mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-13 08:26:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/sleuthkit/autopsy

Browse Source 
- fix previous merge
This commit is contained in:
adam-m 2012-05-02 00:26:43 -04:00
parent a38d546ecb
commit ff96ae6f13
26 changed files with 3407 additions and 3169 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/BrowserActivity.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera * @author arivera
*/ */
public enum BrowserActivity { public enum BrowserActivity {
IE(0), IE(0),
FF(1), FF(1),
CH(2); CH(2);
private static final Map<Integer,BrowserActivity> lookup private static final Map<Integer, BrowserActivity> lookup = new HashMap<Integer, BrowserActivity>();
= new HashMap<Integer,BrowserActivity>();
static { static {
for(BrowserActivity bat : values()) for (BrowserActivity bat : values()) {
lookup.put(bat.type, bat); lookup.put(bat.type, bat);
} }
}
private int type; private int type;
private BrowserActivity(int type) private BrowserActivity(int type) {
{
this.type = type; this.type = type;
} }
public int getType() { return type; } public int getType() {
return type;
}
public static BrowserActivity get(int type) { public static BrowserActivity get(int type) {
switch (type) { switch (type) {
case 0: return IE; case 0:
case 1: return FF; return IE;
case 2: return CH; case 1:
return FF;
case 2:
return CH;
} }
return null; return null;
} }
} }

46
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/BrowserActivityType.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera * @author arivera
*/ */
public enum BrowserActivityType { public enum BrowserActivityType {
Cookies(0), Cookies(0),
Url(1), Url(1),
Bookmarks(2); Bookmarks(2);
private static final Map<Integer,BrowserActivityType> lookup private static final Map<Integer, BrowserActivityType> lookup = new HashMap<Integer, BrowserActivityType>();
= new HashMap<Integer,BrowserActivityType>();
static { static {
for(BrowserActivityType bat : values()) for (BrowserActivityType bat : values()) {
lookup.put(bat.type, bat); lookup.put(bat.type, bat);
} }
}
private int type; private int type;
private BrowserActivityType(int type) private BrowserActivityType(int type) {
{
this.type = type; this.type = type;
} }
public int getType() { return type; } public int getType() {
return type;
}
public static BrowserActivityType get(int type) { public static BrowserActivityType get(int type) {
switch (type) { switch (type) {
case 0: return Cookies; case 0:
case 1: return Url; return Cookies;
case 2: return Bookmarks; case 1:
return Url;
case 2:
return Bookmarks;
} }
return null; return null;
} }
} }

46
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/BrowserType.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -12,34 +28,36 @@ import java.util.Map;
* @author arivera * @author arivera
*/ */
public enum BrowserType { public enum BrowserType {
IE(0), //Internet Explorer IE(0), //Internet Explorer
FF(1), //Firefox FF(1), //Firefox
CH(2); //Chrome CH(2); //Chrome
private static final Map<Integer,BrowserType> lookup private static final Map<Integer, BrowserType> lookup = new HashMap<Integer, BrowserType>();
= new HashMap<Integer,BrowserType>();
static { static {
for(BrowserType bt : values()) for (BrowserType bt : values()) {
lookup.put(bt.type, bt); lookup.put(bt.type, bt);
} }
}
private int type; private int type;
private BrowserType(int type) private BrowserType(int type) {
{
this.type = type; this.type = type;
} }
public int getType() { return type; } public int getType() {
return type;
}
public static BrowserType get(int type) { public static BrowserType get(int type) {
switch (type) { switch (type) {
case 0: return IE; case 0:
case 1: return FF; return IE;
case 2: return CH; case 1:
return FF;
case 2:
return CH;
} }
return null; return null;
} }
} }

265
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
View File

@ -1,8 +1,25 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import com.google.gson.JsonArray; import com.google.gson.JsonArray;
import com.google.gson.JsonElement; import com.google.gson.JsonElement;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
@ -25,15 +42,13 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class Chrome { public class Chrome {
public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url";
public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies"; public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies";
@ -44,50 +59,57 @@ public class Chrome {
public int ChromeCount = 0; public int ChromeCount = 0;
public Chrome() { public Chrome() {
} }
public void getchdb(List<String> image, IngestImageWorkerController controller) { public void getchdb(List<String> image, IngestImageWorkerController controller) {
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb; List<FsContent> FFSqlitedb = null;
Map<String, Object> kvs = new LinkedHashMap<String, Object>(); Map<String, Object> kvs = new LinkedHashMap<String, Object>();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
ChromeCount = FFSqlitedb.size(); ChromeCount = FFSqlitedb.size();
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
while (j < FFSqlitedb.size()) if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write to disk.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString); dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chquery); ResultSet temprs = tempdbconnect.executeQry(chquery);
while(temprs.next()) while (temprs.next()) {
{ try {
String domain = Util.extractDomain(temprs.getString("url")); String domain = Util.extractDomain(temprs.getString("url"));
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
@ -98,69 +120,73 @@ public class Chrome {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to insert BB artifact.{0}", ex);
}
} }
tempdbconnect.closeConnection(); tempdbconnect.closeConnection();
temprs.close(); temprs.close();
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} }
catch (SQLException ex) IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
{ } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//COOKIES section //COOKIES section
// This gets the cookie info // This gets the cookie info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FFSqlitedb; }
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString); dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chcookiequery); ResultSet temprs = tempdbconnect.executeQry(chcookiequery);
while(temprs.next()) while (temprs.next()) {
{ try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = temprs.getString("host_key"); String domain = temprs.getString("host_key");
@ -171,63 +197,66 @@ public class Chrome {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
tempdbconnect.closeConnection(); tempdbconnect.closeConnection();
temprs.close(); temprs.close();
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} }
catch (SQLException ex) IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
{ } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//BOokmarks section //BOokmarks section
// This gets the bm info // This gets the bm info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FFSqlitedb; }
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO {0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{
final JsonParser parser = new JsonParser(); final JsonParser parser = new JsonParser();
JsonElement jsonElement = parser.parse(new FileReader(temps)); JsonElement jsonElement = parser.parse(new FileReader(temps));
@ -235,10 +264,8 @@ public class Chrome {
JsonObject whatever = test.get("roots").getAsJsonObject(); JsonObject whatever = test.get("roots").getAsJsonObject();
JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject(); JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject();
JsonArray whatever3 = whatever2.getAsJsonArray("children"); JsonArray whatever3 = whatever2.getAsJsonArray("children");
// JsonArray results = parser.parse(new FileReader(temps)).getAsJsonObject().getAsJsonArray("roots").getAsJsonObject().getAsJsonArray("bookmark_bar").get(0).getAsJsonObject().getAsJsonArray("children");
for (JsonElement result : whatever3) { for (JsonElement result : whatever3) {
try {
JsonObject address = result.getAsJsonObject(); JsonObject address = result.getAsJsonObject();
String url = address.get("url").getAsString(); String url = address.get("url").getAsString();
String name = address.get("name").getAsString(); String name = address.get("name").getAsString();
@ -252,66 +279,70 @@ public class Chrome {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to insert BB artifact{0}", ex);
}
} }
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex); logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} }
catch (SQLException ex) IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
{ } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section //Downloads section
// This gets the downloads info // This gets the downloads info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb; List<FsContent> FFSqlitedb = null;
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString); dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chdownloadquery); ResultSet temprs = tempdbconnect.executeQry(chdownloadquery);
while(temprs.next()) while (temprs.next()) {
{ try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = Util.extractDomain(temprs.getString("url")); String domain = Util.extractDomain(temprs.getString("url"));
@ -323,100 +354,98 @@ public class Chrome {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
tempdbconnect.closeConnection(); tempdbconnect.closeConnection();
temprs.close(); temprs.close();
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
} }
catch (SQLException ex) } catch (Exception ex) {
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Login/Password section //Login/Password section
// This gets the user info // This gets the user info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FFSqlitedb; }
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString); dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chloginquery); ResultSet temprs = tempdbconnect.executeQry(chloginquery);
while(temprs.next()) while (temprs.next()) {
{ try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
tempdbconnect.closeConnection(); tempdbconnect.closeConnection();
temprs.close(); temprs.close();
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} } catch (Exception ex) {
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
} }
} }

41
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractAll.java
View File

@ -1,9 +1,26 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.sql.SQLException;
import java.util.List; import java.util.List;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@ -14,10 +31,8 @@ import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
public class ExtractAll { public class ExtractAll {
void ExtractAll() { void ExtractAll() {
} }
public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds) { public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds) {
controller.switchToDeterminate(3); controller.switchToDeterminate(3);
try { try {
@ -27,34 +42,38 @@ public class ExtractAll {
ExtractRegistry eree = new ExtractRegistry(); ExtractRegistry eree = new ExtractRegistry();
eree.getregistryfiles(imgIds, controller); eree.getregistryfiles(imgIds, controller);
controller.progress(1); controller.progress(1);
if (controller.isCancelled()) if (controller.isCancelled()) {
return true; return true;
}
Firefox ffre = new Firefox(); Firefox ffre = new Firefox();
ffre.getffdb(imgIds, controller); ffre.getffdb(imgIds, controller);
controller.progress(2); controller.progress(2);
if (controller.isCancelled()) if (controller.isCancelled()) {
return true; return true;
}
Chrome chre = new Chrome(); Chrome chre = new Chrome();
chre.getchdb(imgIds, controller); chre.getchdb(imgIds, controller);
controller.progress(3); controller.progress(3);
if (controller.isCancelled()) if (controller.isCancelled()) {
return true; return true;
}
ExtractIE eere = new ExtractIE(imgIds, controller); ExtractIE eere = new ExtractIE(imgIds, controller);
eere.parsePascoResults(); eere.parsePascoResults();
controller.progress(4); controller.progress(4);
if (controller.isCancelled()) if (controller.isCancelled()) {
return true; return true;
}
//Find a way to put these results into BB //Find a way to put these results into BB
return true; return true;
} } catch (SQLException e) {
catch(Error e){ return false;
} catch (Error e) {
return false; return false;
} }
} }
} }

