From e8e9bd3558b9b89a6bc88ed79a71f5acdda08ac6 Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Tue, 27 Nov 2012 11:31:06 -0500 Subject: [PATCH 01/12] Created Services class in Core module and added a member variable of this type to Case with getter method. Created FileManager class and added member of this type to Services class with getter method. Added method to FileManager for obtaining files and refactored some code in RecentActivity module to use thi new API where applicable. These changes partially satisfy the requirements of AUT-613. --- Core/nbproject/project.xml | 1 + .../sleuthkit/autopsy/casemodule/Case.java | 10 + .../casemodule/services/FileManager.java | 61 +++ .../autopsy/casemodule/services/Services.java | 28 ++ KeywordSearch/nbproject/genfiles.properties | 2 +- RecentActivity/nbproject/genfiles.properties | 4 +- .../autopsy/recentactivity/Chrome.java | 112 +++-- .../autopsy/recentactivity/ExtractIE.java | 84 ++-- .../recentactivity/ExtractRegistry.java | 8 + .../autopsy/recentactivity/Firefox.java | 385 ++++++++++-------- .../autopsy/recentactivity/Util.java | 58 +-- 11 files changed, 461 insertions(+), 292 deletions(-) create mode 100644 Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java create mode 100644 Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java diff --git a/Core/nbproject/project.xml b/Core/nbproject/project.xml index 202fd21824..ff33bd0a36 100644 --- a/Core/nbproject/project.xml +++ b/Core/nbproject/project.xml @@ -183,6 +183,7 @@ org.sleuthkit.autopsy.casemodule + org.sleuthkit.autopsy.casemodule.services org.sleuthkit.autopsy.core org.sleuthkit.autopsy.corecomponentinterfaces org.sleuthkit.autopsy.corecomponents diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java index 5d389844b4..429e85bf37 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java 
@@ -50,6 +50,7 @@ import org.openide.util.Lookup; import org.openide.util.actions.CallableSystemAction; import org.openide.util.actions.SystemAction; import org.openide.windows.WindowManager; +import org.sleuthkit.autopsy.casemodule.services.Services; import org.sleuthkit.autopsy.corecomponentinterfaces.CoreComponentControl; import org.sleuthkit.autopsy.corecomponents.AdvancedConfigurationCleanDialog; import org.sleuthkit.autopsy.corecomponents.AdvancedConfigurationDialog; @@ -124,6 +125,7 @@ public class Case { private SleuthkitCase db; // Track the current case (only set with changeCase() method) private static Case currentCase = null; + private Services services; private static final Logger logger = Logger.getLogger(Case.class.getName()); @@ -137,6 +139,7 @@ public class Case { this.configFilePath = configFilePath; this.xmlcm = xmlcm; this.db = db; + this.services = new Services(db); } /** @@ -331,6 +334,13 @@ public class Case { throw new CaseActionException("Error adding image to the case", ex); } } + + /** + * @return The Services object for this case. + */ + public Services getServices() { + return services; + } /** * Get the underlying SleuthkitCase instance from the Sleuth Kit bindings diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java new file mode 100644 index 0000000000..2fb61bd002 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java 
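Review bot: The `services` field added in the `@@ -124` hunk is assigned exactly once, in the constructor (`this.services = new Services(db);`), and the new `getServices()` only reads it, so it should be declared `private final Services services;` to make that one-time binding explicit. The `getServices()` Javadoc in the `@@ -331` hunk should also say what the object is bound to, since `Services` is built from this case's `SleuthkitCase` and a static `currentCase` can change: `/** @return the Services bound to this case's SleuthkitCase; fetch it from the current Case rather than caching it across cases. */`. The constructor and the rest of `Case` continue outside these hunks.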
@@ -0,0 +1,61 @@ +/* + * To change this template, choose Tools | Templates + * and open the template in the editor. + */ +package org.sleuthkit.autopsy.casemodule.services; + +import java.util.List; +import org.sleuthkit.datamodel.FsContent; +import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskCoreException; + +/** + * Abstraction to facilitate access to files and directories. + */ +public class FileManager { + + private SleuthkitCase tskCase; + + public FileManager(SleuthkitCase tskCase) { + this.tskCase = tskCase; + } + + /** + * @param fileName the name of the file or directory to match + * @return a list of FsContent for files/directories whose name matches the + * given fileName + */ + public List findFiles(String fileName) throws TskCoreException { + return tskCase.findFiles(fileName); + } + + /** + * @param fileName the name of the file or directory to match + * @param dirName the name of a parent directory of fileName + * @return a list of FsContent for files/directories whose name matches + * fileName and whose parent directory contains dirName. + */ + public List findFiles(String fileName, String dirName) throws TskCoreException { + return tskCase.findFiles(fileName, dirName); + } + + /** + * @param fileName the name of the file or directory to match + * @param parentFsContent + * @return a list of FsContent for files/directories whose name matches + * fileName and that were inside a directory described by parentFsContent. + */ + public List findFiles(String fileName, FsContent parentFsContent) throws TskCoreException { + return findFiles(fileName, parentFsContent.getName()); + } + + /** + * @param filePath The full path to the file(s) of interest. This can + * optionally include the image and volume names. + * @return a list of FsContent that have the given file path. + */ + public List openFiles(String filePath) throws TskCoreException { + return tskCase.openFiles(filePath); + } + +} 
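Review bot: The `fileName`/`dirName` parameters are forwarded verbatim to `tskCase.findFiles`, and callers elsewhere in this patch pass SQL LIKE wildcards (`%.url`, `%places.sqlite%`, `%.lnk`), so the Javadoc's "whose name matches" understates the contract; document it as `@param fileName a LIKE pattern matched against the file name ("%" and "_" are wildcards; escape a literal "_")`, and likewise for `dirName`. If the bindings build the LIKE clause by string concatenation (not visible here), a name containing a quote would also break the query, so this wrapper is the right place to escape or reject such input — worth confirming against `SleuthkitCase.findFiles`. The `findFiles(String, FsContent)` overload only forwards `parentFsContent.getName()`, so it matches files under any directory with that name anywhere in the case, which is weaker than the Javadoc's "inside a directory described by parentFsContent"; either say so or key the lookup off the parent's object id if the datamodel allows it. Nothing scopes any of these lookups to an image, which matters for multi-image cases (see the IE index.dat caller). The NetBeans "To change this template" header should be replaced with the project's license header before this becomes public API.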
diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java new file mode 100644 index 0000000000..af16268207 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java @@ -0,0 +1,28 @@ +/* + * To change this template, choose Tools | Templates + * and open the template in the editor. + */ +package org.sleuthkit.autopsy.casemodule.services; + +import org.sleuthkit.datamodel.SleuthkitCase; + +/** + * + * @author mciver + */ +public class Services { + + private SleuthkitCase tskCase; + private FileManager fileManager; + + public Services(SleuthkitCase tskCase) { + this.tskCase = tskCase; + } + + public FileManager getFileManager() { + if (fileManager == null) { + fileManager = new FileManager(tskCase); + } + return fileManager; + } +} diff --git a/KeywordSearch/nbproject/genfiles.properties b/KeywordSearch/nbproject/genfiles.properties index b2d8509e82..97886535c8 100644 --- a/KeywordSearch/nbproject/genfiles.properties +++ b/KeywordSearch/nbproject/genfiles.properties @@ -3,6 +3,6 @@ build.xml.script.CRC32=87b97b04 build.xml.stylesheet.CRC32=a56c6a5b@1.46.2 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. -nbproject/build-impl.xml.data.CRC32=1cff292d +nbproject/build-impl.xml.data.CRC32=8f39548f nbproject/build-impl.xml.script.CRC32=fe1f48d2 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@2.50.1 diff --git a/RecentActivity/nbproject/genfiles.properties b/RecentActivity/nbproject/genfiles.properties index 90aa712a1d..fe69d96298 100644 --- a/RecentActivity/nbproject/genfiles.properties +++ b/RecentActivity/nbproject/genfiles.properties 
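Review bot: `getFileManager()` lazily creates `fileManager` with an unsynchronized null check; since `FileManager` holds nothing but the `tskCase` reference a race would only produce two equivalent instances, but the laziness buys nothing and invites that question. Construct it eagerly, `this.fileManager = new FileManager(tskCase);` in the constructor, and make both fields `final`, which removes the null check entirely. The class also carries the NetBeans template header and an `@author`-only Javadoc; give it a purpose line such as `/** Per-case service registry; currently exposes a FileManager bound to the case's SleuthkitCase. */`.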
@@ -1,8 +1,8 @@ -build.xml.data.CRC32=320aa38b +build.xml.data.CRC32=bcfe7e87 build.xml.script.CRC32=d323407a build.xml.stylesheet.CRC32=a56c6a5b@2.50.1 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. -nbproject/build-impl.xml.data.CRC32=320aa38b +nbproject/build-impl.xml.data.CRC32=bcfe7e87 nbproject/build-impl.xml.script.CRC32=aef16a21 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@2.50.1 diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index af2068f2eb..1577fb1ad8 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -37,6 +37,8 @@ import java.io.FileNotFoundException; import java.io.FileReader; import java.io.IOException; import java.io.UnsupportedEncodingException; +import java.sql.SQLException; +import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.EscapeUtil; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestModuleImage; 
@@ -96,20 +98,25 @@ public class Chrome extends Extract implements IngestModuleImage { } private void getHistory(Image image, IngestImageWorkerController controller) { - //Make these seperate, this is for history - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'"); + FileManager fileManager = currentCase.getServices().getFileManager(); + List historyFiles = null; + try { + historyFiles = fileManager.findFiles("History", "Chrome"); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; + if (historyFiles != null && !historyFiles.isEmpty()) { + while (j < historyFiles.size()) { + String temps = currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db"; int errors = 0; try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); + ContentUtils.writeToFile(historyFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db")); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome web history artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + historyFiles.get(j).getName()); } File dbFile = new File(temps); if (controller.isCancelled()) { 
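Review bot: When `findFiles("History", "Chrome")` throws, the new catch only logs and `historyFiles` stays null, so the `if (historyFiles != null && ...)` guard silently skips the whole pass; unlike the `IOException` branch a few lines below, nothing reaches `addErrorMessage`, so the analyst never learns that Chrome history was not extracted. Add `this.addErrorMessage(this.getName() + ": Error getting Chrome history files.");` inside the catch. Note also that the temp path is still built from the evidence file's own name (`historyFiles.get(j).getName().toString() + j + ".db"`); with the exact pattern `"History"` that name is constrained, but the pattern is the only thing constraining it, so any future widening of the pattern should come with a sanitized temp name (e.g. the object id) — presumably not an issue today, but worth a comment. `getHistory` continues past the end of this hunk.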
@@ -130,7 +137,7 @@ public class Chrome extends Extract implements IngestModuleImage { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "Recent Activity", ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, FFSqlitedb.get(j), bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFiles.get(j), bbattributes); } if (errors > 0) { 
@@ -145,20 +152,25 @@ public class Chrome extends Extract implements IngestModuleImage { } private void getBookmark(Image image, IngestImageWorkerController controller) { - - //this is for bookmarks - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); + + FileManager fileManager = currentCase.getServices().getFileManager(); + List bookmarkFiles = null; + try { + bookmarkFiles = fileManager.findFiles("Bookmarks", "Chrome"); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; + if (bookmarkFiles != null && !bookmarkFiles.isEmpty()) { + while (j < bookmarkFiles.size()) { + String temps = currentCase.getTempDirectory() + File.separator + bookmarkFiles.get(j).getName().toString() + j + ".db"; int errors = 0; try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); + ContentUtils.writeToFile(bookmarkFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + bookmarkFiles.get(j).getName().toString() + j + ".db")); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome bookmark artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + bookmarkFiles.get(j).getName()); } logger.log(Level.INFO, moduleName + "- Now getting Bookmarks from " + temps); File dbFile = new File(temps); 
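Review bot: The catch in `getBookmark` logs "Error when trying to get Chrome history files." — copied from `getHistory` — which will mislead whoever reads the log; change it to `logger.log(Level.SEVERE, "Error when trying to get Chrome bookmark files.", ex);`. As in `getHistory`, the failure is logged but never surfaced via `addErrorMessage`, so the module reports success with no bookmarks. The method continues beyond this hunk.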
@@ -180,7 +192,7 @@ public class Chrome extends Extract implements IngestModuleImage { String name = address.get("name").getAsString(); Long date = address.get("date_added").getAsLong(); String domain = Util.extractDomain(url); - BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); + BlackboardArtifact bbart = bookmarkFiles.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection bbattributes = new ArrayList(); //TODO Revisit usage of deprecated constructor as per TSK-583 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", (date / 10000000))); 
@@ -213,19 +225,25 @@ public class Chrome extends Extract implements IngestModuleImage { //COOKIES section // This gets the cookie info private void getCookie(Image image, IngestImageWorkerController controller) { - - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); + + FileManager fileManager = currentCase.getServices().getFileManager(); + List cookiesFiles = null; + try { + cookiesFiles = fileManager.findFiles("Cookies", "Chrome"); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; + if (cookiesFiles != null && !cookiesFiles.isEmpty()) { + while (j < cookiesFiles.size()) { + String temps = currentCase.getTempDirectory() + File.separator + cookiesFiles.get(j).getName().toString() + j + ".db"; int errors = 0; try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); + ContentUtils.writeToFile(cookiesFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + cookiesFiles.get(j).getName().toString() + j + ".db")); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome cookie artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + cookiesFiles.get(j).getName()); } File dbFile = new File(temps); if (controller.isCancelled()) { 
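Review bot: The lookup narrows from the old `name LIKE '%Cookies%'` to the exact pattern `"Cookies"`, so any cookie-store variant the old query picked up (anything with "Cookies" as a substring) is now skipped; if that is intentional it deserves a comment, otherwise pass `"%Cookies%"`. The catch message is again the copied "Error when trying to get Chrome history files." and should read `"Error when trying to get Chrome cookie files."`. `getCookie` continues beyond this hunk.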
@@ -249,7 +267,7 @@ public class Chrome extends Extract implements IngestModuleImage { String domain = result.get("host_key").toString(); domain = domain.replaceFirst("^\\.+(?!$)", ""); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", domain)); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, FFSqlitedb.get(j), bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFiles.get(j), bbattributes); } if (errors > 0) { 
@@ -266,19 +284,25 @@ public class Chrome extends Extract implements IngestModuleImage { //Downloads section // This gets the downloads info private void getDownload(Image image, IngestImageWorkerController controller) { - - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); + + FileManager fileManager = currentCase.getServices().getFileManager(); + List historyFiles = null; + try { + historyFiles = fileManager.findFiles("History", "Chrome"); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; + if (historyFiles != null && !historyFiles.isEmpty()) { + while (j < historyFiles.size()) { + String temps = currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db"; int errors = 0; try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); + ContentUtils.writeToFile(historyFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + historyFiles.get(j).getName().toString() + j + ".db")); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome download artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + historyFiles.get(j).getName()); } File dbFile = new File(temps); if (controller.isCancelled()) { 
@@ -303,7 +327,7 @@ public class Chrome extends Extract implements IngestModuleImage { String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "Recent Activity", "Chrome")); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, FFSqlitedb.get(j), bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, historyFiles.get(j), bbattributes); } if (errors > 0) { 
@@ -320,19 +344,25 @@ public class Chrome extends Extract implements IngestModuleImage { //Login/Password section // This gets the user info private void getLogin(Image image, IngestImageWorkerController controller) { - - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'"); + + FileManager fileManager = currentCase.getServices().getFileManager(); + List signonFiles = null; + try { + signonFiles = fileManager.findFiles("signons.sqlite", "Chrome"); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; + if (signonFiles != null && !signonFiles.isEmpty()) { + while (j < signonFiles.size()) { + String temps = currentCase.getTempDirectory() + File.separator + signonFiles.get(j).getName().toString() + j + ".db"; int errors = 0; try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); + ContentUtils.writeToFile(signonFiles.get(j), new File(currentCase.getTempDirectory() + File.separator + signonFiles.get(j).getName().toString() + j + ".db")); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome login artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + signonFiles.get(j).getName()); } File dbFile = new File(temps); if (controller.isCancelled()) { 
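Review bot: The catch message in `getLogin` says "Chrome history files" but this method is looking for the saved-credentials store; change it to `logger.log(Level.SEVERE, "Error when trying to get Chrome login files.", ex);`. Separately, the pattern `"signons.sqlite"` is carried over from the old query, and as far as I know that file name belongs to Firefox's password store, so matched against a `Chrome` parent path this lookup is unlikely to ever return anything — worth confirming against a real Chrome profile before relying on it (Chrome's equivalent is, I believe, a different file name). The method continues beyond this hunk.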
@@ -354,7 +384,7 @@ public class Chrome extends Extract implements IngestModuleImage { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "Recent Activity", ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", result.get("signon_realm").toString())); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, FFSqlitedb.get(j), bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFiles.get(j), bbattributes); } if (errors > 0) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 6d557a49e7..db224a4868 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -75,9 +75,6 @@ public class ExtractIE extends Extract implements IngestModuleImage { private static final Logger logger = Logger.getLogger(ExtractIE.class.getName()); private IngestServices services; - private String indexDatQueryStr = "select * from tsk_files where name LIKE '%index.dat%'"; - private String favoriteQuery = "select * from `tsk_files` where parent_path LIKE '%/Favorites%' and name LIKE '%.url'"; - private String cookiesQuery = "select * from `tsk_files` where parent_path LIKE '%/Cookies%' and name LIKE '%.txt'"; private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'"; //sleauthkit db handle SleuthkitCase tempDb; 
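Review bot: The ExtractIE `@@ -75,9 +75,6` hunk deletes `indexDatQueryStr`, `favoriteQuery` and `cookiesQuery` but keeps `recentQuery`, yet `getRecentDocuments` in this same patch switches to `fileManager.findFiles("%.lnk", "Recent")`, so `recentQuery` is now dead. Remove `private String recentQuery = ...;` as well so no hand-built SQL string lingers for a future caller to resurrect. The `tempDb` field that follows is still used by the index.dat code.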
@@ -131,14 +128,21 @@ public class ExtractIE extends Extract implements IngestModuleImage { // This gets the favorite info private void getBookmark(Image image, IngestImageWorkerController controller) { - List FavoriteList = this.extractFiles(image, favoriteQuery); int errors = 0; + + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List favoritesFiles = null; + try { + favoritesFiles = fileManager.findFiles("%.url", "Favorites"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); + } - for (FsContent Favorite : FavoriteList) { + for (FsContent favoritesFile : favoritesFiles) { if (controller.isCancelled()) { break; } - Content fav = Favorite; + Content fav = favoritesFile; byte[] t = new byte[(int) fav.getSize()]; try { final int bytesRead = fav.read(t, 0, fav.getSize()); @@ -154,8 +158,8 @@ public class ExtractIE extends Extract implements IngestModuleImage { if (m.find()) { url = m.group(1); } - String name = Favorite.getName(); - Long datetime = Favorite.getCrtime(); + String name = favoritesFile.getName(); + Long datetime = favoritesFile.getCrtime(); String Tempdate = datetime.toString(); datetime = Long.valueOf(Tempdate); String domain = Util.extractDomain(url); 
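Review bot: If `findFiles("%.url", "Favorites")` throws, `favoritesFiles` remains null and the very next statement, `for (FsContent favoritesFile : favoritesFiles)`, throws a NullPointerException out of the module — the catch turns a recoverable lookup failure into a crash. The log line is also copied from the index.dat code ("'index.data' files for Internet Explorer history") and drops `ex`. Replace the catch body with `logger.log(Level.WARNING, "Error fetching Internet Explorer favorites (.url) files.", ex); return;` so the failure is recorded with its cause and the loop is not entered. `getBookmark` continues past this hunk.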
@@ -169,7 +173,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, Favorite, bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, favoritesFile, bbattributes); services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); } @@ -181,14 +185,21 @@ public class ExtractIE extends Extract implements IngestModuleImage { //Cookies section // This gets the cookies info private void getCookie(Image image, IngestImageWorkerController controller) { + + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List cookiesFiles = null; + try { + cookiesFiles = fileManager.findFiles("%.txt", "Cookies"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); + } - List CookiesList = this.extractFiles(image, cookiesQuery); int errors = 0; - for (FsContent Cookie : CookiesList) { + for (FsContent cookiesFile : cookiesFiles) { if (controller.isCancelled()) { break; } - Content fav = Cookie; + Content fav = cookiesFile; byte[] t = new byte[(int) fav.getSize()]; try { final int bytesRead = fav.read(t, 0, fav.getSize()); 
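Review bot: In the `@@ -181,14 +185,21` hunk `getCookie` has the same null path as `getBookmark`: a `TskCoreException` from `findFiles("%.txt", "Cookies")` leaves `cookiesFiles` null and `for (FsContent cookiesFile : cookiesFiles)` then throws NullPointerException. The message is again the copied "'index.data' ... history" text with `ex` omitted; use `logger.log(Level.WARNING, "Error fetching Internet Explorer cookie files.", ex); return;`. The method continues past the end of the hunk.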
@@ -200,7 +211,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { String url = values.length > 2 ? values[2] : ""; String value = values.length > 1 ? values[1] : ""; String name = values.length > 0 ? values[0] : ""; - Long datetime = Cookie.getCrtime(); + Long datetime = cookiesFile.getCrtime(); String Tempdate = datetime.toString(); datetime = Long.valueOf(Tempdate); String domain = Util.extractDomain(url); @@ -217,7 +228,7 @@ public class ExtractIE extends Extract implements IngestModuleImage { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", (name != null) ? name : "")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, Cookie, bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); } if (errors > 0) { this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Internet Explorer cookies."); 
@@ -229,26 +240,33 @@ public class ExtractIE extends Extract implements IngestModuleImage { //Recent Documents section // This gets the recent object info private void getRecentDocuments(Image image, IngestImageWorkerController controller) { + + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List recentFiles = null; + try { + recentFiles = fileManager.findFiles("%.lnk", "Recent"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); + } - List RecentList = this.extractFiles(image, recentQuery); - - for (FsContent Recent : RecentList) { + for (FsContent recentFile : recentFiles) { if (controller.isCancelled()) { break; } - Content fav = Recent; + Content fav = recentFile; JLNK lnk = new JLnkParser(new ReadContentInputStream(fav), (int) fav.getSize()).parse(); String path = lnk.getBestPath(); - Long datetime = Recent.getCrtime(); + Long datetime = recentFile.getCrtime(); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(path))); + long id = Util.findID(path); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", id)); //TODO Revisit usage of deprecated constructor as per TSK-583 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", datetime)); - this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, Recent, bbattributes); + this.addArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT, recentFile, 
bbattributes); } services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); @@ -286,7 +304,6 @@ public class ExtractIE extends Extract implements IngestModuleImage { File resultsDir = new File(PASCO_RESULTS_PATH); resultsDir.mkdirs(); - Collection FsContentCollection = null; tempDb = currentCase.getSleuthkitCase(); Collection imageFS = tempDb.getFileSystems(image); List fsIds = new LinkedList(); @@ -305,24 +322,25 @@ public class ExtractIE extends Extract implements IngestModuleImage { allFS += ")"; } } + + // get index.dat files + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List indexFiles = null; try { - ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS); - FsContentCollection = tempDb.resultSetToFsContents(rs); - rs.close(); - rs.getStatement().close(); - } catch (SQLException ex) { - logger.log(Level.SEVERE, "Error reading database for Internet Explorer history artifacts: {0}", ex); + indexFiles = fileManager.findFiles("index.dat"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); } + String temps; String indexFileName; - - for (FsContent fsc : FsContentCollection) { + for (FsContent indexFile : indexFiles) { // Since each result represent an index.dat file, // just create these files with the following notation: // index.dat (i.e. index0.dat, index1.dat,..., indexN.dat) // Write each index.dat file to a temp directory. //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); - indexFileName = "index" + Integer.toString((int) fsc.getId()) + ".dat"; + indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat"; //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat"; temps = currentCase.getTempDirectory() + File.separator + indexFileName; File datFile = new File(temps); 
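Review bot: In the `getRecentDocuments` hunk (starting on the previous physical line) a failed `findFiles("%.lnk", "Recent")` leaves `recentFiles` null and `for (FsContent recentFile : recentFiles)` throws NullPointerException, the same pattern as the bookmark and cookie hunks; the copied "'index.data' ... history" message also hides which lookup failed and drops `ex`. Use `logger.log(Level.WARNING, "Error fetching Internet Explorer recent (.lnk) files.", ex); return;` in the catch. The method continues beyond the hunk.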
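Review bot: In the `@@ -305,24 +322,25` hunk the new `fileManager.findFiles("index.dat")` carries no file-system or image scope, while the old query appended `allFS` built from `tempDb.getFileSystems(image)`; the `imageFS`/`fsIds`/`allFS` computation (its tail `allFS += ")"` is still visible as context) is now dead, and in a case with more than one image this run will presumably pick up every image's index.dat, not just this one's. Either give `FileManager` an image-aware overload and pass `image`, or filter `indexFiles` against `fsIds` before the loop, and delete the dead code if it stays unused. The pattern also tightened from `%index.dat%` to `index.dat`, which is worth a note if deliberate. As in the other hunks, `indexFiles` stays null on a `TskCoreException` and `for (FsContent indexFile : indexFiles)` then throws NullPointerException, and the warning drops `ex`; log the cause and initialise `indexFiles` to an empty list in the catch rather than returning, since result cleanup follows later in this method, which continues outside the hunk.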
@@ -331,12 +349,12 @@ public class ExtractIE extends Extract implements IngestModuleImage { break; } try { - ContentUtils.writeToFile(fsc, datFile); + ContentUtils.writeToFile(indexFile, datFile); } catch (IOException e) { logger.log(Level.SEVERE, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); } - String filename = "pasco2Result." + fsc.getId() + ".txt"; + String filename = "pasco2Result." + indexFile.getId() + ".txt"; boolean bPascProcSuccess = executePasco(temps, filename); pascoResults.add(filename); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 3e11cde6a5..66210a1e6c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -133,6 +133,14 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { } catch (SQLException ex) { logger.log(Level.SEVERE, "Error querying the database for registry files: {0}", ex); } + +// org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); +// List Regfiles = null; +// try { +// Regfiles = fileManager.findFiles("ntuser.dat", "Recent"); +// } catch (TskCoreException ex) { +// logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); +// } int j = 0; diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 74d6c46d6e..41699f56f4 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
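Review bot: The ExtractRegistry `@@ -133,6 +133,14` hunk lands an entirely commented-out block whose directory argument `"Recent"` and message "'index.data' files for Internet Explorer history" are both copied from the IE code and do not fit a registry-hive lookup. Commented-out code should not be committed; either finish the migration here or replace the block with a single marker such as `// TODO (AUT-613): replace the runQuery() lookup above with currentCase.getServices().getFileManager().findFiles("ntuser.dat", <hive parent dir>)`. The surrounding `runQuery`-based lookup and the rest of the method are outside this hunk.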
@@ -31,6 +31,7 @@ import java.util.Collection; import java.util.HashMap; import java.util.List; import java.util.logging.Level; +import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.autopsy.coreutils.EscapeUtil; import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; @@ -44,6 +45,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.Image; +import org.sleuthkit.datamodel.TskCoreException; /** * Firefox recent activity extraction 
@@ -91,216 +93,255 @@ public class Firefox extends Extract implements IngestModuleImage { private void getHistory(Image image, IngestImageWorkerController controller) { //Make these seperate, this is for history - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); + //List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); + + FileManager fileManager = currentCase.getServices().getFileManager(); + List historyFiles = null; + try { + historyFiles = fileManager.findFiles("%places.sqlite%", "Firefox"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching internet history files for Firefox."); + } + + if (historyFiles == null) { + return; + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; - int errors = 0; - try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); - } catch (IOException ex) { - logger.log(Level.SEVERE, "Error writing the sqlite db for firefox web history artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); - } - File dbFile = new File(temps); - if (controller.isCancelled()) { - dbFile.delete(); - break; - } - List> tempList = this.dbConnect(temps, ffquery); - logger.log(Level.INFO, moduleName + "- Now getting history from " + temps + " with " + tempList.size() + "artifacts identified."); - for (HashMap result : tempList) { - Collection bbattributes = new ArrayList(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), 
"RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : ""))); - //TODO Revisit usage of deprecated constructor as per TSK-583 - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("visit_date").toString())))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("visit_date").toString())))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", ((result.get("ref").toString() != null) ? result.get("ref").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? 
result.get("url").toString() : "")))); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, FFSqlitedb.get(j), bbattributes); - - } - if (errors > 0) { - this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); - } - j++; - dbFile.delete(); + for (FsContent historyFile : historyFiles) { + String fileName = historyFile.getName(); + String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db"; + int errors = 0; + try { + ContentUtils.writeToFile(historyFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db")); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Error writing the sqlite db for firefox web history artifacts.{0}", ex); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName); } + File dbFile = new File(temps); + if (controller.isCancelled()) { + dbFile.delete(); + break; + } + List> tempList = this.dbConnect(temps, ffquery); + logger.log(Level.INFO, moduleName + "- Now getting history from " + temps + " with " + tempList.size() + "artifacts identified."); + for (HashMap result : tempList) { + Collection bbattributes = new ArrayList(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? 
EscapeUtil.decodeURL(result.get("url").toString()) : ""))); + //TODO Revisit usage of deprecated constructor as per TSK-583 + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("visit_date").toString())))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("visit_date").toString())))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", ((result.get("ref").toString() != null) ? result.get("ref").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? 
result.get("url").toString() : "")))); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes); - services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); + } + if (errors > 0) { + this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); + } + ++j; + dbFile.delete(); } + + services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); } private void getBookmark(Image image, IngestImageWorkerController controller) { - //this is for bookmarks - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); + FileManager fileManager = currentCase.getServices().getFileManager(); + List bookmarkFiles = null; + try { + bookmarkFiles = fileManager.findFiles("%places.sqlite%", "Firefox"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching bookmark files for Firefox."); + } + + if (bookmarkFiles == null) { + return; + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; - int errors = 0; - try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); - } catch (IOException ex) { - logger.log(Level.SEVERE, "Error writing the sqlite db for firefox bookmark artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); - } - File dbFile = new File(temps); - if (controller.isCancelled()) { - dbFile.delete(); - break; - } - List> tempList = this.dbConnect(temps, ffbookmarkquery); - logger.log(Level.INFO, moduleName + "- Now getting 
bookmarks from " + temps + " with " + tempList.size() + "artifacts identified."); - for (HashMap result : tempList) { - - Collection bbattributes = new ArrayList(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? 
result.get("url").toString() : "")))); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, FFSqlitedb.get(j), bbattributes); - - } - if (errors > 0) { - this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); - } - j++; - dbFile.delete(); + for (FsContent bookmarkFile : bookmarkFiles) { + String fileName = bookmarkFile.getName(); + String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db"; + int errors = 0; + try { + ContentUtils.writeToFile(bookmarkFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db")); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Error writing the sqlite db for firefox bookmark artifacts.{0}", ex); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName); } + File dbFile = new File(temps); + if (controller.isCancelled()) { + dbFile.delete(); + break; + } + List> tempList = this.dbConnect(temps, ffbookmarkquery); + logger.log(Level.INFO, moduleName + "- Now getting bookmarks from " + temps + " with " + tempList.size() + "artifacts identified."); + for (HashMap result : tempList) { - services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); + Collection bbattributes = new ArrayList(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("title").toString() != null) ? 
result.get("title").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes); + + } + if (errors > 0) { + this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); + } + ++j; + dbFile.delete(); } + + services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); } //COOKIES section // This gets the cookie info private void getCookie(Image image, IngestImageWorkerController controller) { - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); + FileManager fileManager = currentCase.getServices().getFileManager(); + List cookiesFiles = null; + try { + cookiesFiles = fileManager.findFiles("%cookies.sqlite%", "Firefox"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching cookies files for Firefox."); + } + + if (cookiesFiles == null) { + return; + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; - int errors = 0; - try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); - } catch (IOException ex) { - logger.log(Level.SEVERE, "Error writing the sqlite db for firefox cookie artifacts.{0}", ex); - this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); 
- } - File dbFile = new File(temps); - if (controller.isCancelled()) { - dbFile.delete(); - break; - } - boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", temps); - String query = null; - if (checkColumn) { - query = ffcookiequery; - } else { - query = ff3cookiequery; - } - - List> tempList = this.dbConnect(temps, query); - logger.log(Level.INFO, moduleName + "- Now getting cookies from " + temps + " with " + tempList.size() + "artifacts identified."); - for (HashMap result : tempList) { - - Collection bbattributes = new ArrayList(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? result.get("host").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? EscapeUtil.decodeURL(result.get("host").toString()) : ""))); - //TODO Revisit usage of deprecated constructor as per TSK-583 - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("lastAccessed").toString())))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("name").toString() != null) ? 
result.get("name").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("lastAccessed").toString())))); - if (checkColumn == true) { - //TODO Revisit usage of deprecated constructor as per TSK-583 - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", (Long.valueOf(result.get("creationTime").toString())))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("creationTime").toString())))); - } - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? result.get("host").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", ((result.get("value").toString() != null) ? 
result.get("value").toString() : ""))); - String domain = Util.extractDomain(result.get("host").toString()); - domain = domain.replaceFirst("^\\.+(?!$)", ""); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, FFSqlitedb.get(j), bbattributes); - - } - if (errors > 0) { - this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); - } - j++; + for (FsContent cookiesFile : cookiesFiles) { + String fileName = cookiesFile.getName(); + String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db"; + int errors = 0; + try { + ContentUtils.writeToFile(cookiesFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db")); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Error writing the sqlite db for firefox cookie artifacts.{0}", ex); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName); + } + File dbFile = new File(temps); + if (controller.isCancelled()) { dbFile.delete(); + break; + } + boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", temps); + String query = null; + if (checkColumn) { + query = ffcookiequery; + } else { + query = ff3cookiequery; } - services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); + List> tempList = this.dbConnect(temps, query); + logger.log(Level.INFO, moduleName + "- Now getting cookies from " + temps + " with " + tempList.size() + "artifacts identified."); + for (HashMap result : tempList) { + + Collection bbattributes = new ArrayList(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? 
result.get("host").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? EscapeUtil.decodeURL(result.get("host").toString()) : ""))); + //TODO Revisit usage of deprecated constructor as per TSK-583 + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("lastAccessed").toString())))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("lastAccessed").toString())))); + if (checkColumn == true) { + //TODO Revisit usage of deprecated constructor as per TSK-583 + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", (Long.valueOf(result.get("creationTime").toString())))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", (Long.valueOf(result.get("creationTime").toString())))); + } + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", ((result.get("host").toString() != null) ? result.get("host").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", ((result.get("value").toString() != null) ? 
result.get("value").toString() : ""))); + String domain = Util.extractDomain(result.get("host").toString()); + domain = domain.replaceFirst("^\\.+(?!$)", ""); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", domain)); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes); + + } + if (errors > 0) { + this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); + } + ++j; + dbFile.delete(); } + + services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); } //Downloads section // This gets the downloads info private void getDownload(Image image, IngestImageWorkerController controller) { - List FFSqlitedb = this.extractFiles(image, "select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); + //List downloadsFiles = this.extractFiles(image, "select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'"); + + FileManager fileManager = currentCase.getServices().getFileManager(); + List downloadsFiles = null; + try { + downloadsFiles = fileManager.findFiles("%cookies.sqlite%", "Firefox"); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'downloads' files for Firefox."); + } + + if (downloadsFiles == null) { + return; + } int j = 0; - if (FFSqlitedb != null && !FFSqlitedb.isEmpty()) { - while (j < FFSqlitedb.size()) { - String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; - int errors = 0; - try { - ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); - } catch (IOException ex) { - logger.log(Level.SEVERE, "Error writing the sqlite db for firefox download artifacts.{0}", ex); - 
this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + FFSqlitedb.get(j).getName()); - } - File dbFile = new File(temps); - if (controller.isCancelled()) { - dbFile.delete(); - break; - } - - List> tempList = this.dbConnect(temps, ffdownloadquery); - logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified."); - for (HashMap result : tempList) { - try { - Collection bbattributes = new ArrayList(); - String urldecodedtarget = URLDecoder.decode(result.get("source").toString().replaceAll("file:///", ""), "UTF-8"); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? result.get("source").toString() : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? EscapeUtil.decodeURL(result.get("source").toString()) : ""))); - //TODO Revisit usage of deprecated constructor as per TSK-583 - //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString())))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("startTime").toString())))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(urldecodedtarget))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", urldecodedtarget)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("source").toString() != null) ? 
result.get("source").toString() : "")))); - this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, FFSqlitedb.get(j), bbattributes); - } catch (UnsupportedEncodingException ex) { - logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex); - errors++; - } - } - if (errors > 0) { - this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); - } - j++; + for (FsContent downloadsFile : downloadsFiles) { + String fileName = downloadsFile.getName(); + String temps = currentCase.getTempDirectory() + File.separator + fileName + j + ".db"; + int errors = 0; + try { + ContentUtils.writeToFile(downloadsFile, new File(currentCase.getTempDirectory() + File.separator + fileName + j + ".db")); + } catch (IOException ex) { + logger.log(Level.SEVERE, "Error writing the sqlite db for firefox download artifacts.{0}", ex); + this.addErrorMessage(this.getName() + ": Error while trying to analyze file:" + fileName); + } + File dbFile = new File(temps); + if (controller.isCancelled()) { dbFile.delete(); + break; } - services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD)); + List> tempList = this.dbConnect(temps, ffdownloadquery); + logger.log(Level.INFO, moduleName + "- Now getting downloads from " + temps + " with " + tempList.size() + "artifacts identified."); + for (HashMap result : tempList) { + try { + Collection bbattributes = new ArrayList(); + String urldecodedtarget = URLDecoder.decode(result.get("source").toString().replaceAll("file:///", ""), "UTF-8"); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? result.get("source").toString() : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", ((result.get("source").toString() != null) ? 
EscapeUtil.decodeURL(result.get("source").toString()) : ""))); + //TODO Revisit usage of deprecated constructor as per TSK-583 + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString())))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("startTime").toString())))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(urldecodedtarget))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", urldecodedtarget)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("source").toString() != null) ? result.get("source").toString() : "")))); + this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadsFile, bbattributes); + } catch (UnsupportedEncodingException ex) { + logger.log(Level.SEVERE, "Error decoding Firefox download URL in " + temps, ex); + errors++; + } + } + if (errors > 0) { + this.addErrorMessage(this.getName() + ": Error parsing " + errors + " Firefox web history artifacts."); + } + ++j; + dbFile.delete(); } + + services.fireModuleDataEvent(new ModuleDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD)); } @Override diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java index 15f001b848..f5ceb9b059 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java 
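Review bot: `getDownload` now looks up `"%cookies.sqlite%"` instead of the downloads database, so it will open cookie databases with `ffdownloadquery` and never see downloads.sqlite; the call should read `downloadsFiles = fileManager.findFiles("downloads.sqlite", "Firefox");`, matching the query left in the comment above it. If `findFiles` applies its first argument as a LIKE pattern, as the `%` wildcards suggest, the `%places.sqlite%` and `%cookies.sqlite%` patterns in the other three methods also match the `-journal` files that the removed SQL excluded with `NOT LIKE '%journal%'`, so each journal file would now be copied to the temp directory and parsed as a database; skip names containing "journal" in the loop unless the manager already does. The `image` parameter is no longer used to scope any of the four lookups, so matching files from other images in the case would be processed and attributed to this run. The copied `catch (TskCoreException ex)` blocks all log without `ex`, as already noted on the ExtractIE hunk.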
@@ -43,9 +43,11 @@ import org.sleuthkit.autopsy.coreutils.Logger; import java.util.regex.Matcher; import java.util.regex.Pattern; import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.autopsy.report.SQLiteDBConnect; +import org.sleuthkit.datamodel.TskCoreException; /** * @@ -84,32 +86,6 @@ public class Util { } } - public static boolean imgpathexists(String path) { - Case currentCase = Case.getCurrentCase(); // get the most updated case - SleuthkitCase tempDb = currentCase.getSleuthkitCase(); - Boolean rt = false; - int count = 0; - try { - List FFSqlitedb; - ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%" + path + "%'"); - FFSqlitedb = tempDb.resultSetToFsContents(rs); - count = FFSqlitedb.size(); - final Statement s = rs.getStatement(); - rs.close(); - if (s != null) { - s.close(); - } - if (count > 0) { - rt = true; - } else { - rt = false; - } - } catch (SQLException ex) { - logger.log(Level.WARNING, "Error checking if image exists, unable to contact sqlite database.", ex); - } - return rt; - } - public static String getBaseDomain(String url) { String host = null; //strip protocol @@ -213,7 +189,7 @@ public class Util { } return path; } - + public static long findID(String path) { String parent_path = path.replace('\\', '/'); // fix Chrome paths if (parent_path.length() > 2 && parent_path.charAt(1) == ':') { 
@@ -222,24 +198,20 @@ public class Util { int index = parent_path.lastIndexOf('/'); String name = parent_path.substring(++index); parent_path = parent_path.substring(0, index); - String query = "select * from tsk_files where parent_path like \"" + parent_path + "\" AND name like \"" + name + "\""; - Case currentCase = Case.getCurrentCase(); - SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + //String query = "select * from tsk_files where parent_path like \"" + parent_path + "\" AND name like \"" + name + "\""; + + FileManager fileManager = Case.getCurrentCase().getServices().getFileManager(); + List files = null; try { - ResultSet rs = tempDb.runQuery(query); - List results = tempDb.resultSetToFsContents(rs); - Statement s = rs.getStatement(); - rs.close(); - if (s != null) { - s.close(); - } - if (results.size() > 0) { - return results.get(0).getId(); - } - } catch (SQLException ex) { - logger.log(Level.WARNING, "Error finding ID, unable to contact sqlite database", ex); + files = fileManager.findFiles(name, parent_path); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); } - return -1; + + if (files == null || files.isEmpty()) { + return -1; + } + return files.get(0).getId(); } public static boolean checkColumn(String column, String tablename, String connection) { From 3824f90a0ee2770843a6894ab6ad3ad7dd40aea6 Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Tue, 27 Nov 2012 17:34:38 -0500 Subject: [PATCH 02/12] Refactored ExtractRegistry.getregistryfiles() to use several FileManager.findFiles calls in order to remove the raw SQL used to retrieve registry files. Also renamed method to getRegistryFiles(). --- .../recentactivity/ExtractRegistry.java | 93 +++++++++---------- 1 file changed, 42 insertions(+), 51 deletions(-) 
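Review bot: The new catch in `findID` logs "Error fetching 'index.data' files for Internet Explorer history.", a message copied from ExtractIE that has nothing to do with this lookup and that omits the exception; `logger.log(Level.WARNING, "Error finding ID for " + name + " under " + parent_path, ex);` would describe the failure and keep the cause. Replacing the concatenated query with `findFiles(name, parent_path)` is a welcome change, since the old statement was built from a path decoded out of a download record in the image, so the commented-out `query` line should be deleted rather than kept as a reference; whether `FileManager` parameterizes its own query is not visible in this patch and worth confirming. `findID` begins in the previous hunk.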
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 66210a1e6c..67e6db6c80 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java 
@@ -105,70 +105,61 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { public void setArguments(String args) { this.args = args; } - - private void getregistryfiles(Image image, IngestImageWorkerController controller) { - Case currentCase = Case.getCurrentCase(); // get the most updated case - SleuthkitCase tempDb = currentCase.getSleuthkitCase(); - Collection imageFS = tempDb.getFileSystems(image); - List fsIds = new LinkedList(); - for (FileSystem img : imageFS) { - Long tempID = img.getId(); - fsIds.add(tempID.toString()); - } - - String allFS = new String(); - for (int i = 0; i < fsIds.size(); i++) { - if (i == 0) { - allFS += " AND (0"; - } - allFS += " OR fs_obj_id = '" + fsIds.get(i) + "'"; - if (i == fsIds.size() - 1) { - allFS += ")"; - } - } - List Regfiles = new ArrayList(); + + private void getRegistryFiles(Image image, IngestImageWorkerController controller) { + + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + List allRegistryFiles = new ArrayList(); try { - ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS); - Regfiles = tempDb.resultSetToFsContents(rs); - } catch (SQLException ex) { - logger.log(Level.SEVERE, "Error querying the database for registry files: {0}", ex); + allRegistryFiles.addAll(fileManager.findFiles("ntuser.dat")); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); } -// org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); -// List Regfiles = null; -// try { -// Regfiles = fileManager.findFiles("ntuser.dat", "Recent"); -// } catch (TskCoreException ex) { -// logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet 
Explorer history."); -// } + // try to find each of the listed registry files whose parent directory + // is like '%/system32/config%' + String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"}; + for (String regFileName : regFileNames) { + try { + allRegistryFiles.addAll(fileManager.findFiles(regFileName, "%/system32/config%")); + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error fetching registry file: " + regFileName); + } + } + + // filter out those registry files that are not from this image + List regFiles = new ArrayList(); + for (FsContent regFile : allRegistryFiles) { + try { + if (regFile.getImage().equals(image)) { + regFiles.add(regFile); + } + } catch (TskCoreException ex) { + logger.log(Level.WARNING, "Error when trying to get image from FsContent object."); + } + } int j = 0; - - while (j < Regfiles.size()) { - boolean Success; - Content orgFS = Regfiles.get(j); - long orgId = orgFS.getId(); - String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString(); + for (FsContent regFile : regFiles) { + String regFileName = regFile.getName(); + String temps = currentCase.getTempDirectory() + "\\" + regFileName; try { - ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName())); + ContentUtils.writeToFile(regFile, new File(currentCase.getTempDirectory() + "\\" + regFileName)); } catch (IOException ex) { logger.log(Level.SEVERE, "Error writing the temp registry file. 
{0}", ex); } - File regFile = new File(temps); + File aRegFile = new File(temps); logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps); - String txtPath = executeRegRip(temps, j); + String txtPath = executeRegRip(temps, j++); if (txtPath.length() > 0) { - Success = parseReg(txtPath, orgId); - } else { - Success = false; + if (parseReg(txtPath, regFile.getId()) == false) { + continue; + } } + //At this point pasco2 proccessed the index files. //Now fetch the results, parse them and the delete the files. - if (Success) { - //Delete dat file since it was succcessful - regFile.delete(); - } - j++; + aRegFile.delete(); } } @@ -404,7 +395,7 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { @Override public void process(Image image, IngestImageWorkerController controller) { - this.getregistryfiles(image, controller); + this.getRegistryFiles(image, controller); } @Override From 0949fb13d12f93723ddcd55b2a185bcd5ec57e74 Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Wed, 28 Nov 2012 11:14:17 -0500 Subject: [PATCH 03/12] Updated Services and FileManager to implement the java.io.Closeable interface and updated FileManager to throw TskCoreException when its API is used after it has been closed. Closing is propagated to all services when the Case object is closed. These changes are in support of AUT-613. --- .../sleuthkit/autopsy/casemodule/Case.java | 1 + .../casemodule/services/FileManager.java | 30 +++++++++++++++---- .../autopsy/casemodule/services/Services.java | 21 ++++++++++++- 3 files changed, 46 insertions(+), 6 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java index 429e85bf37..3bb87f96b6 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java 
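Review bot: When `ContentUtils.writeToFile` throws, the loop only logs and then still runs `executeRegRip(temps, j++)` and `parseReg(txtPath, regFile.getId())` against whatever sits at `temps`, which can be the hive left behind by an earlier iteration because the `continue` on parse failure skips `aRegFile.delete()` and every ntuser.dat hive in the image shares the single temp name `getTempDirectory() + "\\ntuser.dat"`; RegRipper output would then be recorded under the wrong file's object ID. Each hive should be extracted under a unique name, the iteration should `continue` after a failed write, and the delete should sit in a `finally` so a failed parse never leaves stale input for the next hive. The hive bytes come from the image and are fed to an external RegRipper process, so a partial or failed extraction is exactly where a malformed hive would surface, which makes the stale-file path worth closing. The comment `//At this point pasco2 proccessed the index files.` was copied from the IE extractor and describes neither this loop nor RegRipper; replace it with `// RegRipper output has been parsed; remove the extracted hive copy.`
```java
for (FsContent regFile : regFiles) {
    // one temp copy per hive: several ntuser.dat hives would otherwise share one path
    String temps = currentCase.getTempDirectory() + "\\" + regFile.getId() + "_" + regFile.getName();
    File aRegFile = new File(temps);
    try {
        ContentUtils.writeToFile(regFile, aRegFile);
    } catch (IOException ex) {
        logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex);
        continue; // never run RegRipper on a stale or partial copy
    }
    try {
        logger.log(Level.INFO, moduleName + "- Now getting registry information from " + temps);
        String txtPath = executeRegRip(temps, j++);
        if (txtPath.length() > 0) {
            parseReg(txtPath, regFile.getId());
        }
    } finally {
        aRegFile.delete(); // remove the extracted hive copy whether or not parsing succeeded
    }
}
```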
@@ -360,6 +360,7 @@ public class Case { try { this.xmlcm.close(); // close the xmlcm this.db.close(); + services.close(); } catch (Exception e) { throw new CaseActionException("Error while trying to close the current case.", e); } diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java index 2fb61bd002..786370e9d2 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java @@ -4,6 +4,9 @@ */ package org.sleuthkit.autopsy.casemodule.services; +import java.io.Closeable; +import java.io.IOException; +import java.util.Collections; import java.util.List; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; @@ -12,7 +15,7 @@ import org.sleuthkit.datamodel.TskCoreException; /** * Abstraction to facilitate access to files and directories. */ -public class FileManager { +public class FileManager implements Closeable { private SleuthkitCase tskCase; @@ -26,7 +29,10 @@ public class FileManager { * given fileName */ public List findFiles(String fileName) throws TskCoreException { - return tskCase.findFiles(fileName); + if (tskCase == null) { + throw new TskCoreException("Attemtped to use FileManager after it was closed."); + } + return tskCase.findFiles(fileName); } /** @@ -36,7 +42,10 @@ public class FileManager { * fileName and whose parent directory contains dirName. */ public List findFiles(String fileName, String dirName) throws TskCoreException { - return tskCase.findFiles(fileName, dirName); + if (tskCase == null) { + throw new TskCoreException("Attemtped to use FileManager after it was closed."); + } + return tskCase.findFiles(fileName, dirName); } /** 
@@ -46,7 +55,10 @@ public class FileManager { * fileName and that were inside a directory described by parentFsContent. */ public List findFiles(String fileName, FsContent parentFsContent) throws TskCoreException { - return findFiles(fileName, parentFsContent.getName()); + if (tskCase == null) { + throw new TskCoreException("Attemtped to use FileManager after it was closed."); + } + return findFiles(fileName, parentFsContent.getName()); } /** @@ -55,7 +67,15 @@ public class FileManager { * @return a list of FsContent that have the given file path. */ public List openFiles(String filePath) throws TskCoreException { - return tskCase.openFiles(filePath); + if (tskCase == null) { + throw new TskCoreException("Attemtped to use FileManager after it was closed."); + } + return tskCase.openFiles(filePath); } + + @Override + public void close() throws IOException { + tskCase = null; + } } diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java index af16268207..d1844b7c7f 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java @@ -4,15 +4,25 @@ */ package org.sleuthkit.autopsy.casemodule.services; +import java.io.Closeable; +import java.io.IOException; +import java.util.ArrayList; +import java.util.List; import org.sleuthkit.datamodel.SleuthkitCase; /** * * @author mciver */ -public class Services { +public class Services implements Closeable { private SleuthkitCase tskCase; + + // NOTE: all new services added to Services class must be added to this list + // of services. + List services = new ArrayList(); + + // services private FileManager fileManager; public Services(SleuthkitCase tskCase) { 
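Review bot: `findFiles(String fileName, FsContent parentFsContent)` still forwards only `parentFsContent.getName()` as `dirName`, and the sibling overload documents `dirName` as a substring the parent directory merely contains, so a caller passing a directory object gets every file under any path containing that directory's name rather than the files inside that one directory; the Javadoc promise "inside a directory described by parentFsContent" overstates what the query does. Either scope the lookup to the parent's full path or object ID, or narrow the Javadoc to `* fileName and whose parent path contains the name of parentFsContent (not scoped to that directory).` Which FsContent accessor yields the full parent path is not visible here and needs checking against the datamodel before the first option is taken.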
@@ -22,7 +32,16 @@ public class Services { public FileManager getFileManager() { if (fileManager == null) { fileManager = new FileManager(tskCase); + services.add(fileManager); } return fileManager; } + + @Override + public void close() throws IOException { + // close all services + for (Closeable service : services) { + service.close(); + } + } } From f43d072bcf139dee00a732fc8a97cbb92cad7d5a Mon Sep 17 00:00:00 2001 From: Tim McIver Date: Thu, 29 Nov 2012 16:37:37 -0500 Subject: [PATCH 04/12] Updated FileManager API methods to take an Image as argument so that only files for that image is returned. These changes in support of AUT-613. --- .../casemodule/services/FileManager.java | 17 +++++++++-------- .../autopsy/recentactivity/Chrome.java | 12 ++++++------ .../autopsy/recentactivity/ExtractIE.java | 10 +++++----- .../recentactivity/ExtractRegistry.java | 18 +++--------------- .../autopsy/recentactivity/Firefox.java | 10 +++++----- .../sleuthkit/autopsy/recentactivity/Util.java | 9 +++------ 6 files changed, 31 insertions(+), 45 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java index 786370e9d2..a805aa6d1a 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java @@ -9,6 +9,7 @@ import java.io.IOException; import java.util.Collections; import java.util.List; import org.sleuthkit.datamodel.FsContent; +import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskCoreException; 
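Review bot: `Services.close()` closes the FileManager it handed out but leaves `tskCase` and `fileManager` untouched, so a later `getFileManager()` call either returns the already-closed instance or, if none was created before close, lazily builds a fresh FileManager over the SleuthkitCase that Case.closeCase is about to close — defeating the closed-state check FileManager just gained. Record the closed state in close(), e.g. `tskCase = null; fileManager = null; services.clear();`, and have `getFileManager()` throw `IllegalStateException` when `tskCase == null`. The loop also stops at the first service whose close() throws IOException, leaving later entries open; closing each in its own try and rethrowing afterwards keeps the shutdown complete.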
@@ -28,11 +29,11 @@ public class FileManager implements Closeable { * @return a list of FsContent for files/directories whose name matches the * given fileName */ - public List findFiles(String fileName) throws TskCoreException { + public List findFiles(Image image, String fileName) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return tskCase.findFiles(fileName); + return tskCase.findFiles(image, fileName); } /** @@ -41,11 +42,11 @@ public class FileManager implements Closeable { * @return a list of FsContent for files/directories whose name matches * fileName and whose parent directory contains dirName. */ - public List findFiles(String fileName, String dirName) throws TskCoreException { + public List findFiles(Image image, String fileName, String dirName) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return tskCase.findFiles(fileName, dirName); + return tskCase.findFiles(image, fileName, dirName); } /** @@ -54,11 +55,11 @@ public class FileManager implements Closeable { * @return a list of FsContent for files/directories whose name matches * fileName and that were inside a directory described by parentFsContent. */ - public List findFiles(String fileName, FsContent parentFsContent) throws TskCoreException { + public List findFiles(Image image, String fileName, FsContent parentFsContent) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return findFiles(fileName, parentFsContent.getName()); + return findFiles(image, fileName, parentFsContent.getName()); } /** 
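Review bot: None of the three rewritten signatures documents the new `image` parameter, and the surrounding Javadoc still reads as though the search is case-wide; add `* @param image the image whose file systems are searched; files from other images in the case are not returned` to each, since that scoping is the point of the change. In `findFiles(Image image, String fileName, FsContent parentFsContent)` the caller now supplies an image separately from a parent object that already belongs to one; if the two disagree the result is silently empty, which deserves either a `@throws` note or an `IllegalArgumentException` when `parentFsContent.getImage()` (used in ExtractRegistry earlier in this series, and itself declared to throw TskCoreException) differs from `image`.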
@@ -66,11 +67,11 @@ public class FileManager implements Closeable { * optionally include the image and volume names. * @return a list of FsContent that have the given file path. */ - public List openFiles(String filePath) throws TskCoreException { + public List openFiles(Image image, String filePath) throws TskCoreException { if (tskCase == null) { throw new TskCoreException("Attemtped to use FileManager after it was closed."); } - return tskCase.openFiles(filePath); + return tskCase.openFiles(image, filePath); } @Override diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 1577fb1ad8..153d2989b0 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -102,7 +102,7 @@ public class Chrome extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List historyFiles = null; try { - historyFiles = fileManager.findFiles("History", "Chrome"); + historyFiles = fileManager.findFiles(image, "History", "Chrome"); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); } @@ -156,7 +156,7 @@ public class Chrome extends Extract implements IngestModuleImage { FileManager fileManager = currentCase.getServices().getFileManager(); List bookmarkFiles = null; try { - bookmarkFiles = fileManager.findFiles("Bookmarks", "Chrome"); + bookmarkFiles = fileManager.findFiles(image, "Bookmarks", "Chrome"); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex); } 
@@ -229,7 +229,7 @@ public class Chrome extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List cookiesFiles = null;
 try {
- cookiesFiles = fileManager.findFiles("Cookies", "Chrome");
+ cookiesFiles = fileManager.findFiles(image, "Cookies", "Chrome");
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
 }
@@ -288,7 +288,7 @@ public class Chrome extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List historyFiles = null;
 try {
- historyFiles = fileManager.findFiles("History", "Chrome");
+ historyFiles = fileManager.findFiles(image, "History", "Chrome");
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
 }
@@ -315,7 +315,7 @@ public class Chrome extends Extract implements IngestModuleImage {
 for (HashMap result : tempList) {
 Collection bbattributes = new ArrayList();
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", (result.get("full_path").toString())));
- bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "Recent Activity", Util.findID((result.get("full_path").toString()))));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "Recent Activity", Util.findID(image, (result.get("full_path").toString()))));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? result.get("url").toString() : "")));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
 Long time = (Long.valueOf(result.get("start_time").toString()));
@@ -348,7 +348,7 @@ public class Chrome extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List signonFiles = null;
 try {
- signonFiles = fileManager.findFiles("signons.sqlite", "Chrome");
+ signonFiles = fileManager.findFiles(image, "signons.sqlite", "Chrome");
 } catch (TskCoreException ex) {
 logger.log(Level.SEVERE, "Error when trying to get Chrome history files.", ex);
 }
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
index db224a4868..202b1b7c30 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
@@ -133,7 +133,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
 org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
 List favoritesFiles = null;
 try {
- favoritesFiles = fileManager.findFiles("%.url", "Favorites");
+ favoritesFiles = fileManager.findFiles(image, "%.url", "Favorites");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
 }
@@ -189,7 +189,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
 org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
 List cookiesFiles = null;
 try {
- cookiesFiles = fileManager.findFiles("%.txt", "Cookies");
+ cookiesFiles = fileManager.findFiles(image, "%.txt", "Cookies");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
 }
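Review bot: The lookup `fileManager.findFiles(image, "signons.sqlite", "Chrome")` at `@@ -348` searches Chrome profiles for a file name that, as far as I know, belongs to Firefox's password store rather than Chrome's, so this query is likely to return nothing on real images — worth confirming against a test image before a report relies on it. Every catch in the Chrome hunks logs "Error when trying to get Chrome history files." even for bookmarks, cookies and signons; a message naming the artifact, e.g. `logger.log(Level.SEVERE, "Error when trying to get Chrome signon files.", ex);`, makes a failed lookup traceable. The enclosing methods start outside each hunk.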
@@ -244,7 +244,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
 org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
 List recentFiles = null;
 try {
- recentFiles = fileManager.findFiles("%.lnk", "Recent");
+ recentFiles = fileManager.findFiles(image, "%.lnk", "Recent");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
 }
@@ -261,7 +261,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
 Collection bbattributes = new ArrayList();
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", path));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", Util.getFileName(path)));
- long id = Util.findID(path);
+ long id = Util.findID(image, path);
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", id));
 //TODO Revisit usage of deprecated constructor as per TSK-583
 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
@@ -327,7 +327,7 @@ public class ExtractIE extends Extract implements IngestModuleImage {
 org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
 List indexFiles = null;
 try {
- indexFiles = fileManager.findFiles("index.dat");
+ indexFiles = fileManager.findFiles(image, "index.dat");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.");
 }
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 67e6db6c80..3432d17ea8 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
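Review bot: All of the ExtractIE catch blocks log the same string, "Error fetching 'index.data' files for Internet Explorer history.", although only the `@@ -327` hunk is about index.dat; the favorites, cookies and recent-documents lookups each need their own message, and none passes `ex` to the logger, so the TskCoreException detail is lost. For the `%.lnk` lookup at `@@ -244`: `logger.log(Level.WARNING, "Error fetching '.lnk' files from the Recent folder.", ex);`. The `"%.url"`, `"%.txt"` and `"%.lnk"` arguments confirm these are LIKE patterns, so a `dirName` of `"Recent"` or `"Cookies"` matches any path that merely contains that word; how SleuthkitCase.findFiles wraps `dirName` is not visible here, and it is worth confirming before a user folder such as one named `RecentProjects` is swept into the recent-documents artifacts. The enclosing methods start outside each hunk.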
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -111,7 +111,7 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); List allRegistryFiles = new ArrayList(); try { - allRegistryFiles.addAll(fileManager.findFiles("ntuser.dat")); + allRegistryFiles.addAll(fileManager.findFiles(image, "ntuser.dat")); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file."); } @@ -121,26 +121,14 @@ public class ExtractRegistry extends Extract implements IngestModuleImage { String[] regFileNames = new String[] {"system", "software", "security", "sam", "default"}; for (String regFileName : regFileNames) { try { - allRegistryFiles.addAll(fileManager.findFiles(regFileName, "%/system32/config%")); + allRegistryFiles.addAll(fileManager.findFiles(image, regFileName, "%/system32/config%")); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching registry file: " + regFileName); } } - // filter out those registry files that are not from this image - List regFiles = new ArrayList(); - for (FsContent regFile : allRegistryFiles) { - try { - if (regFile.getImage().equals(image)) { - regFiles.add(regFile); - } - } catch (TskCoreException ex) { - logger.log(Level.WARNING, "Error when trying to get image from FsContent object."); - } - } - int j = 0; - for (FsContent regFile : regFiles) { + for (FsContent regFile : allRegistryFiles) { String regFileName = regFile.getName(); String temps = currentCase.getTempDirectory() + "\\" + regFileName; try { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 41699f56f4..e09927499b 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
@@ -98,7 +98,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List historyFiles = null;
 try {
- historyFiles = fileManager.findFiles("%places.sqlite%", "Firefox");
+ historyFiles = fileManager.findFiles(image, "%places.sqlite%", "Firefox");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching internet history files for Firefox.");
 }
@@ -154,7 +154,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List bookmarkFiles = null;
 try {
- bookmarkFiles = fileManager.findFiles("%places.sqlite%", "Firefox");
+ bookmarkFiles = fileManager.findFiles(image, "%places.sqlite%", "Firefox");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching bookmark files for Firefox.");
 }
@@ -209,7 +209,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List cookiesFiles = null;
 try {
- cookiesFiles = fileManager.findFiles("%cookies.sqlite%", "Firefox");
+ cookiesFiles = fileManager.findFiles(image, "%cookies.sqlite%", "Firefox");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching cookies files for Firefox.");
 }
@@ -287,7 +287,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List downloadsFiles = null;
 try {
- downloadsFiles = fileManager.findFiles("%cookies.sqlite%", "Firefox");
+ downloadsFiles = fileManager.findFiles(image, "%cookies.sqlite%", "Firefox");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching 'downloads' files for Firefox.");
 }
@@ -324,7 +324,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 //TODO Revisit usage of deprecated constructor as per TSK-583
 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (Long.valueOf(result.get("startTime").toString()))));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", (Long.valueOf(result.get("startTime").toString()))));
- bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(urldecodedtarget)));
+ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", Util.findID(image, urldecodedtarget)));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", urldecodedtarget));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "FireFox"));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", (Util.extractDomain((result.get("source").toString() != null) ? result.get("source").toString() : ""))));
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
index f5ceb9b059..f14ac6bb72 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
@@ -31,22 +31,19 @@ import java.nio.MappedByteBuffer; import java.nio.channels.FileChannel; import java.nio.charset.Charset; import java.sql.ResultSet; -import java.sql.SQLException; -import java.sql.Statement; import java.text.SimpleDateFormat; import java.util.Date; import java.util.List; import java.util.StringTokenizer; import java.util.logging.Level; import org.sleuthkit.autopsy.coreutils.Logger; -//import org.apache.commons.lang.NullArgumentException; import java.util.regex.Matcher; import java.util.regex.Pattern; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.services.FileManager; import org.sleuthkit.datamodel.FsContent; -import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.autopsy.report.SQLiteDBConnect; +import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.TskCoreException; /** @@ -190,7 +187,7 @@ public class Util { return path; } - public static long findID(String path) { + public static long findID(Image image, String path) { String parent_path = path.replace('\\', '/'); // fix Chrome paths if (parent_path.length() > 2 && parent_path.charAt(1) == ':') { parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:') @@ -203,7 +200,7 @@ public class Util { FileManager fileManager = Case.getCurrentCase().getServices().getFileManager(); List files = null; try { - files = fileManager.findFiles(name, parent_path); + files = fileManager.findFiles(image, name, parent_path); } catch (TskCoreException ex) { logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); } From 1b944bfa56796b0983d21586f9709f9afd78d2ae Mon Sep 17 00:00:00 2001 
From: Tim McIver Date: Fri, 30 Nov 2012 15:32:38 -0500 Subject: [PATCH 05/12] Made FileManager methods synchronized so as to avoid concurrency issues caused by the Case being closed while other threads continue to access SleuthkitCase. Move the call to services.close in Case.closeCase to the top of the try block toward this end as well. --- Core/src/org/sleuthkit/autopsy/casemodule/Case.java | 13 +------------ .../autopsy/casemodule/services/FileManager.java | 11 +++++------ 2 files changed, 6 insertions(+), 18 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java index 3bb87f96b6..fb89e36299 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/Case.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/Case.java @@ -19,10 +19,6 @@ package org.sleuthkit.autopsy.casemodule; import java.awt.Frame; -import java.awt.event.ActionEvent; -import java.awt.event.ActionListener; -import java.awt.event.WindowAdapter; -import java.awt.event.WindowEvent; import java.beans.PropertyChangeListener; import java.beans.PropertyChangeSupport; import java.io.BufferedInputStream; @@ -31,7 +27,6 @@ import java.io.FileInputStream; import java.io.IOException; import java.text.DateFormat; import java.text.SimpleDateFormat; -import java.util.Arrays; import java.util.GregorianCalendar; import java.util.HashMap; import java.util.HashSet; 
@@ -40,20 +35,14 @@ import java.util.Map; import java.util.Set; import java.util.TimeZone; import java.util.logging.Level; -import javax.swing.JDialog; -import javax.swing.JFileChooser; import javax.swing.JOptionPane; import javax.swing.SwingUtilities; -import javax.swing.filechooser.FileFilter; -import org.openide.util.Exceptions; import org.openide.util.Lookup; import org.openide.util.actions.CallableSystemAction; import org.openide.util.actions.SystemAction; import org.openide.windows.WindowManager; import org.sleuthkit.autopsy.casemodule.services.Services; import org.sleuthkit.autopsy.corecomponentinterfaces.CoreComponentControl; -import org.sleuthkit.autopsy.corecomponents.AdvancedConfigurationCleanDialog; -import org.sleuthkit.autopsy.corecomponents.AdvancedConfigurationDialog; import org.sleuthkit.autopsy.coreutils.FileUtil; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.coreutils.Version; @@ -358,9 +347,9 @@ public class Case { changeCase(null); try { + services.close(); this.xmlcm.close(); // close the xmlcm this.db.close(); - services.close(); } catch (Exception e) { throw new CaseActionException("Error while trying to close the current case.", e); } diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java index a805aa6d1a..f716dd1ef8 100644 --- a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java +++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java @@ -6,7 +6,6 @@ package org.sleuthkit.autopsy.casemodule.services; import java.io.Closeable; import java.io.IOException; -import java.util.Collections; import java.util.List; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.Image; 
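Review bot: Moving `services.close()` to the top of the try means an IOException from any service now aborts the block before `this.xmlcm.close()` and `this.db.close()` run, and the catch rethrows as CaseActionException, so a failing service leaves the SleuthkitCase handle open for the rest of the process; FileManager.close() cannot throw today, but Services.close() propagates whatever future services do. Close the services in their own try/catch that logs, so the database is closed regardless: `try { services.close(); } catch (IOException e) { logger.log(Level.WARNING, "Error closing case services", e); }` followed by the existing xmlcm/db closes. The import hunks that drop unused Swing and dialog imports are fine; closeCase's body continues outside the hunk.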
@@ -29,7 +28,7 @@ public class FileManager implements Closeable {
 * @return a list of FsContent for files/directories whose name matches the
 * given fileName
 */
- public List findFiles(Image image, String fileName) throws TskCoreException {
+ public synchronized List findFiles(Image image, String fileName) throws TskCoreException {
 if (tskCase == null) {
 throw new TskCoreException("Attemtped to use FileManager after it was closed.");
 }
@@ -42,7 +41,7 @@ public class FileManager implements Closeable {
 * @return a list of FsContent for files/directories whose name matches
 * fileName and whose parent directory contains dirName.
 */
- public List findFiles(Image image, String fileName, String dirName) throws TskCoreException {
+ public synchronized List findFiles(Image image, String fileName, String dirName) throws TskCoreException {
 if (tskCase == null) {
 throw new TskCoreException("Attemtped to use FileManager after it was closed.");
 }
@@ -55,7 +54,7 @@ public class FileManager implements Closeable {
 * @return a list of FsContent for files/directories whose name matches
 * fileName and that were inside a directory described by parentFsContent.
 */
- public List findFiles(Image image, String fileName, FsContent parentFsContent) throws TskCoreException {
+ public synchronized List findFiles(Image image, String fileName, FsContent parentFsContent) throws TskCoreException {
 if (tskCase == null) {
 throw new TskCoreException("Attemtped to use FileManager after it was closed.");
 }
@@ -67,7 +66,7 @@ public class FileManager implements Closeable {
 * optionally include the image and volume names.
 * @return a list of FsContent that have the given file path.
 */
- public List openFiles(Image image, String filePath) throws TskCoreException {
+ public synchronized List openFiles(Image image, String filePath) throws TskCoreException {
 if (tskCase == null) {
 throw new TskCoreException("Attemtped to use FileManager after it was closed.");
 }
@@ -75,7 +74,7 @@ public class FileManager implements Closeable {
 }
 @Override
- public void close() throws IOException {
+ public synchronized void close() throws IOException {
 tskCase = null;
 }
From f2465f3dd306ace7eab718614f7893eb0bb64c0e Mon Sep 17 00:00:00 2001
From: Tim McIver
Date: Fri, 30 Nov 2012 15:36:20 -0500
Subject: [PATCH 06/12] Added private access modifier to Services.services member that was mistakenly left out.
---
 .../src/org/sleuthkit/autopsy/casemodule/services/Services.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
index d1844b7c7f..438a2beb25 100644
--- a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
+++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
@@ -20,7 +20,7 @@ public class Services implements Closeable {
 // NOTE: all new services added to Services class must be added to this list
 // of services.
- List services = new ArrayList();
+ private List services = new ArrayList();
 // services
 private FileManager fileManager;
From a4c66f9cae83a6755eb8c523972db200d7bf866a Mon Sep 17 00:00:00 2001
From: Tim McIver
Date: Fri, 30 Nov 2012 17:38:07 -0500
Subject: [PATCH 07/12] Fixed bug in Firefox.getDownload causing no downloads to be found.
---
 .../src/org/sleuthkit/autopsy/recentactivity/Firefox.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
index e09927499b..3b87a9417a 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
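Review bot: close() only drops this manager's reference to the SleuthkitCase; it does not close the database, which the Case close path does itself after `services.close()`. That contract is worth stating on the method, because the `throws IOException` in the signature suggests a real resource is released here, and the visible findFiles/openFiles guards mean every later call fails with TskCoreException rather than returning nothing. Suggested Javadoc: `/** Detaches this manager from the case database. The SleuthkitCase itself is closed by Case, not here; any later findFiles/openFiles call throws TskCoreException. */`. The hunk holds the whole method, but the class continues outside it.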
@@ -154,7 +154,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List bookmarkFiles = null;
 try {
- bookmarkFiles = fileManager.findFiles(image, "%places.sqlite%", "Firefox");
+ bookmarkFiles = fileManager.findFiles(image, "places.sqlite", "Firefox");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching bookmark files for Firefox.");
 }
@@ -209,7 +209,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List cookiesFiles = null;
 try {
- cookiesFiles = fileManager.findFiles(image, "%cookies.sqlite%", "Firefox");
+ cookiesFiles = fileManager.findFiles(image, "cookies.sqlite", "Firefox");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching cookies files for Firefox.");
 }
@@ -287,7 +287,7 @@ public class Firefox extends Extract implements IngestModuleImage {
 FileManager fileManager = currentCase.getServices().getFileManager();
 List downloadsFiles = null;
 try {
- downloadsFiles = fileManager.findFiles(image, "%cookies.sqlite%", "Firefox");
+ downloadsFiles = fileManager.findFiles(image, "downloads.sqlite", "Firefox");
 } catch (TskCoreException ex) {
 logger.log(Level.WARNING, "Error fetching 'downloads' files for Firefox.");
 }
From ff49aa461b7caf3a72f75e9ea0e57753681bf572 Mon Sep 17 00:00:00 2001
From: Tim McIver
Date: Mon, 3 Dec 2012 16:01:52 -0500
Subject: [PATCH 08/12] Made Services.getFileManager synchronized.
---
 .../org/sleuthkit/autopsy/casemodule/services/Services.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
index 438a2beb25..940a97b16b 100644
--- a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
+++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
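Review bot: The catch in each hunk logs a message but drops `ex`, so the cause of a failed lookup is lost from the log — `logger.log(Level.WARNING, "Error fetching bookmark files for Firefox.", ex);` keeps it — and after the catch `bookmarkFiles` is still null, so if the code following the hunk iterates it, a failed query turns into a NullPointerException instead of the warning; initializing to an empty list or returning from the catch avoids that. The same applies to cookiesFiles and downloadsFiles in the other two hunks. With the `%` wildcards removed, findFiles(image, fileName, dirName) presumably does its own matching; a comment at the call site saying whether "Firefox" is matched exactly or as a substring of the parent path would help, since that is what decides whether other profiles' databases are picked up. The enclosing methods continue outside the hunks.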
@@ -11,8 +11,7 @@ import java.util.List;
 import org.sleuthkit.datamodel.SleuthkitCase;
 /**
- *
- * @author mciver
+ * A class to manage various services.
 */
 public class Services implements Closeable {
@@ -29,7 +28,7 @@ public class Services implements Closeable {
 this.tskCase = tskCase;
 }
- public FileManager getFileManager() {
+ public synchronized FileManager getFileManager() {
 if (fileManager == null) {
 fileManager = new FileManager(tskCase);
 services.add(fileManager);
From b38c7dd80e43f5c192fdb3e20fbfef51651458fd Mon Sep 17 00:00:00 2001
From: adam-m
Date: Mon, 3 Dec 2012 16:36:39 -0500
Subject: [PATCH 09/12] updated news
---
 NEWS.txt | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/NEWS.txt b/NEWS.txt
index faafb83b3e..7b5223753b 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -3,11 +3,16 @@ New features:
 Improvements:
-- Add Image Wizard - better work-flow, better device size reporting
-- File Ingest: reduced file queuing time and memory usage
+- File Ingest: minimized file queuing time and memory usage
+- Add Image Wizard - better work-flow, better device size reporting, info on currently processed directory
+- Added extraction of all unallocated blocks (from volume, image) as a single file
+- Reporting improvements: reorganized columns, sorted by 1st column, added logo to html report
 Bugfixes:
 - fixed periodic keyword search during ingest, when it'd run max. 2 times only
+- fixed Downloads "target" in Recent Activity
+- fixed missing hash and keyword search hits in reports
+
 ---------------- VERSION 3.0.1 --------------
From f50c2da7e4e2f02c736d074ec14bddabd0f280d7 Mon Sep 17 00:00:00 2001
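Review bot: getFileManager is now synchronized, but the lazy-init path has no notion of the Services being closed: nothing visible stops a caller arriving after close() from finding `fileManager == null` and building a fresh `new FileManager(tskCase)` against the database that Case is in the middle of closing, and close() — outside this hunk — only helps if it holds the same monitor. A `private boolean closed` flag set in close() and checked first, `if (closed) { throw new IllegalStateException("Services already closed"); }`, closes that gap. The method also deserves a Javadoc line stating that the FileManager is created on first use and the same instance is returned for the life of the case, which is what makes the synchronization matter. The method body continues outside the hunk.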
From: Tim McIver
Date: Mon, 3 Dec 2012 16:39:32 -0500
Subject: [PATCH 10/12] Replaced header comment in Services.java and FileManager.java with the Basis license text used in other Autopsy source files.
---
 .../casemodule/services/FileManager.java | 22 +++++++++++++++++--
 .../autopsy/casemodule/services/Services.java | 22 +++++++++++++++++--
 2 files changed, 40 insertions(+), 4 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java
index f716dd1ef8..4a34625bb4 100644
--- a/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java
+++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/FileManager.java
@@ -1,6 +1,24 @@
 /*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
+ *
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2012 Basis Technology Corp.
+ *
+ * Copyright 2012 42six Solutions.
+ * Contact: aebadirad 42six com
+ * Project Contact/Architect: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
 */
 package org.sleuthkit.autopsy.casemodule.services;
diff --git a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
index 940a97b16b..9371d6d6ea 100644
--- a/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
+++ b/Core/src/org/sleuthkit/autopsy/casemodule/services/Services.java
@@ -1,6 +1,24 @@
 /*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
+ *
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2012 Basis Technology Corp.
+ *
+ * Copyright 2012 42six Solutions.
+ * Contact: aebadirad 42six com
+ * Project Contact/Architect: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
 */
 package org.sleuthkit.autopsy.casemodule.services;
From 6ccbe1d8bf40ba94520d30eedbb5eff8958ca2c2 Mon Sep 17 00:00:00 2001
From: adam-m
Date: Mon, 3 Dec 2012 17:43:23 -0500
Subject: [PATCH 11/12] fix for AUT-691 Crash
---
 .../autopsy/corecomponents/DataResultViewerTable.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java
index 637729198f..d37fe5406e 100644
--- a/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java
+++ b/Core/src/org/sleuthkit/autopsy/corecomponents/DataResultViewerTable.java
@@ -404,7 +404,7 @@ public class DataResultViewerTable extends AbstractDataResultViewer {
 * @param table the object table
 * @return max the maximum width of the column
 */
- private int getMaxColumnWidth(int index, FontMetrics metrics, int margin, int padding, String header, Object[][] table) {
+ private synchronized int getMaxColumnWidth(int index, FontMetrics metrics, int margin, int padding, String header, Object[][] table) {
 // set the tree (the node / names column) width
 String headerName = header;
 int headerWidth = metrics.stringWidth(headerName); // length of the header
@@ -412,7 +412,7 @@ public class DataResultViewerTable extends AbstractDataResultViewer {
 // Get maximum width of column data
 for (int i = 0; i < table.length; i++) {
- if (index >= table[i].length) {
+ if (table[i] == null || index >= table[i].length) {
 continue;
 }
 String test = table[i][index].toString();
From 99e8dd804488a3a8a5cc61c4af73c3ecc023f9ab Mon Sep 17 00:00:00 2001
From: adam-m
Date: Mon, 3 Dec 2012 17:59:15 -0500
Subject: [PATCH 12/12] ingest: do not enqueue tasks that have no modules
---
 .../org/sleuthkit/autopsy/ingest/IngestScheduler.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java b/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java
index c03e37d8ac..5ad1970843 100644
--- a/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java
+++ b/Core/src/org/sleuthkit/autopsy/ingest/IngestScheduler.java
@@ -394,6 +394,11 @@ class IngestScheduler {
 * @param task
 */
 synchronized void add(ScheduledTask task) {
+ //skip if task contains no modules
+ if (task.modules.isEmpty()) {
+ return;
+ }
+
 if (getImages().contains(task.image)) {
 //reset counters if the same image enqueued twice
 //Note, not very accurate, because we may have processed some files from
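Review bot: The new guard checks the row but not the cell, so `table[i][index].toString()` on the next line still throws when a cell itself is null; extend it to `if (table[i] == null || index >= table[i].length || table[i][index] == null) continue;`. Making a private width calculation `synchronized` on the viewer looks unrelated to the null fix: it only serializes calls to this one method and cannot stop `table` from being replaced or mutated by whoever builds it, which is not visible here — if a race was observed, the lock belongs where the table is produced, and a comment should say which crash it addresses. The method continues outside the hunk.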
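Review bot: A task with no modules is now dropped silently; the caller gets no return value or log line, so an ingest run in which every module was deselected simply never appears in the queue and is hard to diagnose afterwards. A log statement before the `return`, such as `logger.log(Level.INFO, "Skipping task with no modules for image: " + task.image);`, makes the skip visible — assuming the class has a logger, which this hunk does not show. If `task.modules` can ever be null the new check throws NullPointerException, so it is worth confirming that ScheduledTask guarantees a non-null list. The method continues outside the hunk.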
@@ -927,6 +932,11 @@ class IngestScheduler {
 }
 synchronized void add(Task task) {
+ //skip if task contains no modules
+ if (task.modules.isEmpty()) {
+ return;
+ }
+
 Task existTask = null;
 for (Task curTask : tasks) {
 if (curTask.image.equals(task.image)) {
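Review bot: This is the second copy of the same emptiness guard (the ScheduledTask add() in the previous hunk carries the first), and the early `return` again gives the caller no indication that the task was discarded. A single helper both add() methods call, or a `hasModules()` method on the two task types, keeps the two queues from diverging the next time the rule changes and is the natural place to log the skipped task; one comment on each guard saying why a module-less task is not worth queueing (`// nothing would run on this task; queueing it only inflates the progress count`) would record the intent. The method continues outside the hunk.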