mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 18:17:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial commit of new parsing approach

Browse Source
This commit is contained in:
Brian Carrier 2018-03-05 18:23:14 -05:00
parent 6dfc602b7a
commit fb9afff815
1 changed files with 113 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
Core/src/org/sleuthkit/autopsy/datasourceprocessors/VolatilityProcessor.java
View File

@ -27,6 +27,7 @@ import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
@ -97,7 +98,7 @@ class VolatilityProcessor implements Runnable{
fileManager = currentCase.getServices().getFileManager(); fileManager = currentCase.getServices().getFileManager();
// make a unique folder for this image // make a unique folder for this image
moduleOutputPath = currentCase.getModulesOutputDirAbsPath() + File.separator + "Volatility" + File.separator + dataSource.getId(); moduleOutputPath = currentCase.getModulesOutputDirAbsPath() + File.separator + "Volatility" + File.separator + "1"; // @@@ TESTING ONLY
File directory = new File(String.valueOf(moduleOutputPath)); File directory = new File(String.valueOf(moduleOutputPath));
if(!directory.exists()){ if(!directory.exists()){
directory.mkdirs(); directory.mkdirs();
@ -143,11 +144,12 @@ class VolatilityProcessor implements Runnable{
processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err")); processBuilder.redirectError(new File(moduleOutputPath + "\\Volatility_Run.err"));
processBuilder.directory(new File(memoryImage.getParent())); processBuilder.directory(new File(memoryImage.getParent()));
int exitVal = ExecUtil.execute(processBuilder); // @@@ TESTING ONLY
if (exitVal != 0) { //int exitVal = ExecUtil.execute(processBuilder);
logger.log(Level.SEVERE, "Volatility non-0 exit value for module: " + pluginToRun); //if (exitVal != 0) {
return; // logger.log(Level.SEVERE, "Volatility non-0 exit value for module: " + pluginToRun);
} // return;
//}
if (isCancelled) if (isCancelled)
return; return;
@ -206,8 +208,80 @@ class VolatilityProcessor implements Runnable{
return null; return null;
} }
private void lookupFiles(Set<String> fileSet, String pluginName) {
try {
if (isCancelled)
return;
Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard();
for (String file : fileSet) {
File volfile = new File(file);
String fileName = volfile.getName().trim();
// if there is no extension, add a wildcard to the end
if (fileName.contains(".") == false) {
fileName = fileName + ".%";
}
String filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
// strip C:
if (filePath.contains(":")) {
filePath = filePath.substring(filePath.indexOf(":")+1);
}
filePath = filePath.replaceAll("\\\\", "/");
} else {
filePath = "";
}
try {
List<AbstractFile> resolvedFiles;
if (filePath.isEmpty()) {
resolvedFiles = fileManager.findFiles(fileName); //NON-NLS
}
else {
resolvedFiles = fileManager.findFiles(fileName, filePath); //NON-NLS
}
resolvedFiles.forEach((resolvedFile) -> {
try {
String MODULE_NAME = "VOLATILITY";
BlackboardArtifact volArtifact = resolvedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
BlackboardAttribute att1 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
"Volatility Plugin " + pluginName);
BlackboardAttribute att2 = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
"Volatility Plugin " + pluginName);
volArtifact.addAttribute(att1);
volArtifact.addAttribute(att2);
try {
// index the artifact for keyword search
blackboard.indexArtifact(volArtifact);
} catch (Blackboard.BlackboardException ex) {
logger.log(Level.SEVERE, "Unable to index blackboard artifact " + volArtifact.getArtifactID(), ex); //NON-NLS
}
// fire event to notify UI of this new artifact
services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT));
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to create BlackboardArtifact.", ex); // NON-NLS
} catch (IllegalStateException ex) {
logger.log(Level.SEVERE, "Failed to create BlackboardAttribute.", ex); // NON-NLS
}
});
);
} catch (TskCoreException ex) {
//String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
logger.log(Level.SEVERE, "Error in Finding FIles", ex);
return;
}
}
} catch (Exception ex) {
logger.log(Level.SEVERE, "Error in processing List of FIles", ex); //NON-NLS
}
}
private void scanOutputFile(String pluginName, File PluginOutput) { private void scanOutputFile(String pluginName, File PluginOutput) {
List<String> fileNames = new ArrayList<>();
Map<String, Map> fileName = new HashMap<String, Map>(); Map<String, Map> fileName = new HashMap<String, Map>();
Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard(); Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard();
@ -217,7 +291,9 @@ class VolatilityProcessor implements Runnable{
} else if (pluginName.matches("handles")) { } else if (pluginName.matches("handles")) {
fileName = Parse_Handles(PluginOutput); fileName = Parse_Handles(PluginOutput);
} else if (pluginName.matches("cmdline")) { } else if (pluginName.matches("cmdline")) {
fileName = Parse_Cmdline(PluginOutput); Set<String> fileSet = parse_Cmdline(PluginOutput);
lookupFiles(fileSet, pluginName);
return;
} else if (pluginName.matches("psxview")){ } else if (pluginName.matches("psxview")){
fileName = Parse_Psxview(PluginOutput); fileName = Parse_Psxview(PluginOutput);
} else if (pluginName.matches("pslist")) { } else if (pluginName.matches("pslist")) {
@ -291,13 +367,11 @@ class VolatilityProcessor implements Runnable{
} }
private Map<String, Map> Parse_Handles(File PluginFile) { private Map<String, Map> Parse_Handles(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
String line_type; String line_type;
String file_path;
Map<String, Map> fileMap = new HashMap<>(); Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0; int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
@ -306,14 +380,15 @@ class VolatilityProcessor implements Runnable{
Map<String, String> fileNameMap = new HashMap<>(); Map<String, String> fileNameMap = new HashMap<>();
if (line.length() > 65) { if (line.length() > 65) {
line_type = line.substring(64,68); line_type = line.substring(64,68);
// @@@ Should this restrict to line starting with File?