166
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java
View File

@ -1,8 +1,10 @@
/* /*
*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2012 42six Solutions.
* Contact: carrier <at> sleuthkit <dot> org * Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -27,7 +29,6 @@ import java.io.IOException;
import java.sql.ResultSet; import java.sql.ResultSet;
//Util Imports //Util Imports
import java.sql.SQLException;
import java.text.ParseException; import java.text.ParseException;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.ArrayList; import java.util.ArrayList;
@ -43,7 +44,6 @@ import java.util.regex.Pattern;
// TSK Imports // TSK Imports
import org.openide.modules.InstalledFileLocator; import org.openide.modules.InstalledFileLocator;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.datamodel.DataConversion; import org.sleuthkit.autopsy.datamodel.DataConversion;
@ -58,7 +58,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException; import org.sleuthkit.autopsy.coreutils.PlatformUtil;
public class ExtractIE { // implements BrowserActivity { public class ExtractIE { // implements BrowserActivity {
@ -69,19 +69,16 @@ public class ExtractIE { // implements BrowserActivity {
private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'"; private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'";
//sleauthkit db handle //sleauthkit db handle
SleuthkitCase tempDb; SleuthkitCase tempDb;
//paths set in init() //paths set in init()
private String PASCO_RESULTS_PATH; private String PASCO_RESULTS_PATH;
private String PASCO_LIB_PATH; private String PASCO_LIB_PATH;
private String JAVA_PATH;
//Results List to be referenced/used outside the class //Results List to be referenced/used outside the class
public ArrayList<HashMap<String, Object>> PASCO_RESULTS_LIST = new ArrayList<HashMap<String, Object>>(); public ArrayList<HashMap<String, Object>> PASCO_RESULTS_LIST = new ArrayList<HashMap<String, Object>>();
//Look Up Table that holds Pasco2 results //Look Up Table that holds Pasco2 results
private HashMap<String, Object> PASCO_RESULTS_LUT; private HashMap<String, Object> PASCO_RESULTS_LUT;
private KeyValue IE_PASCO_LUT = new KeyValue(BrowserType.IE.name(), BrowserType.IE.getType()); private KeyValue IE_PASCO_LUT = new KeyValue(BrowserType.IE.name(), BrowserType.IE.getType());
public LinkedHashMap<String, Object> IE_OBJ; public LinkedHashMap<String, Object> IE_OBJ;
boolean pascoFound = false; boolean pascoFound = false;
public ExtractIE(List<String> image, IngestImageWorkerController controller) { public ExtractIE(List<String> image, IngestImageWorkerController controller) {
@ -89,27 +86,30 @@ public class ExtractIE { // implements BrowserActivity {
//Favorites section //Favorites section
// This gets the favorite info // This gets the favorite info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FavoriteList; }
List<FsContent> FavoriteList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(favoriteQuery + allFS); ResultSet rs = tempDb.runQuery(favoriteQuery + allFS);
FavoriteList = tempDb.resultSetToFsContents(rs); FavoriteList = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
for(FsContent Favorite : FavoriteList) for (FsContent Favorite : FavoriteList) {
{
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
@ -122,13 +122,13 @@ public class ExtractIE { // implements BrowserActivity {
String url = ""; String url = "";
Pattern p = Pattern.compile(re1 + re2, Pattern.CASE_INSENSITIVE | Pattern.DOTALL); Pattern p = Pattern.compile(re1 + re2, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m = p.matcher(bookmarkString); Matcher m = p.matcher(bookmarkString);
if (m.find()) if (m.find()) {
{
url = m.group(1); url = m.group(1);
} }
String name = Favorite.getName(); String name = Favorite.getName();
String datetime = Favorite.getCrtimeAsDate(); Long datetime = Favorite.getCrtime();
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
try {
BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", datetime));
@ -138,41 +138,42 @@ public class ExtractIE { // implements BrowserActivity {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
} } catch (Exception ex) {
catch(TskException ex)
{
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
} }
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
//Cookies section //Cookies section
// This gets the cookies info // This gets the cookies info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> CookiesList; }
List<FsContent> CookiesList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(cookiesQuery + allFS); ResultSet rs = tempDb.runQuery(cookiesQuery + allFS);
CookiesList = tempDb.resultSetToFsContents(rs); CookiesList = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
for(FsContent Cookie : CookiesList) for (FsContent Cookie : CookiesList) {
{
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
@ -185,8 +186,9 @@ public class ExtractIE { // implements BrowserActivity {
String url = values.length > 2 ? values[2] : ""; String url = values.length > 2 ? values[2] : "";
String value = values.length > 1 ? values[1] : ""; String value = values.length > 1 ? values[1] : "";
String name = values.length > 0 ? values[0] : ""; String name = values.length > 0 ? values[0] : "";
String datetime = Cookie.getCrtimeAsDate(); Long datetime = Cookie.getCrtime();
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
try {
BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
@ -196,44 +198,46 @@ public class ExtractIE { // implements BrowserActivity {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} } catch (Exception ex) {
catch(TskException ex)
{
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
} }
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
//Recent Documents section //Recent Documents section
// This gets the recent object info // This gets the recent object info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> RecentList; }
List<FsContent> RecentList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(recentQuery + allFS); ResultSet rs = tempDb.runQuery(recentQuery + allFS);
RecentList = tempDb.resultSetToFsContents(rs); RecentList = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
for(FsContent Recent : RecentList) for (FsContent Recent : RecentList) {
{
if (controller.isCancelled()) { if (controller.isCancelled()) {
break; break;
} }
@ -259,7 +263,8 @@ public class ExtractIE { // implements BrowserActivity {
String path = Util.getPath(recentString); String path = Util.getPath(recentString);
String name = Util.getFileName(path); String name = Util.getFileName(path);
String datetime = Recent.getCrtimeAsDate(); Long datetime = Recent.getCrtime();
try {
BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", "Last Visited", path)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", "Last Visited", path));
@ -268,19 +273,17 @@ public class ExtractIE { // implements BrowserActivity {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Windows Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Windows Explorer"));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
} } catch (Exception ex) {
catch(TskException ex)
{
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
} }
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
} }
@ -293,8 +296,11 @@ public class ExtractIE { // implements BrowserActivity {
private void init(List<String> image, IngestImageWorkerController controller) { private void init(List<String> image, IngestImageWorkerController controller) {
final Case currentCase = Case.getCurrentCase(); final Case currentCase = Case.getCurrentCase();
final String caseDir = Case.getCurrentCase().getCaseDirectory(); final String caseDir = Case.getCurrentCase().getCaseDirectory();
PASCO_RESULTS_PATH = caseDir + File.separator + "recentactivity" + File.separator + "results"; PASCO_RESULTS_PATH = Case.getCurrentCase().getTempDirectory() + File.separator + "results";
JAVA_PATH = PlatformUtil.getJavaPath();
if (JAVA_PATH.isEmpty() || JAVA_PATH == null) {
JAVA_PATH = "java";
}
logger.log(Level.INFO, "Pasco results path: " + PASCO_RESULTS_PATH); logger.log(Level.INFO, "Pasco results path: " + PASCO_RESULTS_PATH);
final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false);
@ -302,8 +308,7 @@ public class ExtractIE { // implements BrowserActivity {
logger.log(Level.SEVERE, "Pasco2 not found"); logger.log(Level.SEVERE, "Pasco2 not found");
pascoFound = false; pascoFound = false;
return; return;
} } else {
else {
pascoFound = true; pascoFound = true;
} }
@ -317,20 +322,26 @@ public class ExtractIE { // implements BrowserActivity {
File resultsDir = new File(PASCO_RESULTS_PATH); File resultsDir = new File(PASCO_RESULTS_PATH);
resultsDir.mkdirs(); resultsDir.mkdirs();
Collection<FsContent> FsContentCollection; Collection<FsContent> FsContentCollection = null;
tempDb = currentCase.getSleuthkitCase(); tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
}
try {
ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS); ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS);
FsContentCollection = tempDb.resultSetToFsContents(rs); FsContentCollection = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
String temps; String temps;
String indexFileName; String indexFileName;
@ -350,8 +361,7 @@ public class ExtractIE { // implements BrowserActivity {
} }
try { try {
ContentUtils.writeToFile(fsc, datFile); ContentUtils.writeToFile(fsc, datFile);
} } catch (IOException e) {
catch (IOException e) {
logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e);
} }
@ -378,8 +388,9 @@ public class ExtractIE { // implements BrowserActivity {
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath // TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now. // I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private boolean executePasco(String indexFilePath, int fileIndex) { private boolean executePasco(String indexFilePath, int fileIndex) {
if (pascoFound == false) if (pascoFound == false) {
return false; return false;
}
boolean success = true; boolean success = true;
try { try {
@ -393,7 +404,7 @@ public class ExtractIE { // implements BrowserActivity {
command.append(" > \"").append(PASCO_RESULTS_PATH).append("\\pasco2Result.").append(Integer.toString(fileIndex)).append(".txt\""); command.append(" > \"").append(PASCO_RESULTS_PATH).append("\\pasco2Result.").append(Integer.toString(fileIndex)).append(".txt\"");
// command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\""); // command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\"");
String cmd = command.toString(); String cmd = command.toString();
JavaSystemCaller.Exec.execute("\"java "+cmd+ "\""); JavaSystemCaller.Exec.execute("\"" + JAVA_PATH + " " + cmd + "\"");
} catch (Exception e) { } catch (Exception e) {
success = false; success = false;
@ -404,8 +415,9 @@ public class ExtractIE { // implements BrowserActivity {
} }
public void parsePascoResults() { public void parsePascoResults() {
if (pascoFound == false) if (pascoFound == false) {
return; return;
}
// First thing we want to do is check to make sure the results directory // First thing we want to do is check to make sure the results directory
// is not empty. // is not empty.
File rFile = new File(PASCO_RESULTS_PATH); File rFile = new File(PASCO_RESULTS_PATH);
@ -456,8 +468,7 @@ public class ExtractIE { // implements BrowserActivity {
String user = ""; String user = "";
String realurl = ""; String realurl = "";
String domain = ""; String domain = "";
if(url.length > 1) if (url.length > 1) {
{
user = url[0]; user = url[0];
user = user.replace("Visited:", ""); user = user.replace("Visited:", "");
user = user.replace(":Host:", ""); user = user.replace(":Host:", "");
@ -478,13 +489,13 @@ public class ExtractIE { // implements BrowserActivity {
try { try {
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime(); Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime();
ftime = epochtime.longValue(); ftime = epochtime.longValue();
} } catch (ParseException e) {
catch(ParseException e){
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage()); logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
} }
} }
// TODO: Need to fix this so we have the right obj_id // TODO: Need to fix this so we have the right obj_id
try {
BlackboardArtifact bbart = tempDb.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); BlackboardArtifact bbart = tempDb.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", realurl)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", realurl));
@ -499,6 +510,9 @@ public class ExtractIE { // implements BrowserActivity {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", user)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", user));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
//KeyValueThing //KeyValueThing
//This will be redundant in terms IE.name() because of //This will be redundant in terms IE.name() because of
@ -508,8 +522,8 @@ public class ExtractIE { // implements BrowserActivity {
IE_PASCO_LUT.addMap(IE_OBJ); IE_PASCO_LUT.addMap(IE_OBJ);
PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT); PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT);
} catch (TskException ex) { } catch (Exception ex) {
Exceptions.printStackTrace(ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
} }

