From fa8ff3365a00c0591fbb6c37aedae174a4aff75a Mon Sep 17 00:00:00 2001 From: Alex Ebadirad Date: Wed, 21 Mar 2012 12:46:50 -0700 Subject: [PATCH] Cleaned up web downloads and it's associated html format Signed-off-by: Alex Ebadirad --- .../autopsy/recentactivity/Chrome.java | 126 ++++++++++++++++++ .../autopsy/recentactivity/Firefox.java | 64 +++++++++ .../sleuthkit/autopsy/report/reportHTML.java | 15 ++- 3 files changed, 198 insertions(+), 7 deletions(-) diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 790e280220..8bdee2792b 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -31,6 +31,8 @@ public class Chrome { + "datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; public static final String chcookiequery = "select name, value, host, expires_utc, datetime(last_access_utc/1000000-11644473600,'unixepoch','localtime') as last_access_utc, creation_utc from cookies"; public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count, datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; + public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from `downloads`"; + public static final String chloginquery = "select origin_url, username_value, signon_realm from `logins`"; private final Logger logger = Logger.getLogger(this.getClass().getName()); public int ChromeCount = 0; 
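Review bot: The new `chdownloadquery` selects `start_time` raw, while the history and cookie queries beside it convert Chrome's timestamps with `datetime(x/1000000-11644473600,'unixepoch','localtime')`; the TSK_LAST_ACCESSED attribute built from that column in the second Chrome hunk will therefore hold an unconverted number instead of the date string every other artifact carries. If downloads.start_time uses the same epoch as last_visit_time (it appears to), select it as `datetime(start_time/1000000-11644473600,'unixepoch','localtime') as start_time`. The same applies to `ffdownloadquery` in the first Firefox hunk, where `startTime` is left raw although `ffquery` converts `visit_date` with `datetime(.../1000000,'unixepoch','localtime')`. The backquoted table names in both new queries are also out of step with the unquoted names used by the neighbouring constants.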
@@ -229,5 +231,129 @@ public class Chrome { logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex); } + //Downloads section + // This gets the downloads info + try + { + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + List FFSqlitedb; + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and parent_path LIKE '%Chrome%' and fs_obj_id = '" + image + "'"); + FFSqlitedb = tempDb.resultSetToFsContents(rs); + rs.close(); + rs.getStatement().close(); + + int j = 0; + + while (j < FFSqlitedb.size()) + { + String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; + String connectionString = "jdbc:sqlite:" + temps; + ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); + File dbFile = new File(temps); + if (controller.isCancelled() ) { + dbFile.delete(); + break; + } + try + { + dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); + ResultSet temprs = tempdbconnect.executeQry(chdownloadquery); + while(temprs.next()) + { + BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); + Collection bbattributes = new ArrayList(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time"))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? 
temprs.getString("title").replaceAll("'", "''") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path"))); + + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbart.addAttributes(bbattributes); + + } + tempdbconnect.closeConnection(); + temprs.close(); + + } + catch (Exception ex) + { + logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); + } + j++; + dbFile.delete(); + } + } + catch (SQLException ex) + { + logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); + } + catch(IOException ioex) + { + logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex); + } + + //Login/Password section + // This gets the user info + try + { + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + List FFSqlitedb; + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and parent_path LIKE '%Chrome%' and fs_obj_id = '" + image + "'"); + FFSqlitedb = tempDb.resultSetToFsContents(rs); + rs.close(); + rs.getStatement().close(); + + int j = 0; + + while (j < FFSqlitedb.size()) + { + String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; + String connectionString = "jdbc:sqlite:" + temps; + ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); + File dbFile = new File(temps); + if (controller.isCancelled() ) { + dbFile.delete(); + break; + } + try + { + dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); + ResultSet temprs = tempdbconnect.executeQry(chloginquery); + while(temprs.next()) + { + BlackboardArtifact bbart = 
FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); + Collection bbattributes = new ArrayList(); + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time"))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity","", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm"))); + + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbart.addAttributes(bbattributes); + + } + tempdbconnect.closeConnection(); + temprs.close(); + + } + catch (Exception ex) + { + logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); + } + j++; + dbFile.delete(); + } + } + catch (SQLException ex) + { + logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); + } + catch(IOException ioex) + { + logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex); + } + } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index bcf36cb82a..47c27467ff 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
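Review bot: The login section stores `username_value` after `.replaceAll("'", "''")`, which is SQL-literal quoting applied to a value handed to `addAttributes` as a Java string; unless that API builds its INSERT by concatenation, every apostrophe in a recovered username is doubled in the case database, and since `origin_url` on the line above is not treated the same way at least one of the two lines is wrong. The artifact is also created as `TSK_WEB_HISTORY`, so these credential records will be counted and rendered as history entries; if no login-specific artifact type exists yet, a comment saying so is needed where the type is chosen. The file filter `name LIKE 'signons.sqlite'` under a `%Chrome%` path looks like a Firefox file name carried over — Chrome keeps its logins table in a file named `Login Data` as far as I know — so this block probably never matches anything and should be checked against a real profile. In both new blocks `tempdbconnect.closeConnection()` runs before `temprs.close()` and neither runs when the row loop throws; a try/finally around the connection that closes the ResultSet first fixes the ordering and the leak, and the Firefox downloads hunk has the same shape.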
@@ -31,6 +31,7 @@ public class Firefox {
 private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,datetime(moz_historyvisits.visit_date/1000000,'unixepoch','localtime') as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
 private static final String ffcookiequery = "SELECT name,value,host,expiry,datetime(moz_cookies.lastAccessed/1000000,'unixepoch','localtime') as lastAccessed,creationTime FROM moz_cookies";
 private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id";
+ private static final String ffdownloadquery = "select target, source, startTime, maxBytes from `moz_downloads`";
 public Logger logger = Logger.getLogger(this.getClass().getName()); 
@@ -193,6 +194,69 @@ public class Firefox { { logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex); } + + + //Downloads section + // This gets the downloads info + try + { + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + List FFSqlitedb; + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and parent_path LIKE '%Firefox%' and fs_obj_id = '" + image + "'"); + FFSqlitedb = tempDb.resultSetToFsContents(rs); + rs.close(); + rs.getStatement().close(); + + int j = 0; + + while (j < FFSqlitedb.size()) + { + String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; + String connectionString = "jdbc:sqlite:" + temps; + ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); + File dbFile = new File(temps); + if (controller.isCancelled() ) { + dbFile.delete(); + break; + } + try + { + dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); + ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery); + while(temprs.next()) + { + BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); + Collection bbattributes = new ArrayList(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("startTime"))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("source") != null) ? temprs.getString("source") : ""))); + //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? 
temprs.getString("title").replaceAll("'", "''") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("target"))); + + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbart.addAttributes(bbattributes); + + } + tempdbconnect.closeConnection(); + temprs.close(); + + } + catch (Exception ex) + { + logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); + } + j++; + dbFile.delete(); + } + } + catch (SQLException ex) + { + logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex); + } + catch(IOException ioex) + { + logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex); + } } } //@Override diff --git a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java index 435d19193c..350ac7300d 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java @@ -134,7 +134,7 @@ public reportHTML (HashMap> re StringBuilder nodeWebBookmark = new StringBuilder("
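Review bot: The Firefox downloads block tags every artifact with `TSK_PROG_NAME` = `"Chrome"`, a copy-paste from Chrome.java that will file Firefox downloads under Chrome in reports; it should carry whatever program name the Firefox history section above this hunk uses (the log message in this hunk spells it `FireFox`). The `TSK_PATH` attribute is also sourced from `"Recent Activity"` while every other attribute in the block uses `"RecentActivity"`, so filtering by module name will split this artifact's attributes; both Chrome blocks repeat that inconsistency. The temp-file path is built with a literal `"\\"` and the target `File` is constructed twice from the same string; `new File(currentCase.getTempDirectory(), name + j + ".db")` built once and reused for the write, the cancel check and the delete covers both. The enclosing method starts before this hunk, and as the three new blocks are now near-identical, a private helper taking the file-name filter, the query and a row-to-attributes step would remove the triplication.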

Web Bookmarks (").append(countWebBookmark).append(")

").append(tableHeader).append("URLTitleProgram"); StringBuilder nodeWebCookie = new StringBuilder("

Web Cookies (").append(countWebCookie).append(")

").append(tableHeader).append("URLDateNameValueProgram"); StringBuilder nodeWebHistory = new StringBuilder("

Web History (").append(countWebHistory).append(")

").append(tableHeader).append("URLDateReferrerTitleProgram"); - StringBuilder nodeWebDownload = new StringBuilder("

Web Downloads (").append(countWebDownload).append(")

").append(tableHeader).append("AttributeValue"); + StringBuilder nodeWebDownload = new StringBuilder("

Web Downloads (").append(countWebDownload).append(")

").append(tableHeader).append("FileSourceTimeProgram"); StringBuilder nodeRecentObjects = new StringBuilder("

Recent Documents (").append(countRecentObjects).append(")

").append(tableHeader).append("Artifact IDNameSizeNamePath"); StringBuilder nodeTrackPoint = new StringBuilder("

Track Points (").append(countTrackPoint).append(")

").append(tableHeader).append("Artifact IDNameSizeAttributeValue"); StringBuilder nodeInstalled = new StringBuilder("

Installed Programs (").append(countInstalled).append(")

").append(tableHeader).append("Artifact IDNameSizeAttributeValue"); @@ -175,14 +175,14 @@ public reportHTML (HashMap> re nodeGen.append(artifact); } if(entry.getKey().getArtifactTypeID() == 2){ - artifact.append("").append(attributes.get(1)).append(""); + artifact.append("").append(attributes.get(1)).append(""); artifact.append("").append(attributes.get(3)).append(""); artifact.append("").append(attributes.get(4)).append(""); artifact.append(""); nodeWebBookmark.append(artifact); } if(entry.getKey().getArtifactTypeID() == 3){ - artifact.append("").append(attributes.get(1)).append(""); + artifact.append("").append(attributes.get(1)).append(""); artifact.append("").append(attributes.get(2)).append(""); artifact.append("").append(attributes.get(3)).append(""); artifact.append("").append(attributes.get(6)).append(""); @@ -191,7 +191,7 @@ public reportHTML (HashMap> re nodeWebCookie.append(artifact); } if(entry.getKey().getArtifactTypeID() == 4){ - artifact.append("").append(attributes.get(1)).append(""); + artifact.append("").append(attributes.get(1)).append(""); artifact.append("").append(attributes.get(2)).append(""); artifact.append("").append(attributes.get(32)).append(""); artifact.append("").append(attributes.get(3)).append(""); @@ -200,9 +200,10 @@ public reportHTML (HashMap> re nodeWebHistory.append(artifact); } if(entry.getKey().getArtifactTypeID() == 5){ - artifact.append("").append(objId.toString()); - artifact.append("").append(file.getName().toString()).append(""); - artifact.append("").append(filesize.toString()).append(""); + artifact.append("").append(attributes.get(8)).append(""); + artifact.append("").append(attributes.get(1)).append(""); + artifact.append("").append(attributes.get(2)).append(""); + artifact.append("").append(attributes.get(4)).append(""); artifact.append(""); nodeWebDownload.append(artifact); }
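Review bot: The download row now appends `attributes.get(8)`, `attributes.get(1)`, `attributes.get(2)` and `attributes.get(4)` straight into the HTML; these are values recovered from the evidence image (download URL and target path), and a `<`, `&` or quote inside them lands in the report unescaped, so a filename or URL carrying markup can alter the report page. The tag strings in this hunk appear to have been lost in rendering, so only the append calls are visible to me, but routing each value through a helper such as `private static String esc(Object v) { return String.valueOf(v).replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;"); }` before appending covers the new cells and the history, cookie and bookmark rows in the three hunks above. The bare keys 8, 1, 2, 4 must line up with the File/Source/Time/Program column order set in the first hunk's `nodeWebDownload` header; using `ATTRIBUTE_TYPE.<name>.getTypeID()` instead of integer literals would make that checkable at a glance. If `attributes` lacks one of those keys, `get` presumably yields `null` and the cell reads "null"; an empty-string default is kinder to the reader.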