if (line_type.matches("File")) { if (line_type.matches("File")) {
counter = counter + 1; counter = counter + 1;
file_path = line.substring(82); String file_path = line.substring(82);
file_path = file_path.replaceAll("Device\\\\",""); file_path = file_path.replaceAll("Device\\\\","");
file_path = file_path.replaceAll("HarddiskVolume[0-9]\\\\", ""); file_path = file_path.replaceAll("HarddiskVolume[0-9]\\\\", "");
File volfile = new File(file_path); File volfile = new File(file_path);
fileName = volfile.getName(); String fileName = volfile.getName();
filePath = volfile.getParent(); String filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) { if (filePath != null && !filePath.isEmpty()) {
filePath = filePath.replaceAll("\\\\", "%"); filePath = filePath.replaceAll("\\\\", "%");
filePath = "%" + filePath + "%"; filePath = "%" + filePath + "%";
@ -436,42 +511,37 @@ class VolatilityProcessor implements Runnable{
return fileMap; return fileMap;
} }
private Map<String, Map> Parse_Cmdline(File PluginFile) { private Set<String> parse_Cmdline(File PluginFile) {
List<String> fileNames = new ArrayList<>();
String line; String line;
String line_type; Set<String> fileSet = new HashSet<>();
String file_path;
Map<String, Map> fileMap = new HashMap<>();
String filePath;
String fileName;
int counter = 0; int counter = 0;
try { try {
BufferedReader br = new BufferedReader(new FileReader(PluginFile)); BufferedReader br = new BufferedReader(new FileReader(PluginFile));
// read the first line from the text file // read the first line from the text file
while ((line = br.readLine()) != null) { while ((line = br.readLine()) != null) {
Map<String, String> fileNameMap = new HashMap<>();
if (line.length() > 16) { if (line.length() > 16) {
line_type = line.substring(0,15); String TAG = "Command line : ";
if (line_type.startsWith("Command line : ")) { if (line.startsWith(TAG)) {
counter = counter + 1; counter = counter + 1;
file_path = line.substring(15); // Command line : "C:\Program Files\VMware\VMware Tools\vmacthlp.exe"
File volfile = new File(file_path); String file_path;
fileName = volfile.getName(); if (line.charAt(TAG.length()) == '\"') {
if ((fileName.lastIndexOf(".") + 3) < fileName.length()) { file_path = line.substring(TAG.length()+1);
fileName = fileName.substring(0, fileName.lastIndexOf(".")+4); if (file_path.contains("\"")) {
} file_path = file_path.substring(0, file_path.indexOf("\""));
filePath = volfile.getParent();
if (filePath != null && !filePath.isEmpty()) {
if (filePath.contains(":")) {
filePath = filePath.substring(filePath.indexOf(":")+1);
} }
filePath = filePath.replaceAll("\\\\", "%"); else {
filePath = "%" + filePath + "%"; // ERROR
} else { }
filePath = "%"; }
} // Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512
fileNameMap.put(filePath, fileName); else {
fileMap.put(file_path, fileNameMap); file_path = line.substring(TAG.length());
if (file_path.contains(" ")) {
file_path = file_path.substring(0, file_path.indexOf(" "));
}
}
fileSet.add(file_path.toLowerCase());
} }
} }
} }
@ -479,7 +549,7 @@ class VolatilityProcessor implements Runnable{
} catch (IOException ex) { } catch (IOException ex) {
//Exceptions.printStackTrace(ex); //Exceptions.printStackTrace(ex);
} }
return fileMap; return fileSet;
} }
private Map<String, Map> Parse_Shimcache(File PluginFile) { private Map<String, Map> Parse_Shimcache(File PluginFile) {