163
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
View File

@ -4,22 +4,14 @@
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.io.BufferedReader;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.*;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.text.ParseException;
import java.util.ArrayList; import java.text.SimpleDateFormat;
import java.util.Collection; import java.util.*;
import java.util.Iterator;
import java.util.List;
import java.util.Scanner;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
import org.apache.commons.lang3.StringEscapeUtils;
import org.jdom.Document; import org.jdom.Document;
import org.jdom.Element; import org.jdom.Element;
import org.jdom.input.SAXBuilder; import org.jdom.input.SAXBuilder;
@ -27,15 +19,9 @@ import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.*;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* *
@ -47,14 +33,14 @@ public class ExtractRegistry {
private String RR_PATH; private String RR_PATH;
boolean rrFound = false; boolean rrFound = false;
private int sysid; private int sysid;
ExtractRegistry() { ExtractRegistry() {
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false);
if (rrRoot == null) { if (rrRoot == null) {
logger.log(Level.SEVERE, "RegRipper not found"); logger.log(Level.SEVERE, "RegRipper not found");
rrFound = false; rrFound = false;
return; return;
} } else {
else {
rrFound = true; rrFound = true;
} }
try { try {
@ -65,9 +51,7 @@ public class ExtractRegistry {
while (artset.next()) { while (artset.next()) {
sysid = artset.getInt("artifact_type_id"); sysid = artset.getInt("artifact_type_id");
} }
} } catch (Exception e) {
catch(Exception e){
} }
final String rrHome = rrRoot.getAbsolutePath(); final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome); logger.log(Level.INFO, "RegRipper home: " + rrHome);
@ -75,102 +59,88 @@ public class ExtractRegistry {
RR_PATH = rrHome + File.separator + "rip.exe"; RR_PATH = rrHome + File.separator + "rip.exe";
} }
public void getregistryfiles(List<String> image, IngestImageWorkerController controller) { public void getregistryfiles(List<String> image, IngestImageWorkerController controller) {
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> Regfiles; }
List<FsContent> Regfiles = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS);
Regfiles = tempDb.resultSetToFsContents(rs); Regfiles = tempDb.resultSetToFsContents(rs);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
while (j < Regfiles.size()) while (j < Regfiles.size()) {
{
boolean Success; boolean Success;
Content orgFS = Regfiles.get(j); Content orgFS = Regfiles.get(j);
long orgId = orgFS.getId(); long orgId = orgFS.getId();
String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString(); String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString();
try {
ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName())); ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName()));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File regFile = new File(temps); File regFile = new File(temps);
String txtPath = executeRegRip(temps, j); String txtPath = executeRegRip(temps, j);
if(txtPath.length() > 0) if (txtPath.length() > 0) {
{
Success = parseReg(txtPath, orgId); Success = parseReg(txtPath, orgId);
} } else {
else
{
Success = false; Success = false;
} }
//At this point pasco2 proccessed the index files. //At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files. //Now fetch the results, parse them and the delete the files.
if(Success) if (Success) {
{
//Delete dat file since it was succcessful //Delete dat file since it was succcessful
regFile.delete(); regFile.delete();
} }
j++; j++;
} }
} } catch (Exception ex) {
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Registry files", ex); logger.log(Level.WARNING, "Error while trying to get Registry files", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
}
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath // TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now. // I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private String executeRegRip(String regFilePath, int fileIndex) private String executeRegRip(String regFilePath, int fileIndex) {
{
String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt"; String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt";
String type = ""; String type = "";
try try {
{
if(regFilePath.toLowerCase().contains("system")) if (regFilePath.toLowerCase().contains("system")) {
{
type = "autopsysystem"; type = "autopsysystem";
} }
if(regFilePath.toLowerCase().contains("software")) if (regFilePath.toLowerCase().contains("software")) {
{
type = "autopsysoftware"; type = "autopsysoftware";
} }
if(regFilePath.toLowerCase().contains("ntuser")) if (regFilePath.toLowerCase().contains("ntuser")) {
{
type = "autopsy"; type = "autopsy";
} }
if(regFilePath.toLowerCase().contains("default")) if (regFilePath.toLowerCase().contains("default")) {
{
type = "1default"; type = "1default";
} }
if(regFilePath.toLowerCase().contains("sam")) if (regFilePath.toLowerCase().contains("sam")) {
{
type = "1sam"; type = "1sam";
} }
if(regFilePath.toLowerCase().contains("security")) if (regFilePath.toLowerCase().contains("security")) {
{
type = "1security"; type = "1security";
} }
@ -178,9 +148,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
JavaSystemCaller.Exec.execute("\"" + command + "\""); JavaSystemCaller.Exec.execute("\"" + command + "\"");
} } catch (Exception e) {
catch(Exception e)
{
logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> ", e.getMessage()); logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> ", e.getMessage());
} }
@ -188,15 +156,12 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
return txtPath; return txtPath;
} }
private boolean parseReg(String regRecord, long orgId) {
private boolean parseReg(String regRecord, long orgId)
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try { try {
File regfile = new File(regRecord); File regfile = new File(regRecord);
FileInputStream fstream = new FileInputStream(regfile); FileInputStream fstream = new FileInputStream(regfile);
InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8"); InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8");
BufferedReader input = new BufferedReader(fstreamReader); BufferedReader input = new BufferedReader(fstreamReader);
@ -216,25 +181,27 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
Element root = document.getRootElement(); Element root = document.getRootElement();
List<Element> types = root.getChildren(); List<Element> types = root.getChildren();
Iterator<Element> iterator = types.iterator(); Iterator<Element> iterator = types.iterator();
//for(int i = 0; i < types.size(); i++)
//for(Element tempnode : types)
while (iterator.hasNext()) { while (iterator.hasNext()) {
String time = ""; String etime = "";
String context = ""; String context = "";
Element tempnode = iterator.next(); Element tempnode = iterator.next();
// Element tempnode = types.get(i); // Element tempnode = types.get(i);
context = tempnode.getName(); context = tempnode.getName();
Element timenode = tempnode.getChild("time"); Element timenode = tempnode.getChild("time");
time = timenode.getTextTrim(); etime = timenode.getTextTrim();
Long time = null;
try {
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(etime).getTime();
time = epochtime.longValue();
} catch (ParseException e) {
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
}
Element artroot = tempnode.getChild("artifacts"); Element artroot = tempnode.getChild("artifacts");
List<Element> artlist = artroot.getChildren(); List<Element> artlist = artroot.getChildren();
String winver = ""; String winver = "";
String installdate = ""; String installdate = "";
if (artlist.isEmpty()) { if (artlist.isEmpty()) {
} } else {
else{
Iterator<Element> aiterator = artlist.iterator(); Iterator<Element> aiterator = artlist.iterator();
while (aiterator.hasNext()) { while (aiterator.hasNext()) {
Element artnode = aiterator.next(); Element artnode = aiterator.next();
@ -248,66 +215,46 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
// bbart.addAttributes(bbattributes); // bbart.addAttributes(bbattributes);
} } else if ("usb".equals(context)) {
else if("usb".equals(context)){
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
String dev = artnode.getAttributeValue("dev"); String dev = artnode.getAttributeValue("dev");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} } else if ("uninstall".equals(context)) {
else if("uninstall".equals(context)){
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} } else if ("WinVersion".equals(context)) {
else if("WinVersion".equals(context)){
if(name.contains("ProductName")) if (name.contains("ProductName")) {
{
winver = value; winver = value;
} }
if (name.contains("CSDVersion")) { if (name.contains("CSDVersion")) {
winver = winver + " " + value; winver = winver + " " + value;
} }
if(name.contains("InstallDate")) if (name.contains("InstallDate")) {
{
installdate = value; installdate = value;
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} }
} } else {
else
{
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid); BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} }
} }
} }
} }
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex); logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
String sadafd = "";
} }
return true; return true;
} }
} }

252
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java
View File

@ -1,30 +1,49 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import java.sql.*;
import java.util.logging.Level;
import java.util.logging.Logger;
//<editor-fold defaultstate="collapsed" desc="comment">
import java.lang.*;
//</editor-fold>
import java.util.*;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.net.URLDecoder; import java.net.URLDecoder;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.autopsy.ingest.IngestManager; import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.autopsy.ingest.ServiceDataEvent; import org.sleuthkit.autopsy.ingest.ServiceDataEvent;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.*;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* *
* @author Alex * @author Alex
@ -33,64 +52,66 @@ public class Firefox {
private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
private static final String ffcookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed,(creationTime/1000) as creationTime FROM moz_cookies"; private static final String ffcookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed,(creationTime/1000) as creationTime FROM moz_cookies";
private static final String ff3cookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed FROM moz_cookies";
private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id";
private static final String ffdownloadquery = "select target, source,(startTime/1000) as startTime, maxBytes from moz_downloads"; private static final String ffdownloadquery = "select target, source,(startTime/1000) as startTime, maxBytes from moz_downloads";
public Logger logger = Logger.getLogger(this.getClass().getName()); public Logger logger = Logger.getLogger(this.getClass().getName());
public int FireFoxCount = 0; public int FireFoxCount = 0;
public Firefox() { public Firefox() {
} }
public void getffdb(List<String> image, IngestImageWorkerController controller){ public void getffdb(List<String> image, IngestImageWorkerController controller) throws SQLException {
//Make these seperate, this is for history //Make these seperate, this is for history
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FFSqlitedb; }
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement(); Statement s = rs.getStatement();
rs.close(); rs.close();
if (s != null) if (s != null) {
s.close(); s.close();
FireFoxCount = FFSqlitedb.size(); FireFoxCount = FFSqlitedb.size();
}
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (SQLException ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try ResultSet temprs = Util.runQuery(ffquery, connectionString);
{ while (temprs.next()) {
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffquery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : "")));
@ -100,25 +121,19 @@ public class Firefox {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", (Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", (Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : ""))));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
}
temprs.close();
tempdbconnect.closeConnection();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
}
try temprs.close();
{
try {
dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC", connectionString); dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery); ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery);
while(tempbm.next()) while (tempbm.next()) {
{ try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((tempbm.getString("url") != null) ? tempbm.getString("url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((tempbm.getString("url") != null) ? tempbm.getString("url") : "")));
@ -126,12 +141,13 @@ public class Firefox {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(tempbm.getString("url")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(tempbm.getString("url"))));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
tempbm.close(); tempbm.close();
tempdbconnect2.closeConnection(); tempdbconnect2.closeConnection();
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
@ -142,173 +158,169 @@ public class Firefox {
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} }
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
} }
catch(IOException ioex) catch (Exception ex) {
{ logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
} }
//COOKIES section //COOKIES section
// This gets the cookie info // This gets the cookie info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FFSqlitedb; }
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", connectionString);
{ String query;
if (checkColumn) {
query = ffcookiequery;
} else {
query = ff3cookiequery;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString); dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffcookiequery); ResultSet temprs = tempdbconnect.executeQry(query);
while(temprs.next()) while (temprs.next()) {
{ try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("lastAccessed"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("lastAccessed")));
if (checkColumn == true) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", temprs.getLong("creationTime")));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", temprs.getString("host"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
tempdbconnect.closeConnection(); tempdbconnect.closeConnection();
temprs.close(); temprs.close();
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} }
catch (SQLException ex) IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
{ } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex); logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section //Downloads section
// This gets the downloads info // This gets the downloads info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for (int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FFSqlitedb; }
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled()) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString); dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery); ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery);
while(temprs.next()) while (temprs.next()) {
{ try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("startTime"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("startTime")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("source") != null) ? temprs.getString("source") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("source") != null) ? temprs.getString("source") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8"); String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(urldecodedtarget))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(urldecodedtarget)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(temprs.getString("source")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(temprs.getString("source"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbart.addAttributes(bbattributes); bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
tempdbconnect.closeConnection(); tempdbconnect.closeConnection();
temprs.close(); temprs.close();
} } catch (Exception ex) {
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
} }
catch (SQLException ex) IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
{ } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex); logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
} }
} }
}
//@Override
// public HashMap<String,String> ExtractActivity() {
// return ExtractActivity;
//
// }

