- fix previous merge
adam-m 2012-05-02 00:26:43 -04:00
parent a38d546ecb
commit ff96ae6f13
26 changed files with 3407 additions and 3169 deletions


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera
*/
public enum BrowserActivity {
IE(0),
FF(1),
CH(2);
private static final Map<Integer,BrowserActivity> lookup
= new HashMap<Integer,BrowserActivity>();
IE(0),
FF(1),
CH(2);
private static final Map<Integer, BrowserActivity> lookup = new HashMap<Integer, BrowserActivity>();
static {
for(BrowserActivity bat : values())
for (BrowserActivity bat : values()) {
lookup.put(bat.type, bat);
}
}
private int type;
private BrowserActivity(int type) {
this.type = type;
}
private int type;
private BrowserActivity(int type)
{
this.type = type;
}
public int getType() { return type; }
public int getType() {
return type;
}
public static BrowserActivity get(int type) {
switch(type) {
case 0: return IE;
case 1: return FF;
case 2: return CH;
switch (type) {
case 0:
return IE;
case 1:
return FF;
case 2:
return CH;
}
return null;
}
}
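Review bot: The `lookup` map filled in the static initializer is never read — `get(int type)` resolves the code through a hard-coded switch and falls through to `return null`, so adding a constant means editing two places that can silently drift apart. Replacing the switch body with `return lookup.get(type);` keeps the null-for-unknown behaviour callers see today and makes the map the single source of truth. While here, `private int type;` can become `private final int type;` since it is only assigned in the constructor. BrowserActivityType and BrowserType carry the same unused-lookup pattern and the same fix applies there.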


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera
*/
public enum BrowserActivityType {
Cookies(0),
Url(1),
Bookmarks(2);
private static final Map<Integer,BrowserActivityType> lookup
= new HashMap<Integer,BrowserActivityType>();
Cookies(0),
Url(1),
Bookmarks(2);
private static final Map<Integer, BrowserActivityType> lookup = new HashMap<Integer, BrowserActivityType>();
static {
for(BrowserActivityType bat : values())
for (BrowserActivityType bat : values()) {
lookup.put(bat.type, bat);
}
}
private int type;
private BrowserActivityType(int type) {
this.type = type;
}
private int type;
private BrowserActivityType(int type)
{
this.type = type;
}
public int getType() { return type; }
public int getType() {
return type;
}
public static BrowserActivityType get(int type) {
switch(type) {
case 0: return Cookies;
case 1: return Url;
case 2: return Bookmarks;
switch (type) {
case 0:
return Cookies;
case 1:
return Url;
case 2:
return Bookmarks;
}
return null;
}
}
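Review bot: The Javadoc on BrowserActivityType still consists only of `@author arivera`, so a reader cannot tell what the enum represents or what the integer codes are for; a one-line summary such as `/** Categories of browser activity handled by the recent-activity module; each constant carries the integer code used to resolve it via {@link #get(int)}. */` would close that gap (BrowserActivity and BrowserType have the same empty Javadoc). The constants `Cookies`, `Url` and `Bookmarks` also depart from the UPPER_SNAKE_CASE convention the sibling enums follow; renaming them is an API change for callers outside this hunk, so it may belong in a follow-up rather than this merge fix.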


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -12,34 +28,36 @@ import java.util.Map;
* @author arivera
*/
public enum BrowserType {
IE(0), //Internet Explorer
FF(1), //Firefox
CH(2); //Chrome
private static final Map<Integer,BrowserType> lookup
= new HashMap<Integer,BrowserType>();
IE(0), //Internet Explorer
FF(1), //Firefox
CH(2); //Chrome
private static final Map<Integer, BrowserType> lookup = new HashMap<Integer, BrowserType>();
static {
for(BrowserType bt : values())
for (BrowserType bt : values()) {
lookup.put(bt.type, bt);
}
}
private int type;
private BrowserType(int type) {
this.type = type;
}
private int type;
private BrowserType(int type)
{
this.type = type;
}
public int getType() { return type; }
public int getType() {
return type;
}
public static BrowserType get(int type) {
switch(type) {
case 0: return IE;
case 1: return FF;
case 2: return CH;
switch (type) {
case 0:
return IE;
case 1:
return FF;
case 2:
return CH;
}
return null;
}
}
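Review bot: BrowserType duplicates BrowserActivity constant for constant — the same `IE(0)`, `FF(1)`, `CH(2)` codes and the same lookup/constructor/switch body — which looks like it may be a leftover of the merge this commit is repairing. If only one of the two is referenced elsewhere, the other can be dropped; if both are intentionally distinct, a sentence in each enum's Javadoc stating how they differ would keep the next reader from collapsing them. The trailing `//Internet Explorer`-style comments here are the one thing BrowserActivity lacks and are worth carrying over.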


@ -1,8 +1,25 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
@ -25,398 +42,410 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
/**
*
* @author Alex
*/
public class Chrome {
public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url";
public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies";
public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id";
public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads";
public static final String chloginquery = "select origin_url, username_value, signon_realm from logins";
private final Logger logger = Logger.getLogger(this.getClass().getName());
public int ChromeCount = 0;
public Chrome(){
}
public void getchdb(List<String> image, IngestImageWorkerController controller){
try
{
public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url";
public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies";
public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id";
public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads";
public static final String chloginquery = "select origin_url, username_value, signon_realm from logins";
private final Logger logger = Logger.getLogger(this.getClass().getName());
public int ChromeCount = 0;
public Chrome() {
}
public void getchdb(List<String> image, IngestImageWorkerController controller) {
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb;
Map<String, Object> kvs = new LinkedHashMap<String, Object>();
List<FsContent> FFSqlitedb = null;
Map<String, Object> kvs = new LinkedHashMap<String, Object>();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
ChromeCount = FFSqlitedb.size();
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
ChromeCount = FFSqlitedb.size();
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write to disk.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(chquery);
while(temprs.next())
{
String domain = Util.extractDomain(temprs.getString("url"));
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",temprs.getString("url")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Accessed",(temprs.getLong("last_visit_time")/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",temprs.getString("from_visit")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbart.addAttributes(bbattributes);
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//COOKIES section
// This gets the cookie info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
allFS += " AND (0";
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
allFS += ")";
}
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
{
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(chcookiequery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = temprs.getString("host_key");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",(temprs.getLong("last_access_utc")/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbart.addAttributes(bbattributes);
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chquery);
while (temprs.next()) {
try {
String domain = Util.extractDomain(temprs.getString("url"));
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("url")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Accessed", (temprs.getLong("last_visit_time") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", temprs.getString("from_visit")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to insert BB artifact.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//BOokmarks section
// This gets the bm info
try
{
//COOKIES section
// This gets the cookie info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chcookiequery);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = temprs.getString("host_key");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", (temprs.getLong("last_access_utc") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
//BOokmarks section
// This gets the bm info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO {0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try {
final JsonParser parser = new JsonParser();
JsonElement jsonElement = parser.parse(new FileReader(temps));
JsonElement jsonElement = parser.parse(new FileReader(temps));
JsonObject test = jsonElement.getAsJsonObject();
JsonObject whatever = test.get("roots").getAsJsonObject();
JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject();
JsonArray whatever3 = whatever2.getAsJsonArray("children");
// JsonArray results = parser.parse(new FileReader(temps)).getAsJsonObject().getAsJsonArray("roots").getAsJsonObject().getAsJsonArray("bookmark_bar").get(0).getAsJsonObject().getAsJsonArray("children");
for (JsonElement result : whatever3) {
JsonObject address = result.getAsJsonObject();
String url = address.get("url").getAsString();
String name = address.get("name").getAsString();
Long date = address.get("date_added").getAsLong();
String domain = Util.extractDomain(url);
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",(date/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbart.addAttributes(bbattributes);
}
for (JsonElement result : whatever3) {
try {
JsonObject address = result.getAsJsonObject();
String url = address.get("url").getAsString();
String name = address.get("name").getAsString();
Long date = address.get("date_added").getAsLong();
String domain = Util.extractDomain(url);
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (date / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to insert BB artifact{0}", ex);
}
}
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex);
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section
// This gets the downloads info
try
{
//Downloads section
// This gets the downloads info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb;
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
List<FsContent> FFSqlitedb = null;
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(chdownloadquery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = Util.extractDomain(temprs.getString("url"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",(temprs.getLong("start_time")/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(temprs.getString("full_path"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbart.addAttributes(bbattributes);
}
tempdbconnect.closeConnection();
temprs.close();
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chdownloadquery);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = Util.extractDomain(temprs.getString("url"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (temprs.getLong("start_time") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(temprs.getString("full_path"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Login/Password section
// This gets the user info
try
{
//Login/Password section
// This gets the user info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(chloginquery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity","", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbart.addAttributes(bbattributes);
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chloginquery);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
}


@ -1,9 +1,26 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.sql.SQLException;
import java.util.List;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@ -12,49 +29,51 @@ import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
* @author Alex
*/
public class ExtractAll {
void ExtractAll(){
}
public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds){
controller.switchToDeterminate(3);
try{
// Will make registry entries later, comment out for DEMO ONLY
controller.switchToDeterminate(4);
controller.progress(0);
ExtractRegistry eree = new ExtractRegistry();
eree.getregistryfiles(imgIds, controller);
controller.progress(1);
if (controller.isCancelled())
return true;
Firefox ffre = new Firefox();
ffre.getffdb(imgIds, controller);
controller.progress(2);
if (controller.isCancelled())
return true;
Chrome chre = new Chrome();
chre.getchdb(imgIds, controller);
controller.progress(3);
if (controller.isCancelled())
return true;
ExtractIE eere = new ExtractIE(imgIds, controller);
eere.parsePascoResults();
controller.progress(4);
if (controller.isCancelled())
return true;
//Find a way to put these results into BB
void ExtractAll() {
}
public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds) {
controller.switchToDeterminate(3);
try {
// Will make registry entries later, comment out for DEMO ONLY
controller.switchToDeterminate(4);
controller.progress(0);
ExtractRegistry eree = new ExtractRegistry();
eree.getregistryfiles(imgIds, controller);
controller.progress(1);
if (controller.isCancelled()) {
return true;
}
catch(Error e){
return false;
}
}
}
Firefox ffre = new Firefox();
ffre.getffdb(imgIds, controller);
controller.progress(2);
if (controller.isCancelled()) {
return true;
}
Chrome chre = new Chrome();
chre.getchdb(imgIds, controller);
controller.progress(3);
if (controller.isCancelled()) {
return true;
}
ExtractIE eere = new ExtractIE(imgIds, controller);
eere.parsePascoResults();
controller.progress(4);
if (controller.isCancelled()) {
return true;
}
//Find a way to put these results into BB
return true;
} catch (SQLException e) {
return false;
} catch (Error e) {
return false;
}
}
}
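Review bot: In extractToBlackboard the trailing `catch (Error e) { return false; }` swallows JVM errors such as OutOfMemoryError and StackOverflowError, and the `catch (SQLException e)` branch just above it drops the exception without logging, so a failed extraction leaves no trace in the log or the ingest progress. Catching Error is almost never appropriate; remove that branch and log the SQL cause before returning, e.g. `} catch (SQLException e) { logger.log(Level.WARNING, "Recent activity extraction failed", e); return false; }` (the hunk shows no logger field on this class, so one would need to be added, matching the other extractors). `void ExtractAll() {}` is a no-op method that looks like a constructor; either drop the `void` to make it the constructor or delete it. The two `switchToDeterminate` calls (3, then 4) also disagree, and only the 4 matches the progress steps that follow.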


@ -1,15 +1,17 @@
/*
/*
*
* Autopsy Forensic Browser
*
* Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -27,7 +29,6 @@ import java.io.IOException;
import java.sql.ResultSet;
//Util Imports
import java.sql.SQLException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
@ -43,7 +44,6 @@ import java.util.regex.Pattern;
// TSK Imports
import org.openide.modules.InstalledFileLocator;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.datamodel.DataConversion;
@ -58,7 +58,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.autopsy.coreutils.PlatformUtil;
public class ExtractIE { // implements BrowserActivity {
@ -69,220 +69,223 @@ public class ExtractIE { // implements BrowserActivity {
private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'";
//sleauthkit db handle
SleuthkitCase tempDb;
//paths set in init()
private String PASCO_RESULTS_PATH;
private String PASCO_LIB_PATH;
private String JAVA_PATH;
//Results List to be referenced/used outside the class
public ArrayList<HashMap<String, Object>> PASCO_RESULTS_LIST = new ArrayList<HashMap<String, Object>>();
//Look Up Table that holds Pasco2 results
private HashMap<String, Object> PASCO_RESULTS_LUT;
private KeyValue IE_PASCO_LUT = new KeyValue(BrowserType.IE.name(), BrowserType.IE.getType());
public LinkedHashMap<String, Object> IE_OBJ;
boolean pascoFound = false;
public ExtractIE(List<String> image, IngestImageWorkerController controller) {
init(image, controller);
//Favorites section
// This gets the favorite info
try
{
// This gets the favorite info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> FavoriteList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(favoriteQuery + allFS);
FavoriteList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
List<FsContent> FavoriteList;
ResultSet rs = tempDb.runQuery(favoriteQuery + allFS);
FavoriteList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
for(FsContent Favorite : FavoriteList)
{
if (controller.isCancelled() ) {
break;
}
for (FsContent Favorite : FavoriteList) {
if (controller.isCancelled()) {
break;
}
Content fav = Favorite;
byte[] t = new byte[(int) fav.getSize()];
final int bytesRead = fav.read(t, 0, fav.getSize());
String bookmarkString = new String(t);
String re1=".*?"; // Non-greedy match on filler
String re2="((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1
String re1 = ".*?"; // Non-greedy match on filler
String re2 = "((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1
String url = "";
Pattern p = Pattern.compile(re1+re2,Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Pattern p = Pattern.compile(re1 + re2, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m = p.matcher(bookmarkString);
if (m.find())
{
url = m.group(1);
if (m.find()) {
url = m.group(1);
}
String name = Favorite.getName();
String datetime = Favorite.getCrtimeAsDate();
Long datetime = Favorite.getCrtime();
String domain = Util.extractDomain(url);
BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbart.addAttributes(bbattributes);
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
try {
BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
}
catch(TskException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
}
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
//Cookies section
// This gets the cookies info
try
{
//Cookies section
// This gets the cookies info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> CookiesList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(cookiesQuery + allFS);
CookiesList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
List<FsContent> CookiesList;
ResultSet rs = tempDb.runQuery(cookiesQuery + allFS);
CookiesList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
for(FsContent Cookie : CookiesList)
{
if (controller.isCancelled() ) {
break;
}
for (FsContent Cookie : CookiesList) {
if (controller.isCancelled()) {
break;
}
Content fav = Cookie;
byte[] t = new byte[(int) fav.getSize()];
final int bytesRead = fav.read(t, 0, fav.getSize());
String cookieString = new String(t);
String[] values = cookieString.split("\n");
String[] values = cookieString.split("\n");
String url = values.length > 2 ? values[2] : "";
String value = values.length > 1 ? values[1] : "";
String name = values.length > 0 ? values[0] : "";
String datetime = Cookie.getCrtimeAsDate();
String domain = Util.extractDomain(url);
BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbart.addAttributes(bbattributes);
Long datetime = Cookie.getCrtime();
String domain = Util.extractDomain(url);
try {
BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
catch(TskException ex)
{
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
}
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
//Recent Documents section
// This gets the recent object info
try
{
//Recent Documents section
// This gets the recent object info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> RecentList;
List<FsContent> RecentList = new ArrayList<FsContent>();
ResultSet rs = tempDb.runQuery(recentQuery + allFS);
RecentList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
for(FsContent Recent : RecentList)
{
if (controller.isCancelled() ) {
break;
}
try {
ResultSet rs = tempDb.runQuery(recentQuery + allFS);
RecentList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
for (FsContent Recent : RecentList) {
if (controller.isCancelled()) {
break;
}
Content fav = Recent;
byte[] t = new byte[(int) fav.getSize()];
byte[] t = new byte[(int) fav.getSize()];
int bytesRead = 0;
if (fav.getSize() > 0) {
bytesRead = fav.read(t, 0, fav.getSize()); // read the data
}
}
// set the data on the bottom and show it
String recentString = new String();
String recentString = new String();
if (bytesRead > 0) {
recentString = DataConversion.getString(t, bytesRead, 4);
recentString = DataConversion.getString(t, bytesRead, 4);
}
String path = Util.getPath(recentString);
String name = Util.getFileName(path);
String datetime = Recent.getCrtimeAsDate();
BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),"RecentActivity","Last Visited",path));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(path)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity","Date Created",datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Windows Explorer"));
bbart.addAttributes(bbattributes);
Long datetime = Recent.getCrtime();
try {
BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", "Last Visited", path));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(path)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Windows Explorer"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
}
catch(TskException ex)
{
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
}
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
}
//@Override
@ -293,44 +296,52 @@ public class ExtractIE { // implements BrowserActivity {
private void init(List<String> image, IngestImageWorkerController controller) {
final Case currentCase = Case.getCurrentCase();
final String caseDir = Case.getCurrentCase().getCaseDirectory();
PASCO_RESULTS_PATH = caseDir + File.separator + "recentactivity" + File.separator + "results";
PASCO_RESULTS_PATH = Case.getCurrentCase().getTempDirectory() + File.separator + "results";
JAVA_PATH = PlatformUtil.getJavaPath();
if (JAVA_PATH.isEmpty() || JAVA_PATH == null) {
JAVA_PATH = "java";
}
logger.log(Level.INFO, "Pasco results path: " + PASCO_RESULTS_PATH);
final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false);
if (pascoRoot == null) {
logger.log(Level.SEVERE, "Pasco2 not found");
pascoFound = false;
return;
}
else {
pascoFound = true;
}
final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false);
if (pascoRoot == null) {
logger.log(Level.SEVERE, "Pasco2 not found");
pascoFound = false;
return;
} else {
pascoFound = true;
}
final String pascoHome = pascoRoot.getAbsolutePath();
logger.log(Level.INFO, "Pasco2 home: " + pascoHome);
PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator
+ pascoHome + File.separator + "*";
PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator
+ pascoHome + File.separator + "*";
try {
File resultsDir = new File(PASCO_RESULTS_PATH);
resultsDir.mkdirs();
Collection<FsContent> FsContentCollection;
Collection<FsContent> FsContentCollection = null;
tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS);
FsContentCollection = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS);
FsContentCollection = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
String temps;
String indexFileName;
@ -340,22 +351,21 @@ public class ExtractIE { // implements BrowserActivity {
// index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
// Write each index.dat file to a temp directory.
//BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
indexFileName = "index" + Integer.toString((int)fsc.getId()) + ".dat";
indexFileName = "index" + Integer.toString((int) fsc.getId()) + ".dat";
//indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
temps = currentCase.getTempDirectory() + File.separator + indexFileName;
File datFile = new File(temps);
if (controller.isCancelled() ) {
datFile.delete();
break;
}
if (controller.isCancelled()) {
datFile.delete();
break;
}
try {
ContentUtils.writeToFile(fsc, datFile);
}
catch (IOException e) {
} catch (IOException e) {
logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e);
}
boolean bPascProcSuccess = executePasco(temps, (int)fsc.getId());
boolean bPascProcSuccess = executePasco(temps, (int) fsc.getId());
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
@ -368,9 +378,9 @@ public class ExtractIE { // implements BrowserActivity {
} catch (Exception ioex) {
logger.log(Level.SEVERE, "Error while trying to write index.dat files.", ioex);
}
//bookmarks
//cookies
}
@ -378,8 +388,9 @@ public class ExtractIE { // implements BrowserActivity {
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private boolean executePasco(String indexFilePath, int fileIndex) {
if (pascoFound == false)
if (pascoFound == false) {
return false;
}
boolean success = true;
try {
@ -391,9 +402,9 @@ public class ExtractIE { // implements BrowserActivity {
command.append(" -T history");
command.append(" \"").append(indexFilePath).append("\"");
command.append(" > \"").append(PASCO_RESULTS_PATH).append("\\pasco2Result.").append(Integer.toString(fileIndex)).append(".txt\"");
// command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\"");
// command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\"");
String cmd = command.toString();
JavaSystemCaller.Exec.execute("\"java "+cmd+ "\"");
JavaSystemCaller.Exec.execute("\"" + JAVA_PATH + " " + cmd + "\"");
} catch (Exception e) {
success = false;
@ -404,8 +415,9 @@ public class ExtractIE { // implements BrowserActivity {
}
public void parsePascoResults() {
if (pascoFound == false)
if (pascoFound == false) {
return;
}
// First thing we want to do is check to make sure the results directory
// is not empty.
File rFile = new File(PASCO_RESULTS_PATH);
@ -421,8 +433,8 @@ public class ExtractIE { // implements BrowserActivity {
if (pascoFiles.length > 0) {
try {
for (File file : pascoFiles) {
String fileName = file.getName();
long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".")+1, fileName.lastIndexOf(".")));
String fileName = file.getName();
long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".") + 1, fileName.lastIndexOf(".")));
//bbartname = bbartname.substring(0, 4);
// Make sure the file the is not empty or the Scanner will
@ -433,7 +445,7 @@ public class ExtractIE { // implements BrowserActivity {
fileScanner.nextLine();
fileScanner.nextLine();
fileScanner.nextLine();
// long inIndexId = 0;
// long inIndexId = 0;
while (fileScanner.hasNext()) {
//long bbartId = Long.parseLong(bbartname + inIndexId++);
@ -449,56 +461,58 @@ public class ExtractIE { // implements BrowserActivity {
try {
String[] lineBuff = line.split("\\t");
PASCO_RESULTS_LUT = new HashMap<String, Object>();
String url[] = lineBuff[1].split("@",2);
String url[] = lineBuff[1].split("@", 2);
String ddtime = lineBuff[2];
String actime = lineBuff[3];
Long ftime = (long)0;
Long ftime = (long) 0;
String user = "";
String realurl = "";
String domain = "";
if(url.length > 1)
{
user = url[0];
user = user.replace("Visited:", "");
user = user.replace(":Host:", "");
user = user.replaceAll("(:)(.*?)(:)", "");
user = user.trim();
realurl = url[1];
realurl = realurl.replace("Visited:", "");
realurl = realurl.replaceAll(":(.*?):", "");
realurl = realurl.replace(":Host:", "");
realurl = realurl.trim();
domain = Util.extractDomain(realurl);
}
if(!ddtime.isEmpty()){
ddtime = ddtime.replace("T"," ");
ddtime = ddtime.substring(ddtime.length()-5);
}
if(!actime.isEmpty()){
try{
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime();
ftime = epochtime.longValue();
if (url.length > 1) {
user = url[0];
user = user.replace("Visited:", "");
user = user.replace(":Host:", "");
user = user.replaceAll("(:)(.*?)(:)", "");
user = user.trim();
realurl = url[1];
realurl = realurl.replace("Visited:", "");
realurl = realurl.replaceAll(":(.*?):", "");
realurl = realurl.replace(":Host:", "");
realurl = realurl.trim();
domain = Util.extractDomain(realurl);
}
catch(ParseException e){
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
if (!ddtime.isEmpty()) {
ddtime = ddtime.replace("T", " ");
ddtime = ddtime.substring(ddtime.length() - 5);
}
}
if (!actime.isEmpty()) {
try {
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime();
ftime = epochtime.longValue();
} catch (ParseException e) {
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
}
}
// TODO: Need to fix this so we have the right obj_id
BlackboardArtifact bbart = tempDb.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", realurl));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "", ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", ""));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(),"RecentActivity","",user));
bbart.addAttributes(bbattributes);
try {
BlackboardArtifact bbart = tempDb.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", realurl));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "", ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", ""));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", user));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
//KeyValueThing
//This will be redundant in terms IE.name() because of
@ -508,9 +522,9 @@ public class ExtractIE { // implements BrowserActivity {
IE_PASCO_LUT.addMap(IE_OBJ);
PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT);
} catch (TskException ex) {
Exceptions.printStackTrace(ex);
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
}
@ -524,7 +538,7 @@ public class ExtractIE { // implements BrowserActivity {
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
}


@ -4,22 +4,14 @@
*/
package org.sleuthkit.autopsy.recentactivity;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.io.*;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Scanner;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.*;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang3.StringEscapeUtils;
import org.jdom.Document;
import org.jdom.Element;
import org.jdom.input.SAXBuilder;
@ -27,15 +19,9 @@ import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.*;
/**
*
@ -43,271 +29,232 @@ import org.sleuthkit.datamodel.SleuthkitCase;
*/
public class ExtractRegistry {
public Logger logger = Logger.getLogger(this.getClass().getName());
private String RR_PATH;
boolean rrFound = false;
private int sysid;
ExtractRegistry(){
public Logger logger = Logger.getLogger(this.getClass().getName());
private String RR_PATH;
boolean rrFound = false;
private int sysid;
ExtractRegistry() {
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false);
if (rrRoot == null) {
logger.log(Level.SEVERE, "RegRipper not found");
rrFound = false;
return;
}
else {
rrFound = true;
}
try{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
while (artset.next()){
sysid = artset.getInt("artifact_type_id");
}
}
catch(Exception e){
}
final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome);
RR_PATH = rrHome + File.separator + "rip.exe";
}
public void getregistryfiles(List<String> image, IngestImageWorkerController controller){
try
{
if (rrRoot == null) {
logger.log(Level.SEVERE, "RegRipper not found");
rrFound = false;
return;
} else {
rrFound = true;
}
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
allFS += " AND (0";
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
allFS += ")";
ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
while (artset.next()) {
sysid = artset.getInt("artifact_type_id");
}
List<FsContent> Regfiles;
ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS);
Regfiles = tempDb.resultSetToFsContents(rs);
} catch (Exception e) {
}
final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome);
RR_PATH = rrHome + File.separator + "rip.exe";
}
public void getregistryfiles(List<String> image, IngestImageWorkerController controller) {
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> Regfiles = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS);
Regfiles = tempDb.resultSetToFsContents(rs);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < Regfiles.size())
{
while (j < Regfiles.size()) {
boolean Success;
Content orgFS = Regfiles.get(j);
long orgId = orgFS.getId();
String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString();
ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName()));
try {
ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName()));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File regFile = new File(temps);
String txtPath = executeRegRip(temps, j);
if(txtPath.length() > 0)
{
Success = parseReg(txtPath,orgId);
}
else
{
Success = false;
}
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
if(Success)
{
//Delete dat file since it was succcessful
regFile.delete();
}
j++;
}
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Registry files", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
String txtPath = executeRegRip(temps, j);
if (txtPath.length() > 0) {
Success = parseReg(txtPath, orgId);
} else {
Success = false;
}
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
if (Success) {
//Delete dat file since it was succcessful
regFile.delete();
}
j++;
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Registry files", ex);
}
}
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private String executeRegRip(String regFilePath, int fileIndex)
{
String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt";
String type = "";
private String executeRegRip(String regFilePath, int fileIndex) {
String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt";
String type = "";
try
{
if(regFilePath.toLowerCase().contains("system"))
{
type = "autopsysystem";
}
if(regFilePath.toLowerCase().contains("software"))
{
type = "autopsysoftware";
}
if(regFilePath.toLowerCase().contains("ntuser"))
{
type = "autopsy";
}
if(regFilePath.toLowerCase().contains("default"))
{
type = "1default";
}
if(regFilePath.toLowerCase().contains("sam"))
{
type = "1sam";
}
if(regFilePath.toLowerCase().contains("security"))
{
type = "1security";
}
String command = "\"" + RR_PATH + "\" -r \"" + regFilePath +"\" -f " + type + " > \"" + txtPath + "\" 2> NUL";
JavaSystemCaller.Exec.execute("\""+command + "\"");
try {
}
catch(Exception e)
{
logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> " ,e.getMessage() );
}
if (regFilePath.toLowerCase().contains("system")) {
type = "autopsysystem";
}
if (regFilePath.toLowerCase().contains("software")) {
type = "autopsysoftware";
}
if (regFilePath.toLowerCase().contains("ntuser")) {
type = "autopsy";
}
if (regFilePath.toLowerCase().contains("default")) {
type = "1default";
}
if (regFilePath.toLowerCase().contains("sam")) {
type = "1sam";
}
if (regFilePath.toLowerCase().contains("security")) {
type = "1security";
}
return txtPath;
String command = "\"" + RR_PATH + "\" -r \"" + regFilePath + "\" -f " + type + " > \"" + txtPath + "\" 2> NUL";
JavaSystemCaller.Exec.execute("\"" + command + "\"");
} catch (Exception e) {
logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> ", e.getMessage());
}
return txtPath;
}
private boolean parseReg(String regRecord, long orgId)
{
private boolean parseReg(String regRecord, long orgId) {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
File regfile = new File(regRecord);
FileInputStream fstream = new FileInputStream(regfile);
InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8");
BufferedReader input = new BufferedReader(fstreamReader);
//logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding());
String regString = new Scanner(input).useDelimiter("\\Z").next();
regfile.delete();
String startdoc = "<?xml version=\"1.0\"?><document>";
String result = regString.replaceAll("----------------------------------------","");
result = result.replaceAll("\\n", "");
result = result.replaceAll("\\r","");
result = result.replaceAll("'","&apos;");
result = result.replaceAll("&", "&amp;");
String enddoc = "</document>";
String stringdoc = startdoc + result + enddoc;
SAXBuilder sb = new SAXBuilder();
Document document = sb.build(new StringReader(stringdoc));
Element root = document.getRootElement();
List<Element> types = root.getChildren();
Iterator<Element> iterator = types.iterator();
//for(int i = 0; i < types.size(); i++)
//for(Element tempnode : types)
try {
File regfile = new File(regRecord);
FileInputStream fstream = new FileInputStream(regfile);
InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8");
BufferedReader input = new BufferedReader(fstreamReader);
//logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding());
String regString = new Scanner(input).useDelimiter("\\Z").next();
regfile.delete();
String startdoc = "<?xml version=\"1.0\"?><document>";
String result = regString.replaceAll("----------------------------------------", "");
result = result.replaceAll("\\n", "");
result = result.replaceAll("\\r", "");
result = result.replaceAll("'", "&apos;");
result = result.replaceAll("&", "&amp;");
String enddoc = "</document>";
String stringdoc = startdoc + result + enddoc;
SAXBuilder sb = new SAXBuilder();
Document document = sb.build(new StringReader(stringdoc));
Element root = document.getRootElement();
List<Element> types = root.getChildren();
Iterator<Element> iterator = types.iterator();
while (iterator.hasNext()) {
String time = "";
String context = "";
Element tempnode = iterator.next();
// Element tempnode = types.get(i);
context = tempnode.getName();
Element timenode = tempnode.getChild("time");
time = timenode.getTextTrim();
Element artroot = tempnode.getChild("artifacts");
List<Element> artlist = artroot.getChildren();
String winver = "";
String installdate = "";
if(artlist.isEmpty()){
}
else{
Iterator<Element> aiterator = artlist.iterator();
while (aiterator.hasNext()) {
Element artnode = aiterator.next();
String name = artnode.getAttributeValue("name");
String value = artnode.getTextTrim();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
if("recentdocs".equals(context)){
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
// bbart.addAttributes(bbattributes);
}
else if("usb".equals(context)){
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
String dev = artnode.getAttributeValue("dev");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
bbart.addAttributes(bbattributes);
}
else if("uninstall".equals(context)){
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
String etime = "";
String context = "";
Element tempnode = iterator.next();
// Element tempnode = types.get(i);
context = tempnode.getName();
Element timenode = tempnode.getChild("time");
etime = timenode.getTextTrim();
Long time = null;
try {
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(etime).getTime();
time = epochtime.longValue();
} catch (ParseException e) {
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
}
else if("WinVersion".equals(context)){
if(name.contains("ProductName"))
{
winver = value;
}
if(name.contains("CSDVersion")){
winver = winver + " " + value;
}
if(name.contains("InstallDate"))
{
installdate = value;
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
Element artroot = tempnode.getChild("artifacts");
List<Element> artlist = artroot.getChildren();
String winver = "";
String installdate = "";
if (artlist.isEmpty()) {
} else {
Iterator<Element> aiterator = artlist.iterator();
while (aiterator.hasNext()) {
Element artnode = aiterator.next();
String name = artnode.getAttributeValue("name");
String value = artnode.getTextTrim();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
if ("recentdocs".equals(context)) {
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
// bbart.addAttributes(bbattributes);
} else if ("usb".equals(context)) {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
String dev = artnode.getAttributeValue("dev");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
bbart.addAttributes(bbattributes);
} else if ("uninstall".equals(context)) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
} else if ("WinVersion".equals(context)) {
if (name.contains("ProductName")) {
winver = value;
}
if (name.contains("CSDVersion")) {
winver = winver + " " + value;
}
if (name.contains("InstallDate")) {
installdate = value;
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
}
} else {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes);
}
}
}
else
{
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes);
}
}
}
}
}
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
String sadafd = "";
}
} catch (Exception ex) {
return true;
logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
}
return true;
}
}
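Review bot: In parseReg the escaping at `result = result.replaceAll("'", "&apos;"); result = result.replaceAll("&", "&amp;");` runs in the wrong order, so every apostrophe in a hive value reaches the blackboard as a literal `&apos;`, and `<`/`>` are never escaped, so a `<` inside a value (the RegRipper text is spliced verbatim between the `<document>` tags) makes SAXBuilder throw, the catch at the bottom logs it, and the method still returns true so the caller treats the hive as parsed. Escape `&` first, then `<`, `>` and `'`, and return false from the catch so the Success flag in getregistryfiles means something. The SimpleDateFormat pattern treats the trailing `Z` as a literal, so the value is parsed in the JVM default zone; if RegRipper emits UTC, as that Z suggests, call `setTimeZone(TimeZone.getTimeZone("UTC"))` on the formatter (ExtractIE uses the same pattern), otherwise the stored epoch shifts by the analyst's offset. Separately, the query in getregistryfiles, `lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (...)` + allFS, binds the fs_obj_id filter only to the second arm because AND binds tighter than OR, so ntuser.dat hits from every file system in the case are processed; wrap the two name conditions in parentheses before appending allFS.
```java
// … unchanged: read RegRipper output into regString, delete the temp file …
String result = regString.replaceAll("----------------------------------------", "");
result = result.replaceAll("\\n", "");
result = result.replaceAll("\\r", "");
result = result.replaceAll("&", "&amp;");   // must run before any entity is introduced
result = result.replaceAll("<", "&lt;");
result = result.replaceAll(">", "&gt;");
result = result.replaceAll("'", "&apos;");
// … unchanged: wrap in <document>, SAXBuilder, iterate top-level elements …
SimpleDateFormat iso = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
iso.setTimeZone(TimeZone.getTimeZone("UTC")); // 'Z' is a literal in the pattern, so pick the zone explicitly
Long epochtime = iso.parse(etime).getTime();
// … unchanged: artifact creation per context …
} catch (Exception ex) {
    logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
    return false; // caller deletes the hive only on success
}
return true;
```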


@ -1,30 +1,49 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import java.sql.*;
import java.util.logging.Level;
import java.util.logging.Logger;
//<editor-fold defaultstate="collapsed" desc="comment">
import java.lang.*;
//</editor-fold>
import java.util.*;
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.autopsy.ingest.ServiceDataEvent;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.*;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
*
* @author Alex
@ -33,282 +52,275 @@ public class Firefox {
private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
private static final String ffcookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed,(creationTime/1000) as creationTime FROM moz_cookies";
private static final String ff3cookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed FROM moz_cookies";
private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id";
private static final String ffdownloadquery = "select target, source,(startTime/1000) as startTime, maxBytes from moz_downloads";
public Logger logger = Logger.getLogger(this.getClass().getName());
public int FireFoxCount = 0;
public Firefox(){
}
public void getffdb(List<String> image, IngestImageWorkerController controller){
//Make these seperate, this is for history
try
{
public Firefox() {
}
public void getffdb(List<String> image, IngestImageWorkerController controller) throws SQLException {
//Make these seperate, this is for history
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement();
rs.close();
if (s != null)
s.close();
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement();
rs.close();
if (s != null) {
s.close();
FireFoxCount = FFSqlitedb.size();
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
}
rs.close();
rs.getStatement().close();
} catch (SQLException ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
}
{
int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffquery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getLong("visit_date")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",((temprs.getString("ref") != null) ? temprs.getString("ref") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",(Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : ""))));
bbart.addAttributes(bbattributes);
}
temprs.close();
tempdbconnect.closeConnection();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
try
{
dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery);
while(tempbm.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((tempbm.getString("url") != null) ? tempbm.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(tempbm.getString("url"))));
bbart.addAttributes(bbattributes);
}
tempbm.close();
tempdbconnect2.closeConnection();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
if (controller.isCancelled()) {
dbFile.delete();
break;
}
ResultSet temprs = Util.runQuery(ffquery, connectionString);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("visit_date")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", ((temprs.getString("ref") != null) ? temprs.getString("ref") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", (Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : ""))));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
}
temprs.close();
try {
dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery);
while (tempbm.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((tempbm.getString("url") != null) ? tempbm.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(tempbm.getString("url"))));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempbm.close();
tempdbconnect2.closeConnection();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
}
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//COOKIES section
// This gets the cookie info
try
{
// This gets the cookie info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffcookiequery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("lastAccessed")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",temprs.getString("host")));
bbart.addAttributes(bbattributes);
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
if (controller.isCancelled()) {
dbFile.delete();
break;
}
boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", connectionString);
String query;
if (checkColumn) {
query = ffcookiequery;
} else {
query = ff3cookiequery;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(query);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("lastAccessed")));
if (checkColumn == true) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", temprs.getLong("creationTime")));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section
// This gets the downloads info
try
{
//Downloads section
// This gets the downloads info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getLong("startTime")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("source") != null) ? temprs.getString("source") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(urldecodedtarget)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(temprs.getString("source"))));
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("startTime")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("source") != null) ? temprs.getString("source") : "")));
String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(urldecodedtarget)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(temprs.getString("source"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbart.addAttributes(bbattributes);
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex);
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
}
}
//@Override
// public HashMap<String,String> ExtractActivity() {
// return ExtractActivity;
//
// }


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -11,332 +27,372 @@ import java.io.InputStreamReader;
import java.util.ArrayList;
/**
* Make a system call through a system shell in a platform-independent manner in Java. <br />
* This class only demonstrate a 'dir' or 'ls' within current (execution) path, if no parameters are used.
* If parameters are used, the first one is the system command to execute, the others are its system command parameters. <br />
* To be system independent, an <b><a href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm">
* Abstract Factory Pattern</a></b> will be used to build the right underlying system shell in which the system command will be executed.
* Make a system call through a system shell in a platform-independent manner in
* Java. <br /> This class only demonstrate a 'dir' or 'ls' within current
* (execution) path, if no parameters are used. If parameters are used, the
* first one is the system command to execute, the others are its system command
* parameters. <br /> To be system independent, an <b><a
* href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm">
* Abstract Factory Pattern</a></b> will be used to build the right underlying
* system shell in which the system command will be executed.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
* @see <a href="http://stackoverflow.com/questions/236737#236873">
How to make a system call that returns the stdout output as a string in various languages?</a>
* @see <a href="http://stackoverflow.com/questions/236737#236873"> How to make
* a system call that returns the stdout output as a string in various
* languages?</a>
*/
public final class JavaSystemCaller
{
/**
* Execute a system command. <br />
* Default is 'ls' in current directory if no parameters, or a system command (if Windows, it is automatically translated to 'dir')
* @param args first element is the system command, the others are its parameters (NOT NULL)
* @throws IllegalArgumentException if one parameters is null or empty.
* 'args' can be empty (default 'ls' performed then)
*/
public static void main(final String[] args)
{
String anOutput = "";
if(args.length == 0)
{
anOutput = Exec.execute("ls");
}
else
{
String[] someParameters = null;
anOutput = Exec.execute(args[0],someParameters);
}
System.out.println("Final output: " + anOutput);
}
/**
* Asynchronously read the output of a given input stream. <br />
* Any exception during execution of the command in managed in this thread.
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class StreamGobbler extends Thread
{
private InputStream is;
private String type;
private StringBuffer output = new StringBuffer();
public final class JavaSystemCaller {
StreamGobbler(final InputStream anIs, final String aType)
{
this.is = anIs;
this.type = aType;
}
/**
* Execute a system command. <br /> Default is 'ls' in current directory if
* no parameters, or a system command (if Windows, it is automatically
* translated to 'dir')
*
* @param args first element is the system command, the others are its
* parameters (NOT NULL)
* @throws IllegalArgumentException if one parameters is null or empty.
* 'args' can be empty (default 'ls' performed then)
*/
public static void main(final String[] args) {
String anOutput = "";
if (args.length == 0) {
anOutput = Exec.execute("ls");
} else {
String[] someParameters = null;
anOutput = Exec.execute(args[0], someParameters);
}
System.out.println("Final output: " + anOutput);
}
/**
* Asynchronous read of the input stream. <br />
* Will report output as its its displayed.
* @see java.lang.Thread#run()
*/
@Override
public final void run()
{
try
{
final InputStreamReader isr = new InputStreamReader(this.is);
final BufferedReader br = new BufferedReader(isr);
String line=null;
while ( (line = br.readLine()) != null)
{
System.out.println(this.type + ">" + line);
this.output.append(line+System.getProperty("line.separator"));
}
} catch (final IOException ioe)
{
ioe.printStackTrace();
}
}
/**
* Get output filled asynchronously. <br />
* Should be called after execution
* @return final output
*/
public final String getOutput()
{
return this.output.toString();
}
}
/**
* Execute a system command in the appropriate shell. <br />
* Read asynchronously stdout and stderr to report any result.
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec
{
/**
* Execute a system command. <br />
* Listen asynchronously to stdout and stderr
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
* @return final output (stdout only)
*/
public static String execute(final String aCommand, final String... someParameters)
{
String output = "";
try
{
ExecEnvironmentFactory anExecEnvFactory = getExecEnvironmentFactory(aCommand, someParameters);
final IShell aShell = anExecEnvFactory.createShell();
final String aCommandLine = anExecEnvFactory.createCommandLine();
/**
* Asynchronously read the output of a given input stream. <br /> Any
* exception during execution of the command in managed in this thread.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class StreamGobbler extends Thread {
final Runtime rt = Runtime.getRuntime();
System.out.println("Executing " + aShell.getShellCommand() + " " + aCommandLine);
private InputStream is;
private String type;
private StringBuffer output = new StringBuffer();
final Process proc = rt.exec(aShell.getShellCommand() + " " + aCommandLine);
// any error message?
final StreamGobbler errorGobbler = new
StreamGobbler(proc.getErrorStream(), "ERROR");
StreamGobbler(final InputStream anIs, final String aType) {
this.is = anIs;
this.type = aType;
}
// any output?
final StreamGobbler outputGobbler = new
StreamGobbler(proc.getInputStream(), "OUTPUT");
/**
* Asynchronous read of the input stream. <br /> Will report output as
* its its displayed.
*
* @see java.lang.Thread#run()
*/
@Override
public final void run() {
try {
final InputStreamReader isr = new InputStreamReader(this.is);
final BufferedReader br = new BufferedReader(isr);
String line = null;
while ((line = br.readLine()) != null) {
System.out.println(this.type + ">" + line);
this.output.append(line + System.getProperty("line.separator"));
}
} catch (final IOException ioe) {
ioe.printStackTrace();
}
}
// kick them off
errorGobbler.start();
outputGobbler.start();
/**
* Get output filled asynchronously. <br /> Should be called after
* execution
*
* @return final output
*/
public final String getOutput() {
return this.output.toString();
}
}
// any error???
final int exitVal = proc.waitFor();
System.out.println("ExitValue: " + exitVal);
/**
* Execute a system command in the appropriate shell. <br /> Read
* asynchronously stdout and stderr to report any result.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec {
output = outputGobbler.getOutput();
/**
* Execute a system command. <br /> Listen asynchronously to stdout and
* stderr
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
* @return final output (stdout only)
*/
public static String execute(final String aCommand, final String... someParameters) {
String output = "";
try {
ExecEnvironmentFactory anExecEnvFactory = getExecEnvironmentFactory(aCommand, someParameters);
final IShell aShell = anExecEnvFactory.createShell();
final String aCommandLine = anExecEnvFactory.createCommandLine();
} catch (final Throwable t)
{
t.printStackTrace();
}
return output;
}
private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters)
{
final String anOSName = System.getProperty("os.name" );
if(anOSName.toLowerCase().startsWith("windows"))
{
return new WindowsExecEnvFactory(aCommand, someParameters);
}
return new UnixExecEnvFactory(aCommand, someParameters);
// TODO be more specific for other OS.
}
private Exec() { /**/ }
}
private JavaSystemCaller() { /**/ }
/*
* ABSTRACT FACTORY PATTERN
*/
/**
* Environment needed to be build for the Exec class to be able to execute the system command. <br />
* Must have the right shell and the right command line. <br />
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public abstract static class ExecEnvironmentFactory
{
private String command = null;
private ArrayList<String> parameters = new ArrayList<String>();
final String getCommand() { return this.command; }
final ArrayList<String> getParameters() { return this.parameters; }
/**
* Builds an execution environment for a system command to be played. <br />
* Independent from the OS.
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
*/
public ExecEnvironmentFactory(final String aCommand, final String... someParameters)
{
if(aCommand == null || aCommand.length() == 0) { throw new IllegalArgumentException("Command must not be empty"); }
this.command = aCommand;
for (int i = 0; i < someParameters.length; i++) {
final String aParameter = someParameters[i];
if(aParameter == null || aParameter.length() == 0) { throw new IllegalArgumentException("Parameter n° '"+i+"' must not be empty"); }
this.parameters.add(aParameter);
}
}
/**
* Builds the right Shell for the current OS. <br />
* Allow for independent platform execution.
* @return right shell, NEVER NULL
*/
public abstract IShell createShell();
/**
* Builds the right command line for the current OS. <br />
* Means that a command might be translated, if it does not fit the right OS ('dir' => 'ls' on unix)
* @return right complete command line, with parameters added (NEVER NULL)
*/
public abstract String createCommandLine();
protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters)
{
final StringBuilder aCommandLine = new StringBuilder();
aCommandLine.append(aCommand);
for (String aParameter : someParameters) {
aCommandLine.append(" ");
aCommandLine.append(aParameter);
}
return aCommandLine.toString();
}
}
/**
* Builds a Execution Environment for Windows. <br />
* Cmd with windows commands
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory
{
final Runtime rt = Runtime.getRuntime();
System.out.println("Executing " + aShell.getShellCommand() + " " + aCommandLine);
/**
* Builds an execution environment for a Windows system command to be played. <br />
* Any command not from windows will be translated in its windows equivalent if possible.
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
*/
public WindowsExecEnvFactory(final String aCommand, final String... someParameters)
{
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new WindowsShell();
}
final Process proc = rt.exec(aShell.getShellCommand() + " " + aCommandLine);
// any error message?
final StreamGobbler errorGobbler = new StreamGobbler(proc.getErrorStream(), "ERROR");
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine()
*/
@Override
public String createCommandLine() {
String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("ls")) { aCommand = "dir"; }
// TODO translates other Unix commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* Builds a Execution Environment for Unix. <br />
* Sh with Unix commands
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class UnixExecEnvFactory extends ExecEnvironmentFactory
{
// any output?
final StreamGobbler outputGobbler = new StreamGobbler(proc.getInputStream(), "OUTPUT");
/**
* Builds an execution environment for a Unix system command to be played. <br />
* Any command not from Unix will be translated in its Unix equivalent if possible.
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
*/
public UnixExecEnvFactory(final String aCommand, final String... someParameters)
{
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new UnixShell();
}
// kick them off
errorGobbler.start();
outputGobbler.start();
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine()
*/
@Override
public String createCommandLine() {
String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("dir")) { aCommand = "ls"; }
// TODO translates other Windows commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* System Shell with its right OS command. <br />
* 'cmd' for Windows or 'sh' for Unix, ...
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public interface IShell
{
/**
* Get the right shell command. <br />
* Used to launch a new shell
* @return command used to launch a Shell (NEVEL NULL)
*/
String getShellCommand();
}
/**
* Windows shell (cmd). <br />
* More accurately 'cmd /C'
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class WindowsShell implements IShell
{
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/
@Override
public final String getShellCommand() {
final String osName = System.getProperty("os.name" );
if( osName.equals( "Windows 95" ) ) { return "command.com /C"; }
return "cmd.exe /C";
}
}
/**
* Unix shell (sh). <br />
* More accurately 'sh -C'
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class UnixShell implements IShell
{
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/
@Override
public final String getShellCommand() {
return "/bin/sh -c";
}
}
// any error???
final int exitVal = proc.waitFor();
System.out.println("ExitValue: " + exitVal);
output = outputGobbler.getOutput();
} catch (final Throwable t) {
t.printStackTrace();
}
return output;
}
private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters) {
final String anOSName = System.getProperty("os.name");
if (anOSName.toLowerCase().startsWith("windows")) {
return new WindowsExecEnvFactory(aCommand, someParameters);
}
return new UnixExecEnvFactory(aCommand, someParameters);
// TODO be more specific for other OS.
}
private Exec() { /*
*
*/ }
}
private JavaSystemCaller() { /*
*
*/ }
/*
* ABSTRACT FACTORY PATTERN
*/
/**
* Environment needed to be build for the Exec class to be able to execute
* the system command. <br /> Must have the right shell and the right
* command line. <br />
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public abstract static class ExecEnvironmentFactory {
private String command = null;
private ArrayList<String> parameters = new ArrayList<String>();
final String getCommand() {
return this.command;
}
final ArrayList<String> getParameters() {
return this.parameters;
}
/**
* Builds an execution environment for a system command to be played.
* <br /> Independent from the OS.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public ExecEnvironmentFactory(final String aCommand, final String... someParameters) {
if (aCommand == null || aCommand.length() == 0) {
throw new IllegalArgumentException("Command must not be empty");
}
this.command = aCommand;
for (int i = 0; i < someParameters.length; i++) {
final String aParameter = someParameters[i];
if (aParameter == null || aParameter.length() == 0) {
throw new IllegalArgumentException("Parameter n° '" + i + "' must not be empty");
}
this.parameters.add(aParameter);
}
}
/**
* Builds the right Shell for the current OS. <br /> Allow for
* independent platform execution.
*
* @return right shell, NEVER NULL
*/
public abstract IShell createShell();
/**
* Builds the right command line for the current OS. <br /> Means that a
* command might be translated, if it does not fit the right OS ('dir'
* => 'ls' on unix)
*
* @return right complete command line, with parameters added (NEVER
* NULL)
*/
public abstract String createCommandLine();
protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters) {
final StringBuilder aCommandLine = new StringBuilder();
aCommandLine.append(aCommand);
for (String aParameter : someParameters) {
aCommandLine.append(" ");
aCommandLine.append(aParameter);
}
return aCommandLine.toString();
}
}
/**
* Builds a Execution Environment for Windows. <br /> Cmd with windows
* commands
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory {
/**
* Builds an execution environment for a Windows system command to be
* played. <br /> Any command not from windows will be translated in its
* windows equivalent if possible.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public WindowsExecEnvFactory(final String aCommand, final String... someParameters) {
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new WindowsShell();
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine()
*/
@Override
public String createCommandLine() {
String aCommand = getCommand();
if (aCommand.toLowerCase().trim().equals("ls")) {
aCommand = "dir";
}
// TODO translates other Unix commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* Builds a Execution Environment for Unix. <br /> Sh with Unix commands
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class UnixExecEnvFactory extends ExecEnvironmentFactory {
/**
* Builds an execution environment for a Unix system command to be
* played. <br /> Any command not from Unix will be translated in its
* Unix equivalent if possible.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public UnixExecEnvFactory(final String aCommand, final String... someParameters) {
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new UnixShell();
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine()
*/
@Override
public String createCommandLine() {
String aCommand = getCommand();
if (aCommand.toLowerCase().trim().equals("dir")) {
aCommand = "ls";
}
// TODO translates other Windows commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* System Shell with its right OS command. <br /> 'cmd' for Windows or 'sh'
* for Unix, ...
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public interface IShell {
/**
* Get the right shell command. <br /> Used to launch a new shell
*
* @return command used to launch a Shell (NEVEL NULL)
*/
String getShellCommand();
}
/**
* Windows shell (cmd). <br /> More accurately 'cmd /C'
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class WindowsShell implements IShell {
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/
@Override
public final String getShellCommand() {
final String osName = System.getProperty("os.name");
if (osName.equals("Windows 95")) {
return "command.com /C";
}
return "cmd.exe /C";
}
}
/**
* Unix shell (sh). <br /> More accurately 'sh -C'
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class UnixShell implements IShell {
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/
@Override
public final String getShellCommand() {
return "/bin/sh -c";
}
}
}


@ -1,15 +1,17 @@
/*
/*
*
* Autopsy Forensic Browser
*
* Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
*
* http://www.apache.org/licenses/LICENSE-2.0
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -35,8 +37,8 @@ import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.FileSystem;
/**
* Recent activity image ingest service
*
* Recent activity image ingest service
*
*/
public final class RAImageIngestService implements IngestServiceImage {
@ -77,27 +79,20 @@ public final class RAImageIngestService implements IngestServiceImage {
try {
//do the work for(FileSystem img : imageFS )
try{
ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
int artcount = 0;
while (artset.next()){
artcount++;
}
// artset.beforeFirst();
if(artcount > 0)
{
try {
ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
int artcount = 0;
while (artset.next()) {
artcount++;
}
}
else
{
int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
}
}
catch(Exception e)
{
// artset.beforeFirst();
if (artcount > 0) {
} else {
int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
}
} catch (Exception e) {
}
ext.extractToBlackboard(controller, fsIds);
@ -123,7 +118,7 @@ public final class RAImageIngestService implements IngestServiceImage {
public String getName() {
return "Recent Activity";
}
@Override
public String getDescription() {
return "Extracts recent user activity, such as Internet browsing, recently used documents and installed programs.";
@ -149,12 +144,12 @@ public final class RAImageIngestService implements IngestServiceImage {
public ServiceType getType() {
return ServiceType.Image;
}
@Override
@Override
public boolean hasSimpleConfiguration() {
return false;
}
@Override
public boolean hasAdvancedConfiguration() {
return false;
@ -164,23 +159,22 @@ public final class RAImageIngestService implements IngestServiceImage {
public javax.swing.JPanel getSimpleConfiguration() {
return null;
}
@Override
public javax.swing.JPanel getAdvancedConfiguration() {
return null;
}
@Override
public void saveAdvancedConfiguration() {
}
@Override
public void saveSimpleConfiguration() {
}
@Override
public boolean hasBackgroundJobsRunning() {
return false;
}
}
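Review bot: In the hunk at `@ -77,27 +79,20 @@` the new side, as rendered, keeps an empty `if (artcount > 0) { }` branch with the real work in `else`, and the `ResultSet artset` it iterates is never closed, so the statement behind it leaks on every ingest run; the enclosing method starts outside the hunk. Inverting the test to `if (artcount == 0) { sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information"); }` removes the dead branch together with the unused `artint` local. `artset` and its statement should be closed in a `finally`, the way the `rs.getStatement()` / `s.close()` pattern elsewhere in this commit does, and the trailing `catch (Exception e) { }` needs at least a `logger.log(Level.WARNING, ...)` call, because a failure to create the TSK_SYS_INFO artifact type is currently invisible to the user and to anyone reading the log.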


@ -1,8 +1,25 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@ -24,138 +41,133 @@ import java.util.regex.Pattern;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
*
* @author Alex
*/
public class Util {
private static Logger logger = Logger.getLogger(Util.class.getName());
private Util(){
}
public static boolean pathexists(String path){
File file=new File(path);
boolean exists = file.exists();
return exists;
}
private static Logger logger = Logger.getLogger(Util.class.getName());
public static String utcConvert(String utc){
SimpleDateFormat formatter = new SimpleDateFormat("MM-dd-yyyy HH:mm");
String tempconvert = formatter.format(new Date(Long.parseLong(utc)));
return tempconvert;
}
public static String readFile(String path) throws IOException {
FileInputStream stream = new FileInputStream(new File(path));
try {
FileChannel fc = stream.getChannel();
MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size());
/* Instead of using default, pass in a decoder. */
return Charset.defaultCharset().decode(bb).toString();
}
finally {
stream.close();
}
}
public static boolean imgpathexists(String path){
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
Boolean rt = false;
int count = 0;
try {
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%"+ path + "%'");
FFSqlitedb = tempDb.resultSetToFsContents(rs);
count = FFSqlitedb.size();
final Statement s = rs.getStatement();
rs.close();
if (s != null){
s.close();
}
if(count > 0)
{
rt = true;
}
else
{
rt = false;
}
private Util() {
}
catch (SQLException ex)
{
//logger.log(Level.WARNING, "Error while trying to contact SQLite db.", ex);
public static boolean pathexists(String path) {
File file = new File(path);
boolean exists = file.exists();
return exists;
}
public static String utcConvert(String utc) {
SimpleDateFormat formatter = new SimpleDateFormat("MM-dd-yyyy HH:mm");
String tempconvert = formatter.format(new Date(Long.parseLong(utc)));
return tempconvert;
}
public static String readFile(String path) throws IOException {
FileInputStream stream = new FileInputStream(new File(path));
try {
FileChannel fc = stream.getChannel();
MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size());
/*
* Instead of using default, pass in a decoder.
*/
return Charset.defaultCharset().decode(bb).toString();
} finally {
stream.close();
}
return rt;
}
public static String extractDomain(String value){
if (value == null) throw new java.lang.NullPointerException("domains to extract");
public static boolean imgpathexists(String path) {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
Boolean rt = false;
int count = 0;
try {
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%" + path + "%'");
FFSqlitedb = tempDb.resultSetToFsContents(rs);
count = FFSqlitedb.size();
final Statement s = rs.getStatement();
rs.close();
if (s != null) {
s.close();
}
if (count > 0) {
rt = true;
} else {
rt = false;
}
} catch (SQLException ex) {
//logger.log(Level.WARNING, "Error while trying to contact SQLite db.", ex);
}
return rt;
}
public static String extractDomain(String value) {
if (value == null) {
throw new java.lang.NullPointerException("domains to extract");
}
String result = "";
// String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))";
// Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE);
// Matcher m = p.matcher(value);
// while (m.find()) {
// result = value.substring(m.start(0),m.end(0));
// }
try{
URL url = new URL(value);
result = url.getHost();
// String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))";
// Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE);
// Matcher m = p.matcher(value);
// while (m.find()) {
// result = value.substring(m.start(0),m.end(0));
// }
try {
URL url = new URL(value);
result = url.getHost();
} catch (Exception e) {
}
catch(Exception e){
return result;
}
public static String getFileName(String value) {
String filename = "";
String filematch = "^([a-zA-Z]\\:)(\\\\[^\\\\/:*?<>\"|]*(?<!\\[ \\]))*(\\.[a-zA-Z]{2,6})$";
Pattern p = Pattern.compile(filematch, Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS);
Matcher m = p.matcher(value);
if (m.find()) {
filename = m.group(1);
}
return result;
int lastPos = value.lastIndexOf('\\');
filename = (lastPos < 0) ? value : value.substring(lastPos + 1);
return filename.toString();
}
public static String getFileName(String value){
String filename = "";
String filematch = "^([a-zA-Z]\\:)(\\\\[^\\\\/:*?<>\"|]*(?<!\\[ \\]))*(\\.[a-zA-Z]{2,6})$";
public static String getPath(String txt) {
String path = "";
Pattern p = Pattern.compile(filematch,Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS);
Matcher m = p.matcher(value);
if (m.find())
{
filename = m.group(1);
}
int lastPos = value.lastIndexOf('\\');
filename = (lastPos < 0) ? value : value.substring(lastPos + 1);
return filename.toString();
}
//String drive ="([a-z]:\\\\(?:[-\\w\\.\\d]+\\\\)*(?:[-\\w\\.\\d]+)?)"; // Windows drive
String drive = "([a-z]:\\\\\\S.+)";
Pattern p = Pattern.compile(drive, Pattern.CASE_INSENSITIVE | Pattern.COMMENTS);
Matcher m = p.matcher(txt);
if (m.find()) {
path = m.group(1);
public static String getPath(String txt){
String path = "";
} else {
//String drive ="([a-z]:\\\\(?:[-\\w\\.\\d]+\\\\)*(?:[-\\w\\.\\d]+)?)"; // Windows drive
String drive = "([a-z]:\\\\\\S.+)";
Pattern p = Pattern.compile(drive,Pattern.CASE_INSENSITIVE | Pattern.COMMENTS);
Matcher m = p.matcher(txt);
if (m.find())
{
path = m.group(1);
}else{
String network ="(\\\\(?:\\\\[^:\\s?*\"<>|]+)+)"; // Windows network
String network = "(\\\\(?:\\\\[^:\\s?*\"<>|]+)+)"; // Windows network
Pattern p2 = Pattern.compile(network,Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m2 = p2.matcher(txt);
if (m2.find())
{
path = m2.group(1);
Pattern p2 = Pattern.compile(network, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m2 = p2.matcher(txt);
if (m2.find()) {
path = m2.group(1);
}
}
}
return path;
return path;
}
public static long findID(String path) {
public static long findID(String path) {
String parent_path = path.replace('\\', '/'); // fix Chrome paths
if(parent_path.length() > 2 && parent_path.charAt(1) == ':')
if (parent_path.length() > 2 && parent_path.charAt(1) == ':') {
parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:')
}
int index = parent_path.lastIndexOf('/');
String name = parent_path.substring(++index);
parent_path = parent_path.substring(0, index);
@ -167,14 +179,45 @@ public static long findID(String path) {
List<FsContent> results = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement();
rs.close();
if (s != null)
if (s != null) {
s.close();
if(results.size() > 0) {
}
if (results.size() > 0) {
return results.get(0).getId();
}
} catch (Exception ex) {
// logger.log(Level.WARNING, "Error retrieving content from DB", ex);
// logger.log(Level.WARNING, "Error retrieving content from DB", ex);
}
return -1;
}
public static boolean checkColumn(String column, String tablename, String connection) {
String query = "PRAGMA table_info(" + tablename + ")";
boolean found = false;
ResultSet temprs;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
temprs = tempdbconnect.executeQry(query);
while (temprs.next()) {
if (temprs.getString("name") == null ? column == null : temprs.getString("name").equals(column)) {
found = true;
}
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return found;
}
public static ResultSet runQuery(String query, String connection) {
ResultSet results = null;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
results = tempdbconnect.executeQry(query);
tempdbconnect.closeConnection();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return results;
}
}
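Review bot: The new `runQuery` in the last hunk calls `tempdbconnect.closeConnection()` before returning `results`; closing a JDBC Connection also closes its Statement and ResultSet, so every caller receives a ResultSet it cannot iterate. Either hand the `dbconnect` back together with the ResultSet so the caller closes it after reading, or read the rows into a `List` inside `runQuery` and close before returning. The new `checkColumn` has the opposite problem: it never closes the connection it opens, so one SQLite handle leaks per call, and its `catch` message "Error while trying to get columns" was copied unchanged into `runQuery`, where it describes the wrong operation. Both methods splice `tablename` and `connection` straight into SQL text, and `imgpathexists` does the same with `path` in its `LIKE '%...%'` clause; if any of these values derive from the image under examination they should be bound as `PreparedStatement` parameters where SQLite allows it (`PRAGMA table_info` does not, so `tablename` needs validation against the expected table names instead).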


@ -1,25 +1,40 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.sql.*;
/**
*
* @author Alex
*/
public class dbconnect extends sqlitedbconnect{
private String sDriverForclass = "org.sqlite.JDBC";
public dbconnect(String sDriverForClass, String sUrlKey) throws Exception
{
init(sDriverForClass, sUrlKey);
//Statement stmt = conn.createStatement();
//String selecthistory = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,rev_host FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
// ResultSet rs = stmt.executeQuery(selecthistory);
}
public class dbconnect extends sqlitedbconnect {
private String sDriverForclass = "org.sqlite.JDBC";
public dbconnect(String sDriverForClass, String sUrlKey) throws Exception {
init(sDriverForClass, sUrlKey);
//Statement stmt = conn.createStatement();
//String selecthistory = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,rev_host FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
// ResultSet rs = stmt.executeQuery(selecthistory);
}
}


@ -1,11 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filesystem PUBLIC "-//NetBeans//DTD Filesystem 1.2//EN" "http://www.netbeans.org/dtds/filesystem-1_2.dtd">
<filesystem>
<folder name="Services">
<folder name="Services">
<file name="org-sleuthkit-autopsy-recentactivity-RAImageIngestService.instance">
<attr name="instanceOf" stringvalue="org.sleuthkit.autopsy.ingest.IngestServiceImage"/>
<attr name="instanceCreate" methodvalue="org.sleuthkit.autopsy.recentactivity.RAImageIngestService.getDefault"/>
<attr name="position" intvalue="100"/>
</file>
</folder>
</folder>
</filesystem>


@ -1,5 +1,22 @@
/*
* General C&P class that we need to figure out a better way to integrate, replace after demo
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -7,96 +24,99 @@ package org.sleuthkit.autopsy.recentactivity;
*
* @author Alex
*/
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/** Database connection class & utilities **/
/**
* Database connection class & utilities *
*/
abstract class sqlitedbconnect {
public String sDriver = "";
public String sUrl = null;
public int iTimeout = 30;
public Connection conn = null;
public Statement statement = null;
/* Stub constructor for quick instantiation o/t fly for using some of the ancillary stuff */
public sqlitedbconnect()
{}
/* quick and dirty constructor to test the database passing the DriverManager name and the fully loaded url to handle */
/* NB this will typically be available if you make this class concrete and not abstract */
public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception
{
init(sDriverToLoad, sUrlToLoad);
}
public void init(String sDriverVar, String sUrlVar) throws Exception
{
setDriver(sDriverVar);
setUrl(sUrlVar);
setConnection();
setStatement();
}
private void setDriver(String sDriverVar)
{
sDriver = sDriverVar;
}
private void setUrl(String sUrlVar)
{
sUrl = sUrlVar;
}
public void setConnection() throws Exception {
Class.forName(sDriver);
conn = DriverManager.getConnection(sUrl);
}
public Connection getConnection() {
return conn;
}
public void setStatement() throws Exception {
if (conn == null) {
setConnection();
}
statement = conn.createStatement();
statement.setQueryTimeout(iTimeout); // set timeout to 30 sec.
}
public Statement getStatement() {
return statement;
}
public void executeStmt(String instruction) throws SQLException {
statement.executeUpdate(instruction);
}
public String sDriver = "";
public String sUrl = null;
public int iTimeout = 30;
public Connection conn = null;
public Statement statement = null;
/*
* Stub constructor for quick instantiation o/t fly for using some of the
* ancillary stuff
*/
public sqlitedbconnect() {
}
/*
* quick and dirty constructor to test the database passing the
* DriverManager name and the fully loaded url to handle
*/
/*
* NB this will typically be available if you make this class concrete and
* not abstract
*/
public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception {
init(sDriverToLoad, sUrlToLoad);
}
public void init(String sDriverVar, String sUrlVar) throws Exception {
setDriver(sDriverVar);
setUrl(sUrlVar);
setConnection();
setStatement();
}
private void setDriver(String sDriverVar) {
sDriver = sDriverVar;
}
private void setUrl(String sUrlVar) {
sUrl = sUrlVar;
}
public void setConnection() throws Exception {
Class.forName(sDriver);
conn = DriverManager.getConnection(sUrl);
}
public Connection getConnection() {
return conn;
}
public void setStatement() throws Exception {
if (conn == null) {
setConnection();
}
statement = conn.createStatement();
statement.setQueryTimeout(iTimeout); // set timeout to 30 sec.
}
public Statement getStatement() {
return statement;
}
public void executeStmt(String instruction) throws SQLException {
statement.executeUpdate(instruction);
}
// processes an array of instructions e.g. a set of SQL command strings passed from a file
//NB you should ensure you either handle empty lines in files by either removing them or parsing them out
// since they will generate spurious SQLExceptions when they are encountered during the iteration....
public void executeStmt(String[] instructionSet) throws SQLException {
for (int i = 0; i < instructionSet.length; i++) {
executeStmt(instructionSet[i]);
}
}
public ResultSet executeQry(String instruction) throws SQLException {
return statement.executeQuery(instruction);
}
public void closeConnection() {
try { conn.close(); } catch (Exception ignore) {}
}
public void executeStmt(String[] instructionSet) throws SQLException {
for (int i = 0; i < instructionSet.length; i++) {
executeStmt(instructionSet[i]);
}
}
public ResultSet executeQry(String instruction) throws SQLException {
return statement.executeQuery(instruction);
}
public void closeConnection() {
try {
conn.close();
} catch (Exception ignore) {
}
}
}


@ -1,12 +1,29 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.sleuthkit.autopsy.casemodule.Case;
@ -18,278 +35,242 @@ import org.sleuthkit.datamodel.SleuthkitCase;
*
* @author Alex
*/
public class report implements reportInterface {
private void report(){
public class report {
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getGenInfo() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(1);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
private void report() {
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebHistory() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(4);
for (BlackboardArtifact artifact : bbart)
{
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getGenInfo() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebCookie() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(3);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebBookmark() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(2);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebDownload() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(5);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
return reportMap;
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getRecentObject() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(6);
for (BlackboardArtifact artifact : bbart)
{
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebHistory() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getKeywordHit() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(9);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
return reportMap;
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getHashHit() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(10);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getInstalledProg() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(8);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getDevices() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(11);
for (BlackboardArtifact artifact : bbart)
{
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebCookie() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
@Override
public String getGroupedKeywordHit() {
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC");
while(uniqueresults.next())
{
table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>();
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") +"'");
while(tempresults.next())
{
artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id")));
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebBookmark() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
for(BlackboardArtifact art : artlist)
{
String filename = tempDb.getFsContentById(art.getObjectID()).getName();
String preview = "";
String set = "";
table.append("<tr><td>").append(filename).append("</td>");
ArrayList<BlackboardAttribute> tempatts = art.getAttributes();
for(BlackboardAttribute att : tempatts)
{
if(att.getAttributeTypeID() == 12)
{
preview = "<td>" + att.getValueString() + "</td>";
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebDownload() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getRecentObject() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getKeywordHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getHashHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getInstalledProg() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getDevices() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public String getGroupedKeywordHit() {
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC");
while (uniqueresults.next()) {
table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>();
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") + "'");
while (tempresults.next()) {
artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id")));
}
for (BlackboardArtifact art : artlist) {
String filename = tempDb.getFsContentById(art.getObjectID()).getName();
String preview = "";
String set = "";
table.append("<tr><td>").append(filename).append("</td>");
ArrayList<BlackboardAttribute> tempatts = art.getAttributes();
for (BlackboardAttribute att : tempatts) {
if (att.getAttributeTypeID() == 12) {
preview = "<td>" + att.getValueString() + "</td>";
}
if (att.getAttributeTypeID() == 13) {
set = "<td>" + att.getValueString() + "</td>";
}
}
if(att.getAttributeTypeID() == 13)
{
set = "<td>" + att.getValueString() + "</td>";
table.append(preview).append(set).append("</tr>");
}
table.append("</tbody></table><br /><br />");
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
String result = table.toString();
return result;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getAllTypes(ReportConfiguration config) {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
for (Map.Entry<BlackboardArtifact.ARTIFACT_TYPE, Boolean> entry : config.config.entrySet()) {
if (entry.getValue()) {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(entry.getKey());
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
table.append(preview).append(set).append("</tr>");
}
table.append("</tbody></table><br /><br />");
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
String result = table.toString();
return result;
}
return reportMap;
}
}


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -12,22 +28,22 @@ import java.awt.event.ActionListener;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
import javax.swing.JButton;
import javax.swing.JDialog;
import javax.swing.JFrame;
import org.openide.awt.ActionRegistration;
import org.openide.awt.ActionID;
import org.openide.awt.ActionReference;
import org.openide.awt.ActionReferences;
import org.openide.awt.ActionID;
import org.openide.awt.ActionRegistration;
import org.openide.util.HelpCtx;
import org.openide.util.NbBundle.Messages;
import org.openide.util.actions.CallableSystemAction;
import org.openide.util.actions.Presenter;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Log;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
@ActionID(category = "Tools",
id = "org.sleuthkit.autopsy.report.reportAction")
@ -36,53 +52,50 @@ id = "org.sleuthkit.autopsy.report.reportAction")
@ActionReference(path = "Menu/Tools", position = 80)
})
@Messages("CTL_reportAction=Run Report")
public final class reportAction extends CallableSystemAction implements Presenter.Toolbar{
public final class reportAction extends CallableSystemAction implements Presenter.Toolbar {
private JButton toolbarButton = new JButton();
private static final String ACTION_NAME = "Generate Report";
Logger logger = Logger.getLogger(reportAction.class.getName());
static final Logger logger = Logger.getLogger(reportAction.class.getName());
public reportAction() {
setEnabled(false);
Case.addPropertyChangeListener(new PropertyChangeListener() {
@Override
public void propertyChange(PropertyChangeEvent evt) {
if(evt.getPropertyName().equals(Case.CASE_CURRENT_CASE)){
if (evt.getPropertyName().equals(Case.CASE_CURRENT_CASE)) {
setEnabled(evt.getNewValue() != null);
}
}
});
//attempt to create a report folder if a case is active
Case.addPropertyChangeListener(new PropertyChangeListener () {
Case.addPropertyChangeListener(new PropertyChangeListener() {
@Override
public void propertyChange(PropertyChangeEvent evt) {
String changed = evt.getPropertyName();
@Override
public void propertyChange(PropertyChangeEvent evt) {
String changed = evt.getPropertyName();
//case has been changed
if (changed.equals(Case.CASE_CURRENT_CASE)) {
Case newCase = (Case)evt.getNewValue();
//case has been changed
if (changed.equals(Case.CASE_CURRENT_CASE)) {
Case newCase = (Case) evt.getNewValue();
if (newCase != null) {
boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists();
if (exists) {
// report directory exists -- don't need to do anything
} else {
// report directory does not exist -- create it
boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs();
if(!reportCreate){
logger.log(Level.WARNING, "Could not create Reports directory for case. It does not exist.");
if (newCase != null) {
boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists();
if (exists) {
// report directory exists -- don't need to do anything
} else {
// report directory does not exist -- create it
boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs();
if (!reportCreate) {
logger.log(Level.WARNING, "Could not create Reports directory for case. It does not exist.");
}
}
}
}
}
}
}
});
});
// set action of the toolbar button
toolbarButton.addActionListener(new ActionListener() {
@ -93,24 +106,25 @@ public final class reportAction extends CallableSystemAction implements Presente
});
}
@Override
public void actionPerformed(ActionEvent e) {
try {
// create the popUp window for it
final JFrame frame = new JFrame(ACTION_NAME);
final JDialog popUpWindow = new JDialog(frame, ACTION_NAME, true); // to make the popUp Window to be modal
// initialize panel with loaded settings
final reportFilter panel = new reportFilter();
panel.setjButton2ActionListener(new ActionListener() {
@Override
public void actionPerformed(ActionEvent e) {
popUpWindow.dispose();
}
});
final reportFilter panel = new reportFilter();
panel.setjButton2ActionListener(new ActionListener() {
@Override
public void actionPerformed(ActionEvent e) {
popUpWindow.dispose();
}
});
// add the panel to the popup window
popUpWindow.add(panel);
popUpWindow.pack();
@ -125,16 +139,15 @@ public final class reportAction extends CallableSystemAction implements Presente
// display the window
popUpWindow.setVisible(true);
// add the command to close the window to the button on the Case Properties form / panel
} catch (Exception ex) {
Log.get(reportFilterAction.class).log(Level.WARNING, "Error displaying " + ACTION_NAME + " window.", ex);
}
}
@Override
public void performAction() {
}
@Override
@ -146,11 +159,11 @@ public final class reportAction extends CallableSystemAction implements Presente
public HelpCtx getHelpCtx() {
return HelpCtx.DEFAULT_HELP;
}
/**
* Returns the toolbar component of this action
*
* @return component the toolbar button
* @return component the toolbar button
*/
@Override
public Component getToolbarPresenter() {
@ -163,10 +176,10 @@ public final class reportAction extends CallableSystemAction implements Presente
/**
* Set this action to be enabled/disabled
*
* @param value whether to enable this action or not
* @param value whether to enable this action or not
*/
@Override
public void setEnabled(boolean value){
public void setEnabled(boolean value) {
super.setEnabled(value);
toolbarButton.setEnabled(value);
}
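Review bot: The report directory is built with a hard-coded backslash, `new File(newCase.getCaseDirectory() + "\\Reports")`, in both the exists() check and the mkdirs() call; on a non-Windows JVM that names a sibling entry ending in `\Reports` instead of a Reports subdirectory, so `new File(newCase.getCaseDirectory(), "Reports")` computed once and reused for both calls is the portable form. The warning text "Could not create Reports directory for case. It does not exist." is also misleading, because mkdirs() returning false means creation failed (permissions, or a file already occupying that name), not that the directory is absent; including the attempted path in the message would make the record actionable. In actionPerformed the catch logs through `Log.get(reportFilterAction.class)` although this class is reportAction and already declares `logger`, so the record is attributed to the wrong source; `logger.log(Level.WARNING, "Error displaying " + ACTION_NAME + " window.", ex);` keeps it consistent with the rest of the class. The empty `if (exists) { }` branch can be folded into `if (!exists) { ... }`.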


@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?>
<?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents>
@ -39,29 +39,24 @@
<Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox3" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox2" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox1" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox5" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox4" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
</Group>
<EmptySpace min="-2" pref="69" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="jButton1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="cancelButton" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="156" max="-2" attributes="0"/>
</Group>
<Component id="jCheckBox3" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox2" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox1" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox5" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox4" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
<Component id="progBar" alignment="0" min="-2" pref="231" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>


@ -1,43 +1,63 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportFilter.java
/*
*
* Created on Feb 22, 2012, 11:12:12 AM
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener;
import java.util.ArrayList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.SwingUtilities;
import javax.swing.SwingWorker;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException;
/**
*
* @author Alex
*/
public class reportFilter extends javax.swing.JPanel {
public static ArrayList<Integer> filters = new ArrayList<Integer>();
public final reportFilter panel = this;
reportPanelAction rpa = new reportPanelAction();
public static boolean cancel = false;
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
/** Creates new form reportFilter */
public reportFilter() {
public static ArrayList<Integer> filters = new ArrayList<Integer>();
public static ReportConfiguration config = new ReportConfiguration();
private final Logger logger = Logger.getLogger(this.getClass().getName());
public final reportFilter panel = this;
reportPanelAction rpa = new reportPanelAction();
public static boolean cancel = false;
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
/**
* Creates new form reportFilter
*/
public reportFilter() {
initComponents();
cancel = false;
}
/** This method is called from within the constructor to
* initialize the form.
* WARNING: Do NOT modify this code. The content of this method is
* always regenerated by the Form Editor.
/**
* This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is always
* regenerated by the Form Editor.
*/
@SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -162,65 +182,94 @@ public class reportFilter extends javax.swing.JPanel {
}// </editor-fold>//GEN-END:initComponents
private void jCheckBox1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jCheckBox1ActionPerformed
}//GEN-LAST:event_jCheckBox1ActionPerformed
public void getfilters(java.awt.event.ActionEvent evt)
{
jButton1ActionPerformed(evt);
}
public void getfilters(java.awt.event.ActionEvent evt) {
jButton1ActionPerformed(evt);
}
private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButton1ActionPerformed
jButton1.setEnabled(false);
jButton1.setEnabled(false);
progBar.setEnabled(true);
cancelButton.setEnabled(true);
progBar.setStringPainted(true);
progBar.setValue(0);
progBar.setValue(0);
filters.clear();
if(jCheckBox1.isSelected())
{
filters.add(2);
filters.add(3);
filters.add(4);
filters.add(5);
if (jCheckBox1.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, true);
filters.add(2);
filters.add(3);
filters.add(4);
filters.add(5);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
}
if(jCheckBox2.isSelected())
{
filters.add(1);
if (jCheckBox2.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO, true);
filters.add(1);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
}
if(jCheckBox3.isSelected())
{
filters.add(9);
if (jCheckBox3.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT, true);
filters.add(9);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
}
if(jCheckBox4.isSelected())
{
filters.add(10);
if (jCheckBox4.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT, true);
filters.add(10);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
}
if(jCheckBox5.isSelected())
{
filters.add(6);
filters.add(8);
filters.add(11);
if (jCheckBox5.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, true);
filters.add(6);
filters.add(8);
filters.add(11);
} catch (ReportModuleException ex) {
}
}
getReports();
getReports();
}//GEN-LAST:event_jButton1ActionPerformed
public void getReports() {
new SwingWorker<Void, Void>() {
protected Void doInBackground() throws Exception {
rpa.reportGenerate(filters, panel);
return null;
};
public void getReports() {
new SwingWorker<Void, Void>() {
@Override
protected Void doInBackground() throws Exception {
rpa.reportGenerate(config, panel);
return null;
}
;
// this is called when the SwingWorker's doInBackground finishes
protected void done() {
progBar.setVisible(false); // hide my progress bar JFrame
};
}.execute();
@Override
protected void done() {
progBar.setVisible(false); // hide my progress bar JFrame
}
;
}.execute();
progBar.setVisible(true);
}
}
private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_cancelButtonActionPerformed
cancelButton.setText("Cancelled!");
@ -228,67 +277,69 @@ private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-
}//GEN-LAST:event_cancelButtonActionPerformed
private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {//GEN-FIRST:event_jButton1MouseReleased
}//GEN-LAST:event_jButton1MouseReleased
public void progBarSet(int cc)
{
final int count = cc;
SwingUtilities.invokeLater(new Runnable() {
public void run() {
int start = progBar.getValue();
int end = start + count;
progBar.setValue(end);
progBar.setString(null);
progBar.setString(progBar.getString());
progBar.setStringPainted(true);
if(progBar.getPercentComplete() == 1.0){
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.setIndeterminate(true);
}
}});
}
public void progBarSet(int cc) {
final int count = cc;
SwingUtilities.invokeLater(new Runnable() {
public void progBarDone(){
int max = progBar.getMaximum();
progBar.setValue(max);
jButton2.doClick();
}
public void progBarStartText(){
progBar.setIndeterminate(true);
progBar.setString("Querying Database for Report Results...");
}
public void progBarText(){
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.repaint();
progBar.setIndeterminate(true);
}
public void progBarCount(int count){
progBar.setIndeterminate(false);
progBar.setString(null);
progBar.setMinimum(0);
progBar.setMaximum(count);
progBar.setValue(0);
//Double bper = progBar.getPercentComplete();
progBar.setString(progBar.getString());
}
public void setjButton1ActionListener(ActionListener e){
jButton1.addActionListener(e);
@Override
public void run() {
int start = progBar.getValue();
int end = start + count;
progBar.setValue(end);
progBar.setString(null);
progBar.setString(progBar.getString());
progBar.setStringPainted(true);
if (progBar.getPercentComplete() == 1.0) {
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.setIndeterminate(true);
}
}
});
}
public void setjButton2ActionListener(ActionListener e){
jButton2.addActionListener(e);
cancelButton.addActionListener(e);
public void progBarDone() {
int max = progBar.getMaximum();
progBar.setValue(max);
jButton2.doClick();
}
public void progBarStartText() {
progBar.setIndeterminate(true);
progBar.setString("Querying Database for Report Results...");
}
public void progBarText() {
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.repaint();
progBar.setIndeterminate(true);
}
public void progBarCount(int count) {
progBar.setIndeterminate(false);
progBar.setString(null);
progBar.setMinimum(0);
progBar.setMaximum(count);
progBar.setValue(0);
//Double bper = progBar.getPercentComplete();
progBar.setString(progBar.getString());
}
public void setjButton1ActionListener(ActionListener e) {
jButton1.addActionListener(e);
}
public void setjButton2ActionListener(ActionListener e) {
jButton2.addActionListener(e);
cancelButton.addActionListener(e);
}
// Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton cancelButton;
private javax.swing.JButton jButton1;
@ -300,5 +351,4 @@ public void setjButton2ActionListener(ActionListener e){
private javax.swing.JCheckBox jCheckBox5;
private javax.swing.JProgressBar progBar;
// End of variables declaration//GEN-END:variables
}
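Review bot: The jCheckBox5 branch swallows ReportModuleException with an empty catch (`} catch (ReportModuleException ex) { }`), unlike the four branches above it which at least log, and those log with an empty message string; all five should use a descriptive record such as `logger.log(Level.WARNING, "Could not enable artifact type for report", ex);`. The static `config` is never reset in this hunk although `filters.clear()` runs on every click, so unless ReportConfiguration resets itself elsewhere, a type enabled on one run stays enabled after its checkbox is deselected on the next; creating a fresh ReportConfiguration at the top of jButton1ActionPerformed, or calling setGenArtifactType with false for unchecked boxes, would make the checkbox state authoritative. The stray `;` after the anonymous SwingWorker's doInBackground and done methods are no-ops left by the reformat and can be dropped. The enclosing class continues outside the hunk.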


@ -16,7 +16,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.awt.Container;
@ -31,6 +30,7 @@ import org.sleuthkit.autopsy.coreutils.Log;
/**
* The reportFilterAction opens the reportFilterPanel in a dialog, and saves the
* settings of the panel if the Apply button is clicked.
*
* @author pmartel
*/
class reportFilterAction {
@ -44,10 +44,10 @@ class reportFilterAction {
try {
// create the popUp window for it
Container cpane;
Container cpane;
final JFrame frame = new JFrame(ACTION_NAME);
final JDialog popUpWindow = new JDialog(frame, ACTION_NAME, true); // to make the popUp Window to be modal
cpane = frame.getContentPane();
cpane = frame.getContentPane();
// initialize panel with loaded settings
final reportFilter panel = new reportFilter();
@ -64,8 +64,8 @@ class reportFilterAction {
// display the window
popUpWindow.setVisible(true);
} catch (Exception ex) {
Log.get(reportFilterAction.class).log(Level.WARNING, "Error displaying " + ACTION_NAME + " window.", ex);
}
@ -76,9 +76,8 @@ class reportFilterAction {
return ACTION_NAME;
}
// @Override
// @Override
public HelpCtx getHelpCtx() {
return HelpCtx.DEFAULT_HELP;
}
}


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -30,383 +46,369 @@ import org.sleuthkit.datamodel.TskData;
* @author Alex
*/
public class reportHTML {
//Declare our publically accessible formatted report, this will change everytime they run a report
public static StringBuilder formatted_Report = new StringBuilder();
public static StringBuilder unformatted_header = new StringBuilder();
public static StringBuilder formatted_header = new StringBuilder();
public static String htmlPath = "";
public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
//This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones.
//Unlike the XML report, which is dynamic, this is formatted and needs to be redone later instead of being hardcoded.
//Also, clearing variables to generate new report.
formatted_Report.setLength(0);
unformatted_header.setLength(0);
formatted_header.setLength(0);
int countGen = 0;
int countWebBookmark = 0;
int countWebCookie = 0;
int countWebHistory = 0;
int countWebDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){
countGen++;
}
if(entry.getKey().getArtifactTypeID() == 2){
countWebBookmark++;
}
if(entry.getKey().getArtifactTypeID() == 3){
countWebCookie++;
}
if(entry.getKey().getArtifactTypeID() == 4){
public reportHTML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
countWebHistory++;
}
if(entry.getKey().getArtifactTypeID() == 5){
countWebDownload++;
}
if(entry.getKey().getArtifactTypeID() == 6){
countRecentObjects++;
}
if(entry.getKey().getArtifactTypeID() == 7){
countTrackPoint++;
}
if(entry.getKey().getArtifactTypeID() == 8){
countInstalled++;
}
if(entry.getKey().getArtifactTypeID() == 9){
countKeyword++;
}
if(entry.getKey().getArtifactTypeID() == 10){
countHash++;
}
if(entry.getKey().getArtifactTypeID() == 11){
countDevice++;
}
}
try{
String ingestwarning = "<h2 style=\"color: red;\">Warning, this report was run before ingest services completed!</h2>";
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
int reportsize = report.size();
Integer filesystemcount = currentCase.getRootObjectsCount();
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
String CSS = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><style>"
+ "body {padding: 30px; margin: 0; background: #FFFFFF; font: 13px/20px Arial, Helvetica, sans-serif; color: #535353;} "
+ "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} "
//This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones.
//Unlike the XML report, which is dynamic, this is formatted and needs to be redone later instead of being hardcoded.
//Also, clearing variables to generate new report.
formatted_Report.setLength(0);
unformatted_header.setLength(0);
formatted_header.setLength(0);
int countGen = 0;
int countWebBookmark = 0;
int countWebCookie = 0;
int countWebHistory = 0;
int countWebDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countWebBookmark++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countWebCookie++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countWebHistory++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countWebDownload++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countRecentObjects++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
countTrackPoint++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++;
}
}
try {
String ingestwarning = "<h2 style=\"color: red;\">Warning, this report was run before ingest services completed!</h2>";
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
int reportsize = report.size();
Integer filesystemcount = currentCase.getRootObjectsCount();
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
String CSS = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><style>"
+ "body {padding: 30px; margin: 0; background: #FFFFFF; font: 13px/20px Arial, Helvetica, sans-serif; color: #535353;} "
+ "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} "
+ "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} "
+ "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} "
+ "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} "
+ "table thead th {display: table-cell; text-align: left; padding: 8px 16px; background: #e5e5e5; color: #777;font-size: 11px;text-shadow: #e9f9fd 0 1px 0; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} "
+ "table tr th:nth-child(1) {text-align: center; width: 60px;} "
+ "table td {display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;} "
+ "table tr:nth-child(even) td {background: #f3f3f3;} "
+ "table tr td:nth-child(1) {text-align: left; width: 60px; background: #f3f3f3;} "
+ "table tr:nth-child(even) td:nth-child(1) {background: #eaeaea;}"
+ "</style>";
//Add additional header information
String header = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case: " + caseName + "</title>";
formatted_header.append(header);
formatted_header.append(CSS);
//do for unformatted
+ "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} "
+ "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} "
+ "table thead th {display: table-cell; text-align: left; padding: 8px 16px; background: #e5e5e5; color: #777;font-size: 11px;text-shadow: #e9f9fd 0 1px 0; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} "
+ "table tr th:nth-child(1) {text-align: center; width: 60px;} "
+ "table td {display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;} "
+ "table tr:nth-child(even) td {background: #f3f3f3;} "
+ "table tr td:nth-child(1) {text-align: left; width: 60px; background: #f3f3f3;} "
+ "table tr:nth-child(even) td:nth-child(1) {background: #eaeaea;}"
+ "</style>";
//Add additional header information
String header = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case: " + caseName + "</title>";
formatted_header.append(header);
formatted_header.append(CSS);
//do for unformatted
String simpleCSS = "<style>"
+ "body {padding: 30px; margin: 0; background: #FFFFFF; color: #535353;} "
+ "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} "
+ "body {padding: 30px; margin: 0; background: #FFFFFF; color: #535353;} "
+ "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} "
+ "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} "
+ "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} "
+ "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} "
+ "table thead th {display: table-cell; text-align: left; padding: 4px 8px; background: #e5e5e5; color: #777;font-size: 11px; width: 80px; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} "
+ "table tr th {text-align: left; width: 80px;} "
+ "table td {width: 100px; font-size: 8px; display: table-cell; padding: 4px 8px;} "
+ "table tr {text-align: left; width: 60px; background: #f3f3f3;} "
+ "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} "
+ "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} "
+ "table thead th {display: table-cell; text-align: left; padding: 4px 8px; background: #e5e5e5; color: #777;font-size: 11px; width: 80px; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} "
+ "table tr th {text-align: left; width: 80px;} "
+ "table td {width: 100px; font-size: 8px; display: table-cell; padding: 4px 8px;} "
+ "table tr {text-align: left; width: 60px; background: #f3f3f3;} "
+ "tr.alt td{ background-color: #FFFFFF;}"
+ "</style>";
unformatted_header.append(header);
unformatted_header.append(simpleCSS);
+ "</style>";
unformatted_header.append(header);
unformatted_header.append(simpleCSS);
//formatted_Report.append("<link rel=\"stylesheet\" href=\"" + rrpath + "report.css\" type=\"text/css\" />");
formatted_Report.append("</head><body><div id=\"main\"><div id=\"content\">");
// Add summary information now
formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>");
if(IngestManager.getDefault().isIngestRunning())
{
if (IngestManager.getDefault().isIngestRunning()) {
formatted_Report.append(ingestwarning);
}
formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<ul>");
formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<ul>");
formatted_Report.append("<li># of Images: ").append(imagecount).append("</li>");
formatted_Report.append("<li>FileSystems: ").append(filesystemcount).append("</li>");
formatted_Report.append("<li># of Files: ").append(totalfiles.toString()).append("</li>");
formatted_Report.append("<li># of Dirs: ").append(totaldirs.toString()).append("</li>");
formatted_Report.append("<li># of Artifacts: ").append(reportsize).append("</li></ul>");
formatted_Report.append("<br /><table><thead><tr><th>Section</th><th>Count</th></tr></thead><tbody>");
if(countWebBookmark > 0){
formatted_Report.append("<tr><td><a href=\"#bookmark\">Web Bookmarks</a></td><td>").append(countWebBookmark).append("</td></tr>");
if (countWebBookmark > 0) {
formatted_Report.append("<tr><td><a href=\"#bookmark\">Web Bookmarks</a></td><td>").append(countWebBookmark).append("</td></tr>");
}
if(countWebCookie > 0){
formatted_Report.append("<tr><td><a href=\"#cookie\">Web Cookies</a></td><td>").append(countWebCookie).append("</td></tr>");
if (countWebCookie > 0) {
formatted_Report.append("<tr><td><a href=\"#cookie\">Web Cookies</a></td><td>").append(countWebCookie).append("</td></tr>");
}
if(countWebHistory > 0){
formatted_Report.append("<tr><td><a href=\"#history\">Web History</a></td><td>").append(countWebHistory).append("</td></tr>");
if (countWebHistory > 0) {
formatted_Report.append("<tr><td><a href=\"#history\">Web History</a></td><td>").append(countWebHistory).append("</td></tr>");
}
if(countWebDownload > 0){
formatted_Report.append("<tr><td><a href=\"#download\">Web Downloads</a></td><td>").append(countWebDownload).append("</td></tr>");
if (countWebDownload > 0) {
formatted_Report.append("<tr><td><a href=\"#download\">Web Downloads</a></td><td>").append(countWebDownload).append("</td></tr>");
}
if(countRecentObjects > 0){
formatted_Report.append("<tr><td><a href=\"#recent\">Recent Documents</a></td><td>").append(countRecentObjects).append("</td></tr>");
if (countRecentObjects > 0) {
formatted_Report.append("<tr><td><a href=\"#recent\">Recent Documents</a></td><td>").append(countRecentObjects).append("</td></tr>");
}
if(countInstalled > 0){
formatted_Report.append("<tr><td><a href=\"#installed\">Installed Programs</a></td><td>").append(countInstalled).append("</td></tr>");
if (countInstalled > 0) {
formatted_Report.append("<tr><td><a href=\"#installed\">Installed Programs</a></td><td>").append(countInstalled).append("</td></tr>");
}
if(countKeyword > 0){
formatted_Report.append("<tr><td><a href=\"#keyword\">Keyword Hits</a></td><td>").append(countKeyword).append("</td></tr>");
if (countKeyword > 0) {
formatted_Report.append("<tr><td><a href=\"#keyword\">Keyword Hits</a></td><td>").append(countKeyword).append("</td></tr>");
}
if(countHash > 0){
formatted_Report.append("<tr><td><a href=\"#hash\">Hash Hits</a></td><td>").append(countHash).append("</td></tr>");
if (countHash > 0) {
formatted_Report.append("<tr><td><a href=\"#hash\">Hash Hits</a></td><td>").append(countHash).append("</td></tr>");
}
if(countDevice > 0){
formatted_Report.append("<tr><td><a href=\"#device\">Attached Devices</a></td><td>").append(countDevice).append("</td></tr>");
if (countDevice > 0) {
formatted_Report.append("<tr><td><a href=\"#device\">Attached Devices</a></td><td>").append(countDevice).append("</td></tr>");
}
formatted_Report.append("</tbody></table><br />");
formatted_Report.append("</tbody></table><br />");
String tableHeader = "<table><thead><tr>";
StringBuilder nodeGen = new StringBuilder("<h3>General Information (").append(countGen).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeWebBookmark = new StringBuilder("<h3><a name=\"bookmark\">Web Bookmarks (").append(countWebBookmark).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebCookie = new StringBuilder("<h3><a name=\"cookie\">Web Cookies (").append(countWebCookie).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Name</th><th>Value</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebHistory = new StringBuilder("<h3><a name=\"history\">Web History (").append(countWebHistory).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Referrer</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebDownload = new StringBuilder("<h3><a name=\"download\">Web Downloads (").append(countWebDownload).append(")</h3>").append(tableHeader).append("<th>File</th><th>Source</th><th>Time</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeRecentObjects = new StringBuilder("<h3><a name=\"recent\">Recent Documents (").append(countRecentObjects).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Path</th><th>Related Shortcut</th></tr></thead><tbody>");
StringBuilder nodeTrackPoint = new StringBuilder("<h3><a name=\"track\">Track Points (").append(countTrackPoint).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeInstalled = new StringBuilder("<h3><a name=\"installed\">Installed Programs (").append(countInstalled).append(")</h3>").append(tableHeader).append("<th>Program Name</th><th>Install Date/Time</th></tr></thead><tbody>");
StringBuilder nodeKeyword = new StringBuilder("<h3><a name=\"keyword\">Keyword Search Hits (").append(countKeyword).append(")</h3>");
StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Size</th><th>Hashset Name</th></tr></thead><tbody>");
StringBuilder nodeDevice = new StringBuilder("<h3><a name=\"device\">Attached Devices (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Serial #</th><th>Time</th></tr></thead><tbody>");
int alt = 0;
String altRow = "";
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
break;
}
int cc = 0;
if(alt > 0)
{
altRow = " class=\"alt\"";
alt = 0;
}
else{
altRow="";
alt++;
}
StringBuilder artifact = new StringBuilder("");
StringBuilder nodeGen = new StringBuilder("<h3>General Information (").append(countGen).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeWebBookmark = new StringBuilder("<h3><a name=\"bookmark\">Web Bookmarks (").append(countWebBookmark).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebCookie = new StringBuilder("<h3><a name=\"cookie\">Web Cookies (").append(countWebCookie).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Name</th><th>Value</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebHistory = new StringBuilder("<h3><a name=\"history\">Web History (").append(countWebHistory).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Referrer</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebDownload = new StringBuilder("<h3><a name=\"download\">Web Downloads (").append(countWebDownload).append(")</h3>").append(tableHeader).append("<th>File</th><th>Source</th><th>Time</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeRecentObjects = new StringBuilder("<h3><a name=\"recent\">Recent Documents (").append(countRecentObjects).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Path</th><th>Related Shortcut</th></tr></thead><tbody>");
StringBuilder nodeTrackPoint = new StringBuilder("<h3><a name=\"track\">Track Points (").append(countTrackPoint).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeInstalled = new StringBuilder("<h3><a name=\"installed\">Installed Programs (").append(countInstalled).append(")</h3>").append(tableHeader).append("<th>Program Name</th><th>Install Date/Time</th></tr></thead><tbody>");
StringBuilder nodeKeyword = new StringBuilder("<h3><a name=\"keyword\">Keyword Search Hits (").append(countKeyword).append(")</h3>");
StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Size</th><th>Hashset Name</th></tr></thead><tbody>");
StringBuilder nodeDevice = new StringBuilder("<h3><a name=\"device\">Attached Devices (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Serial #</th><th>Time</th></tr></thead><tbody>");
int alt = 0;
String altRow = "";
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (reportFilter.cancel == true) {
break;
}
int cc = 0;
if (alt > 0) {
altRow = " class=\"alt\"";
alt = 0;
} else {
altRow = "";
alt++;
}
StringBuilder artifact = new StringBuilder("");
Long objId = entry.getKey().getObjectID();
//Content file = skCase.getContentById(objId);
FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer,String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for(n=1;n<=35;n++)
{
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
break;
}
String value = "";
int type = tempatt.getAttributeTypeID();
if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){
}
else if(type == 2 || type == 33 ){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())));
if(value == null || "".equals(value)){
value = tempatt.getValueString();
}
}
else
{
value = tempatt.getValueString();
}
value = reportUtils.insertPeriodically(value, "<br>", 30);
attributes.put(type, value);
cc++;
}
if(entry.getKey().getArtifactTypeID() == 1){
artifact.append("</tr>");
nodeGen.append(artifact);
TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for (n = 1; n <= 35; n++) {
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue()) {
if (reportFilter.cancel == true) {
break;
}
if(entry.getKey().getArtifactTypeID() == 2){
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebBookmark.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 3){
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(6)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebCookie.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 4){
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(32)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebHistory.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 5){
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebDownload.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 6){
//artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(3)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(file.getName()).append("</td>");
artifact.append("</tr>");
nodeRecentObjects.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 7){
artifact.append("<tr").append(altRow).append("><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
artifact.append("</tr>");
nodeTrackPoint.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(4)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeInstalled.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 9){
// artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>");
// artifact.append("</tr></table>");
// nodeKeyword.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 10){
// artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
//artifact.append("<td>").append(attributes.get(31)).append("</td>");
artifact.append("<td>").append(attributes.get(30)).append("</td>");
artifact.append("</tr>");
nodeHash.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 11){
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(18)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(20)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeDevice.append(artifact);
String value = "";
int type = tempatt.getAttributeTypeID();
if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
} else if (type == 2 || type == 33) {
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong())));
if (value == null || "".equals(value)) {
value = tempatt.getValueString();
}
} else {
value = tempatt.getValueString();
}
value = reportUtils.insertPeriodically(value, "<br>", 30);
attributes.put(type, value);
cc++;
rr.progBarSet(cc);
}
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
artifact.append("</tr>");
nodeGen.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebBookmark.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(6)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebCookie.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(32)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebHistory.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebDownload.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
//artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(3)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(file.getName()).append("</td>");
artifact.append("</tr>");
nodeRecentObjects.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
artifact.append("</tr>");
nodeTrackPoint.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(4)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeInstalled.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
// artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>");
// artifact.append("</tr></table>");
// nodeKeyword.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
// artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
//artifact.append("<td>").append(attributes.get(31)).append("</td>");
artifact.append("<td>").append(attributes.get(30)).append("</td>");
artifact.append("</tr>");
nodeHash.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(18)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(20)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeDevice.append(artifact);
}
cc++;
rr.progBarSet(cc);
}
//Add them back in order
//formatted_Report.append(nodeGen);
// formatted_Report.append("</tbody></table>");
if(countWebBookmark > 0){
formatted_Report.append(nodeWebBookmark);
formatted_Report.append("</tbody></table>");
// formatted_Report.append("</tbody></table>");
if (countWebBookmark > 0) {
formatted_Report.append(nodeWebBookmark);
formatted_Report.append("</tbody></table>");
}
if(countWebCookie > 0){
formatted_Report.append(nodeWebCookie);
formatted_Report.append("</tbody></table>");
if (countWebCookie > 0) {
formatted_Report.append(nodeWebCookie);
formatted_Report.append("</tbody></table>");
}
if(countWebHistory > 0){
formatted_Report.append(nodeWebHistory);
formatted_Report.append("</tbody></table>");
if (countWebHistory > 0) {
formatted_Report.append(nodeWebHistory);
formatted_Report.append("</tbody></table>");
}
if(countWebDownload > 0){
formatted_Report.append(nodeWebDownload);
formatted_Report.append("</tbody></table>");
if (countWebDownload > 0) {
formatted_Report.append(nodeWebDownload);
formatted_Report.append("</tbody></table>");
}
if(countRecentObjects > 0){
formatted_Report.append(nodeRecentObjects);
formatted_Report.append("</tbody></table>");
if (countRecentObjects > 0) {
formatted_Report.append(nodeRecentObjects);
formatted_Report.append("</tbody></table>");
}
// formatted_Report.append(nodeTrackPoint);
// formatted_Report.append(nodeTrackPoint);
//formatted_Report.append("</tbody></table>");
if(countInstalled > 0){
formatted_Report.append(nodeInstalled);
formatted_Report.append("</tbody></table>");
if (countInstalled > 0) {
formatted_Report.append(nodeInstalled);
formatted_Report.append("</tbody></table>");
}
if(countKeyword > 0){
formatted_Report.append(nodeKeyword);
report keywords = new report();
formatted_Report.append(keywords.getGroupedKeywordHit());
// "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>
// formatted_Report.append("</tbody></table>");
if (countKeyword > 0) {
formatted_Report.append(nodeKeyword);
report keywords = new report();
formatted_Report.append(keywords.getGroupedKeywordHit());
// "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>
// formatted_Report.append("</tbody></table>");
}
if(countHash > 0){
formatted_Report.append(nodeHash);
formatted_Report.append("</tbody></table>");
if (countHash > 0) {
formatted_Report.append(nodeHash);
formatted_Report.append("</tbody></table>");
}
if(countDevice > 0){
formatted_Report.append(nodeDevice);
formatted_Report.append("</tbody></table>");
if (countDevice > 0) {
formatted_Report.append(nodeDevice);
formatted_Report.append("</tbody></table>");
}
//end of master loop
formatted_Report.append("</div></div></body></html>");
formatted_header.append(formatted_Report);
// unformatted_header.append(formatted_Report);
htmlPath = currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".html";
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlPath), "UTF-8"));
out.write(formatted_header.toString());
out.flush();
out.close();
}
catch(Exception e)
{
Logger.getLogger(reportHTML.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
}
formatted_Report.append("</div></div></body></html>");
formatted_header.append(formatted_Report);
// unformatted_header.append(formatted_Report);
htmlPath = currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".html";
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlPath), "UTF-8"));
out.write(formatted_header.toString());
out.flush();
out.close();
} catch (Exception e) {
Logger.getLogger(reportHTML.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
}
}


@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?>
<?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents>


@ -1,20 +1,27 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportPanel.java
/*
*
* Created on Feb 21, 2012, 12:13:14 PM
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener;
import java.io.BufferedWriter;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.io.*;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
@ -30,16 +37,17 @@ import org.jdom.output.XMLOutputter;
*/
public class reportPanel extends javax.swing.JPanel {
/** Creates new form reportPanel */
public reportPanel(String report) {
/**
* Creates new form reportPanel
*/
public reportPanel() {
initComponents();
setReportWindow(report);
}
/** This method is called from within the constructor to
* initialize the form.
* WARNING: Do NOT modify this code. The content of this method is
* always regenerated by the Form Editor.
/**
* This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is always
* regenerated by the Form Editor.
*/
@SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -94,86 +102,64 @@ public class reportPanel extends javax.swing.JPanel {
}// </editor-fold>//GEN-END:initComponents
private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_saveReportActionPerformed
saveReportAction();
}//GEN-LAST:event_saveReportActionPerformed
/**
/**
* Sets the listener for the OK button
*
* @param e The action listener
* @param e The action listener
*/
public void setjButton1ActionListener(ActionListener e){
jButton1.addActionListener(e);
public void setjButton1ActionListener(ActionListener e) {
jButton1.addActionListener(e);
}
public void getLink(HyperlinkEvent evt){
try{
String str = evt.getDescription();
// jEditorPane1.scrollToReference(str.substring(1));
}
catch(Exception e){
String whater = "";
}
}
public void setjEditorPane1EventListener(HyperlinkListener evt){
// jEditorPane1.addHyperlinkListener(evt);
}
private void setReportWindow(String report)
{
// jEditorPane1.setText(report);
// jEditorPane1.setCaretPosition(0);
}
public void setFinishedReportText(){
public void setFinishedReportText() {
DateFormat dateFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
Date date = new Date();
String reportText = "Report was sucessfully generated at " + dateFormat.format(date) + ".";
jLabel1.setText(reportText);
}
private void saveReportAction(){
private void saveReportAction() {
int option = jFileChooser1.showSaveDialog(this);
if(option == JFileChooser.APPROVE_OPTION){
if(jFileChooser1.getSelectedFile()!=null){
String path = jFileChooser1.getSelectedFile().toString();
exportReport(path);
if (option == JFileChooser.APPROVE_OPTION) {
if (jFileChooser1.getSelectedFile() != null) {
String path = jFileChooser1.getSelectedFile().toString();
exportReport(path);
}
}
}
}
private void exportReport(String path){
String htmlpath = reportUtils.changeExtension(path, ".html");
String xmlpath = reportUtils.changeExtension(path, ".xml");
String xlspath = reportUtils.changeExtension(path, ".xlsx");
try {
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlpath), "UTF-8"));
// FileOutputStream out = new FileOutputStream(htmlpath);
out.write(reportHTML.formatted_header.toString());
out.flush();
out.close();
//xls report
FileOutputStream fos = new FileOutputStream(xlspath);
reportXLS.wb.write(fos);
fos.close();
FileOutputStream xmlout = new FileOutputStream(xmlpath);
XMLOutputter serializer = new XMLOutputter();
serializer.output(reportXML.xmldoc, xmlout);
xmlout.flush();
xmlout.close();
JOptionPane.showMessageDialog(this, "Report has been successfully saved!");
}
catch (IOException e) {
System.err.println(e);
}
}
private void exportReport(String path) {
String htmlpath = reportUtils.changeExtension(path, ".html");
String xmlpath = reportUtils.changeExtension(path, ".xml");
String xlspath = reportUtils.changeExtension(path, ".xlsx");
try {
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlpath), "UTF-8"));
// FileOutputStream out = new FileOutputStream(htmlpath);
out.write(reportHTML.formatted_header.toString());
out.flush();
out.close();
//xls report
FileOutputStream fos = new FileOutputStream(xlspath);
reportXLS.wb.write(fos);
fos.close();
FileOutputStream xmlout = new FileOutputStream(xmlpath);
XMLOutputter serializer = new XMLOutputter();
serializer.output(reportXML.xmldoc, xmlout);
xmlout.flush();
xmlout.close();
JOptionPane.showMessageDialog(this, "Report has been successfully saved!");
} catch (IOException e) {
System.err.println(e);
}
}
// Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton jButton1;
private javax.swing.JFileChooser jFileChooser1;
@ -181,6 +167,4 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
private javax.swing.JOptionPane jOptionPane1;
private javax.swing.JButton saveReport;
// End of variables declaration//GEN-END:variables
}


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -8,18 +24,11 @@ import java.awt.Dimension;
import java.awt.Toolkit;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.logging.Level;
import javax.swing.JDialog;
import javax.swing.JFrame;
import javax.swing.SwingUtilities;
import javax.swing.event.HyperlinkEvent;
import javax.swing.event.HyperlinkListener;
import org.sleuthkit.autopsy.coreutils.Log;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
/**
*
@ -32,15 +41,14 @@ public class reportPanelAction {
}
public void reportGenerate(ArrayList<Integer> reportlist, final reportFilter rr){
public void reportGenerate(ReportConfiguration reportconfig, final reportFilter rr){
try {
//Clear any old reports in the string
viewReport.setLength(0);
// Generate the reports and create the hashmap
final HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> Results = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
report bbreport = new report();
final ReportGen report = new ReportGen();
//see what reports we need to run and run them
//Set progress bar to move while doing this
SwingUtilities.invokeLater(new Runnable() {
@ -48,21 +56,11 @@ public class reportPanelAction {
public void run() {
rr.progBarStartText();
}});
if(reportlist.contains(1)){Results.putAll(bbreport.getGenInfo());}
if(reportlist.contains(2)){Results.putAll(bbreport.getWebBookmark());}
if(reportlist.contains(3)){Results.putAll(bbreport.getWebCookie());}
if(reportlist.contains(4)){Results.putAll(bbreport.getWebHistory());}
if(reportlist.contains(5)){Results.putAll(bbreport.getWebDownload());}
if(reportlist.contains(6)){Results.putAll(bbreport.getRecentObject());}
// if(reportlist.contains(7)){Results.putAll(bbreport.getGenInfo());}
if(reportlist.contains(8)){Results.putAll(bbreport.getInstalledProg());}
if(reportlist.contains(9)){Results.putAll(bbreport.getKeywordHit());}
if(reportlist.contains(10)){Results.putAll(bbreport.getHashHit());}
if(reportlist.contains(11)){Results.putAll(bbreport.getDevices());}
report.populateReport(reportconfig);
SwingUtilities.invokeLater(new Runnable() {
@Override
public void run() {
rr.progBarCount(2*Results.size());
rr.progBarCount(2*report.Results.size());
}});
//Turn our results into the appropriate xml/html reports
//TODO: add a way for users to select what they will run when
@ -71,7 +69,7 @@ public class reportPanelAction {
@Override
public void run()
{
reportXML xmlReport = new reportXML(Results, rr);
reportXML xmlReport = new reportXML(report.Results, rr);
}
});
Thread htmlthread = new Thread(new Runnable()
@ -79,8 +77,8 @@ public class reportPanelAction {
@Override
public void run()
{
reportHTML htmlReport = new reportHTML(Results,rr);
reportHTML htmlReport = new reportHTML(report.Results,rr);
BrowserControl.openUrl(reportHTML.htmlPath);
}
});
Thread xlsthread = new Thread(new Runnable()
@ -88,8 +86,8 @@ public class reportPanelAction {
@Override
public void run()
{
reportXLS xlsReport = new reportXLS(Results,rr);
// BrowserControl.openUrl(xlsReport.xlsPath);
reportXLS xlsReport = new reportXLS(report.Results,rr);
//
}
});
@ -110,7 +108,7 @@ public class reportPanelAction {
htmlthread.join();
//Set the temporary label to let the user know its done and is waiting on the report
rr.progBarText();
final reportPanel panel = new reportPanel(viewReport.toString());
final reportPanel panel = new reportPanel();
panel.setjButton1ActionListener(new ActionListener() {
@ -120,19 +118,6 @@ public class reportPanelAction {
popUpWindow.dispose();
}
});
panel.setjEditorPane1EventListener(new HyperlinkListener(){
@Override
public void hyperlinkUpdate(HyperlinkEvent hev) {
try {
if (hev.getEventType() == HyperlinkEvent.EventType.ACTIVATED)
panel.getLink(hev);
}
catch (Exception e) {
// Exceptions thrown...............
}
}
});
// add the panel to the popup window
popUpWindow.add(panel);
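Review bot: The new `report.Results` references in `reportGenerate` (from the `progBarCount` call onward, and in the three worker `Runnable`s) read a public mutable field of `ReportGen` from four threads, so nothing prevents one consumer from mutating the map the others are iterating; an accessor on `ReportGen` returning an unmodifiable view, e.g. `final Map<BlackboardArtifact, ArrayList<BlackboardAttribute>> results = report.getResults();` captured once before the threads start, would make the sharing explicit and read-only (exact accessor name to be chosen in `ReportGen`, which is outside this page). `reportconfig` is also handed to `populateReport` without a null check; `Objects.requireNonNull(reportconfig, "reportconfig")` at the top of the method would fail early instead of inside the worker. Since the html thread still opens the generated file in the browser via `BrowserControl.openUrl(reportHTML.htmlPath)`, it is worth noting that `reportHTML` (earlier in this commit) appends artifact attribute values such as URLs, titles and cookie values into table cells with no HTML escaping; those values come from the examined image, so they should be escaped before the report is rendered in a browser. `reportGenerate` continues past the end of this hunk.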


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -9,34 +25,32 @@ package org.sleuthkit.autopsy.report;
* @author Alex
*/
public class reportUtils {
static String changeExtension(String originalName, String newExtension) {
int lastDot = originalName.lastIndexOf(".");
if (lastDot != -1) {
return originalName.substring(0, lastDot) + newExtension;
} else {
return originalName + newExtension;
}
}
public static String insertPeriodically(
String text, String insert, int period)
{
StringBuilder builder = new StringBuilder(
text.length() + insert.length() * (text.length()/period)+1);
int index = 0;
String prefix = "";
while (index < text.length())
{
// Don't put the insert in the very first iteration.
// This is easier than appending it *after* each substring
builder.append(prefix);
prefix = insert;
builder.append(text.substring(index,
Math.min(index + period, text.length())));
index += period;
static String changeExtension(String originalName, String newExtension) {
int lastDot = originalName.lastIndexOf(".");
if (lastDot != -1) {
return originalName.substring(0, lastDot) + newExtension;
} else {
return originalName + newExtension;
}
}
public static String insertPeriodically(
String text, String insert, int period) {
StringBuilder builder = new StringBuilder(
text.length() + insert.length() * (text.length() / period) + 1);
int index = 0;
String prefix = "";
while (index < text.length()) {
// Don't put the insert in the very first iteration.
// This is easier than appending it *after* each substring
builder.append(prefix);
prefix = insert;
builder.append(text.substring(index,
Math.min(index + period, text.length())));
index += period;
}
return builder.toString();
}
return builder.toString();
}
}
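Review bot: `changeExtension` in the reformatted hunk still looks for the last dot anywhere in the path, so a save location chosen in the file chooser whose directory contains a dot but whose file name has no extension (constructed example: `C:\cases\case.2012\report`) is truncated to `C:\cases\case.html` and the report lands outside the intended folder. Compare the dot position with the last separator first: `int lastSep = Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\'));` followed by `int lastDot = originalName.lastIndexOf('.');` and `if (lastDot > lastSep) {`. `insertPeriodically` also divides by `period` and advances `index` by it, so a zero or negative value throws `ArithmeticException` or never terminates; guard it with `if (period <= 0) throw new IllegalArgumentException("period must be positive: " + period);`. Both methods would benefit from a Javadoc stating these preconditions, since the class has none.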


@ -1,11 +1,26 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream;
import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
@ -14,362 +29,343 @@ import java.util.Date;
import java.util.HashMap;
import java.util.Map.Entry;
import java.util.TreeMap;
import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.CellStyle;
import org.apache.poi.ss.usermodel.Font;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.*;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.*;
/**
*
* @author Alex
*/
public class reportXLS {
public static Workbook wb = new XSSFWorkbook();
public reportXLS(HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
//Empty the workbook first
Workbook wbtemp = new XSSFWorkbook();
int countGen = 0;
int countBookmark = 0;
int countCookie = 0;
int countHistory = 0;
int countDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){
countGen++;
}
if(entry.getKey().getArtifactTypeID() == 2){
countBookmark++;
}
if(entry.getKey().getArtifactTypeID() == 3){
countCookie++;
}
if(entry.getKey().getArtifactTypeID() == 4){
public static Workbook wb = new XSSFWorkbook();
countHistory++;
public reportXLS(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
//Empty the workbook first
Workbook wbtemp = new XSSFWorkbook();
int countGen = 0;
int countBookmark = 0;
int countCookie = 0;
int countHistory = 0;
int countDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countBookmark++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countCookie++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countHistory++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countDownload++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countRecentObjects++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
countTrackPoint++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++;
}
}
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
//The first summary report page
Sheet sheetSummary = wbtemp.createSheet("Summary");
//Generate a sheet per artifact type
// Sheet sheetGen = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getDisplayName());
Sheet sheetHash = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName());
Sheet sheetDevice = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getDisplayName());
Sheet sheetInstalled = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getDisplayName());
Sheet sheetKeyword = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName());
// Sheet sheetTrackpoint = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getDisplayName());
Sheet sheetRecent = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getDisplayName());
Sheet sheetCookie = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getDisplayName());
Sheet sheetBookmark = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName());
Sheet sheetDownload = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getDisplayName());
Sheet sheetHistory = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName());
//Bold/underline cell style for the top header rows
CellStyle style = wbtemp.createCellStyle();
style.setBorderBottom((short) 2);
Font font = wbtemp.createFont();
font.setFontHeightInPoints((short) 16);
font.setFontName("Courier New");
font.setBoldweight((short) 2);
style.setFont(font);
//create the rows in the worksheet for our records
//Create first row and header
// sheetGen.createRow(0);
// sheetGen.getRow(0).createCell(0).setCellValue("Name");
// sheetGen.getRow(0).createCell(1).setCellValue("Value");
// sheetGen.getRow(0).createCell(2).setCellValue("Date/Time");
sheetSummary.createRow(0).setRowStyle(style);
sheetSummary.getRow(0).createCell(0).setCellValue("Summary Information");
sheetSummary.getRow(0).createCell(1).setCellValue(caseName);
//add some basic information
sheetSummary.createRow(1);
sheetSummary.getRow(1).createCell(0).setCellValue("# of Images");
sheetSummary.getRow(1).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(2);
sheetSummary.getRow(2).createCell(0).setCellValue("Filesystems found");
sheetSummary.getRow(2).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(3);
sheetSummary.getRow(3).createCell(0).setCellValue("# of Files");
sheetSummary.getRow(3).createCell(1).setCellValue(totalfiles);
sheetSummary.createRow(4);
sheetSummary.getRow(4).createCell(0).setCellValue("# of Directories");
sheetSummary.getRow(4).createCell(1).setCellValue(totaldirs);
sheetSummary.createRow(5);
sheetSummary.getRow(5).createCell(0).setCellValue("Date/Time");
sheetSummary.getRow(5).createCell(1).setCellValue(datetime);
sheetHash.createRow(0).setRowStyle(style);
sheetHash.getRow(0).createCell(0).setCellValue("Name");
sheetHash.getRow(0).createCell(1).setCellValue("Size");
sheetHash.getRow(0).createCell(2).setCellValue("Hashset Name");
sheetDevice.createRow(0).setRowStyle(style);
sheetDevice.getRow(0).createCell(0).setCellValue("Name");
sheetDevice.getRow(0).createCell(1).setCellValue("Serial #");
sheetDevice.getRow(0).createCell(2).setCellValue("Time");
sheetInstalled.createRow(0).setRowStyle(style);
sheetInstalled.getRow(0).createCell(0).setCellValue("Program Name");
sheetInstalled.getRow(0).createCell(1).setCellValue("Install Date/Time");
sheetKeyword.createRow(0).setRowStyle(style);
sheetKeyword.getRow(0).createCell(0).setCellValue("Keyword");
sheetKeyword.getRow(0).createCell(1).setCellValue("File Name");
sheetKeyword.getRow(0).createCell(2).setCellValue("Preview");
sheetKeyword.getRow(0).createCell(3).setCellValue("Keyword LIst");
sheetRecent.createRow(0).setRowStyle(style);
sheetRecent.getRow(0).createCell(0).setCellValue("Name");
sheetRecent.getRow(0).createCell(1).setCellValue("Path");
sheetRecent.getRow(0).createCell(2).setCellValue("Related Shortcut");
sheetCookie.createRow(0).setRowStyle(style);
sheetCookie.getRow(0).createCell(0).setCellValue("URL");
sheetCookie.getRow(0).createCell(1).setCellValue("Date");
sheetCookie.getRow(0).createCell(2).setCellValue("Name");
sheetCookie.getRow(0).createCell(3).setCellValue("Value");
sheetCookie.getRow(0).createCell(4).setCellValue("Program");
sheetBookmark.createRow(0).setRowStyle(style);
sheetBookmark.getRow(0).createCell(0).setCellValue("URL");
sheetBookmark.getRow(0).createCell(1).setCellValue("Title");
sheetBookmark.getRow(0).createCell(2).setCellValue("Program");
sheetDownload.createRow(0).setRowStyle(style);
sheetDownload.getRow(0).createCell(0).setCellValue("File");
sheetDownload.getRow(0).createCell(1).setCellValue("Source");
sheetDownload.getRow(0).createCell(2).setCellValue("Time");
sheetDownload.getRow(0).createCell(3).setCellValue("Program");
sheetHistory.createRow(0).setRowStyle(style);
sheetHistory.getRow(0).createCell(0).setCellValue("URL");
sheetHistory.getRow(0).createCell(1).setCellValue("Date");
sheetHistory.getRow(0).createCell(2).setCellValue("Referrer");
sheetHistory.getRow(0).createCell(3).setCellValue("Title");
sheetHistory.getRow(0).createCell(4).setCellValue("Program");
for (int i = 0; i < wbtemp.getNumberOfSheets(); i++) {
Sheet tempsheet = wbtemp.getSheetAt(i);
tempsheet.setAutobreaks(true);
for (Row temprow : tempsheet) {
for (Cell cell : temprow) {
cell.setCellStyle(style);
tempsheet.autoSizeColumn(cell.getColumnIndex());
}
if(entry.getKey().getArtifactTypeID() == 5){
countDownload++;
}
}
int countedGen = 0;
int countedBookmark = 0;
int countedCookie = 0;
int countedHistory = 0;
int countedDownload = 0;
int countedRecentObjects = 0;
int countedTrackPoint = 0;
int countedInstalled = 0;
int countedKeyword = 0;
int countedHash = 0;
int countedDevice = 0;
//start populating the sheets in the workbook
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (reportFilter.cancel == true) {
break;
}
int cc = 0;
Long objId = entry.getKey().getObjectID();
FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for (n = 1; n <= 36; n++) {
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue()) {
if (reportFilter.cancel == true) {
break;
}
if(entry.getKey().getArtifactTypeID() == 6){
countRecentObjects++;
String value = "";
int type = tempatt.getAttributeTypeID();
if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
} else if (type == 2 || type == 33) {
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong()) * 1000));
} else {
value = tempatt.getValueString();
}
if(entry.getKey().getArtifactTypeID() == 7){
countTrackPoint++;
}
if(entry.getKey().getArtifactTypeID() == 8){
countInstalled++;
}
if(entry.getKey().getArtifactTypeID() == 9){
countKeyword++;
}
if(entry.getKey().getArtifactTypeID() == 10){
countHash++;
}
if(entry.getKey().getArtifactTypeID() == 11){
countDevice++;
}
attributes.put(type, value);
cc++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countedGen++;
// Row temp = sheetGen.getRow(countedGen);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countedBookmark++;
Row temp = sheetBookmark.createRow(countedBookmark);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countedCookie++;
Row temp = sheetCookie.createRow(countedCookie);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(2));
temp.createCell(2).setCellValue(attributes.get(3));
temp.createCell(3).setCellValue(attributes.get(6));
temp.createCell(4).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countedHistory++;
Row temp = sheetHistory.createRow(countedHistory);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(33));
temp.createCell(2).setCellValue(attributes.get(32));
temp.createCell(3).setCellValue(attributes.get(3));
temp.createCell(4).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countedDownload++;
Row temp = sheetDownload.createRow(countedDownload);
temp.createCell(0).setCellValue(attributes.get(8));
temp.createCell(1).setCellValue(attributes.get(1));
temp.createCell(2).setCellValue(attributes.get(33));
temp.createCell(3).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countedRecentObjects++;
Row temp = sheetRecent.createRow(countedRecentObjects);
temp.createCell(0).setCellValue(attributes.get(3));
temp.createCell(1).setCellValue(attributes.get(8));
temp.createCell(2).setCellValue(file.getName());
temp.createCell(3).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
// sheetTrackpoint.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countedInstalled++;
Row temp = sheetInstalled.createRow(countedInstalled);
temp.createCell(0).setCellValue(attributes.get(4));
temp.createCell(1).setCellValue(attributes.get(2));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countedKeyword++;
Row temp = sheetKeyword.createRow(countedKeyword);
temp.createCell(0).setCellValue(attributes.get(10));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(12));
temp.createCell(3).setCellValue(attributes.get(13));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countedHash++;
Row temp = sheetHash.createRow(countedHash);
temp.createCell(0).setCellValue(file.getName().toString());
temp.createCell(1).setCellValue(filesize.toString());
temp.createCell(2).setCellValue(attributes.get(30));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countedDevice++;
Row temp = sheetDevice.createRow(countedDevice);
temp.createCell(0).setCellValue(attributes.get(18));
temp.createCell(1).setCellValue(attributes.get(20));
temp.createCell(2).setCellValue(attributes.get(2));
}
cc++;
rr.progBarSet(cc);
}
//write out the report to the reports folder
try {
FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".xlsx");
wbtemp.write(fos);
fos.close();
wb = wbtemp;
} catch (IOException e) {
System.err.println(e);
}
} catch (Exception E) {
String test = E.toString();
}
}
try{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
//The first summary report page
Sheet sheetSummary = wbtemp.createSheet("Summary");
//Generate a sheet per artifact type
// Sheet sheetGen = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getDisplayName());
Sheet sheetHash = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName());
Sheet sheetDevice = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getDisplayName());
Sheet sheetInstalled = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getDisplayName());
Sheet sheetKeyword = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName());
// Sheet sheetTrackpoint = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getDisplayName());
Sheet sheetRecent = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getDisplayName());
Sheet sheetCookie = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getDisplayName());
Sheet sheetBookmark = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName());
Sheet sheetDownload = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getDisplayName());
Sheet sheetHistory = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName());
//Bold/underline cell style for the top header rows
CellStyle style = wbtemp.createCellStyle();
style.setBorderBottom((short) 2);
Font font = wbtemp.createFont();
font.setFontHeightInPoints((short)16);
font.setFontName("Courier New");
font.setBoldweight((short)2);
style.setFont(font);
//create the rows in the worksheet for our records
//Create first row and header
// sheetGen.createRow(0);
// sheetGen.getRow(0).createCell(0).setCellValue("Name");
// sheetGen.getRow(0).createCell(1).setCellValue("Value");
// sheetGen.getRow(0).createCell(2).setCellValue("Date/Time");
sheetSummary.createRow(0).setRowStyle(style);
sheetSummary.getRow(0).createCell(0).setCellValue("Summary Information");
sheetSummary.getRow(0).createCell(1).setCellValue(caseName);
//add some basic information
sheetSummary.createRow(1);
sheetSummary.getRow(1).createCell(0).setCellValue("# of Images");
sheetSummary.getRow(1).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(2);
sheetSummary.getRow(2).createCell(0).setCellValue("Filesystems found");
sheetSummary.getRow(2).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(3);
sheetSummary.getRow(3).createCell(0).setCellValue("# of Files");
sheetSummary.getRow(3).createCell(1).setCellValue(totalfiles);
sheetSummary.createRow(4);
sheetSummary.getRow(4).createCell(0).setCellValue("# of Directories");
sheetSummary.getRow(4).createCell(1).setCellValue(totaldirs);
sheetSummary.createRow(5);
sheetSummary.getRow(5).createCell(0).setCellValue("Date/Time");
sheetSummary.getRow(5).createCell(1).setCellValue(datetime);
sheetHash.createRow(0).setRowStyle(style);
sheetHash.getRow(0).createCell(0).setCellValue("Name");
sheetHash.getRow(0).createCell(1).setCellValue("Size");
sheetHash.getRow(0).createCell(2).setCellValue("Hashset Name");
sheetDevice.createRow(0).setRowStyle(style);
sheetDevice.getRow(0).createCell(0).setCellValue("Name");
sheetDevice.getRow(0).createCell(1).setCellValue("Serial #");
sheetDevice.getRow(0).createCell(2).setCellValue("Time");
sheetInstalled.createRow(0).setRowStyle(style);
sheetInstalled.getRow(0).createCell(0).setCellValue("Program Name");
sheetInstalled.getRow(0).createCell(1).setCellValue("Install Date/Time");
sheetKeyword.createRow(0).setRowStyle(style);
sheetKeyword.getRow(0).createCell(0).setCellValue("Keyword");
sheetKeyword.getRow(0).createCell(1).setCellValue("File Name");
sheetKeyword.getRow(0).createCell(2).setCellValue("Preview");
sheetKeyword.getRow(0).createCell(3).setCellValue("Keyword LIst");
sheetRecent.createRow(0).setRowStyle(style);
sheetRecent.getRow(0).createCell(0).setCellValue("Name");
sheetRecent.getRow(0).createCell(1).setCellValue("Path");
sheetRecent.getRow(0).createCell(2).setCellValue("Related Shortcut");
sheetCookie.createRow(0).setRowStyle(style);
sheetCookie.getRow(0).createCell(0).setCellValue("URL");
sheetCookie.getRow(0).createCell(1).setCellValue("Date");
sheetCookie.getRow(0).createCell(2).setCellValue("Name");
sheetCookie.getRow(0).createCell(3).setCellValue("Value");
sheetCookie.getRow(0).createCell(4).setCellValue("Program");
sheetBookmark.createRow(0).setRowStyle(style);
sheetBookmark.getRow(0).createCell(0).setCellValue("URL");
sheetBookmark.getRow(0).createCell(1).setCellValue("Title");
sheetBookmark.getRow(0).createCell(2).setCellValue("Program");
sheetDownload.createRow(0).setRowStyle(style);
sheetDownload.getRow(0).createCell(0).setCellValue("File");
sheetDownload.getRow(0).createCell(1).setCellValue("Source");
sheetDownload.getRow(0).createCell(2).setCellValue("Time");
sheetDownload.getRow(0).createCell(3).setCellValue("Program");
sheetHistory.createRow(0).setRowStyle(style);
sheetHistory.getRow(0).createCell(0).setCellValue("URL");
sheetHistory.getRow(0).createCell(1).setCellValue("Date");
sheetHistory.getRow(0).createCell(2).setCellValue("Referrer");
sheetHistory.getRow(0).createCell(3).setCellValue("Title");
sheetHistory.getRow(0).createCell(4).setCellValue("Program");
for(int i = 0;i < wbtemp.getNumberOfSheets();i++){
Sheet tempsheet = wbtemp.getSheetAt(i);
tempsheet.setAutobreaks(true);
for (Row temprow : tempsheet){
for (Cell cell : temprow) {
cell.setCellStyle(style);
tempsheet.autoSizeColumn(cell.getColumnIndex());
}
}
}
int countedGen = 0;
int countedBookmark = 0;
int countedCookie = 0;
int countedHistory = 0;
int countedDownload = 0;
int countedRecentObjects = 0;
int countedTrackPoint = 0;
int countedInstalled = 0;
int countedKeyword = 0;
int countedHash = 0;
int countedDevice = 0;
//start populating the sheets in the workbook
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
break;
}
int cc = 0;
Long objId = entry.getKey().getObjectID();
FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer,String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for(n=1;n<=36;n++)
{
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
break;
}
String value = "";
int type = tempatt.getAttributeTypeID();
if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){
}
else if(type == 2){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())*1000));
}
else
{
value = tempatt.getValueString();
}
attributes.put(type, value);
cc++;
}
if(entry.getKey().getArtifactTypeID() == 1){
countedGen++;
// Row temp = sheetGen.getRow(countedGen);
}
if(entry.getKey().getArtifactTypeID() == 2){
countedBookmark++;
Row temp = sheetBookmark.createRow(countedBookmark);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 3){
countedCookie++;
Row temp = sheetCookie.createRow(countedCookie);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(2));
temp.createCell(2).setCellValue(attributes.get(3));
temp.createCell(3).setCellValue(attributes.get(6));
temp.createCell(4).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 4){
countedHistory++;
Row temp = sheetHistory.createRow(countedHistory);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(33));
temp.createCell(2).setCellValue(attributes.get(32));
temp.createCell(3).setCellValue(attributes.get(3));
temp.createCell(4).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 5){
countedDownload++;
Row temp = sheetDownload.createRow(countedDownload);
temp.createCell(0).setCellValue(attributes.get(8));
temp.createCell(1).setCellValue(attributes.get(1));
temp.createCell(2).setCellValue(attributes.get(33));
temp.createCell(3).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 6){
countedRecentObjects++;
Row temp = sheetRecent.createRow(countedRecentObjects);
temp.createCell(0).setCellValue(attributes.get(3));
temp.createCell(1).setCellValue(attributes.get(8));
temp.createCell(2).setCellValue(file.getName());
temp.createCell(3).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 7){
// sheetTrackpoint.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
countedInstalled++;
Row temp = sheetInstalled.createRow(countedInstalled);
temp.createCell(0).setCellValue(attributes.get(4));
temp.createCell(1).setCellValue(attributes.get(2));
}
if(entry.getKey().getArtifactTypeID() == 9){
countedKeyword++;
Row temp = sheetKeyword.createRow(countedKeyword);
temp.createCell(0).setCellValue(attributes.get(10));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(12));
temp.createCell(3).setCellValue(attributes.get(13));
}
if(entry.getKey().getArtifactTypeID() == 10){
countedHash++;
Row temp = sheetHash.createRow(countedHash);
temp.createCell(0).setCellValue(file.getName().toString());
temp.createCell(1).setCellValue(filesize.toString());
temp.createCell(2).setCellValue(attributes.get(30));
}
if(entry.getKey().getArtifactTypeID() == 11){
countedDevice++;
Row temp = sheetDevice.createRow(countedDevice);
temp.createCell(0).setCellValue(attributes.get(18));
temp.createCell(1).setCellValue(attributes.get(20));
temp.createCell(2).setCellValue(attributes.get(2));
}
cc++;
rr.progBarSet(cc);
}
//write out the report to the reports folder
try {
FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xlsx");
wbtemp.write(fos);
fos.close();
wb = wbtemp;
}
catch (IOException e) {
System.err.println(e);
}
}
catch(Exception E)
{
String test = E.toString();
}
}
}


@ -1,8 +1,25 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream;
import java.io.IOException;
import java.text.DateFormat;
@ -31,128 +48,129 @@ import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
public class reportXML {
public static Document xmldoc = new Document();
public reportXML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
try{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
Element root = new Element("Case");
xmldoc = new Document(root);
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
Comment comment = new Comment("XML Report Generated by Autopsy 3 on " + datetime);
root.addContent(comment);
//Create summary node involving how many of each type
Element summary = new Element("Summary");
if(IngestManager.getDefault().isIngestRunning())
{
summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!"));
public reportXML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
Element root = new Element("Case");
xmldoc = new Document(root);
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
Comment comment = new Comment("XML Report Generated by Autopsy 3 on " + datetime);
root.addContent(comment);
//Create summary node involving how many of each type
Element summary = new Element("Summary");
if (IngestManager.getDefault().isIngestRunning()) {
summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!"));
}
summary.addContent(new Element("Name").setText(caseName));
summary.addContent(new Element("Total-Images").setText(imagecount.toString()));
summary.addContent(new Element("Total-FileSystems").setText(filesystemcount.toString()));
summary.addContent(new Element("Total-Files").setText(totalfiles.toString()));
summary.addContent(new Element("Total-Directories").setText(totaldirs.toString()));
root.addContent(summary);
//generate the nodes for each of the types so we can use them later
Element nodeGen = new Element("General-Information");
Element nodeWebBookmark = new Element("Web-Bookmarks");
Element nodeWebCookie = new Element("Web-Cookies");
Element nodeWebHistory = new Element("Web-History");
Element nodeWebDownload = new Element("Web-Downloads");
Element nodeRecentObjects = new Element("Recent-Documents");
Element nodeTrackPoint = new Element("Track-Points");
Element nodeInstalled = new Element("Installed-Programfiles");
Element nodeKeyword = new Element("Keyword-Search-Hits");
Element nodeHash = new Element("Hashset-Hits");
Element nodeDevice = new Element("Attached-Devices");
//remove bytes
Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]");
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
break;
}
int cc = 0;
Element artifact = new Element("Artifact");
Long objId = entry.getKey().getObjectID();
Content cont = skCase.getContentById(objId);
Long filesize = cont.getSize();
artifact.setAttribute("ID", objId.toString());
artifact.setAttribute("Name", cont.accept(new NameVisitor()));
artifact.setAttribute("Size", filesize.toString());
// Get all the attributes for this guy
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
break;
}
Element attribute = new Element("Attribute").setAttribute("Type",tempatt.getAttributeTypeDisplayName());
String tempvalue = tempatt.getValueString();
//INVALID_XML_CHARS.matcher(tempvalue).replaceAll("");
Element value = new Element("Value").setText(tempvalue);
attribute.addContent(value);
Element context = new Element("Context").setText(StringEscapeUtils.escapeXml(tempatt.getContext()));
attribute.addContent(context);
artifact.addContent(attribute);
cc++;
}
if(entry.getKey().getArtifactTypeID() == 1){
//while (entry.getValue().iterator().hasNext())
// {
// }
nodeGen.addContent(artifact);
summary.addContent(new Element("Name").setText(caseName));
summary.addContent(new Element("Total-Images").setText(imagecount.toString()));
summary.addContent(new Element("Total-FileSystems").setText(filesystemcount.toString()));
summary.addContent(new Element("Total-Files").setText(totalfiles.toString()));
summary.addContent(new Element("Total-Directories").setText(totaldirs.toString()));
root.addContent(summary);
//generate the nodes for each of the types so we can use them later
Element nodeGen = new Element("General-Information");
Element nodeWebBookmark = new Element("Web-Bookmarks");
Element nodeWebCookie = new Element("Web-Cookies");
Element nodeWebHistory = new Element("Web-History");
Element nodeWebDownload = new Element("Web-Downloads");
Element nodeRecentObjects = new Element("Recent-Documents");
Element nodeTrackPoint = new Element("Track-Points");
Element nodeInstalled = new Element("Installed-Programfiles");
Element nodeKeyword = new Element("Keyword-Search-Hits");
Element nodeHash = new Element("Hashset-Hits");
Element nodeDevice = new Element("Attached-Devices");
//remove bytes
Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]");
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (reportFilter.cancel == true) {
break;
}
int cc = 0;
Element artifact = new Element("Artifact");
Long objId = entry.getKey().getObjectID();
Content cont = skCase.getContentById(objId);
Long filesize = cont.getSize();
artifact.setAttribute("ID", objId.toString());
artifact.setAttribute("Name", cont.accept(new NameVisitor()));
artifact.setAttribute("Size", filesize.toString());
// Get all the attributes for this guy
for (BlackboardAttribute tempatt : entry.getValue()) {
if (reportFilter.cancel == true) {
break;
}
Element attribute = new Element("Attribute").setAttribute("Type", tempatt.getAttributeTypeDisplayName());
String tempvalue = tempatt.getValueString();
//INVALID_XML_CHARS.matcher(tempvalue).replaceAll("");
Element value = new Element("Value").setText(tempvalue);
attribute.addContent(value);
Element context = new Element("Context").setText(StringEscapeUtils.escapeXml(tempatt.getContext()));
attribute.addContent(context);
artifact.addContent(attribute);
cc++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
//while (entry.getValue().iterator().hasNext())
// {
// }
nodeGen.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
nodeWebBookmark.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
nodeWebCookie.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
nodeWebHistory.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
nodeWebDownload.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
nodeRecentObjects.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
nodeTrackPoint.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
nodeInstalled.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
nodeKeyword.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
nodeHash.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
nodeDevice.addContent(artifact);
}
cc++;
rr.progBarSet(cc);
//end of master loop
}
if(entry.getKey().getArtifactTypeID() == 2){
nodeWebBookmark.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 3){
nodeWebCookie.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 4){
nodeWebHistory.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 5){
nodeWebDownload.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 6){
nodeRecentObjects.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 7){
nodeTrackPoint.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
nodeInstalled.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 9){
nodeKeyword.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 10){
nodeHash.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 11){
nodeDevice.addContent(artifact);
}
cc++;
rr.progBarSet(cc);
//end of master loop
}
//add them in the order we want them to the document
//add them in the order we want them to the document
root.addContent(nodeGen);
root.addContent(nodeWebBookmark);
root.addContent(nodeWebCookie);
@ -162,26 +180,24 @@ public class reportXML {
root.addContent(nodeTrackPoint);
root.addContent(nodeInstalled);
root.addContent(nodeKeyword);
root.addContent(nodeHash);
root.addContent(nodeHash);
root.addContent(nodeDevice);
try {
FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xml");
XMLOutputter serializer = new XMLOutputter();
serializer.output(xmldoc, out);
out.flush();
out.close();
}
catch (IOException e) {
System.err.println(e);
}
}
catch (Exception e){
Logger.getLogger(reportXML.class.getName()).log(Level.WARNING, "Exception occurred", e);
try {
FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".xml");
XMLOutputter serializer = new XMLOutputter();
serializer.output(xmldoc, out);
out.flush();
out.close();
} catch (IOException e) {
System.err.println(e);
}
} catch (Exception e) {
Logger.getLogger(reportXML.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
}
}
private class NameVisitor extends ContentVisitor.Default<String> {
@Override