d669e8ba567a17 Mon Sep 17 00:00:00 2001 From: Raman Date: Tue, 10 Sep 2019 10:44:42 -0400 Subject: [PATCH 2/7] Revert "File transfer apps" This reverts commit 69257c9a746546c0ec69b5f8061b812667fd2b18. --- InternalPythonModules/android/general.py | 14 -------------- InternalPythonModules/android/module.py | 4 +--- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/InternalPythonModules/android/general.py b/InternalPythonModules/android/general.py index 73efa086e0..28c96be9b9 100644 --- a/InternalPythonModules/android/general.py +++ b/InternalPythonModules/android/general.py @@ -26,17 +26,3 @@ class AndroidComponentAnalyzer: # The Analyzer should implement this method def analyze(self, dataSource, fileManager, context): raise NotImplementedError - - -""" -A utility method to append list of attachments to msg body -""" -def appendAttachmentList(msgBody, attachmentsList): - body = msgBody - if attachmentsList: - body = body + '\n\n' + "Attachments:" + 'n' + "------------" + 'n' - body = body + '\n'.join(attachmentsList) - - return body - - diff --git a/InternalPythonModules/android/module.py b/InternalPythonModules/android/module.py index 56e702068c..6430ec82be 100644 --- a/InternalPythonModules/android/module.py +++ b/InternalPythonModules/android/module.py @@ -47,7 +47,6 @@ import tangomessage import textmessage import wwfmessage import imo -import xender class AndroidModuleFactory(IngestModuleFactoryAdapter): 
@@ -92,8 +91,7 @@ class AndroidIngestModule(DataSourceIngestModule): analyzers = [contact.ContactAnalyzer(), calllog.CallLogAnalyzer(), textmessage.TextMessageAnalyzer(), tangomessage.TangoMessageAnalyzer(), wwfmessage.WWFMessageAnalyzer(), googlemaplocation.GoogleMapLocationAnalyzer(), browserlocation.BrowserLocationAnalyzer(), - cachelocation.CacheLocationAnalyzer(), imo.IMOAnalyzer(), - xender.XenderAnalyzer()] + cachelocation.CacheLocationAnalyzer(), imo.IMOAnalyzer()] self.log(Level.INFO, "running " + str(len(analyzers)) + " analyzers") progressBar.switchToDeterminate(len(analyzers)) From bf383af0664ec94c3463c3dbee0a38bbf8189a43 Mon Sep 17 00:00:00 2001 From: Raman Date: Thu, 12 Sep 2019 07:45:19 -0400 Subject: [PATCH 3/7] 5446: Xender 5447: Zapya 5448: ShareIt --- InternalPythonModules/android/general.py | 15 +++ InternalPythonModules/android/module.py | 6 +- InternalPythonModules/android/shareit.py | 109 +++++++++++++++++++++ InternalPythonModules/android/xender.py | 117 +++++++++++++++++++++++ InternalPythonModules/android/zapya.py | 110 +++++++++++++++++++++ 5 files changed, 356 insertions(+), 1 deletion(-) create mode 100644 InternalPythonModules/android/shareit.py create mode 100644 InternalPythonModules/android/xender.py create mode 100644 InternalPythonModules/android/zapya.py diff --git a/InternalPythonModules/android/general.py b/InternalPythonModules/android/general.py index 28c96be9b9..1d0832362b 100644 --- a/InternalPythonModules/android/general.py +++ b/InternalPythonModules/android/general.py 
@@ -26,3 +26,18 @@ class AndroidComponentAnalyzer: # The Analyzer should implement this method def analyze(self, dataSource, fileManager, context): raise NotImplementedError + + + +""" +A utility method to append list of attachments to msg body +""" +def appendAttachmentList(msgBody, attachmentsList): + body = msgBody + if attachmentsList: + body = body + "\n\n------------Attachments------------\n" + body = body + "\n".join(attachmentsList) + + return body + + diff --git a/InternalPythonModules/android/module.py b/InternalPythonModules/android/module.py index 6430ec82be..996059adbc 100644 --- a/InternalPythonModules/android/module.py +++ b/InternalPythonModules/android/module.py @@ -47,6 +47,9 @@ import tangomessage import textmessage import wwfmessage import imo +import xender +import zapya +import shareit class AndroidModuleFactory(IngestModuleFactoryAdapter): @@ -91,7 +94,8 @@ class AndroidIngestModule(DataSourceIngestModule): analyzers = [contact.ContactAnalyzer(), calllog.CallLogAnalyzer(), textmessage.TextMessageAnalyzer(), tangomessage.TangoMessageAnalyzer(), wwfmessage.WWFMessageAnalyzer(), googlemaplocation.GoogleMapLocationAnalyzer(), browserlocation.BrowserLocationAnalyzer(), - cachelocation.CacheLocationAnalyzer(), imo.IMOAnalyzer()] + cachelocation.CacheLocationAnalyzer(), imo.IMOAnalyzer(), + xender.XenderAnalyzer(), zapya.ZapyaAnalyzer(), shareit.ShareItAnalyzer()] self.log(Level.INFO, "running " + str(len(analyzers)) + " analyzers") progressBar.switchToDeterminate(len(analyzers)) diff --git a/InternalPythonModules/android/shareit.py b/InternalPythonModules/android/shareit.py new file mode 100644 index 0000000000..9d661fb9c0 --- /dev/null +++ b/InternalPythonModules/android/shareit.py 
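Review bot: `"\n".join(attachmentsList)` in the re-added appendAttachmentList raises TypeError when an element is None, and every caller in this patch builds the list from a single `getString(...)` column (`import_path`, `f_path`, `path`), which yields None for a NULL cell; the callers' handlers only catch the Java SQLException/TskCoreException, so one NULL row would abort the rest of that database. Drop empty entries before testing and joining, e.g. `present = [a for a in attachmentsList if a]` and then `if present:` / `"\n".join(present)`, so the header is not emitted for an all-empty list either. The triple-quoted string above `def appendAttachmentList` is a bare expression statement rather than a docstring; moving it inside the function body makes it visible to `help()` and tooling.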
@@ -0,0 +1,109 @@ +""" +Autopsy Forensic Browser + +Copyright 2019 Basis Technology Corp. +Contact: carrier sleuthkit org + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +from java.io import File +from java.lang import Class +from java.lang import ClassNotFoundException +from java.lang import Long +from java.lang import String +from java.sql import ResultSet +from java.sql import SQLException +from java.sql import Statement +from java.util.logging import Level +from java.util import ArrayList +from org.apache.commons.codec.binary import Base64 +from org.sleuthkit.autopsy.casemodule import Case +from org.sleuthkit.autopsy.coreutils import Logger +from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil +from org.sleuthkit.autopsy.coreutils import AppSQLiteDB +from org.sleuthkit.autopsy.coreutils import AppDBParserHelper +from org.sleuthkit.autopsy.coreutils.AppDBParserHelper import CommunicationDirection +from org.sleuthkit.autopsy.datamodel import ContentUtils +from org.sleuthkit.autopsy.ingest import IngestJobContext +from org.sleuthkit.datamodel import AbstractFile +from org.sleuthkit.datamodel import BlackboardArtifact +from org.sleuthkit.datamodel import BlackboardAttribute +from org.sleuthkit.datamodel import Content +from org.sleuthkit.datamodel import TskCoreException +from org.sleuthkit.datamodel import Account + +import traceback +import general + +""" +Finds the SQLite DB for ShareIt, parses the DB for contacts & messages, +and adds artifacts to the case. 
+""" +class ShareItAnalyzer(general.AndroidComponentAnalyzer): + + moduleName = "ShareIT Analyzer" + progName = "ShareIt" + + def __init__(self): + self._logger = Logger.getLogger(self.__class__.__name__) + + def analyze(self, dataSource, fileManager, context): + historyDbs = AppSQLiteDB.findAppDatabases(dataSource, "history.db", True, "com.lenovo.anyshare.gps") + for historyDb in historyDbs: + try: + historyDbHelper = AppDBParserHelper(self.moduleName, historyDb.getDBFile(), + Account.Type.SHAREIT) + + queryString = "SELECT history_type, device_id, device_name, description, timestamp, import_path FROM history" + historyResultSet = historyDb.runQuery(queryString) + if historyResultSet is not None: + while historyResultSet.next(): + direction = "" + fromAddress = None + toAdddress = None + + if (historyResultSet.getInt("history_type") == 1): + direction = CommunicationDirection.OUTGOING + toAddress = Account.Address(historyResultSet.getString("device_id"), historyResultSet.getString("device_name") ) + else: + direction = CommunicationDirection.INCOMING + fromAddress = Account.Address(historyResultSet.getString("device_id"), historyResultSet.getString("device_name") ) + + msgBody = "" # there is no body. + attachments = [historyResultSet.getString("import_path")] + msgBody = general.appendAttachmentList(msgBody, attachments) + + timeStamp = historyResultSet.getLong("timestamp") / 1000 + messageArtifact = transferDbHelper.addMessage( + "ShareIt Message", + direction, + fromAddress, + toAddress, + timeStamp, + AppDBParserHelper.MessageReadStatusEnum.UNKNOWN, + None, # subject + msgBody, + "" ) + + # TBD: add the file as attachment ?? + + except SQLException as ex: + self._logger.log(Level.SEVERE, "Error processing query result for ShareIt history.", ex) + except TskCoreException as ex: + self._logger.log(Level.SEVERE, "Failed to create AppDBParserHelper for adding artifacts.", ex) + finally: + historyDb.close() + + + 
diff --git a/InternalPythonModules/android/xender.py b/InternalPythonModules/android/xender.py
new file mode 100644
index 0000000000..f3ea2ad2f3
--- /dev/null
+++ b/InternalPythonModules/android/xender.py
@@ -0,0 +1,117 @@ +""" +Autopsy Forensic Browser + +Copyright 2019 Basis Technology Corp. +Contact: carrier sleuthkit org + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +from java.io import File +from java.lang import Class +from java.lang import ClassNotFoundException +from java.lang import Long +from java.lang import String +from java.sql import ResultSet +from java.sql import SQLException +from java.sql import Statement +from java.util.logging import Level +from java.util import ArrayList +from org.apache.commons.codec.binary import Base64 +from org.sleuthkit.autopsy.casemodule import Case +from org.sleuthkit.autopsy.coreutils import Logger +from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil +from org.sleuthkit.autopsy.coreutils import AppSQLiteDB +from org.sleuthkit.autopsy.coreutils import AppDBParserHelper +from org.sleuthkit.autopsy.coreutils.AppDBParserHelper import CommunicationDirection +from org.sleuthkit.autopsy.datamodel import ContentUtils +from org.sleuthkit.autopsy.ingest import IngestJobContext +from org.sleuthkit.datamodel import AbstractFile +from org.sleuthkit.datamodel import BlackboardArtifact +from org.sleuthkit.datamodel import BlackboardAttribute +from org.sleuthkit.datamodel import Content +from org.sleuthkit.datamodel import TskCoreException +from org.sleuthkit.datamodel import Account + +import traceback +import general + +""" +Finds the SQLite DB for Xender, parses the DB for contacts & messages, +and adds artifacts to the case. 
+""" +class XenderAnalyzer(general.AndroidComponentAnalyzer): + + moduleName = "Xender Analyzer" + progName = "Xender" + + def __init__(self): + self._logger = Logger.getLogger(self.__class__.__name__) + + def analyze(self, dataSource, fileManager, context): + selfAccountAddress = None + transactionDbs = AppSQLiteDB.findAppDatabases(dataSource, "trans-history-db", True, "cn.xender") + for transactionDb in transactionDbs: + try: + # get the profile with connection_times 0, that's the self account. + profilesResultSet = transactionDb.runQuery("SELECT device_id, nick_name FROM profile WHERE connect_times = 0") + if profilesResultSet: + while profilesResultSet.next(): + if not selfAccountAddress: + selfAccountAddress = Account.Address(profilesResultSet.getString("device_id"), profilesResultSet.getString("nick_name")) + + transactionDbHelper = AppDBParserHelper(self.moduleName, transactionDb.getDBFile(), + Account.Type.XENDER, Account.Type.XENDER, selfAccountAddress ) + + queryString = "SELECT f_path, f_display_name, f_size_str, f_create_time, c_direction, c_session_id, s_name, s_device_id, r_name, r_device_id FROM new_history " + messagesResultSet = transactionDb.runQuery(queryString) + if messagesResultSet is not None: + while messagesResultSet.next(): + direction = CommunicationDirection.UNKNOWN + fromAddress = None + toAdddress = None + + if (messagesResultSet.getInt("c_direction") == 1): + direction = CommunicationDirection.OUTGOING + toAddress = Account.Address(messagesResultSet.getString("r_device_id"), messagesResultSet.getString("r_name")) + else: + direction = CommunicationDirection.INCOMING + fromAddress = Account.Address(messagesResultSet.getString("s_device_id"), messagesResultSet.getString("s_name")) + + msgBody = "" # there is no body. 
+ attachments = [messagesResultSet.getString("f_path")] + msgBody = general.appendAttachmentList(msgBody, attachments) + + timeStamp = messagesResultSet.getLong("f_create_time") / 1000 + messageArtifact = transactionDbHelper.addMessage( + "Xender Message", + direction, + fromAddress, + toAddress, + timeStamp, + AppDBParserHelper.MessageReadStatusEnum.UNKNOWN, + None, + msgBody, + messagesResultSet.getString("c_session_id") ) + + # TBD: add the file as attachment ?? + + except SQLException as ex: + self._logger.log(Level.SEVERE, "Error processing query result for profiles", ex) + except TskCoreException as ex: + self._logger.log(Level.SEVERE, "Failed to create AppDBParserHelper for adding artifacts.", ex) + finally: + transactionDb.close() + + + diff --git a/InternalPythonModules/android/zapya.py b/InternalPythonModules/android/zapya.py new file mode 100644 index 0000000000..9338e47440 --- /dev/null +++ b/InternalPythonModules/android/zapya.py 
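Review bot: `selfAccountAddress = None` is initialised before the `for transactionDb in transactionDbs` loop and only assigned under `if not selfAccountAddress`, so when more than one trans-history-db is found the self address derived from the first database is silently reused for every later one; reset it per database unless sharing it across databases is intended, in which case a comment should say so. `if profilesResultSet:` relies on Jython truthiness of a Java ResultSet while the second query uses `is not None`; use the explicit form for both. The SQLException handler logs "Error processing query result for profiles" even when the failure came from the `new_history` query, which misleads triage; name the failing table in the message or split the try.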
@@ -0,0 +1,110 @@ +""" +Autopsy Forensic Browser + +Copyright 2019 Basis Technology Corp. +Contact: carrier sleuthkit org + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +""" + +from java.io import File +from java.lang import Class +from java.lang import ClassNotFoundException +from java.lang import Long +from java.lang import String +from java.sql import ResultSet +from java.sql import SQLException +from java.sql import Statement +from java.util.logging import Level +from java.util import ArrayList +from org.apache.commons.codec.binary import Base64 +from org.sleuthkit.autopsy.casemodule import Case +from org.sleuthkit.autopsy.coreutils import Logger +from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil +from org.sleuthkit.autopsy.coreutils import AppSQLiteDB +from org.sleuthkit.autopsy.coreutils import AppDBParserHelper +from org.sleuthkit.autopsy.coreutils.AppDBParserHelper import CommunicationDirection +from org.sleuthkit.autopsy.datamodel import ContentUtils +from org.sleuthkit.autopsy.ingest import IngestJobContext +from org.sleuthkit.datamodel import AbstractFile +from org.sleuthkit.datamodel import BlackboardArtifact +from org.sleuthkit.datamodel import BlackboardAttribute +from org.sleuthkit.datamodel import Content +from org.sleuthkit.datamodel import TskCoreException +from org.sleuthkit.datamodel import Account + +import traceback +import general + +""" +Finds the SQLite DB for Zapya, parses the DB for contacts & messages, +and adds artifacts to the case. 
+""" +class ZapyaAnalyzer(general.AndroidComponentAnalyzer): + + moduleName = "Zapya Analyzer" + progName = "Zapya" + + def __init__(self): + self._logger = Logger.getLogger(self.__class__.__name__) + + def analyze(self, dataSource, fileManager, context): + transferDbs = AppSQLiteDB.findAppDatabases(dataSource, "transfer20.db", True, "com.dewmobile.kuaiya.play") + for transferDb in transferDbs: + try: + transferDbHelper = AppDBParserHelper(self.moduleName, transferDb.getDBFile(), + Account.Type.ZAPYA) + + queryString = "SELECT device, name, direction, createtime, path, title FROM transfer" + transfersResultSet = transferDb.runQuery(queryString) + if transfersResultSet is not None: + while transfersResultSet.next(): + direction = CommunicationDirection.UNKNOWN + fromAddress = None + toAdddress = None + + if (transfersResultSet.getInt("direction") == 1): + direction = CommunicationDirection.OUTGOING + toAddress = Account.Address(transfersResultSet.getString("device"), transfersResultSet.getString("name") ) + else: + direction = CommunicationDirection.INCOMING + fromAddress = Account.Address(transfersResultSet.getString("device"), transfersResultSet.getString("name") ) + + msgBody = "" # there is no body. + attachments = [transfersResultSet.getString("path")] + msgBody = general.appendAttachmentList(msgBody, attachments) + + timeStamp = transfersResultSet.getLong("createtime") / 1000 + messageArtifact = transferDbHelper.addMessage( + "Zapya Message", + direction, + fromAddress, + toAddress, + timeStamp, + AppDBParserHelper.MessageReadStatusEnum.UNKNOWN, + None, + msgBody, + "" ) + + # TBD: add the file as attachment ?? + + except SQLException as ex: + self._logger.log(Level.SEVERE, "Error processing query result for transfer", ex) + except TskCoreException as ex: + self._logger.log(Level.SEVERE, "Failed to create AppDBParserHelper for adding artifacts.", ex) + + finally: + transferDb.close() + + + From cd38f57e4fd1f9c87df6391c6f06b0ab3c7851da Mon Sep 17 00:00:00 2001 
From: Raman Date: Tue, 17 Sep 2019 12:47:29 -0400 Subject: [PATCH 4/7] 5446: Updated the Xender, Zapya & ShareIt parsers to match the latest helper definition and api. --- InternalPythonModules/android/shareit.py | 16 +++++++++------- InternalPythonModules/android/xender.py | 17 +++++++++-------- InternalPythonModules/android/zapya.py | 18 ++++++++++-------- 3 files changed, 28 insertions(+), 23 deletions(-) diff --git a/InternalPythonModules/android/shareit.py b/InternalPythonModules/android/shareit.py index 9d661fb9c0..ac359f51a3 100644 --- a/InternalPythonModules/android/shareit.py +++ b/InternalPythonModules/android/shareit.py @@ -32,8 +32,6 @@ from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.coreutils import Logger from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil from org.sleuthkit.autopsy.coreutils import AppSQLiteDB -from org.sleuthkit.autopsy.coreutils import AppDBParserHelper -from org.sleuthkit.autopsy.coreutils.AppDBParserHelper import CommunicationDirection from org.sleuthkit.autopsy.datamodel import ContentUtils from org.sleuthkit.autopsy.ingest import IngestJobContext from org.sleuthkit.datamodel import AbstractFile @@ -42,6 +40,9 @@ from org.sleuthkit.datamodel import BlackboardAttribute from org.sleuthkit.datamodel import Content from org.sleuthkit.datamodel import TskCoreException from org.sleuthkit.datamodel import Account +from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper +from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import MessageReadStatus +from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import CommunicationDirection import traceback import general 
@@ -62,8 +63,9 @@ class ShareItAnalyzer(general.AndroidComponentAnalyzer): historyDbs = AppSQLiteDB.findAppDatabases(dataSource, "history.db", True, "com.lenovo.anyshare.gps") for historyDb in historyDbs: try: - historyDbHelper = AppDBParserHelper(self.moduleName, historyDb.getDBFile(), - Account.Type.SHAREIT) + historyDbHelper = CommunicationArtifactsHelper(Case.getCurrentCase().getSleuthkitCase(), + self.moduleName, historyDb.getDBFile(), + Account.Type.SHAREIT) queryString = "SELECT history_type, device_id, device_name, description, timestamp, import_path FROM history" historyResultSet = historyDb.runQuery(queryString) @@ -91,7 +93,7 @@ class ShareItAnalyzer(general.AndroidComponentAnalyzer): fromAddress, toAddress, timeStamp, - AppDBParserHelper.MessageReadStatusEnum.UNKNOWN, + MessageReadStatus.UNKNOWN, None, # subject msgBody, "" ) @@ -99,9 +101,9 @@ class ShareItAnalyzer(general.AndroidComponentAnalyzer): # TBD: add the file as attachment ?? except SQLException as ex: - self._logger.log(Level.SEVERE, "Error processing query result for ShareIt history.", ex) + self._logger.log(Level.WARNING, "Error processing query result for ShareIt history.", ex) except TskCoreException as ex: - self._logger.log(Level.SEVERE, "Failed to create AppDBParserHelper for adding artifacts.", ex) + self._logger.log(Level.WARNING, "Failed to create CommunicationArtifactsHelper for adding artifacts.", ex) finally: historyDb.close() diff --git a/InternalPythonModules/android/xender.py b/InternalPythonModules/android/xender.py index f3ea2ad2f3..b59f18dce3 100644 --- a/InternalPythonModules/android/xender.py +++ b/InternalPythonModules/android/xender.py 
@@ -32,8 +32,6 @@ from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.coreutils import Logger from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil from org.sleuthkit.autopsy.coreutils import AppSQLiteDB -from org.sleuthkit.autopsy.coreutils import AppDBParserHelper -from org.sleuthkit.autopsy.coreutils.AppDBParserHelper import CommunicationDirection from org.sleuthkit.autopsy.datamodel import ContentUtils from org.sleuthkit.autopsy.ingest import IngestJobContext from org.sleuthkit.datamodel import AbstractFile @@ -42,7 +40,9 @@ from org.sleuthkit.datamodel import BlackboardAttribute from org.sleuthkit.datamodel import Content from org.sleuthkit.datamodel import TskCoreException from org.sleuthkit.datamodel import Account - +from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper +from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import MessageReadStatus +from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import CommunicationDirection import traceback import general @@ -70,8 +70,9 @@ class XenderAnalyzer(general.AndroidComponentAnalyzer): if not selfAccountAddress: selfAccountAddress = Account.Address(profilesResultSet.getString("device_id"), profilesResultSet.getString("nick_name")) - transactionDbHelper = AppDBParserHelper(self.moduleName, transactionDb.getDBFile(), - Account.Type.XENDER, Account.Type.XENDER, selfAccountAddress ) + transactionDbHelper = CommunicationArtifactsHelper(Case.getCurrentCase().getSleuthkitCase(), + self.moduleName, transactionDb.getDBFile(), + Account.Type.XENDER, Account.Type.XENDER, selfAccountAddress ) queryString = "SELECT f_path, f_display_name, f_size_str, f_create_time, c_direction, c_session_id, s_name, s_device_id, r_name, r_device_id FROM new_history " messagesResultSet = transactionDb.runQuery(queryString) 
@@ -99,7 +100,7 @@ class XenderAnalyzer(general.AndroidComponentAnalyzer): fromAddress, toAddress, timeStamp, - AppDBParserHelper.MessageReadStatusEnum.UNKNOWN, + MessageReadStatus.UNKNOWN, None, msgBody, messagesResultSet.getString("c_session_id") ) @@ -107,9 +108,9 @@ class XenderAnalyzer(general.AndroidComponentAnalyzer): # TBD: add the file as attachment ?? except SQLException as ex: - self._logger.log(Level.SEVERE, "Error processing query result for profiles", ex) + self._logger.log(Level.WARNING, "Error processing query result for profiles", ex) except TskCoreException as ex: - self._logger.log(Level.SEVERE, "Failed to create AppDBParserHelper for adding artifacts.", ex) + self._logger.log(Level.WARNING, "Failed to create CommunicationArtifactsHelper for adding artifacts.", ex) finally: transactionDb.close() diff --git a/InternalPythonModules/android/zapya.py b/InternalPythonModules/android/zapya.py index 9338e47440..fed51dd27d 100644 --- a/InternalPythonModules/android/zapya.py +++ b/InternalPythonModules/android/zapya.py @@ -32,8 +32,6 @@ from org.sleuthkit.autopsy.casemodule import Case from org.sleuthkit.autopsy.coreutils import Logger from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil from org.sleuthkit.autopsy.coreutils import AppSQLiteDB -from org.sleuthkit.autopsy.coreutils import AppDBParserHelper -from org.sleuthkit.autopsy.coreutils.AppDBParserHelper import CommunicationDirection from org.sleuthkit.autopsy.datamodel import ContentUtils from org.sleuthkit.autopsy.ingest import IngestJobContext from org.sleuthkit.datamodel import AbstractFile 
@@ -42,6 +40,9 @@ from org.sleuthkit.datamodel import BlackboardAttribute from org.sleuthkit.datamodel import Content from org.sleuthkit.datamodel import TskCoreException from org.sleuthkit.datamodel import Account +from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper +from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import MessageReadStatus +from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import CommunicationDirection import traceback import general @@ -62,8 +63,9 @@ class ZapyaAnalyzer(general.AndroidComponentAnalyzer): transferDbs = AppSQLiteDB.findAppDatabases(dataSource, "transfer20.db", True, "com.dewmobile.kuaiya.play") for transferDb in transferDbs: try: - transferDbHelper = AppDBParserHelper(self.moduleName, transferDb.getDBFile(), - Account.Type.ZAPYA) + transferDbHelper = CommunicationArtifactsHelper(Case.getCurrentCase().getSleuthkitCase(), + self.moduleName, transferDb.getDBFile(), + Account.Type.ZAPYA) queryString = "SELECT device, name, direction, createtime, path, title FROM transfer" transfersResultSet = transferDb.runQuery(queryString) @@ -71,7 +73,7 @@ class ZapyaAnalyzer(general.AndroidComponentAnalyzer): while transfersResultSet.next(): direction = CommunicationDirection.UNKNOWN fromAddress = None - toAdddress = None + toAddress = None if (transfersResultSet.getInt("direction") == 1): direction = CommunicationDirection.OUTGOING @@ -91,7 +93,7 @@ class ZapyaAnalyzer(general.AndroidComponentAnalyzer): fromAddress, toAddress, timeStamp, - AppDBParserHelper.MessageReadStatusEnum.UNKNOWN, + MessageReadStatus.UNKNOWN, None, msgBody, "" ) 
@@ -99,9 +101,9 @@ class ZapyaAnalyzer(general.AndroidComponentAnalyzer): # TBD: add the file as attachment ?? except SQLException as ex: - self._logger.log(Level.SEVERE, "Error processing query result for transfer", ex) + self._logger.log(Level.WARNING, "Error processing query result for transfer", ex) except TskCoreException as ex: - self._logger.log(Level.SEVERE, "Failed to create AppDBParserHelper for adding artifacts.", ex) + self._logger.log(Level.WARNING, "Failed to create CommunicationArtifactsHelper for adding artifacts.", ex) finally: transferDb.close() From f2b8b7775efb71cdc873bf89409851ac6c3be888 Mon Sep 17 00:00:00 2001 From: Raman Date: Thu, 19 Sep 2019 06:38:51 -0400 Subject: [PATCH 5/7] Syncing Xender/Zapya/ShareIt modlues to the latest artifacts helper api definition. --- InternalPythonModules/android/imo.py | 2 +- InternalPythonModules/android/shareit.py | 5 +++-- InternalPythonModules/android/xender.py | 5 +++-- InternalPythonModules/android/zapya.py | 5 +++-- 4 files changed, 10 insertions(+), 7 deletions(-) diff --git a/InternalPythonModules/android/imo.py b/InternalPythonModules/android/imo.py index 5a653ff9d5..aed3b4011c 100644 --- a/InternalPythonModules/android/imo.py +++ b/InternalPythonModules/android/imo.py @@ -138,7 +138,7 @@ class IMOAnalyzer(general.AndroidComponentAnalyzer): except SQLException as ex: self._logger.log(Level.WARNING, "Error processing query result for IMO friends", ex) except (TskCoreException, BlackboardException) as ex: - self._logger.log(Level.WARNING, "Failed to message artifacts.", ex) + self._logger.log(Level.WARNING, "Failed to create IMO message artifacts.", ex) finally: friendsDb.close() diff --git a/InternalPythonModules/android/shareit.py b/InternalPythonModules/android/shareit.py index ac359f51a3..8e3ebd3823 100644 --- a/InternalPythonModules/android/shareit.py +++ b/InternalPythonModules/android/shareit.py 
@@ -39,6 +39,7 @@ from org.sleuthkit.datamodel import BlackboardArtifact from org.sleuthkit.datamodel import BlackboardAttribute from org.sleuthkit.datamodel import Content from org.sleuthkit.datamodel import TskCoreException +from org.sleuthkit.datamodel.Blackboard import BlackboardException from org.sleuthkit.datamodel import Account from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import MessageReadStatus @@ -102,8 +103,8 @@ class ShareItAnalyzer(general.AndroidComponentAnalyzer): except SQLException as ex: self._logger.log(Level.WARNING, "Error processing query result for ShareIt history.", ex) - except TskCoreException as ex: - self._logger.log(Level.WARNING, "Failed to create CommunicationArtifactsHelper for adding artifacts.", ex) + except (TskCoreException, BlackboardException) as ex: + self._logger.log(Level.WARNING, "Failed to create ShareIt message artifacts.", ex) finally: historyDb.close() diff --git a/InternalPythonModules/android/xender.py b/InternalPythonModules/android/xender.py index b59f18dce3..d1cecd3a82 100644 --- a/InternalPythonModules/android/xender.py +++ b/InternalPythonModules/android/xender.py @@ -39,6 +39,7 @@ from org.sleuthkit.datamodel import BlackboardArtifact from org.sleuthkit.datamodel import BlackboardAttribute from org.sleuthkit.datamodel import Content from org.sleuthkit.datamodel import TskCoreException +from org.sleuthkit.datamodel.Blackboard import BlackboardException from org.sleuthkit.datamodel import Account from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import MessageReadStatus 
@@ -109,8 +110,8 @@ class XenderAnalyzer(general.AndroidComponentAnalyzer):
 except SQLException as ex:
 self._logger.log(Level.WARNING, "Error processing query result for profiles", ex)
- except TskCoreException as ex:
- self._logger.log(Level.WARNING, "Failed to create CommunicationArtifactsHelper for adding artifacts.", ex)
+ except (TskCoreException, BlackboardException) as ex:
+ self._logger.log(Level.WARNING, "Failed to create Xender message artifacts.", ex)
 finally:
 transactionDb.close()
diff --git a/InternalPythonModules/android/zapya.py b/InternalPythonModules/android/zapya.py
index fed51dd27d..9bcb5753d1 100644
--- a/InternalPythonModules/android/zapya.py
+++ b/InternalPythonModules/android/zapya.py
@@ -39,6 +39,7 @@ from org.sleuthkit.datamodel import BlackboardArtifact
 from org.sleuthkit.datamodel import BlackboardAttribute
 from org.sleuthkit.datamodel import Content
 from org.sleuthkit.datamodel import TskCoreException
+from org.sleuthkit.datamodel.Blackboard import BlackboardException
 from org.sleuthkit.datamodel import Account
 from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper
 from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import MessageReadStatus
@@ -102,8 +103,8 @@ class ZapyaAnalyzer(general.AndroidComponentAnalyzer):
 except SQLException as ex:
 self._logger.log(Level.WARNING, "Error processing query result for transfer", ex)
- except TskCoreException as ex:
- self._logger.log(Level.WARNING, "Failed to create CommunicationArtifactsHelper for adding artifacts.", ex)
+ except (TskCoreException, BlackboardException) as ex:
+ self._logger.log(Level.WARNING, "Failed to create Zapya message artifacts.", ex)
 finally:
 transferDb.close()
From 9f4ef71696df1c4688173f238ad90564dbf21deb Mon Sep 17 00:00:00 2001
From: Raman
Date: Thu, 19 Sep 2019 17:44:20 -0400
Subject: [PATCH 6/7] Address review comments.
---
 InternalPythonModules/android/shareit.py | 30 ++++++++++++------
 InternalPythonModules/android/xender.py | 40 +++++++++++++++++-------
 InternalPythonModules/android/zapya.py | 34 +++++++++++++-------
 3 files changed, 70 insertions(+), 34 deletions(-)
diff --git a/InternalPythonModules/android/shareit.py b/InternalPythonModules/android/shareit.py
index 8e3ebd3823..bccc9b9a3b 100644
--- a/InternalPythonModules/android/shareit.py
+++ b/InternalPythonModules/android/shareit.py
@@ -54,18 +54,20 @@ and adds artifacts to the case.
 """
 class ShareItAnalyzer(general.AndroidComponentAnalyzer):
- moduleName = "ShareIT Analyzer"
- progName = "ShareIt"
-
 def __init__(self):
 self._logger = Logger.getLogger(self.__class__.__name__)
+ self._PACKAGE_NAME = "com.lenovo.anyshare.gps"
+ self._MODULE_NAME = "ShareIt Analyzer"
+ self._MESSAGE_TYPE = "ShareIt Message"
+ self._VERSION = "5.0.28_ww"
 def analyze(self, dataSource, fileManager, context):
- historyDbs = AppSQLiteDB.findAppDatabases(dataSource, "history.db", True, "com.lenovo.anyshare.gps")
+ historyDbs = AppSQLiteDB.findAppDatabases(dataSource, "history.db", True, self._PACKAGE_NAME)
 for historyDb in historyDbs:
 try:
- historyDbHelper = CommunicationArtifactsHelper(Case.getCurrentCase().getSleuthkitCase(),
- self.moduleName, historyDb.getDBFile(),
+ current_case = Case.getCurrentCaseThrows()
+ historyDbHelper = CommunicationArtifactsHelper(current_case.getSleuthkitCase(),
+ self._MODULE_NAME, historyDb.getDBFile(),
 Account.Type.SHAREIT)
 queryString = "SELECT history_type, device_id, device_name, description, timestamp, import_path FROM history"
@@ -89,7 +91,7 @@ class ShareItAnalyzer(general.AndroidComponentAnalyzer):
 timeStamp = historyResultSet.getLong("timestamp") / 1000
 messageArtifact = transferDbHelper.addMessage(
- "ShareIt Message",
+ self._MESSAGE_TYPE,
 direction,
 fromAddress,
 toAddress,
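Review bot: `self._VERSION = "5.0.28_ww"` is assigned in `__init__` but nothing in this hunk reads it, so the next reader cannot tell what it records; a comment such as `# ShareIt app version the history.db query below was verified against` would keep that knowledge with the value. The four upper-case attributes never change after construction, so class-level constants would state that intent more directly than per-instance assignment. `current_case` also departs from the camelCase used by every other local in this method (`historyDb`, `queryString`). `analyze` continues past the end of the hunk.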
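Review bot: The context line `messageArtifact = transferDbHelper.addMessage(` refers to a name that the first hunk of this file does not define — the helper constructed inside the `try` is `historyDbHelper`. Unless `transferDbHelper` is assigned somewhere between the two hunks, the first history row raises `NameError`, which none of the `except` clauses catch, so `analyze` aborts with the database closed by `finally` and no ShareIt artifacts created. The fix is the one-word change `messageArtifact = historyDbHelper.addMessage(`. The enclosing `analyze` starts and ends outside this hunk.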
@@ -97,14 +99,22 @@ class ShareItAnalyzer(general.AndroidComponentAnalyzer):
 MessageReadStatus.UNKNOWN,
 None, # subject
 msgBody,
- "" )
+ None ) # thread id
 # TBD: add the file as attachment ??
 except SQLException as ex:
 self._logger.log(Level.WARNING, "Error processing query result for ShareIt history.", ex)
- except (TskCoreException, BlackboardException) as ex:
- self._logger.log(Level.WARNING, "Failed to create ShareIt message artifacts.", ex)
+ self._logger.log(Level.SEVERE, traceback.format_exc())
+ except TskCoreException as ex:
+ self._logger.log(Level.SEVERE, "Failed to create ShareIt message artifacts.", ex)
+ self._logger.log(Level.SEVERE, traceback.format_exc())
+ except BlackboardException as ex:
+ self._logger.log(Level.WARNING, "Failed to post artifacts.", ex)
+ self._logger.log(Level.WARNING, traceback.format_exc())
+ except NoCurrentCaseException as ex:
+ self._logger.log(Level.WARNING, "No case currently open.", ex)
+ self._logger.log(Level.WARNING, traceback.format_exc())
 finally:
 historyDb.close()
diff --git a/InternalPythonModules/android/xender.py b/InternalPythonModules/android/xender.py
index d1cecd3a82..e3c72f33e2 100644
--- a/InternalPythonModules/android/xender.py
+++ b/InternalPythonModules/android/xender.py
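Review bot: `except NoCurrentCaseException` sits inside the `for historyDb in historyDbs:` loop, so when no case is open the handler logs "No case currently open." and the loop moves on to the next database, where `Case.getCurrentCaseThrows()` will presumably fail the same way; after logging, `return` (or `break`) so the condition is reported once and the loop stops. The same per-iteration handler appears in this commit's xender `@@ -110,8 +118,16 @@` and zapya `@@ -89,23 +92,30 @@` hunks. In the `SQLException` branch the message is logged at `Level.WARNING` but its traceback at `Level.SEVERE`, unlike the xender and zapya hunks, which use WARNING for both; `self._logger.log(Level.WARNING, traceback.format_exc())` keeps the pair consistent. Every branch also passes `ex` to the logger and then logs `traceback.format_exc()`, so the stack is likely recorded twice, and if `traceback` is not already imported in this module (its import block is not in this hunk) the handler itself raises `NameError`. `analyze` starts outside this hunk.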
@@ -52,28 +52,36 @@ Finds the SQLite DB for Xender, parses the DB for contacts & messages,
 and adds artifacts to the case.
 """
 class XenderAnalyzer(general.AndroidComponentAnalyzer):
-
- moduleName = "Xender Analyzer"
- progName = "Xender"
-
+
 def __init__(self):
 self._logger = Logger.getLogger(self.__class__.__name__)
+ self._PACKAGE_NAME = "cn.xender"
+ self._MODULE_NAME = "Xender Analyzer"
+ self._MESSAGE_TYPE = "Xender Message"
+ self._VERSION = "4.6.5"
+
 def analyze(self, dataSource, fileManager, context):
 selfAccountAddress = None
- transactionDbs = AppSQLiteDB.findAppDatabases(dataSource, "trans-history-db", True, "cn.xender")
+ transactionDbs = AppSQLiteDB.findAppDatabases(dataSource, "trans-history-db", True, self._PACKAGE_NAME)
 for transactionDb in transactionDbs:
 try:
+ current_case = Case.getCurrentCaseThrows()
 # get the profile with connection_times 0, that's the self account.
 profilesResultSet = transactionDb.runQuery("SELECT device_id, nick_name FROM profile WHERE connect_times = 0")
 if profilesResultSet:
 while profilesResultSet.next():
 if not selfAccountAddress:
 selfAccountAddress = Account.Address(profilesResultSet.getString("device_id"), profilesResultSet.getString("nick_name"))
-
- transactionDbHelper = CommunicationArtifactsHelper(Case.getCurrentCase().getSleuthkitCase(),
- self.moduleName, transactionDb.getDBFile(),
+ # create artifacts helper
+ if selfAccountAddress is not None:
+ transactionDbHelper = CommunicationArtifactsHelper(current_case.getSleuthkitCase(),
+ self._MODULE_NAME, transactionDb.getDBFile(),
 Account.Type.XENDER, Account.Type.XENDER, selfAccountAddress )
+ else:
+ transactionDbHelper = CommunicationArtifactsHelper(current_case.getSleuthkitCase(),
+ self._MODULE_NAME, transactionDb.getDBFile(),
+ Account.Type.XENDER)
 queryString = "SELECT f_path, f_display_name, f_size_str, f_create_time, c_direction, c_session_id, s_name, s_device_id, r_name, r_device_id FROM new_history "
 messagesResultSet = 
transactionDb.runQuery(queryString)
@@ -96,13 +104,13 @@ class XenderAnalyzer(general.AndroidComponentAnalyzer):
 timeStamp = messagesResultSet.getLong("f_create_time") / 1000
 messageArtifact = transactionDbHelper.addMessage(
- "Xender Message",
+ self._MESSAGE_TYPE,
 direction,
 fromAddress,
 toAddress,
 timeStamp,
 MessageReadStatus.UNKNOWN,
- None,
+ None, # subject
 msgBody,
 messagesResultSet.getString("c_session_id") )
@@ -110,8 +118,16 @@ class XenderAnalyzer(general.AndroidComponentAnalyzer):
 except SQLException as ex:
 self._logger.log(Level.WARNING, "Error processing query result for profiles", ex)
- except (TskCoreException, BlackboardException) as ex:
- self._logger.log(Level.WARNING, "Failed to create Xender message artifacts.", ex)
+ self._logger.log(Level.WARNING, traceback.format_exc())
+ except TskCoreException as ex:
+ self._logger.log(Level.SEVERE, "Failed to create Xender message artifacts.", ex)
+ self._logger.log(Level.SEVERE, traceback.format_exc())
+ except BlackboardException as ex:
+ self._logger.log(Level.WARNING, "Failed to post artifacts.", ex)
+ self._logger.log(Level.WARNING, traceback.format_exc())
+ except NoCurrentCaseException as ex:
+ self._logger.log(Level.WARNING, "No case currently open.", ex)
+ self._logger.log(Level.WARNING, traceback.format_exc())
 finally:
 transactionDb.close()
diff --git a/InternalPythonModules/android/zapya.py b/InternalPythonModules/android/zapya.py
index 9bcb5753d1..672795c076 100644
--- a/InternalPythonModules/android/zapya.py
+++ b/InternalPythonModules/android/zapya.py
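Review bot: `selfAccountAddress` is initialised to `None` before `for transactionDb in transactionDbs:` and only assigned while still falsy, so the self account found in the first trans-history-db is reused for every later database in the data source and the new `if selfAccountAddress is not None:` branch never sees a second database's own profile; resetting it at the top of the loop body, or a comment stating that all databases are assumed to belong to one owner, would make the intended behaviour explicit. The comment `# get the profile with connection_times 0` names a column the query does not use — the filter is `WHERE connect_times = 0` — so one of the two should change. The two `CommunicationArtifactsHelper(...)` calls differ only in the trailing self-account arguments; a comment such as `# self account known: attribute outgoing transfers to it` on the first branch would explain why both forms exist. `analyze` continues past the end of this hunk.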
@@ -54,18 +54,21 @@ and adds artifacts to the case.
 """
 class ZapyaAnalyzer(general.AndroidComponentAnalyzer):
- moduleName = "Zapya Analyzer"
- progName = "Zapya"
-
 def __init__(self):
 self._logger = Logger.getLogger(self.__class__.__name__)
+ self._PACKAGE_NAME = "com.dewmobile.kuaiya.play"
+ self._MODULE_NAME = "Zapya Analyzer"
+ self._MESSAGE_TYPE = "Zapya Message"
+ self._VERSION = "5.8.3"
 def analyze(self, dataSource, fileManager, context):
- transferDbs = AppSQLiteDB.findAppDatabases(dataSource, "transfer20.db", True, "com.dewmobile.kuaiya.play")
+ transferDbs = AppSQLiteDB.findAppDatabases(dataSource, "transfer20.db", True, self._PACKAGE_NAME)
 for transferDb in transferDbs:
 try:
- transferDbHelper = CommunicationArtifactsHelper(Case.getCurrentCase().getSleuthkitCase(),
- self.moduleName, transferDb.getDBFile(),
+ current_case = Case.getCurrentCaseThrows()
+ #
+ transferDbHelper = CommunicationArtifactsHelper(current_case.getSleuthkitCase(),
+ self._MODULE_NAME, transferDb.getDBFile(),
 Account.Type.ZAPYA)
 queryString = "SELECT device, name, direction, createtime, path, title FROM transfer"
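Review bot: The added line `+            #` between `current_case = Case.getCurrentCaseThrows()` and the helper construction is an empty comment; either drop it or make it say something, e.g. `# helper that posts one message artifact per transfer row`. As in the shareit and xender hunks of this commit, `self._VERSION = "5.8.3"` is set but not read by anything visible here; a one-line comment stating that it is the Zapya app version the `transfer20.db` query was written against would preserve that knowledge. `analyze` continues past the end of this hunk.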
@@ -89,23 +92,30 @@ class ZapyaAnalyzer(general.AndroidComponentAnalyzer):
 timeStamp = transfersResultSet.getLong("createtime") / 1000
 messageArtifact = transferDbHelper.addMessage(
- "Zapya Message",
+ self._MESSAGE_TYPE,
 direction,
 fromAddress,
 toAddress,
 timeStamp,
 MessageReadStatus.UNKNOWN,
- None,
+ None, # subject
 msgBody,
- "" )
+ None ) # thread id
 # TBD: add the file as attachment ??
 except SQLException as ex:
 self._logger.log(Level.WARNING, "Error processing query result for transfer", ex)
- except (TskCoreException, BlackboardException) as ex:
- self._logger.log(Level.WARNING, "Failed to create Zapya message artifacts.", ex)
-
+ self._logger.log(Level.WARNING, traceback.format_exc())
+ except TskCoreException as ex:
+ self._logger.log(Level.SEVERE, "Failed to create Zapya message artifacts.", ex)
+ self._logger.log(Level.SEVERE, traceback.format_exc())
+ except BlackboardException as ex:
+ self._logger.log(Level.WARNING, "Failed to post artifacts.", ex)
+ self._logger.log(Level.WARNING, traceback.format_exc())
+ except NoCurrentCaseException as ex:
+ self._logger.log(Level.WARNING, "No case currently open.", ex)
+ self._logger.log(Level.WARNING, traceback.format_exc())
 finally:
 transferDb.close()
From 4c93fae369e83c1313dfd7d1be059754d6d4012a Mon Sep 17 00:00:00 2001
From: Raman
Date: Thu, 19 Sep 2019 20:07:22 -0400
Subject: [PATCH 7/7] Fixed missing import.
---
 InternalPythonModules/android/shareit.py | 1 +
 InternalPythonModules/android/xender.py | 1 +
 InternalPythonModules/android/zapya.py | 1 +
 3 files changed, 3 insertions(+)
diff --git a/InternalPythonModules/android/shareit.py b/InternalPythonModules/android/shareit.py
index bccc9b9a3b..937a663393 100644
--- a/InternalPythonModules/android/shareit.py
+++ b/InternalPythonModules/android/shareit.py
@@ -29,6 +29,7 @@ from java.util.logging import Level
 from java.util import ArrayList
 from org.apache.commons.codec.binary import Base64
 from org.sleuthkit.autopsy.casemodule import Case
+from org.sleuthkit.autopsy.casemodule import NoCurrentCaseException
 from org.sleuthkit.autopsy.coreutils import Logger
 from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil
 from org.sleuthkit.autopsy.coreutils import AppSQLiteDB
diff --git a/InternalPythonModules/android/xender.py b/InternalPythonModules/android/xender.py
index e3c72f33e2..cdc520fb11 100644
--- a/InternalPythonModules/android/xender.py
+++ b/InternalPythonModules/android/xender.py
@@ -29,6 +29,7 @@ from java.util.logging import Level
 from java.util import ArrayList
 from org.apache.commons.codec.binary import Base64
 from org.sleuthkit.autopsy.casemodule import Case
+from org.sleuthkit.autopsy.casemodule import NoCurrentCaseException
 from org.sleuthkit.autopsy.coreutils import Logger
 from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil
 from org.sleuthkit.autopsy.coreutils import AppSQLiteDB
diff --git a/InternalPythonModules/android/zapya.py b/InternalPythonModules/android/zapya.py
index 672795c076..230405075d 100644
--- a/InternalPythonModules/android/zapya.py
+++ b/InternalPythonModules/android/zapya.py
@@ -29,6 +29,7 @@ from java.util.logging import Level
 from java.util import ArrayList
 from org.apache.commons.codec.binary import Base64
 from org.sleuthkit.autopsy.casemodule import Case
+from org.sleuthkit.autopsy.casemodule import NoCurrentCaseException
 from org.sleuthkit.autopsy.coreutils import Logger
 from org.sleuthkit.autopsy.coreutils import MessageNotifyUtil
 from org.sleuthkit.autopsy.coreutils import AppSQLiteDB