308
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/JavaSystemCaller.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -11,109 +27,113 @@ import java.io.InputStreamReader;
import java.util.ArrayList; import java.util.ArrayList;
/** /**
* Make a system call through a system shell in a platform-independent manner in Java. <br /> * Make a system call through a system shell in a platform-independent manner in
* This class only demonstrate a 'dir' or 'ls' within current (execution) path, if no parameters are used. * Java. <br /> This class only demonstrate a 'dir' or 'ls' within current
* If parameters are used, the first one is the system command to execute, the others are its system command parameters. <br /> * (execution) path, if no parameters are used. If parameters are used, the
* To be system independent, an <b><a href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm"> * first one is the system command to execute, the others are its system command
* Abstract Factory Pattern</a></b> will be used to build the right underlying system shell in which the system command will be executed. * parameters. <br /> To be system independent, an <b><a
* href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm">
* Abstract Factory Pattern</a></b> will be used to build the right underlying
* system shell in which the system command will be executed.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
* @see <a href="http://stackoverflow.com/questions/236737#236873"> * @see <a href="http://stackoverflow.com/questions/236737#236873"> How to make
How to make a system call that returns the stdout output as a string in various languages?</a> * a system call that returns the stdout output as a string in various
* languages?</a>
*/ */
public final class JavaSystemCaller public final class JavaSystemCaller {
{
/** /**
* Execute a system command. <br /> * Execute a system command. <br /> Default is 'ls' in current directory if
* Default is 'ls' in current directory if no parameters, or a system command (if Windows, it is automatically translated to 'dir') * no parameters, or a system command (if Windows, it is automatically
* @param args first element is the system command, the others are its parameters (NOT NULL) * translated to 'dir')
*
* @param args first element is the system command, the others are its
* parameters (NOT NULL)
* @throws IllegalArgumentException if one parameters is null or empty. * @throws IllegalArgumentException if one parameters is null or empty.
* 'args' can be empty (default 'ls' performed then) * 'args' can be empty (default 'ls' performed then)
*/ */
public static void main(final String[] args) public static void main(final String[] args) {
{
String anOutput = ""; String anOutput = "";
if(args.length == 0) if (args.length == 0) {
{
anOutput = Exec.execute("ls"); anOutput = Exec.execute("ls");
} } else {
else
{
String[] someParameters = null; String[] someParameters = null;
anOutput = Exec.execute(args[0], someParameters); anOutput = Exec.execute(args[0], someParameters);
} }
System.out.println("Final output: " + anOutput); System.out.println("Final output: " + anOutput);
} }
/** /**
* Asynchronously read the output of a given input stream. <br /> * Asynchronously read the output of a given input stream. <br /> Any
* Any exception during execution of the command in managed in this thread. * exception during execution of the command in managed in this thread.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ */
public static class StreamGobbler extends Thread public static class StreamGobbler extends Thread {
{
private InputStream is; private InputStream is;
private String type; private String type;
private StringBuffer output = new StringBuffer(); private StringBuffer output = new StringBuffer();
StreamGobbler(final InputStream anIs, final String aType) StreamGobbler(final InputStream anIs, final String aType) {
{
this.is = anIs; this.is = anIs;
this.type = aType; this.type = aType;
} }
/** /**
* Asynchronous read of the input stream. <br /> * Asynchronous read of the input stream. <br /> Will report output as
* Will report output as its its displayed. * its its displayed.
*
* @see java.lang.Thread#run() * @see java.lang.Thread#run()
*/ */
@Override @Override
public final void run() public final void run() {
{ try {
try
{
final InputStreamReader isr = new InputStreamReader(this.is); final InputStreamReader isr = new InputStreamReader(this.is);
final BufferedReader br = new BufferedReader(isr); final BufferedReader br = new BufferedReader(isr);
String line = null; String line = null;
while ( (line = br.readLine()) != null) while ((line = br.readLine()) != null) {
{
System.out.println(this.type + ">" + line); System.out.println(this.type + ">" + line);
this.output.append(line + System.getProperty("line.separator")); this.output.append(line + System.getProperty("line.separator"));
} }
} catch (final IOException ioe) } catch (final IOException ioe) {
{
ioe.printStackTrace(); ioe.printStackTrace();
} }
} }
/** /**
* Get output filled asynchronously. <br /> * Get output filled asynchronously. <br /> Should be called after
* Should be called after execution * execution
*
* @return final output * @return final output
*/ */
public final String getOutput() public final String getOutput() {
{
return this.output.toString(); return this.output.toString();
} }
} }
/**
* Execute a system command in the appropriate shell. <br />
* Read asynchronously stdout and stderr to report any result.
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec
{
/** /**
* Execute a system command. <br /> * Execute a system command in the appropriate shell. <br /> Read
* Listen asynchronously to stdout and stderr * asynchronously stdout and stderr to report any result.
* @param aCommand system command to be executed (must not be null or empty) *
* @param someParameters parameters of the command (must not be null or empty) * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec {
/**
* Execute a system command. <br /> Listen asynchronously to stdout and
* stderr
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
* @return final output (stdout only) * @return final output (stdout only)
*/ */
public static String execute(final String aCommand, final String... someParameters) public static String execute(final String aCommand, final String... someParameters) {
{
String output = ""; String output = "";
try try {
{
ExecEnvironmentFactory anExecEnvFactory = getExecEnvironmentFactory(aCommand, someParameters); ExecEnvironmentFactory anExecEnvFactory = getExecEnvironmentFactory(aCommand, someParameters);
final IShell aShell = anExecEnvFactory.createShell(); final IShell aShell = anExecEnvFactory.createShell();
final String aCommandLine = anExecEnvFactory.createCommandLine(); final String aCommandLine = anExecEnvFactory.createCommandLine();
@ -123,12 +143,10 @@ public final class JavaSystemCaller
final Process proc = rt.exec(aShell.getShellCommand() + " " + aCommandLine); final Process proc = rt.exec(aShell.getShellCommand() + " " + aCommandLine);
// any error message? // any error message?
final StreamGobbler errorGobbler = new final StreamGobbler errorGobbler = new StreamGobbler(proc.getErrorStream(), "ERROR");
StreamGobbler(proc.getErrorStream(), "ERROR");
// any output? // any output?
final StreamGobbler outputGobbler = new final StreamGobbler outputGobbler = new StreamGobbler(proc.getInputStream(), "OUTPUT");
StreamGobbler(proc.getInputStream(), "OUTPUT");
// kick them off // kick them off
errorGobbler.start(); errorGobbler.start();
@ -140,73 +158,95 @@ public final class JavaSystemCaller
output = outputGobbler.getOutput(); output = outputGobbler.getOutput();
} catch (final Throwable t) } catch (final Throwable t) {
{
t.printStackTrace(); t.printStackTrace();
} }
return output; return output;
} }
private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters) private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters) {
{
final String anOSName = System.getProperty("os.name"); final String anOSName = System.getProperty("os.name");
if(anOSName.toLowerCase().startsWith("windows")) if (anOSName.toLowerCase().startsWith("windows")) {
{
return new WindowsExecEnvFactory(aCommand, someParameters); return new WindowsExecEnvFactory(aCommand, someParameters);
} }
return new UnixExecEnvFactory(aCommand, someParameters); return new UnixExecEnvFactory(aCommand, someParameters);
// TODO be more specific for other OS. // TODO be more specific for other OS.
} }
private Exec() { /**/ } private Exec() { /*
*
*/ }
} }
private JavaSystemCaller() { /**/ }
private JavaSystemCaller() { /*
*
*/ }
/* /*
* ABSTRACT FACTORY PATTERN * ABSTRACT FACTORY PATTERN
*/ */
/** /**
* Environment needed to be build for the Exec class to be able to execute the system command. <br /> * Environment needed to be build for the Exec class to be able to execute
* Must have the right shell and the right command line. <br /> * the system command. <br /> Must have the right shell and the right
* command line. <br />
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ */
public abstract static class ExecEnvironmentFactory public abstract static class ExecEnvironmentFactory {
{
private String command = null; private String command = null;
private ArrayList<String> parameters = new ArrayList<String>(); private ArrayList<String> parameters = new ArrayList<String>();
final String getCommand() { return this.command; }
final ArrayList<String> getParameters() { return this.parameters; } final String getCommand() {
return this.command;
}
final ArrayList<String> getParameters() {
return this.parameters;
}
/** /**
* Builds an execution environment for a system command to be played. <br /> * Builds an execution environment for a system command to be played.
* Independent from the OS. * <br /> Independent from the OS.
* @param aCommand system command to be executed (must not be null or empty) *
* @param someParameters parameters of the command (must not be null or empty) * @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/ */
public ExecEnvironmentFactory(final String aCommand, final String... someParameters) public ExecEnvironmentFactory(final String aCommand, final String... someParameters) {
{ if (aCommand == null || aCommand.length() == 0) {
if(aCommand == null || aCommand.length() == 0) { throw new IllegalArgumentException("Command must not be empty"); } throw new IllegalArgumentException("Command must not be empty");
}
this.command = aCommand; this.command = aCommand;
for (int i = 0; i < someParameters.length; i++) { for (int i = 0; i < someParameters.length; i++) {
final String aParameter = someParameters[i]; final String aParameter = someParameters[i];
if(aParameter == null || aParameter.length() == 0) { throw new IllegalArgumentException("Parameter n° '"+i+"' must not be empty"); } if (aParameter == null || aParameter.length() == 0) {
throw new IllegalArgumentException("Parameter n° '" + i + "' must not be empty");
}
this.parameters.add(aParameter); this.parameters.add(aParameter);
} }
} }
/** /**
* Builds the right Shell for the current OS. <br /> * Builds the right Shell for the current OS. <br /> Allow for
* Allow for independent platform execution. * independent platform execution.
*
* @return right shell, NEVER NULL * @return right shell, NEVER NULL
*/ */
public abstract IShell createShell(); public abstract IShell createShell();
/** /**
* Builds the right command line for the current OS. <br /> * Builds the right command line for the current OS. <br /> Means that a
* Means that a command might be translated, if it does not fit the right OS ('dir' => 'ls' on unix) * command might be translated, if it does not fit the right OS ('dir'
* @return right complete command line, with parameters added (NEVER NULL) * => 'ls' on unix)
*
* @return right complete command line, with parameters added (NEVER
* NULL)
*/ */
public abstract String createCommandLine(); public abstract String createCommandLine();
protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters) protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters) {
{
final StringBuilder aCommandLine = new StringBuilder(); final StringBuilder aCommandLine = new StringBuilder();
aCommandLine.append(aCommand); aCommandLine.append(aCommand);
for (String aParameter : someParameters) { for (String aParameter : someParameters) {
@ -218,23 +258,27 @@ public final class JavaSystemCaller
} }
/** /**
* Builds a Execution Environment for Windows. <br /> * Builds a Execution Environment for Windows. <br /> Cmd with windows
* Cmd with windows commands * commands
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ */
public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory {
{
/** /**
* Builds an execution environment for a Windows system command to be played. <br /> * Builds an execution environment for a Windows system command to be
* Any command not from windows will be translated in its windows equivalent if possible. * played. <br /> Any command not from windows will be translated in its
* @param aCommand system command to be executed (must not be null or empty) * windows equivalent if possible.
* @param someParameters parameters of the command (must not be null or empty) *
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/ */
public WindowsExecEnvFactory(final String aCommand, final String... someParameters) public WindowsExecEnvFactory(final String aCommand, final String... someParameters) {
{
super(aCommand, someParameters); super(aCommand, someParameters);
} }
/** /**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell() * @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/ */
@ -249,30 +293,35 @@ public final class JavaSystemCaller
@Override @Override
public String createCommandLine() { public String createCommandLine() {
String aCommand = getCommand(); String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("ls")) { aCommand = "dir"; } if (aCommand.toLowerCase().trim().equals("ls")) {
aCommand = "dir";
}
// TODO translates other Unix commands // TODO translates other Unix commands
return buildCommandLine(aCommand, getParameters()); return buildCommandLine(aCommand, getParameters());
} }
} }
/** /**
* Builds a Execution Environment for Unix. <br /> * Builds a Execution Environment for Unix. <br /> Sh with Unix commands
* Sh with Unix commands *
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ */
public static final class UnixExecEnvFactory extends ExecEnvironmentFactory public static final class UnixExecEnvFactory extends ExecEnvironmentFactory {
{
/** /**
* Builds an execution environment for a Unix system command to be played. <br /> * Builds an execution environment for a Unix system command to be
* Any command not from Unix will be translated in its Unix equivalent if possible. * played. <br /> Any command not from Unix will be translated in its
* @param aCommand system command to be executed (must not be null or empty) * Unix equivalent if possible.
* @param someParameters parameters of the command (must not be null or empty) *
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/ */
public UnixExecEnvFactory(final String aCommand, final String... someParameters) public UnixExecEnvFactory(final String aCommand, final String... someParameters) {
{
super(aCommand, someParameters); super(aCommand, someParameters);
} }
/** /**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell() * @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/ */
@ -287,50 +336,57 @@ public final class JavaSystemCaller
@Override @Override
public String createCommandLine() { public String createCommandLine() {
String aCommand = getCommand(); String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("dir")) { aCommand = "ls"; } if (aCommand.toLowerCase().trim().equals("dir")) {
aCommand = "ls";
}
// TODO translates other Windows commands // TODO translates other Windows commands
return buildCommandLine(aCommand, getParameters()); return buildCommandLine(aCommand, getParameters());
} }
} }
/** /**
* System Shell with its right OS command. <br /> * System Shell with its right OS command. <br /> 'cmd' for Windows or 'sh'
* 'cmd' for Windows or 'sh' for Unix, ... * for Unix, ...
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ */
public interface IShell public interface IShell {
{
/** /**
* Get the right shell command. <br /> * Get the right shell command. <br /> Used to launch a new shell
* Used to launch a new shell *
* @return command used to launch a Shell (NEVEL NULL) * @return command used to launch a Shell (NEVEL NULL)
*/ */
String getShellCommand(); String getShellCommand();
} }
/** /**
* Windows shell (cmd). <br /> * Windows shell (cmd). <br /> More accurately 'cmd /C'
* More accurately 'cmd /C' *
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ */
public static class WindowsShell implements IShell public static class WindowsShell implements IShell {
{
/** /**
* @see test.JavaSystemCaller.IShell#getShellCommand() * @see test.JavaSystemCaller.IShell#getShellCommand()
*/ */
@Override @Override
public final String getShellCommand() { public final String getShellCommand() {
final String osName = System.getProperty("os.name"); final String osName = System.getProperty("os.name");
if( osName.equals( "Windows 95" ) ) { return "command.com /C"; } if (osName.equals("Windows 95")) {
return "command.com /C";
}
return "cmd.exe /C"; return "cmd.exe /C";
} }
} }
/** /**
* Unix shell (sh). <br /> * Unix shell (sh). <br /> More accurately 'sh -C'
* More accurately 'sh -C' *
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ */
public static class UnixShell implements IShell public static class UnixShell implements IShell {
{
/** /**
* @see test.JavaSystemCaller.IShell#getShellCommand() * @see test.JavaSystemCaller.IShell#getShellCommand()
*/ */

20
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/RAImageIngestService.java
View File

@ -1,8 +1,10 @@
/* /*
*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2012 42six Solutions.
* Contact: carrier <at> sleuthkit <dot> org * Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -85,19 +87,12 @@ public final class RAImageIngestService implements IngestServiceImage {
} }
// artset.beforeFirst(); // artset.beforeFirst();
if(artcount > 0) if (artcount > 0) {
{ } else {
}
else
{
int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information"); int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
} }
} } catch (Exception e) {
catch(Exception e)
{
} }
ext.extractToBlackboard(controller, fsIds); ext.extractToBlackboard(controller, fsIds);
@ -182,5 +177,4 @@ public final class RAImageIngestService implements IngestServiceImage {
public boolean hasBackgroundJobsRunning() { public boolean hasBackgroundJobsRunning() {
return false; return false;
} }
} }

95
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java
View File

@ -1,8 +1,25 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.IOException; import java.io.IOException;
@ -24,15 +41,16 @@ import java.util.regex.Pattern;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class Util { public class Util {
private static Logger logger = Logger.getLogger(Util.class.getName()); private static Logger logger = Logger.getLogger(Util.class.getName());
private Util() { private Util() {
} }
public static boolean pathexists(String path) { public static boolean pathexists(String path) {
@ -52,10 +70,11 @@ public static String readFile(String path) throws IOException {
try { try {
FileChannel fc = stream.getChannel(); FileChannel fc = stream.getChannel();
MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size()); MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size());
/* Instead of using default, pass in a decoder. */ /*
* Instead of using default, pass in a decoder.
*/
return Charset.defaultCharset().decode(bb).toString(); return Charset.defaultCharset().decode(bb).toString();
} } finally {
finally {
stream.close(); stream.close();
} }
} }
@ -75,24 +94,21 @@ public static boolean imgpathexists(String path){
if (s != null) { if (s != null) {
s.close(); s.close();
} }
if(count > 0) if (count > 0) {
{
rt = true; rt = true;
} } else {
else
{
rt = false; rt = false;
} }
} } catch (SQLException ex) {
catch (SQLException ex)
{
//logger.log(Level.WARNING, "Error while trying to contact SQLite db.", ex); //logger.log(Level.WARNING, "Error while trying to contact SQLite db.", ex);
} }
return rt; return rt;
} }
public static String extractDomain(String value) { public static String extractDomain(String value) {
if (value == null) throw new java.lang.NullPointerException("domains to extract"); if (value == null) {
throw new java.lang.NullPointerException("domains to extract");
}
String result = ""; String result = "";
// String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))"; // String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))";
// Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE); // Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE);
@ -103,9 +119,7 @@ public static String extractDomain(String value){
try { try {
URL url = new URL(value); URL url = new URL(value);
result = url.getHost(); result = url.getHost();
} } catch (Exception e) {
catch(Exception e){
} }
return result; return result;
@ -117,8 +131,7 @@ public static String getFileName(String value){
Pattern p = Pattern.compile(filematch, Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS); Pattern p = Pattern.compile(filematch, Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS);
Matcher m = p.matcher(value); Matcher m = p.matcher(value);
if (m.find()) if (m.find()) {
{
filename = m.group(1); filename = m.group(1);
} }
@ -134,8 +147,7 @@ public static String getPath(String txt){
String drive = "([a-z]:\\\\\\S.+)"; String drive = "([a-z]:\\\\\\S.+)";
Pattern p = Pattern.compile(drive, Pattern.CASE_INSENSITIVE | Pattern.COMMENTS); Pattern p = Pattern.compile(drive, Pattern.CASE_INSENSITIVE | Pattern.COMMENTS);
Matcher m = p.matcher(txt); Matcher m = p.matcher(txt);
if (m.find()) if (m.find()) {
{
path = m.group(1); path = m.group(1);
} else { } else {
@ -144,8 +156,7 @@ public static String getPath(String txt){
Pattern p2 = Pattern.compile(network, Pattern.CASE_INSENSITIVE | Pattern.DOTALL); Pattern p2 = Pattern.compile(network, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m2 = p2.matcher(txt); Matcher m2 = p2.matcher(txt);
if (m2.find()) if (m2.find()) {
{
path = m2.group(1); path = m2.group(1);
} }
} }
@ -154,8 +165,9 @@ public static String getPath(String txt){
public static long findID(String path) { public static long findID(String path) {
String parent_path = path.replace('\\', '/'); // fix Chrome paths String parent_path = path.replace('\\', '/'); // fix Chrome paths
if(parent_path.length() > 2 && parent_path.charAt(1) == ':') if (parent_path.length() > 2 && parent_path.charAt(1) == ':') {
parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:') parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:')
}
int index = parent_path.lastIndexOf('/'); int index = parent_path.lastIndexOf('/');
String name = parent_path.substring(++index); String name = parent_path.substring(++index);
parent_path = parent_path.substring(0, index); parent_path = parent_path.substring(0, index);
@ -167,8 +179,9 @@ public static long findID(String path) {
List<FsContent> results = tempDb.resultSetToFsContents(rs); List<FsContent> results = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement(); Statement s = rs.getStatement();
rs.close(); rs.close();
if (s != null) if (s != null) {
s.close(); s.close();
}
if (results.size() > 0) { if (results.size() > 0) {
return results.get(0).getId(); return results.get(0).getId();
} }
@ -177,4 +190,34 @@ public static long findID(String path) {
} }
return -1; return -1;
} }
public static boolean checkColumn(String column, String tablename, String connection) {
String query = "PRAGMA table_info(" + tablename + ")";
boolean found = false;
ResultSet temprs;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
temprs = tempdbconnect.executeQry(query);
while (temprs.next()) {
if (temprs.getString("name") == null ? column == null : temprs.getString("name").equals(column)) {
found = true;
}
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return found;
}
public static ResultSet runQuery(String query, String connection) {
ResultSet results = null;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
results = tempdbconnect.executeQry(query);
tempdbconnect.closeConnection();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return results;
}
} }

27
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/dbconnect.java
View File

@ -1,10 +1,27 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.sql.*; import java.sql.*;
/** /**
* *
* @author Alex * @author Alex
@ -12,14 +29,12 @@ import java.sql.*;
public class dbconnect extends sqlitedbconnect { public class dbconnect extends sqlitedbconnect {
private String sDriverForclass = "org.sqlite.JDBC"; private String sDriverForclass = "org.sqlite.JDBC";
public dbconnect(String sDriverForClass, String sUrlKey) throws Exception
{ public dbconnect(String sDriverForClass, String sUrlKey) throws Exception {
init(sDriverForClass, sUrlKey); init(sDriverForClass, sUrlKey);
//Statement stmt = conn.createStatement(); //Statement stmt = conn.createStatement();
//String selecthistory = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,rev_host FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; //String selecthistory = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,rev_host FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
// ResultSet rs = stmt.executeQuery(selecthistory); // ResultSet rs = stmt.executeQuery(selecthistory);
} }
} }

66
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/sqlitedbconnect.java
View File

@ -1,5 +1,22 @@
/* /*
* General C&P class that we need to figure out a better way to integrate, replace after demo *
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -7,16 +24,15 @@ package org.sleuthkit.autopsy.recentactivity;
* *
* @author Alex * @author Alex
*/ */
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.Statement; import java.sql.Statement;
/**
/** Database connection class & utilities **/ * Database connection class & utilities *
*/
abstract class sqlitedbconnect { abstract class sqlitedbconnect {
public String sDriver = ""; public String sDriver = "";
@ -25,34 +41,37 @@ public int iTimeout = 30;
public Connection conn = null; public Connection conn = null;
public Statement statement = null; public Statement statement = null;
/*
* Stub constructor for quick instantiation o/t fly for using some of the
* ancillary stuff
*/
public sqlitedbconnect() {
}
/* Stub constructor for quick instantiation o/t fly for using some of the ancillary stuff */ /*
* quick and dirty constructor to test the database passing the
public sqlitedbconnect() * DriverManager name and the fully loaded url to handle
{} */
/*
/* quick and dirty constructor to test the database passing the DriverManager name and the fully loaded url to handle */ * NB this will typically be available if you make this class concrete and
/* NB this will typically be available if you make this class concrete and not abstract */ * not abstract
public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception */
{ public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception {
init(sDriverToLoad, sUrlToLoad); init(sDriverToLoad, sUrlToLoad);
} }
public void init(String sDriverVar, String sUrlVar) throws Exception public void init(String sDriverVar, String sUrlVar) throws Exception {
{
setDriver(sDriverVar); setDriver(sDriverVar);
setUrl(sUrlVar); setUrl(sUrlVar);
setConnection(); setConnection();
setStatement(); setStatement();
} }
private void setDriver(String sDriverVar) private void setDriver(String sDriverVar) {
{
sDriver = sDriverVar; sDriver = sDriverVar;
} }
private void setUrl(String sUrlVar) private void setUrl(String sUrlVar) {
{
sUrl = sUrlVar; sUrl = sUrlVar;
} }
@ -61,7 +80,6 @@ Class.forName(sDriver);
conn = DriverManager.getConnection(sUrl); conn = DriverManager.getConnection(sUrl);
} }
public Connection getConnection() { public Connection getConnection() {
return conn; return conn;
} }
@ -96,7 +114,9 @@ return statement.executeQuery(instruction);
} }
public void closeConnection() { public void closeConnection() {
try { conn.close(); } catch (Exception ignore) {} try {
conn.close();
} catch (Exception ignore) {
}
} }
} }

205
Report/src/org/sleuthkit/autopsy/report/report.java
View File

@ -1,12 +1,29 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
@ -18,261 +35,207 @@ import org.sleuthkit.datamodel.SleuthkitCase;
* *
* @author Alex * @author Alex
*/ */
public class report implements reportInterface { public class report {
private void report() { private void report() {
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getGenInfo() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getGenInfo() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(1); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebHistory() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebHistory() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(4); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebCookie() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebCookie() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(3); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebBookmark() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebBookmark() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(2); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebDownload() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebDownload() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(5); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getRecentObject() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getRecentObject() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(6); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getKeywordHit() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getKeywordHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(9); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getHashHit() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getHashHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(10); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getInstalledProg() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getInstalledProg() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(8); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getDevices() { public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getDevices() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{ ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(11); for (BlackboardArtifact artifact : bbart) {
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
return reportMap; return reportMap;
} }
@Override
public String getGroupedKeywordHit() { public String getGroupedKeywordHit() {
StringBuilder table = new StringBuilder(); StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>(); HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try try {
{
ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC"); ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC");
while(uniqueresults.next()) while (uniqueresults.next()) {
{
table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>"); table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>"); table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>(); ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>();
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") + "'"); ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") + "'");
while(tempresults.next()) while (tempresults.next()) {
{
artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id"))); artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id")));
} }
for(BlackboardArtifact art : artlist) for (BlackboardArtifact art : artlist) {
{
String filename = tempDb.getFsContentById(art.getObjectID()).getName(); String filename = tempDb.getFsContentById(art.getObjectID()).getName();
String preview = ""; String preview = "";
String set = ""; String set = "";
table.append("<tr><td>").append(filename).append("</td>"); table.append("<tr><td>").append(filename).append("</td>");
ArrayList<BlackboardAttribute> tempatts = art.getAttributes(); ArrayList<BlackboardAttribute> tempatts = art.getAttributes();
for(BlackboardAttribute att : tempatts) for (BlackboardAttribute att : tempatts) {
{ if (att.getAttributeTypeID() == 12) {
if(att.getAttributeTypeID() == 12)
{
preview = "<td>" + att.getValueString() + "</td>"; preview = "<td>" + att.getValueString() + "</td>";
} }
if(att.getAttributeTypeID() == 13) if (att.getAttributeTypeID() == 13) {
{
set = "<td>" + att.getValueString() + "</td>"; set = "<td>" + att.getValueString() + "</td>";
} }
} }
@ -282,9 +245,7 @@ public String getGroupedKeywordHit() {
table.append("</tbody></table><br /><br />"); table.append("</tbody></table><br /><br />");
} }
} } catch (Exception e) {
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
@ -292,4 +253,24 @@ public String getGroupedKeywordHit() {
return result; return result;
} }
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getAllTypes(ReportConfiguration config) {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
for (Map.Entry<BlackboardArtifact.ARTIFACT_TYPE, Boolean> entry : config.config.entrySet()) {
if (entry.getValue()) {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(entry.getKey());
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e);
}
return reportMap;
}
} }

37
Report/src/org/sleuthkit/autopsy/report/reportAction.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -12,22 +28,22 @@ import java.awt.event.ActionListener;
import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener; import java.beans.PropertyChangeListener;
import java.io.File; import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
import javax.swing.JButton; import javax.swing.JButton;
import javax.swing.JDialog; import javax.swing.JDialog;
import javax.swing.JFrame; import javax.swing.JFrame;
import org.openide.awt.ActionRegistration; import org.openide.awt.ActionID;
import org.openide.awt.ActionReference; import org.openide.awt.ActionReference;
import org.openide.awt.ActionReferences; import org.openide.awt.ActionReferences;
import org.openide.awt.ActionID; import org.openide.awt.ActionRegistration;
import org.openide.util.HelpCtx; import org.openide.util.HelpCtx;
import org.openide.util.NbBundle.Messages; import org.openide.util.NbBundle.Messages;
import org.openide.util.actions.CallableSystemAction; import org.openide.util.actions.CallableSystemAction;
import org.openide.util.actions.Presenter; import org.openide.util.actions.Presenter;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Log; import org.sleuthkit.autopsy.coreutils.Log;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
@ActionID(category = "Tools", @ActionID(category = "Tools",
id = "org.sleuthkit.autopsy.report.reportAction") id = "org.sleuthkit.autopsy.report.reportAction")
@ -40,7 +56,7 @@ public final class reportAction extends CallableSystemAction implements Presente
private JButton toolbarButton = new JButton(); private JButton toolbarButton = new JButton();
private static final String ACTION_NAME = "Generate Report"; private static final String ACTION_NAME = "Generate Report";
Logger logger = Logger.getLogger(reportAction.class.getName()); static final Logger logger = Logger.getLogger(reportAction.class.getName());
public reportAction() { public reportAction() {
setEnabled(false); setEnabled(false);
@ -52,7 +68,6 @@ public final class reportAction extends CallableSystemAction implements Presente
setEnabled(evt.getNewValue() != null); setEnabled(evt.getNewValue() != null);
} }
} }
}); });
//attempt to create a report folder if a case is active //attempt to create a report folder if a case is active
Case.addPropertyChangeListener(new PropertyChangeListener() { Case.addPropertyChangeListener(new PropertyChangeListener() {
@ -69,7 +84,6 @@ public final class reportAction extends CallableSystemAction implements Presente
boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists(); boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists();
if (exists) { if (exists) {
// report directory exists -- don't need to do anything // report directory exists -- don't need to do anything
} else { } else {
// report directory does not exist -- create it // report directory does not exist -- create it
boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs(); boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs();
@ -80,7 +94,6 @@ public final class reportAction extends CallableSystemAction implements Presente
} }
} }
} }
}); });
// set action of the toolbar button // set action of the toolbar button
@ -105,6 +118,7 @@ public final class reportAction extends CallableSystemAction implements Presente
// initialize panel with loaded settings // initialize panel with loaded settings
final reportFilter panel = new reportFilter(); final reportFilter panel = new reportFilter();
panel.setjButton2ActionListener(new ActionListener() { panel.setjButton2ActionListener(new ActionListener() {
@Override @Override
public void actionPerformed(ActionEvent e) { public void actionPerformed(ActionEvent e) {
popUpWindow.dispose(); popUpWindow.dispose();
@ -134,7 +148,6 @@ public final class reportAction extends CallableSystemAction implements Presente
@Override @Override
public void performAction() { public void performAction() {
} }
@Override @Override

17
Report/src/org/sleuthkit/autopsy/report/reportFilter.form
View File

@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo"> <Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents> <NonVisualComponents>
@ -40,7 +40,11 @@
<EmptySpace max="-2" attributes="0"/> <EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0"> <Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0"> <Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0"> <Component id="jButton1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="cancelButton" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="156" max="-2" attributes="0"/>
</Group>
<Component id="jCheckBox3" alignment="0" min="-2" max="-2" attributes="0"/> <Component id="jCheckBox3" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0"> <Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0"> <Group type="103" groupAlignment="0" attributes="0">
@ -53,15 +57,6 @@
<Component id="jCheckBox4" alignment="0" min="-2" max="-2" attributes="0"/> <Component id="jCheckBox4" alignment="0" min="-2" max="-2" attributes="0"/>
</Group> </Group>
</Group> </Group>
</Group>
<EmptySpace min="-2" pref="69" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="jButton1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="cancelButton" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="156" max="-2" attributes="0"/>
</Group>
<Component id="progBar" alignment="0" min="-2" pref="231" max="-2" attributes="0"/> <Component id="progBar" alignment="0" min="-2" pref="231" max="-2" attributes="0"/>
</Group> </Group>
<EmptySpace max="-2" attributes="0"/> <EmptySpace max="-2" attributes="0"/>

120
Report/src/org/sleuthkit/autopsy/report/reportFilter.java
View File

@ -1,43 +1,63 @@
/* /*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportFilter.java
* *
* Created on Feb 22, 2012, 11:12:12 AM * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener; import java.awt.event.ActionListener;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.SwingUtilities; import javax.swing.SwingUtilities;
import javax.swing.SwingWorker; import javax.swing.SwingWorker;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class reportFilter extends javax.swing.JPanel { public class reportFilter extends javax.swing.JPanel {
public static ArrayList<Integer> filters = new ArrayList<Integer>(); public static ArrayList<Integer> filters = new ArrayList<Integer>();
public static ReportConfiguration config = new ReportConfiguration();
private final Logger logger = Logger.getLogger(this.getClass().getName());
public final reportFilter panel = this; public final reportFilter panel = this;
reportPanelAction rpa = new reportPanelAction(); reportPanelAction rpa = new reportPanelAction();
public static boolean cancel = false; public static boolean cancel = false;
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase(); SleuthkitCase skCase = currentCase.getSleuthkitCase();
/** Creates new form reportFilter */
/**
* Creates new form reportFilter
*/
public reportFilter() { public reportFilter() {
initComponents(); initComponents();
cancel = false; cancel = false;
} }
/** This method is called from within the constructor to /**
* initialize the form. * This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is * WARNING: Do NOT modify this code. The content of this method is always
* always regenerated by the Form Editor. * regenerated by the Form Editor.
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents // <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -162,11 +182,9 @@ public class reportFilter extends javax.swing.JPanel {
}// </editor-fold>//GEN-END:initComponents }// </editor-fold>//GEN-END:initComponents
private void jCheckBox1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jCheckBox1ActionPerformed private void jCheckBox1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jCheckBox1ActionPerformed
}//GEN-LAST:event_jCheckBox1ActionPerformed }//GEN-LAST:event_jCheckBox1ActionPerformed
public void getfilters(java.awt.event.ActionEvent evt) public void getfilters(java.awt.event.ActionEvent evt) {
{
jButton1ActionPerformed(evt); jButton1ActionPerformed(evt);
} }
@ -178,46 +196,77 @@ private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRS
progBar.setStringPainted(true); progBar.setStringPainted(true);
progBar.setValue(0); progBar.setValue(0);
filters.clear(); filters.clear();
if(jCheckBox1.isSelected()) if (jCheckBox1.isSelected()) {
{ try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, true);
filters.add(2); filters.add(2);
filters.add(3); filters.add(3);
filters.add(4); filters.add(4);
filters.add(5); filters.add(5);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
} }
if(jCheckBox2.isSelected()) }
{ if (jCheckBox2.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO, true);
filters.add(1); filters.add(1);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
} }
if(jCheckBox3.isSelected()) }
{ if (jCheckBox3.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT, true);
filters.add(9); filters.add(9);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
} }
if(jCheckBox4.isSelected()) }
{ if (jCheckBox4.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT, true);
filters.add(10); filters.add(10);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
} }
if(jCheckBox5.isSelected()) if (jCheckBox5.isSelected()) {
{ try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, true);
filters.add(6); filters.add(6);
filters.add(8); filters.add(8);
filters.add(11); filters.add(11);
} catch (ReportModuleException ex) {
}
} }
getReports(); getReports();
}//GEN-LAST:event_jButton1ActionPerformed }//GEN-LAST:event_jButton1ActionPerformed
public void getReports() { public void getReports() {
new SwingWorker<Void, Void>() { new SwingWorker<Void, Void>() {
@Override
protected Void doInBackground() throws Exception { protected Void doInBackground() throws Exception {
rpa.reportGenerate(filters, panel); rpa.reportGenerate(config, panel);
return null; return null;
}; }
;
// this is called when the SwingWorker's doInBackground finishes // this is called when the SwingWorker's doInBackground finishes
@Override
protected void done() { protected void done() {
progBar.setVisible(false); // hide my progress bar JFrame progBar.setVisible(false); // hide my progress bar JFrame
}; }
;
}.execute(); }.execute();
progBar.setVisible(true); progBar.setVisible(true);
} }
@ -228,13 +277,13 @@ private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-
}//GEN-LAST:event_cancelButtonActionPerformed }//GEN-LAST:event_cancelButtonActionPerformed
private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {//GEN-FIRST:event_jButton1MouseReleased private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {//GEN-FIRST:event_jButton1MouseReleased
}//GEN-LAST:event_jButton1MouseReleased }//GEN-LAST:event_jButton1MouseReleased
public void progBarSet(int cc) public void progBarSet(int cc) {
{
final int count = cc; final int count = cc;
SwingUtilities.invokeLater(new Runnable() { SwingUtilities.invokeLater(new Runnable() {
@Override
public void run() { public void run() {
int start = progBar.getValue(); int start = progBar.getValue();
int end = start + count; int end = start + count;
@ -247,7 +296,8 @@ public void progBarSet(int cc)
progBar.setStringPainted(true); progBar.setStringPainted(true);
progBar.setIndeterminate(true); progBar.setIndeterminate(true);
} }
}}); }
});
} }
public void progBarDone() { public void progBarDone() {
@ -255,10 +305,12 @@ public void progBarDone(){
progBar.setValue(max); progBar.setValue(max);
jButton2.doClick(); jButton2.doClick();
} }
public void progBarStartText() { public void progBarStartText() {
progBar.setIndeterminate(true); progBar.setIndeterminate(true);
progBar.setString("Querying Database for Report Results..."); progBar.setString("Querying Database for Report Results...");
} }
public void progBarText() { public void progBarText() {
progBar.setString("Populating Report - Please wait..."); progBar.setString("Populating Report - Please wait...");
@ -288,7 +340,6 @@ public void setjButton2ActionListener(ActionListener e){
jButton2.addActionListener(e); jButton2.addActionListener(e);
cancelButton.addActionListener(e); cancelButton.addActionListener(e);
} }
// Variables declaration - do not modify//GEN-BEGIN:variables // Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton cancelButton; private javax.swing.JButton cancelButton;
private javax.swing.JButton jButton1; private javax.swing.JButton jButton1;
@ -300,5 +351,4 @@ public void setjButton2ActionListener(ActionListener e){
private javax.swing.JCheckBox jCheckBox5; private javax.swing.JCheckBox jCheckBox5;
private javax.swing.JProgressBar progBar; private javax.swing.JProgressBar progBar;
// End of variables declaration//GEN-END:variables // End of variables declaration//GEN-END:variables
} }

3
Report/src/org/sleuthkit/autopsy/report/reportFilterAction.java
View File

@ -16,7 +16,6 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.awt.Container; import java.awt.Container;
@ -31,6 +30,7 @@ import org.sleuthkit.autopsy.coreutils.Log;
/** /**
* The reportFilterAction opens the reportFilterPanel in a dialog, and saves the * The reportFilterAction opens the reportFilterPanel in a dialog, and saves the
* settings of the panel if the Apply button is clicked. * settings of the panel if the Apply button is clicked.
*
* @author pmartel * @author pmartel
*/ */
class reportFilterAction { class reportFilterAction {
@ -81,4 +81,3 @@ class reportFilterAction {
return HelpCtx.DEFAULT_HELP; return HelpCtx.DEFAULT_HELP;
} }
} }

96
Report/src/org/sleuthkit/autopsy/report/reportHTML.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -36,6 +52,7 @@ public class reportHTML {
public static StringBuilder unformatted_header = new StringBuilder(); public static StringBuilder unformatted_header = new StringBuilder();
public static StringBuilder formatted_header = new StringBuilder(); public static StringBuilder formatted_header = new StringBuilder();
public static String htmlPath = ""; public static String htmlPath = "";
public reportHTML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) { public reportHTML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
//This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones. //This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones.
@ -57,39 +74,39 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
int countHash = 0; int countHash = 0;
int countDevice = 0; int countDevice = 0;
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) { for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++; countGen++;
} }
if(entry.getKey().getArtifactTypeID() == 2){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countWebBookmark++; countWebBookmark++;
} }
if(entry.getKey().getArtifactTypeID() == 3){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countWebCookie++; countWebCookie++;
} }
if(entry.getKey().getArtifactTypeID() == 4){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countWebHistory++; countWebHistory++;
} }
if(entry.getKey().getArtifactTypeID() == 5){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countWebDownload++; countWebDownload++;
} }
if(entry.getKey().getArtifactTypeID() == 6){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countRecentObjects++; countRecentObjects++;
} }
if(entry.getKey().getArtifactTypeID() == 7){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
countTrackPoint++; countTrackPoint++;
} }
if(entry.getKey().getArtifactTypeID() == 8){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++; countInstalled++;
} }
if(entry.getKey().getArtifactTypeID() == 9){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++; countKeyword++;
} }
if(entry.getKey().getArtifactTypeID() == 10){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++; countHash++;
} }
if(entry.getKey().getArtifactTypeID() == 11){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++; countDevice++;
} }
} }
@ -147,8 +164,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
// Add summary information now // Add summary information now
formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>"); formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>");
if(IngestManager.getDefault().isIngestRunning()) if (IngestManager.getDefault().isIngestRunning()) {
{
formatted_Report.append(ingestwarning); formatted_Report.append(ingestwarning);
} }
formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<ul>"); formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<ul>");
@ -208,12 +224,10 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
} }
int cc = 0; int cc = 0;
if(alt > 0) if (alt > 0) {
{
altRow = " class=\"alt\""; altRow = " class=\"alt\"";
alt = 0; alt = 0;
} } else {
else{
altRow = ""; altRow = "";
alt++; alt++;
} }
@ -228,29 +242,23 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
TreeMap<Integer, String> attributes = new TreeMap<Integer, String>(); TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type // Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n; int n;
for(n=1;n<=35;n++) for (n = 1; n <= 35; n++) {
{
attributes.put(n, ""); attributes.put(n, "");
} }
for (BlackboardAttribute tempatt : entry.getValue()) for (BlackboardAttribute tempatt : entry.getValue()) {
{
if (reportFilter.cancel == true) { if (reportFilter.cancel == true) {
break; break;
} }
String value = ""; String value = "";
int type = tempatt.getAttributeTypeID(); int type = tempatt.getAttributeTypeID();
if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) { if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
} else if (type == 2 || type == 33) {
}
else if(type == 2 || type == 33 ){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong()))); value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong())));
if (value == null || "".equals(value)) { if (value == null || "".equals(value)) {
value = tempatt.getValueString(); value = tempatt.getValueString();
} }
} } else {
else
{
value = tempatt.getValueString(); value = tempatt.getValueString();
} }
value = reportUtils.insertPeriodically(value, "<br>", 30); value = reportUtils.insertPeriodically(value, "<br>", 30);
@ -259,19 +267,19 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
} }
if(entry.getKey().getArtifactTypeID() == 1){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
artifact.append("</tr>"); artifact.append("</tr>");
nodeGen.append(artifact); nodeGen.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 2){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>"); artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>"); artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>"); artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>"); artifact.append("</tr>");
nodeWebBookmark.append(artifact); nodeWebBookmark.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 3){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>"); artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>"); artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>"); artifact.append("<td>").append(attributes.get(3)).append("</td>");
@ -280,7 +288,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>"); artifact.append("</tr>");
nodeWebCookie.append(artifact); nodeWebCookie.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 4){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>"); artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>"); artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(32)).append("</td>"); artifact.append("<td>").append(attributes.get(32)).append("</td>");
@ -289,7 +297,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>"); artifact.append("</tr>");
nodeWebHistory.append(artifact); nodeWebHistory.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 5){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(8)).append("</td>"); artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(attributes.get(1)).append("</td>"); artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>"); artifact.append("<td>").append(attributes.get(33)).append("</td>");
@ -297,7 +305,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>"); artifact.append("</tr>");
nodeWebDownload.append(artifact); nodeWebDownload.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 6){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
//artifact.append("<tr><td>").append(objId.toString()); //artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(3)).append("</strong></td>"); artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(3)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(8)).append("</td>"); artifact.append("<td>").append(attributes.get(8)).append("</td>");
@ -305,27 +313,25 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>"); artifact.append("</tr>");
nodeRecentObjects.append(artifact); nodeRecentObjects.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 7){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(objId.toString()); artifact.append("<tr").append(altRow).append("><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>"); artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>"); artifact.append("<td>").append(filesize.toString()).append("</td>");
artifact.append("</tr>"); artifact.append("</tr>");
nodeTrackPoint.append(artifact); nodeTrackPoint.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 8){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(4)).append("</strong></td>"); artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(4)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>"); artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>"); artifact.append("</tr>");
nodeInstalled.append(artifact); nodeInstalled.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 9){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
// artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>"); // artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>");
// artifact.append("</tr></table>"); // artifact.append("</tr></table>");
// nodeKeyword.append(artifact); // nodeKeyword.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 10){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
// artifact.append("<tr><td>").append(objId.toString()); // artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(file.getName().toString()).append("</strong></td>"); artifact.append("<tr").append(altRow).append("><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>"); artifact.append("<td>").append(filesize.toString()).append("</td>");
@ -334,7 +340,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>"); artifact.append("</tr>");
nodeHash.append(artifact); nodeHash.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 11){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(18)).append("</strong></td>"); artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(18)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(20)).append("</td>"); artifact.append("<td>").append(attributes.get(20)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>"); artifact.append("<td>").append(attributes.get(2)).append("</td>");
@ -400,13 +406,9 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
out.flush(); out.flush();
out.close(); out.close();
} } catch (Exception e) {
catch(Exception e)
{
Logger.getLogger(reportHTML.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(reportHTML.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
} }
} }

2
Report/src/org/sleuthkit/autopsy/report/reportPanel.form
View File

@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo"> <Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents> <NonVisualComponents>

72
Report/src/org/sleuthkit/autopsy/report/reportPanel.java
View File

@ -1,20 +1,27 @@
/* /*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportPanel.java
* *
* Created on Feb 21, 2012, 12:13:14 PM * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener; import java.awt.event.ActionListener;
import java.io.BufferedWriter; import java.io.*;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.Date; import java.util.Date;
@ -30,16 +37,17 @@ import org.jdom.output.XMLOutputter;
*/ */
public class reportPanel extends javax.swing.JPanel { public class reportPanel extends javax.swing.JPanel {
/** Creates new form reportPanel */ /**
public reportPanel(String report) { * Creates new form reportPanel
*/
public reportPanel() {
initComponents(); initComponents();
setReportWindow(report);
} }
/** This method is called from within the constructor to /**
* initialize the form. * This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is * WARNING: Do NOT modify this code. The content of this method is always
* always regenerated by the Form Editor. * regenerated by the Form Editor.
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents // <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -105,25 +113,6 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
public void setjButton1ActionListener(ActionListener e) { public void setjButton1ActionListener(ActionListener e) {
jButton1.addActionListener(e); jButton1.addActionListener(e);
} }
public void getLink(HyperlinkEvent evt){
try{
String str = evt.getDescription();
// jEditorPane1.scrollToReference(str.substring(1));
}
catch(Exception e){
String whater = "";
}
}
public void setjEditorPane1EventListener(HyperlinkListener evt){
// jEditorPane1.addHyperlinkListener(evt);
}
private void setReportWindow(String report)
{
// jEditorPane1.setText(report);
// jEditorPane1.setCaretPosition(0);
}
public void setFinishedReportText() { public void setFinishedReportText() {
DateFormat dateFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); DateFormat dateFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
@ -132,7 +121,6 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
jLabel1.setText(reportText); jLabel1.setText(reportText);
} }
private void saveReportAction() { private void saveReportAction() {
int option = jFileChooser1.showSaveDialog(this); int option = jFileChooser1.showSaveDialog(this);
@ -168,12 +156,10 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
xmlout.flush(); xmlout.flush();
xmlout.close(); xmlout.close();
JOptionPane.showMessageDialog(this, "Report has been successfully saved!"); JOptionPane.showMessageDialog(this, "Report has been successfully saved!");
} } catch (IOException e) {
catch (IOException e) {
System.err.println(e); System.err.println(e);
} }
} }
// Variables declaration - do not modify//GEN-BEGIN:variables // Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton jButton1; private javax.swing.JButton jButton1;
private javax.swing.JFileChooser jFileChooser1; private javax.swing.JFileChooser jFileChooser1;
@ -181,6 +167,4 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
private javax.swing.JOptionPane jOptionPane1; private javax.swing.JOptionPane jOptionPane1;
private javax.swing.JButton saveReport; private javax.swing.JButton saveReport;
// End of variables declaration//GEN-END:variables // End of variables declaration//GEN-END:variables
} }

71
Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -8,18 +24,11 @@ import java.awt.Dimension;
import java.awt.Toolkit; import java.awt.Toolkit;
import java.awt.event.ActionEvent; import java.awt.event.ActionEvent;
import java.awt.event.ActionListener; import java.awt.event.ActionListener;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.logging.Level; import java.util.logging.Level;
import javax.swing.JDialog; import javax.swing.JDialog;
import javax.swing.JFrame; import javax.swing.JFrame;
import javax.swing.SwingUtilities; import javax.swing.SwingUtilities;
import javax.swing.event.HyperlinkEvent;
import javax.swing.event.HyperlinkListener;
import org.sleuthkit.autopsy.coreutils.Log; import org.sleuthkit.autopsy.coreutils.Log;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
/** /**
* *
@ -32,15 +41,14 @@ public class reportPanelAction {
} }
public void reportGenerate(ArrayList<Integer> reportlist, final reportFilter rr){ public void reportGenerate(ReportConfiguration reportconfig, final reportFilter rr){
try { try {
//Clear any old reports in the string //Clear any old reports in the string
viewReport.setLength(0); viewReport.setLength(0);
// Generate the reports and create the hashmap // Generate the reports and create the hashmap
final HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> Results = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>(); final ReportGen report = new ReportGen();
report bbreport = new report();
//see what reports we need to run and run them //see what reports we need to run and run them
//Set progress bar to move while doing this //Set progress bar to move while doing this
SwingUtilities.invokeLater(new Runnable() { SwingUtilities.invokeLater(new Runnable() {
@ -48,21 +56,11 @@ public class reportPanelAction {
public void run() { public void run() {
rr.progBarStartText(); rr.progBarStartText();
}}); }});
if(reportlist.contains(1)){Results.putAll(bbreport.getGenInfo());} report.populateReport(reportconfig);
if(reportlist.contains(2)){Results.putAll(bbreport.getWebBookmark());}
if(reportlist.contains(3)){Results.putAll(bbreport.getWebCookie());}
if(reportlist.contains(4)){Results.putAll(bbreport.getWebHistory());}
if(reportlist.contains(5)){Results.putAll(bbreport.getWebDownload());}
if(reportlist.contains(6)){Results.putAll(bbreport.getRecentObject());}
// if(reportlist.contains(7)){Results.putAll(bbreport.getGenInfo());}
if(reportlist.contains(8)){Results.putAll(bbreport.getInstalledProg());}
if(reportlist.contains(9)){Results.putAll(bbreport.getKeywordHit());}
if(reportlist.contains(10)){Results.putAll(bbreport.getHashHit());}
if(reportlist.contains(11)){Results.putAll(bbreport.getDevices());}
SwingUtilities.invokeLater(new Runnable() { SwingUtilities.invokeLater(new Runnable() {
@Override @Override
public void run() { public void run() {
rr.progBarCount(2*Results.size()); rr.progBarCount(2*report.Results.size());
}}); }});
//Turn our results into the appropriate xml/html reports //Turn our results into the appropriate xml/html reports
//TODO: add a way for users to select what they will run when //TODO: add a way for users to select what they will run when
@ -71,7 +69,7 @@ public class reportPanelAction {
@Override @Override
public void run() public void run()
{ {
reportXML xmlReport = new reportXML(Results, rr); reportXML xmlReport = new reportXML(report.Results, rr);
} }
}); });
Thread htmlthread = new Thread(new Runnable() Thread htmlthread = new Thread(new Runnable()
@ -79,8 +77,8 @@ public class reportPanelAction {
@Override @Override
public void run() public void run()
{ {
reportHTML htmlReport = new reportHTML(Results,rr); reportHTML htmlReport = new reportHTML(report.Results,rr);
BrowserControl.openUrl(reportHTML.htmlPath);
} }
}); });
Thread xlsthread = new Thread(new Runnable() Thread xlsthread = new Thread(new Runnable()
@ -88,8 +86,8 @@ public class reportPanelAction {
@Override @Override
public void run() public void run()
{ {
reportXLS xlsReport = new reportXLS(Results,rr); reportXLS xlsReport = new reportXLS(report.Results,rr);
// BrowserControl.openUrl(xlsReport.xlsPath); //
} }
}); });
@ -110,7 +108,7 @@ public class reportPanelAction {
htmlthread.join(); htmlthread.join();
//Set the temporary label to let the user know its done and is waiting on the report //Set the temporary label to let the user know its done and is waiting on the report
rr.progBarText(); rr.progBarText();
final reportPanel panel = new reportPanel(viewReport.toString()); final reportPanel panel = new reportPanel();
panel.setjButton1ActionListener(new ActionListener() { panel.setjButton1ActionListener(new ActionListener() {
@ -120,19 +118,6 @@ public class reportPanelAction {
popUpWindow.dispose(); popUpWindow.dispose();
} }
}); });
panel.setjEditorPane1EventListener(new HyperlinkListener(){
@Override
public void hyperlinkUpdate(HyperlinkEvent hev) {
try {
if (hev.getEventType() == HyperlinkEvent.EventType.ACTIVATED)
panel.getLink(hev);
}
catch (Exception e) {
// Exceptions thrown...............
}
}
});
// add the panel to the popup window // add the panel to the popup window
popUpWindow.add(panel); popUpWindow.add(panel);

26
Report/src/org/sleuthkit/autopsy/report/reportUtils.java
View File

@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -20,15 +36,13 @@ static String changeExtension(String originalName, String newExtension) {
} }
public static String insertPeriodically( public static String insertPeriodically(
String text, String insert, int period) String text, String insert, int period) {
{
StringBuilder builder = new StringBuilder( StringBuilder builder = new StringBuilder(
text.length() + insert.length() * (text.length() / period) + 1); text.length() + insert.length() * (text.length() / period) + 1);
int index = 0; int index = 0;
String prefix = ""; String prefix = "";
while (index < text.length()) while (index < text.length()) {
{
// Don't put the insert in the very first iteration. // Don't put the insert in the very first iteration.
// This is easier than appending it *after* each substring // This is easier than appending it *after* each substring
builder.append(prefix); builder.append(prefix);

104
Report/src/org/sleuthkit/autopsy/report/reportXLS.java
View File

@ -1,11 +1,26 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
@ -14,26 +29,19 @@ import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map.Entry; import java.util.Map.Entry;
import java.util.TreeMap; import java.util.TreeMap;
import org.apache.poi.ss.usermodel.Cell; import org.apache.poi.ss.usermodel.*;
import org.apache.poi.ss.usermodel.CellStyle;
import org.apache.poi.ss.usermodel.Font;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.xssf.usermodel.XSSFWorkbook; import org.apache.poi.xssf.usermodel.XSSFWorkbook;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.*;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class reportXLS { public class reportXLS {
public static Workbook wb = new XSSFWorkbook(); public static Workbook wb = new XSSFWorkbook();
public reportXLS(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) { public reportXLS(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
//Empty the workbook first //Empty the workbook first
Workbook wbtemp = new XSSFWorkbook(); Workbook wbtemp = new XSSFWorkbook();
@ -50,39 +58,39 @@ public class reportXLS {
int countHash = 0; int countHash = 0;
int countDevice = 0; int countDevice = 0;
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) { for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++; countGen++;
} }
if(entry.getKey().getArtifactTypeID() == 2){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countBookmark++; countBookmark++;
} }
if(entry.getKey().getArtifactTypeID() == 3){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countCookie++; countCookie++;
} }
if(entry.getKey().getArtifactTypeID() == 4){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countHistory++; countHistory++;
} }
if(entry.getKey().getArtifactTypeID() == 5){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countDownload++; countDownload++;
} }
if(entry.getKey().getArtifactTypeID() == 6){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countRecentObjects++; countRecentObjects++;
} }
if(entry.getKey().getArtifactTypeID() == 7){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
countTrackPoint++; countTrackPoint++;
} }
if(entry.getKey().getArtifactTypeID() == 8){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++; countInstalled++;
} }
if(entry.getKey().getArtifactTypeID() == 9){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++; countKeyword++;
} }
if(entry.getKey().getArtifactTypeID() == 10){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++; countHash++;
} }
if(entry.getKey().getArtifactTypeID() == 11){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++; countDevice++;
} }
} }
@ -239,26 +247,20 @@ public class reportXLS {
TreeMap<Integer, String> attributes = new TreeMap<Integer, String>(); TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type // Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n; int n;
for(n=1;n<=36;n++) for (n = 1; n <= 36; n++) {
{
attributes.put(n, ""); attributes.put(n, "");
} }
for (BlackboardAttribute tempatt : entry.getValue()) for (BlackboardAttribute tempatt : entry.getValue()) {
{
if (reportFilter.cancel == true) { if (reportFilter.cancel == true) {
break; break;
} }
String value = ""; String value = "";
int type = tempatt.getAttributeTypeID(); int type = tempatt.getAttributeTypeID();
if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) { if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
} else if (type == 2 || type == 33) {
}
else if(type == 2){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong()) * 1000)); value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong()) * 1000));
} } else {
else
{
value = tempatt.getValueString(); value = tempatt.getValueString();
} }
@ -267,19 +269,19 @@ public class reportXLS {
} }
if(entry.getKey().getArtifactTypeID() == 1){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countedGen++; countedGen++;
// Row temp = sheetGen.getRow(countedGen); // Row temp = sheetGen.getRow(countedGen);
} }
if(entry.getKey().getArtifactTypeID() == 2){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countedBookmark++; countedBookmark++;
Row temp = sheetBookmark.createRow(countedBookmark); Row temp = sheetBookmark.createRow(countedBookmark);
temp.createCell(0).setCellValue(attributes.get(1)); temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(3)); temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(4)); temp.createCell(2).setCellValue(attributes.get(4));
} }
if(entry.getKey().getArtifactTypeID() == 3){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countedCookie++; countedCookie++;
Row temp = sheetCookie.createRow(countedCookie); Row temp = sheetCookie.createRow(countedCookie);
temp.createCell(0).setCellValue(attributes.get(1)); temp.createCell(0).setCellValue(attributes.get(1));
@ -288,7 +290,7 @@ public class reportXLS {
temp.createCell(3).setCellValue(attributes.get(6)); temp.createCell(3).setCellValue(attributes.get(6));
temp.createCell(4).setCellValue(attributes.get(4)); temp.createCell(4).setCellValue(attributes.get(4));
} }
if(entry.getKey().getArtifactTypeID() == 4){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countedHistory++; countedHistory++;
Row temp = sheetHistory.createRow(countedHistory); Row temp = sheetHistory.createRow(countedHistory);
temp.createCell(0).setCellValue(attributes.get(1)); temp.createCell(0).setCellValue(attributes.get(1));
@ -297,7 +299,7 @@ public class reportXLS {
temp.createCell(3).setCellValue(attributes.get(3)); temp.createCell(3).setCellValue(attributes.get(3));
temp.createCell(4).setCellValue(attributes.get(4)); temp.createCell(4).setCellValue(attributes.get(4));
} }
if(entry.getKey().getArtifactTypeID() == 5){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countedDownload++; countedDownload++;
Row temp = sheetDownload.createRow(countedDownload); Row temp = sheetDownload.createRow(countedDownload);
temp.createCell(0).setCellValue(attributes.get(8)); temp.createCell(0).setCellValue(attributes.get(8));
@ -305,7 +307,7 @@ public class reportXLS {
temp.createCell(2).setCellValue(attributes.get(33)); temp.createCell(2).setCellValue(attributes.get(33));
temp.createCell(3).setCellValue(attributes.get(4)); temp.createCell(3).setCellValue(attributes.get(4));
} }
if(entry.getKey().getArtifactTypeID() == 6){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countedRecentObjects++; countedRecentObjects++;
Row temp = sheetRecent.createRow(countedRecentObjects); Row temp = sheetRecent.createRow(countedRecentObjects);
temp.createCell(0).setCellValue(attributes.get(3)); temp.createCell(0).setCellValue(attributes.get(3));
@ -313,16 +315,16 @@ public class reportXLS {
temp.createCell(2).setCellValue(file.getName()); temp.createCell(2).setCellValue(file.getName());
temp.createCell(3).setCellValue(attributes.get(4)); temp.createCell(3).setCellValue(attributes.get(4));
} }
if(entry.getKey().getArtifactTypeID() == 7){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
// sheetTrackpoint.addContent(artifact); // sheetTrackpoint.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 8){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countedInstalled++; countedInstalled++;
Row temp = sheetInstalled.createRow(countedInstalled); Row temp = sheetInstalled.createRow(countedInstalled);
temp.createCell(0).setCellValue(attributes.get(4)); temp.createCell(0).setCellValue(attributes.get(4));
temp.createCell(1).setCellValue(attributes.get(2)); temp.createCell(1).setCellValue(attributes.get(2));
} }
if(entry.getKey().getArtifactTypeID() == 9){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countedKeyword++; countedKeyword++;
Row temp = sheetKeyword.createRow(countedKeyword); Row temp = sheetKeyword.createRow(countedKeyword);
temp.createCell(0).setCellValue(attributes.get(10)); temp.createCell(0).setCellValue(attributes.get(10));
@ -330,14 +332,14 @@ public class reportXLS {
temp.createCell(2).setCellValue(attributes.get(12)); temp.createCell(2).setCellValue(attributes.get(12));
temp.createCell(3).setCellValue(attributes.get(13)); temp.createCell(3).setCellValue(attributes.get(13));
} }
if(entry.getKey().getArtifactTypeID() == 10){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countedHash++; countedHash++;
Row temp = sheetHash.createRow(countedHash); Row temp = sheetHash.createRow(countedHash);
temp.createCell(0).setCellValue(file.getName().toString()); temp.createCell(0).setCellValue(file.getName().toString());
temp.createCell(1).setCellValue(filesize.toString()); temp.createCell(1).setCellValue(filesize.toString());
temp.createCell(2).setCellValue(attributes.get(30)); temp.createCell(2).setCellValue(attributes.get(30));
} }
if(entry.getKey().getArtifactTypeID() == 11){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countedDevice++; countedDevice++;
Row temp = sheetDevice.createRow(countedDevice); Row temp = sheetDevice.createRow(countedDevice);
temp.createCell(0).setCellValue(attributes.get(18)); temp.createCell(0).setCellValue(attributes.get(18));
@ -357,19 +359,13 @@ public class reportXLS {
wbtemp.write(fos); wbtemp.write(fos);
fos.close(); fos.close();
wb = wbtemp; wb = wbtemp;
} } catch (IOException e) {
catch (IOException e) {
System.err.println(e); System.err.println(e);
} }
} } catch (Exception E) {
catch(Exception E)
{
String test = E.toString(); String test = E.toString();
} }
} }
} }

58
Report/src/org/sleuthkit/autopsy/report/reportXML.java
View File

@ -1,8 +1,25 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.text.DateFormat; import java.text.DateFormat;
@ -31,8 +48,11 @@ import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskData;
public class reportXML { public class reportXML {
public static Document xmldoc = new Document(); public static Document xmldoc = new Document();
public reportXML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) { public reportXML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
try { try {
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
@ -53,8 +73,7 @@ public class reportXML {
root.addContent(comment); root.addContent(comment);
//Create summary node involving how many of each type //Create summary node involving how many of each type
Element summary = new Element("Summary"); Element summary = new Element("Summary");
if(IngestManager.getDefault().isIngestRunning()) if (IngestManager.getDefault().isIngestRunning()) {
{
summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!")); summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!"));
} }
summary.addContent(new Element("Name").setText(caseName)); summary.addContent(new Element("Name").setText(caseName));
@ -91,8 +110,7 @@ public class reportXML {
artifact.setAttribute("Size", filesize.toString()); artifact.setAttribute("Size", filesize.toString());
// Get all the attributes for this guy // Get all the attributes for this guy
for (BlackboardAttribute tempatt : entry.getValue()) for (BlackboardAttribute tempatt : entry.getValue()) {
{
if (reportFilter.cancel == true) { if (reportFilter.cancel == true) {
break; break;
} }
@ -107,44 +125,44 @@ public class reportXML {
cc++; cc++;
} }
if(entry.getKey().getArtifactTypeID() == 1){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
//while (entry.getValue().iterator().hasNext()) //while (entry.getValue().iterator().hasNext())
// { // {
// } // }
nodeGen.addContent(artifact); nodeGen.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 2){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
nodeWebBookmark.addContent(artifact); nodeWebBookmark.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 3){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
nodeWebCookie.addContent(artifact); nodeWebCookie.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 4){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
nodeWebHistory.addContent(artifact); nodeWebHistory.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 5){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
nodeWebDownload.addContent(artifact); nodeWebDownload.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 6){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
nodeRecentObjects.addContent(artifact); nodeRecentObjects.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 7){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
nodeTrackPoint.addContent(artifact); nodeTrackPoint.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 8){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
nodeInstalled.addContent(artifact); nodeInstalled.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 9){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
nodeKeyword.addContent(artifact); nodeKeyword.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 10){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
nodeHash.addContent(artifact); nodeHash.addContent(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 11){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
nodeDevice.addContent(artifact); nodeDevice.addContent(artifact);
} }
cc++; cc++;
@ -171,13 +189,11 @@ public class reportXML {
serializer.output(xmldoc, out); serializer.output(xmldoc, out);
out.flush(); out.flush();
out.close(); out.close();
} } catch (IOException e) {
catch (IOException e) {
System.err.println(e); System.err.println(e);
} }
} } catch (Exception e) {
catch (Exception e){
Logger.getLogger(reportXML.class.getName()).log(Level.WARNING, "Exception occurred", e); Logger.getLogger(reportXML.class.getName()).log(Level.WARNING, "Exception occurred", e);
} }
} }