- fix previous merge
This commit is contained in:
adam-m 2012-05-02 00:26:43 -04:00
parent a38d546ecb
commit ff96ae6f13
26 changed files with 3407 additions and 3169 deletions


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera * @author arivera
*/ */
public enum BrowserActivity { public enum BrowserActivity {
IE(0),
FF(1), IE(0),
CH(2); FF(1),
private static final Map<Integer,BrowserActivity> lookup CH(2);
= new HashMap<Integer,BrowserActivity>(); private static final Map<Integer, BrowserActivity> lookup = new HashMap<Integer, BrowserActivity>();
static { static {
for(BrowserActivity bat : values()) for (BrowserActivity bat : values()) {
lookup.put(bat.type, bat); lookup.put(bat.type, bat);
}
}
private int type;
private BrowserActivity(int type) {
this.type = type;
} }
public int getType() {
private int type; return type;
}
private BrowserActivity(int type)
{
this.type = type;
}
public int getType() { return type; }
public static BrowserActivity get(int type) { public static BrowserActivity get(int type) {
switch(type) { switch (type) {
case 0: return IE; case 0:
case 1: return FF; return IE;
case 2: return CH; case 1:
return FF;
case 2:
return CH;
} }
return null; return null;
} }
} }
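Review bot: The `lookup` map filled in the static initializer on the new side is never read — `get(int)` still dispatches through the `switch` and returns `null` for any unknown code, so the map is dead state that the reformat carried over unchanged. Either drop the map (and the `HashMap`/`Map` imports that only serve it) or route the lookup through it, `return lookup.get(type);`, which keeps the same `null` result for unknown codes so callers that check for `null` are unaffected. The `type` field is assigned once in the constructor and could be `private final int type;`. BrowserActivityType and BrowserType in this commit carry the identical unused `lookup` map and would take the same fix.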


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera * @author arivera
*/ */
public enum BrowserActivityType { public enum BrowserActivityType {
Cookies(0),
Url(1), Cookies(0),
Bookmarks(2); Url(1),
private static final Map<Integer,BrowserActivityType> lookup Bookmarks(2);
= new HashMap<Integer,BrowserActivityType>(); private static final Map<Integer, BrowserActivityType> lookup = new HashMap<Integer, BrowserActivityType>();
static { static {
for(BrowserActivityType bat : values()) for (BrowserActivityType bat : values()) {
lookup.put(bat.type, bat); lookup.put(bat.type, bat);
}
}
private int type;
private BrowserActivityType(int type) {
this.type = type;
} }
public int getType() {
private int type; return type;
}
private BrowserActivityType(int type)
{
this.type = type;
}
public int getType() { return type; }
public static BrowserActivityType get(int type) { public static BrowserActivityType get(int type) {
switch(type) { switch (type) {
case 0: return Cookies; case 0:
case 1: return Url; return Cookies;
case 2: return Bookmarks; case 1:
return Url;
case 2:
return Bookmarks;
} }
return null; return null;
} }
} }


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -12,34 +28,36 @@ import java.util.Map;
* @author arivera * @author arivera
*/ */
public enum BrowserType { public enum BrowserType {
IE(0), //Internet Explorer
FF(1), //Firefox IE(0), //Internet Explorer
CH(2); //Chrome FF(1), //Firefox
private static final Map<Integer,BrowserType> lookup CH(2); //Chrome
= new HashMap<Integer,BrowserType>(); private static final Map<Integer, BrowserType> lookup = new HashMap<Integer, BrowserType>();
static { static {
for(BrowserType bt : values()) for (BrowserType bt : values()) {
lookup.put(bt.type, bt); lookup.put(bt.type, bt);
}
}
private int type;
private BrowserType(int type) {
this.type = type;
} }
public int getType() {
private int type; return type;
}
private BrowserType(int type)
{
this.type = type;
}
public int getType() { return type; }
public static BrowserType get(int type) { public static BrowserType get(int type) {
switch(type) { switch (type) {
case 0: return IE; case 0:
case 1: return FF; return IE;
case 2: return CH; case 1:
return FF;
case 2:
return CH;
} }
return null; return null;
} }
} }


@ -1,8 +1,25 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import com.google.gson.JsonArray; import com.google.gson.JsonArray;
import com.google.gson.JsonElement; import com.google.gson.JsonElement;
import com.google.gson.JsonObject; import com.google.gson.JsonObject;
@ -25,398 +42,410 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class Chrome { public class Chrome {
public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url";
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies";
public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies"; public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id";
public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads";
public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads"; public static final String chloginquery = "select origin_url, username_value, signon_realm from logins";
public static final String chloginquery = "select origin_url, username_value, signon_realm from logins"; private final Logger logger = Logger.getLogger(this.getClass().getName());
private final Logger logger = Logger.getLogger(this.getClass().getName()); public int ChromeCount = 0;
public int ChromeCount = 0;
public Chrome() {
public Chrome(){ }
} public void getchdb(List<String> image, IngestImageWorkerController controller) {
public void getchdb(List<String> image, IngestImageWorkerController controller){ try {
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb; List<FsContent> FFSqlitedb = null;
Map<String, Object> kvs = new LinkedHashMap<String, Object>(); Map<String, Object> kvs = new LinkedHashMap<String, Object>();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
ChromeCount = FFSqlitedb.size();
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
ChromeCount = FFSqlitedb.size();
rs.close();
rs.getStatement().close();
int j = 0; int j = 0;
while (j < FFSqlitedb.size()) if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write to disk.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{ dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); ResultSet temprs = tempdbconnect.executeQry(chquery);
ResultSet temprs = tempdbconnect.executeQry(chquery);
while (temprs.next()) {
while(temprs.next()) try {
{ String domain = Util.extractDomain(temprs.getString("url"));
String domain = Util.extractDomain(temprs.getString("url")); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("url")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",temprs.getString("url"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Accessed", (temprs.getLong("last_visit_time") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Accessed",(temprs.getLong("last_visit_time")/10000))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", temprs.getString("from_visit")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",temprs.getString("from_visit"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes);
bbart.addAttributes(bbattributes); } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to insert BB artifact.{0}", ex);
} }
tempdbconnect.closeConnection();
temprs.close(); }
tempdbconnect.closeConnection();
} temprs.close();
catch (Exception ex)
{ } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//COOKIES section
// This gets the cookie info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
allFS += " AND (0";
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
allFS += ")";
}
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0;
while (j < FFSqlitedb.size())
{
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
File dbFile = new File(temps);
if (controller.isCancelled() ) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(chcookiequery);
while(temprs.next())
{
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = temprs.getString("host_key");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",(temprs.getLong("last_access_utc")/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbart.addAttributes(bbattributes);
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); //COOKIES section
} // This gets the cookie info
catch(IOException ioex) try {
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//BOokmarks section
// This gets the bm info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{ dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chcookiequery);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = temprs.getString("host_key");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", (temprs.getLong("last_access_utc") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
//BOokmarks section
// This gets the bm info
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO {0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try {
final JsonParser parser = new JsonParser(); final JsonParser parser = new JsonParser();
JsonElement jsonElement = parser.parse(new FileReader(temps)); JsonElement jsonElement = parser.parse(new FileReader(temps));
JsonObject test = jsonElement.getAsJsonObject(); JsonObject test = jsonElement.getAsJsonObject();
JsonObject whatever = test.get("roots").getAsJsonObject(); JsonObject whatever = test.get("roots").getAsJsonObject();
JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject(); JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject();
JsonArray whatever3 = whatever2.getAsJsonArray("children"); JsonArray whatever3 = whatever2.getAsJsonArray("children");
for (JsonElement result : whatever3) {
// JsonArray results = parser.parse(new FileReader(temps)).getAsJsonObject().getAsJsonArray("roots").getAsJsonObject().getAsJsonArray("bookmark_bar").get(0).getAsJsonObject().getAsJsonArray("children"); try {
for (JsonElement result : whatever3) { JsonObject address = result.getAsJsonObject();
String url = address.get("url").getAsString();
JsonObject address = result.getAsJsonObject(); String name = address.get("name").getAsString();
String url = address.get("url").getAsString(); Long date = address.get("date_added").getAsLong();
String name = address.get("name").getAsString(); String domain = Util.extractDomain(url);
Long date = address.get("date_added").getAsLong(); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
String domain = Util.extractDomain(url); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (date / 10000)));
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",(date/10000))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); } catch (Exception ex) {
bbart.addAttributes(bbattributes); logger.log(Level.WARNING, "Error while trying to insert BB artifact{0}", ex);
} }
}
} } catch (Exception ex) {
catch (Exception ex) logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex);
{ }
logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex);
}
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); //Downloads section
} // This gets the downloads info
catch(IOException ioex) try {
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section
// This gets the downloads info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb; List<FsContent> FFSqlitedb = null;
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{ dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); ResultSet temprs = tempdbconnect.executeQry(chdownloadquery);
ResultSet temprs = tempdbconnect.executeQry(chdownloadquery); while (temprs.next()) {
while(temprs.next()) try {
{ BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); String domain = Util.extractDomain(temprs.getString("url"));
String domain = Util.extractDomain(temprs.getString("url")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (temprs.getLong("start_time") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",(temprs.getLong("start_time")/10000))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(temprs.getString("full_path"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(temprs.getString("full_path")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes);
bbart.addAttributes(bbattributes); } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
tempdbconnect.closeConnection();
temprs.close(); }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD)); tempdbconnect.closeConnection();
temprs.close();
} IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
catch (Exception ex)
{ } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} }
j++; j++;
dbFile.delete(); dbFile.delete();
} }
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex); //Login/Password section
} // This gets the user info
catch(IOException ioex) try {
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Login/Password section
// This gets the user info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{ dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); ResultSet temprs = tempdbconnect.executeQry(chloginquery);
ResultSet temprs = tempdbconnect.executeQry(chloginquery); while (temprs.next()) {
while(temprs.next()) try {
{ BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity","", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")))); bbart.addAttributes(bbattributes);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); } catch (Exception ex) {
bbart.addAttributes(bbattributes); logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
tempdbconnect.closeConnection(); tempdbconnect.closeConnection();
temprs.close(); temprs.close();
} } catch (Exception ex) {
catch (Exception ex) logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
{ }
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
} }
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
} }
} }


@ -1,9 +1,26 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.sql.SQLException;
import java.util.List; import java.util.List;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@ -12,49 +29,51 @@ import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
* @author Alex * @author Alex
*/ */
public class ExtractAll { public class ExtractAll {
void ExtractAll(){
}
public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds){ void ExtractAll() {
controller.switchToDeterminate(3); }
try{
// Will make registry entries later, comment out for DEMO ONLY public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds) {
controller.switchToDeterminate(4); controller.switchToDeterminate(3);
controller.progress(0); try {
ExtractRegistry eree = new ExtractRegistry(); // Will make registry entries later, comment out for DEMO ONLY
eree.getregistryfiles(imgIds, controller); controller.switchToDeterminate(4);
controller.progress(1); controller.progress(0);
if (controller.isCancelled()) ExtractRegistry eree = new ExtractRegistry();
return true; eree.getregistryfiles(imgIds, controller);
controller.progress(1);
Firefox ffre = new Firefox(); if (controller.isCancelled()) {
ffre.getffdb(imgIds, controller);
controller.progress(2);
if (controller.isCancelled())
return true;
Chrome chre = new Chrome();
chre.getchdb(imgIds, controller);
controller.progress(3);
if (controller.isCancelled())
return true;
ExtractIE eere = new ExtractIE(imgIds, controller);
eere.parsePascoResults();
controller.progress(4);
if (controller.isCancelled())
return true;
//Find a way to put these results into BB
return true; return true;
} }
catch(Error e){
return false; Firefox ffre = new Firefox();
} ffre.getffdb(imgIds, controller);
controller.progress(2);
} if (controller.isCancelled()) {
return true;
}
Chrome chre = new Chrome();
chre.getchdb(imgIds, controller);
controller.progress(3);
if (controller.isCancelled()) {
return true;
}
ExtractIE eere = new ExtractIE(imgIds, controller);
eere.parsePascoResults();
controller.progress(4);
if (controller.isCancelled()) {
return true;
}
//Find a way to put these results into BB
return true;
} catch (SQLException e) {
return false;
} catch (Error e) {
return false;
}
}
} }
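Review bot: The new `catch (SQLException e)` and `catch (Error e)` blocks at the end of extractToBlackboard discard the exception and just return false, so a failure in any of the four extractors leaves nothing in the log to diagnose; at minimum record it before returning, e.g. `logger.log(Level.WARNING, "Error while extracting recent activity", e);`, assuming this class has a logger like the sibling extractors (none is visible in this section). Catching `Error` is also wider than intended, since it swallows OutOfMemoryError and StackOverflowError as if they were an ordinary extraction failure; narrow it to the failure types the extractors actually raise. Separately, `void ExtractAll() {` declares a method named after the class rather than a constructor (it has a `void` return type), so `new ExtractAll()` never runs it; drop the `void` or remove the empty method.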


@ -1,15 +1,17 @@
/* /*
*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2012 42six Solutions.
* Contact: carrier <at> sleuthkit <dot> org * Contact: aebadirad <at> 42six <dot> com
* * Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -27,7 +29,6 @@ import java.io.IOException;
import java.sql.ResultSet; import java.sql.ResultSet;
//Util Imports //Util Imports
import java.sql.SQLException;
import java.text.ParseException; import java.text.ParseException;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.ArrayList; import java.util.ArrayList;
@ -43,7 +44,6 @@ import java.util.regex.Pattern;
// TSK Imports // TSK Imports
import org.openide.modules.InstalledFileLocator; import org.openide.modules.InstalledFileLocator;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.datamodel.DataConversion; import org.sleuthkit.autopsy.datamodel.DataConversion;
@ -58,7 +58,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException; import org.sleuthkit.autopsy.coreutils.PlatformUtil;
public class ExtractIE { // implements BrowserActivity { public class ExtractIE { // implements BrowserActivity {
@ -69,220 +69,223 @@ public class ExtractIE { // implements BrowserActivity {
private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'"; private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'";
//sleauthkit db handle //sleauthkit db handle
SleuthkitCase tempDb; SleuthkitCase tempDb;
//paths set in init() //paths set in init()
private String PASCO_RESULTS_PATH; private String PASCO_RESULTS_PATH;
private String PASCO_LIB_PATH; private String PASCO_LIB_PATH;
private String JAVA_PATH;
//Results List to be referenced/used outside the class //Results List to be referenced/used outside the class
public ArrayList<HashMap<String, Object>> PASCO_RESULTS_LIST = new ArrayList<HashMap<String, Object>>(); public ArrayList<HashMap<String, Object>> PASCO_RESULTS_LIST = new ArrayList<HashMap<String, Object>>();
//Look Up Table that holds Pasco2 results //Look Up Table that holds Pasco2 results
private HashMap<String, Object> PASCO_RESULTS_LUT; private HashMap<String, Object> PASCO_RESULTS_LUT;
private KeyValue IE_PASCO_LUT = new KeyValue(BrowserType.IE.name(), BrowserType.IE.getType()); private KeyValue IE_PASCO_LUT = new KeyValue(BrowserType.IE.name(), BrowserType.IE.getType());
public LinkedHashMap<String, Object> IE_OBJ; public LinkedHashMap<String, Object> IE_OBJ;
boolean pascoFound = false; boolean pascoFound = false;
public ExtractIE(List<String> image, IngestImageWorkerController controller) { public ExtractIE(List<String> image, IngestImageWorkerController controller) {
init(image, controller); init(image, controller);
//Favorites section //Favorites section
// This gets the favorite info // This gets the favorite info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
List<FsContent> FavoriteList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(favoriteQuery + allFS);
FavoriteList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
List<FsContent> FavoriteList;
ResultSet rs = tempDb.runQuery(favoriteQuery + allFS); for (FsContent Favorite : FavoriteList) {
FavoriteList = tempDb.resultSetToFsContents(rs); if (controller.isCancelled()) {
rs.close(); break;
rs.getStatement().close(); }
for(FsContent Favorite : FavoriteList)
{
if (controller.isCancelled() ) {
break;
}
Content fav = Favorite; Content fav = Favorite;
byte[] t = new byte[(int) fav.getSize()]; byte[] t = new byte[(int) fav.getSize()];
final int bytesRead = fav.read(t, 0, fav.getSize()); final int bytesRead = fav.read(t, 0, fav.getSize());
String bookmarkString = new String(t); String bookmarkString = new String(t);
String re1=".*?"; // Non-greedy match on filler String re1 = ".*?"; // Non-greedy match on filler
String re2="((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1 String re2 = "((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1
String url = ""; String url = "";
Pattern p = Pattern.compile(re1+re2,Pattern.CASE_INSENSITIVE | Pattern.DOTALL); Pattern p = Pattern.compile(re1 + re2, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m = p.matcher(bookmarkString); Matcher m = p.matcher(bookmarkString);
if (m.find()) if (m.find()) {
{ url = m.group(1);
url = m.group(1);
} }
String name = Favorite.getName(); String name = Favorite.getName();
String datetime = Favorite.getCrtimeAsDate(); Long datetime = Favorite.getCrtime();
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); try {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime)); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbart.addAttributes(bbattributes); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); bbart.addAttributes(bbattributes);
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
} } catch (Exception ex) {
catch(TskException ex)
{
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
} }
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex); //Cookies section
} // This gets the cookies info
try {
//Cookies section
// This gets the cookies info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
List<FsContent> CookiesList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(cookiesQuery + allFS);
CookiesList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
List<FsContent> CookiesList;
ResultSet rs = tempDb.runQuery(cookiesQuery + allFS); for (FsContent Cookie : CookiesList) {
CookiesList = tempDb.resultSetToFsContents(rs); if (controller.isCancelled()) {
rs.close(); break;
rs.getStatement().close(); }
for(FsContent Cookie : CookiesList)
{
if (controller.isCancelled() ) {
break;
}
Content fav = Cookie; Content fav = Cookie;
byte[] t = new byte[(int) fav.getSize()]; byte[] t = new byte[(int) fav.getSize()];
final int bytesRead = fav.read(t, 0, fav.getSize()); final int bytesRead = fav.read(t, 0, fav.getSize());
String cookieString = new String(t); String cookieString = new String(t);
String[] values = cookieString.split("\n"); String[] values = cookieString.split("\n");
String url = values.length > 2 ? values[2] : ""; String url = values.length > 2 ? values[2] : "";
String value = values.length > 1 ? values[1] : ""; String value = values.length > 1 ? values[1] : "";
String name = values.length > 0 ? values[0] : ""; String name = values.length > 0 ? values[0] : "";
String datetime = Cookie.getCrtimeAsDate(); Long datetime = Cookie.getCrtime();
String domain = Util.extractDomain(url); String domain = Util.extractDomain(url);
BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); try {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url)); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : "")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbart.addAttributes(bbattributes); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} } catch (Exception ex) {
catch(TskException ex)
{
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
} }
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
} //Recent Documents section
// This gets the recent object info
try {
//Recent Documents section
// This gets the recent object info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
} }
List<FsContent> RecentList; List<FsContent> RecentList = new ArrayList<FsContent>();
ResultSet rs = tempDb.runQuery(recentQuery + allFS); try {
RecentList = tempDb.resultSetToFsContents(rs); ResultSet rs = tempDb.runQuery(recentQuery + allFS);
rs.close(); RecentList = tempDb.resultSetToFsContents(rs);
rs.getStatement().close(); rs.close();
rs.getStatement().close();
for(FsContent Recent : RecentList) } catch (Exception ex) {
{ logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
if (controller.isCancelled() ) { }
break;
} for (FsContent Recent : RecentList) {
if (controller.isCancelled()) {
break;
}
Content fav = Recent; Content fav = Recent;
byte[] t = new byte[(int) fav.getSize()]; byte[] t = new byte[(int) fav.getSize()];
int bytesRead = 0; int bytesRead = 0;
if (fav.getSize() > 0) { if (fav.getSize() > 0) {
bytesRead = fav.read(t, 0, fav.getSize()); // read the data bytesRead = fav.read(t, 0, fav.getSize()); // read the data
} }
// set the data on the bottom and show it // set the data on the bottom and show it
String recentString = new String(); String recentString = new String();
if (bytesRead > 0) { if (bytesRead > 0) {
recentString = DataConversion.getString(t, bytesRead, 4); recentString = DataConversion.getString(t, bytesRead, 4);
} }
String path = Util.getPath(recentString); String path = Util.getPath(recentString);
String name = Util.getFileName(path); String name = Util.getFileName(path);
String datetime = Recent.getCrtimeAsDate(); Long datetime = Recent.getCrtime();
BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); try {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),"RecentActivity","Last Visited",path)); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", "Last Visited", path));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(path))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity","Date Created",datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(path)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Windows Explorer")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
bbart.addAttributes(bbattributes); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Windows Explorer"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
} } catch (Exception ex) {
catch(TskException ex)
{
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
} }
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
} }
//@Override //@Override
@ -293,44 +296,52 @@ public class ExtractIE { // implements BrowserActivity {
private void init(List<String> image, IngestImageWorkerController controller) { private void init(List<String> image, IngestImageWorkerController controller) {
final Case currentCase = Case.getCurrentCase(); final Case currentCase = Case.getCurrentCase();
final String caseDir = Case.getCurrentCase().getCaseDirectory(); final String caseDir = Case.getCurrentCase().getCaseDirectory();
PASCO_RESULTS_PATH = caseDir + File.separator + "recentactivity" + File.separator + "results"; PASCO_RESULTS_PATH = Case.getCurrentCase().getTempDirectory() + File.separator + "results";
JAVA_PATH = PlatformUtil.getJavaPath();
if (JAVA_PATH.isEmpty() || JAVA_PATH == null) {
JAVA_PATH = "java";
}
logger.log(Level.INFO, "Pasco results path: " + PASCO_RESULTS_PATH); logger.log(Level.INFO, "Pasco results path: " + PASCO_RESULTS_PATH);
final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false);
if (pascoRoot == null) { if (pascoRoot == null) {
logger.log(Level.SEVERE, "Pasco2 not found"); logger.log(Level.SEVERE, "Pasco2 not found");
pascoFound = false; pascoFound = false;
return; return;
} } else {
else { pascoFound = true;
pascoFound = true; }
}
final String pascoHome = pascoRoot.getAbsolutePath(); final String pascoHome = pascoRoot.getAbsolutePath();
logger.log(Level.INFO, "Pasco2 home: " + pascoHome); logger.log(Level.INFO, "Pasco2 home: " + pascoHome);
PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator
+ pascoHome + File.separator + "*"; + pascoHome + File.separator + "*";
try { try {
File resultsDir = new File(PASCO_RESULTS_PATH); File resultsDir = new File(PASCO_RESULTS_PATH);
resultsDir.mkdirs(); resultsDir.mkdirs();
Collection<FsContent> FsContentCollection; Collection<FsContent> FsContentCollection = null;
tempDb = currentCase.getSleuthkitCase(); tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS);
FsContentCollection = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS);
FsContentCollection = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
String temps; String temps;
String indexFileName; String indexFileName;
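Review bot: The fallback to "java" on the new side can never run when PlatformUtil.getJavaPath() returns null, because `JAVA_PATH.isEmpty()` is evaluated before the null comparison and throws first; swap the operands, `if (JAVA_PATH == null || JAVA_PATH.isEmpty()) {`. Further down, the new inner try/catch around runQuery logs the failure but leaves FsContentCollection at its null initial value, so the loop over it (which begins after this hunk) fails with a NullPointerException that the outer catch at the end of the method reports as an index.dat write error; either `return;` after logging, or initialise the collection to an empty list as ExtractRegistry.getregistryfiles does with `new ArrayList<FsContent>()`. Note also that `rs.close()` is only reached when resultSetToFsContents succeeds, so a failure there leaves the statement open; closing it in a finally block covers both paths. The body of init continues past the end of this hunk.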
@ -340,22 +351,21 @@ public class ExtractIE { // implements BrowserActivity {
// index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat) // index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
// Write each index.dat file to a temp directory. // Write each index.dat file to a temp directory.
//BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
indexFileName = "index" + Integer.toString((int)fsc.getId()) + ".dat"; indexFileName = "index" + Integer.toString((int) fsc.getId()) + ".dat";
//indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat"; //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
temps = currentCase.getTempDirectory() + File.separator + indexFileName; temps = currentCase.getTempDirectory() + File.separator + indexFileName;
File datFile = new File(temps); File datFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
datFile.delete(); datFile.delete();
break; break;
} }
try { try {
ContentUtils.writeToFile(fsc, datFile); ContentUtils.writeToFile(fsc, datFile);
} } catch (IOException e) {
catch (IOException e) {
logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e);
} }
boolean bPascProcSuccess = executePasco(temps, (int)fsc.getId()); boolean bPascProcSuccess = executePasco(temps, (int) fsc.getId());
//At this point pasco2 proccessed the index files. //At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files. //Now fetch the results, parse them and the delete the files.
@ -368,9 +378,9 @@ public class ExtractIE { // implements BrowserActivity {
} catch (Exception ioex) { } catch (Exception ioex) {
logger.log(Level.SEVERE, "Error while trying to write index.dat files.", ioex); logger.log(Level.SEVERE, "Error while trying to write index.dat files.", ioex);
} }
//bookmarks //bookmarks
//cookies //cookies
} }
@ -378,8 +388,9 @@ public class ExtractIE { // implements BrowserActivity {
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath // TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now. // I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private boolean executePasco(String indexFilePath, int fileIndex) { private boolean executePasco(String indexFilePath, int fileIndex) {
if (pascoFound == false) if (pascoFound == false) {
return false; return false;
}
boolean success = true; boolean success = true;
try { try {
@ -391,9 +402,9 @@ public class ExtractIE { // implements BrowserActivity {
command.append(" -T history"); command.append(" -T history");
command.append(" \"").append(indexFilePath).append("\""); command.append(" \"").append(indexFilePath).append("\"");
command.append(" > \"").append(PASCO_RESULTS_PATH).append("\\pasco2Result.").append(Integer.toString(fileIndex)).append(".txt\""); command.append(" > \"").append(PASCO_RESULTS_PATH).append("\\pasco2Result.").append(Integer.toString(fileIndex)).append(".txt\"");
// command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\""); // command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\"");
String cmd = command.toString(); String cmd = command.toString();
JavaSystemCaller.Exec.execute("\"java "+cmd+ "\""); JavaSystemCaller.Exec.execute("\"" + JAVA_PATH + " " + cmd + "\"");
} catch (Exception e) { } catch (Exception e) {
success = false; success = false;
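Review bot: JAVA_PATH is spliced into the shell command string unquoted on the new side, while the index file path and the results path in the same command are wrapped in double quotes; if the located Java binary lives under a directory containing spaces, the executable token splits and pasco2 does not run. Quoting it like the other paths, `JavaSystemCaller.Exec.execute("\"\"" + JAVA_PATH + "\" " + cmd + "\"");`, keeps the existing outer-quote convention, assuming Exec.execute hands the string to a command shell as the TODO comment above the method suggests. That same TODO already notes the underlying issue: passing an argument list with explicit output redirection instead of a concatenated command string would remove the quoting problem entirely, including for case directory paths that contain quote characters. executePasco starts before this hunk.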
@ -404,8 +415,9 @@ public class ExtractIE { // implements BrowserActivity {
} }
public void parsePascoResults() { public void parsePascoResults() {
if (pascoFound == false) if (pascoFound == false) {
return; return;
}
// First thing we want to do is check to make sure the results directory // First thing we want to do is check to make sure the results directory
// is not empty. // is not empty.
File rFile = new File(PASCO_RESULTS_PATH); File rFile = new File(PASCO_RESULTS_PATH);
@ -421,8 +433,8 @@ public class ExtractIE { // implements BrowserActivity {
if (pascoFiles.length > 0) { if (pascoFiles.length > 0) {
try { try {
for (File file : pascoFiles) { for (File file : pascoFiles) {
String fileName = file.getName(); String fileName = file.getName();
long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".")+1, fileName.lastIndexOf("."))); long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".") + 1, fileName.lastIndexOf(".")));
//bbartname = bbartname.substring(0, 4); //bbartname = bbartname.substring(0, 4);
// Make sure the file the is not empty or the Scanner will // Make sure the file the is not empty or the Scanner will
@ -433,7 +445,7 @@ public class ExtractIE { // implements BrowserActivity {
fileScanner.nextLine(); fileScanner.nextLine();
fileScanner.nextLine(); fileScanner.nextLine();
fileScanner.nextLine(); fileScanner.nextLine();
// long inIndexId = 0; // long inIndexId = 0;
while (fileScanner.hasNext()) { while (fileScanner.hasNext()) {
//long bbartId = Long.parseLong(bbartname + inIndexId++); //long bbartId = Long.parseLong(bbartname + inIndexId++);
@ -449,56 +461,58 @@ public class ExtractIE { // implements BrowserActivity {
try { try {
String[] lineBuff = line.split("\\t"); String[] lineBuff = line.split("\\t");
PASCO_RESULTS_LUT = new HashMap<String, Object>(); PASCO_RESULTS_LUT = new HashMap<String, Object>();
String url[] = lineBuff[1].split("@",2); String url[] = lineBuff[1].split("@", 2);
String ddtime = lineBuff[2]; String ddtime = lineBuff[2];
String actime = lineBuff[3]; String actime = lineBuff[3];
Long ftime = (long)0; Long ftime = (long) 0;
String user = ""; String user = "";
String realurl = ""; String realurl = "";
String domain = ""; String domain = "";
if(url.length > 1) if (url.length > 1) {
{ user = url[0];
user = url[0]; user = user.replace("Visited:", "");
user = user.replace("Visited:", ""); user = user.replace(":Host:", "");
user = user.replace(":Host:", ""); user = user.replaceAll("(:)(.*?)(:)", "");
user = user.replaceAll("(:)(.*?)(:)", ""); user = user.trim();
user = user.trim(); realurl = url[1];
realurl = url[1]; realurl = realurl.replace("Visited:", "");
realurl = realurl.replace("Visited:", ""); realurl = realurl.replaceAll(":(.*?):", "");
realurl = realurl.replaceAll(":(.*?):", ""); realurl = realurl.replace(":Host:", "");
realurl = realurl.replace(":Host:", ""); realurl = realurl.trim();
realurl = realurl.trim(); domain = Util.extractDomain(realurl);
domain = Util.extractDomain(realurl);
}
if(!ddtime.isEmpty()){
ddtime = ddtime.replace("T"," ");
ddtime = ddtime.substring(ddtime.length()-5);
}
if(!actime.isEmpty()){
try{
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime();
ftime = epochtime.longValue();
} }
catch(ParseException e){ if (!ddtime.isEmpty()) {
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage()); ddtime = ddtime.replace("T", " ");
ddtime = ddtime.substring(ddtime.length() - 5);
} }
} if (!actime.isEmpty()) {
try {
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime();
ftime = epochtime.longValue();
} catch (ParseException e) {
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
}
}
// TODO: Need to fix this so we have the right obj_id // TODO: Need to fix this so we have the right obj_id
BlackboardArtifact bbart = tempDb.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); try {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); BlackboardArtifact bbart = tempDb.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", realurl)); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", realurl));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "", ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "", ftime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", ""));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(),"RecentActivity","",user)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", user));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
//KeyValueThing //KeyValueThing
//This will be redundant in terms IE.name() because of //This will be redundant in terms IE.name() because of
@ -508,9 +522,9 @@ public class ExtractIE { // implements BrowserActivity {
IE_PASCO_LUT.addMap(IE_OBJ); IE_PASCO_LUT.addMap(IE_OBJ);
PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT); PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT);
} catch (TskException ex) { } catch (Exception ex) {
Exceptions.printStackTrace(ex); logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
} }
} }
@ -524,7 +538,7 @@ public class ExtractIE { // implements BrowserActivity {
} }
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} }
} }


@ -4,22 +4,14 @@
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.io.BufferedReader;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.*;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.text.ParseException;
import java.util.ArrayList; import java.text.SimpleDateFormat;
import java.util.Collection; import java.util.*;
import java.util.Iterator;
import java.util.List;
import java.util.Scanner;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
import org.apache.commons.lang3.StringEscapeUtils;
import org.jdom.Document; import org.jdom.Document;
import org.jdom.Element; import org.jdom.Element;
import org.jdom.input.SAXBuilder; import org.jdom.input.SAXBuilder;
@ -27,15 +19,9 @@ import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils; import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.*;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* *
@ -43,271 +29,232 @@ import org.sleuthkit.datamodel.SleuthkitCase;
*/ */
public class ExtractRegistry { public class ExtractRegistry {
public Logger logger = Logger.getLogger(this.getClass().getName()); public Logger logger = Logger.getLogger(this.getClass().getName());
private String RR_PATH; private String RR_PATH;
boolean rrFound = false; boolean rrFound = false;
private int sysid; private int sysid;
ExtractRegistry(){
ExtractRegistry() {
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false);
if (rrRoot == null) { if (rrRoot == null) {
logger.log(Level.SEVERE, "RegRipper not found"); logger.log(Level.SEVERE, "RegRipper not found");
rrFound = false; rrFound = false;
return; return;
} } else {
else { rrFound = true;
rrFound = true; }
} try {
try{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
while (artset.next()){
sysid = artset.getInt("artifact_type_id");
}
}
catch(Exception e){
}
final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome);
RR_PATH = rrHome + File.separator + "rip.exe";
}
public void getregistryfiles(List<String> image, IngestImageWorkerController controller){
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
for(int i = 0; i < image.size(); i++) {
if(i == 0) while (artset.next()) {
allFS += " AND (0"; sysid = artset.getInt("artifact_type_id");
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
allFS += ")";
} }
List<FsContent> Regfiles; } catch (Exception e) {
ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS); }
Regfiles = tempDb.resultSetToFsContents(rs); final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome);
RR_PATH = rrHome + File.separator + "rip.exe";
}
public void getregistryfiles(List<String> image, IngestImageWorkerController controller) {
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if (i == image.size() - 1) {
allFS += ")";
}
}
List<FsContent> Regfiles = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS);
Regfiles = tempDb.resultSetToFsContents(rs);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
while (j < Regfiles.size()) while (j < Regfiles.size()) {
{
boolean Success; boolean Success;
Content orgFS = Regfiles.get(j); Content orgFS = Regfiles.get(j);
long orgId = orgFS.getId(); long orgId = orgFS.getId();
String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString(); String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString();
ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName())); try {
ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName()));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File regFile = new File(temps); File regFile = new File(temps);
String txtPath = executeRegRip(temps, j);
if(txtPath.length() > 0)
{
Success = parseReg(txtPath,orgId);
}
else
{
Success = false;
}
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
if(Success)
{
//Delete dat file since it was succcessful
regFile.delete();
}
j++;
}
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Registry files", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
String txtPath = executeRegRip(temps, j);
if (txtPath.length() > 0) {
Success = parseReg(txtPath, orgId);
} else {
Success = false;
}
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
if (Success) {
//Delete dat file since it was succcessful
regFile.delete();
}
j++;
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Registry files", ex);
}
}
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath // TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now. // I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private String executeRegRip(String regFilePath, int fileIndex) private String executeRegRip(String regFilePath, int fileIndex) {
{ String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt";
String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt"; String type = "";
String type = "";
try
{
if(regFilePath.toLowerCase().contains("system"))
{
type = "autopsysystem";
}
if(regFilePath.toLowerCase().contains("software"))
{
type = "autopsysoftware";
}
if(regFilePath.toLowerCase().contains("ntuser"))
{
type = "autopsy";
}
if(regFilePath.toLowerCase().contains("default"))
{
type = "1default";
}
if(regFilePath.toLowerCase().contains("sam"))
{
type = "1sam";
}
if(regFilePath.toLowerCase().contains("security"))
{
type = "1security";
}
String command = "\"" + RR_PATH + "\" -r \"" + regFilePath +"\" -f " + type + " > \"" + txtPath + "\" 2> NUL"; try {
JavaSystemCaller.Exec.execute("\""+command + "\"");
} if (regFilePath.toLowerCase().contains("system")) {
catch(Exception e) type = "autopsysystem";
{ }
if (regFilePath.toLowerCase().contains("software")) {
logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> " ,e.getMessage() ); type = "autopsysoftware";
} }
if (regFilePath.toLowerCase().contains("ntuser")) {
type = "autopsy";
}
if (regFilePath.toLowerCase().contains("default")) {
type = "1default";
}
if (regFilePath.toLowerCase().contains("sam")) {
type = "1sam";
}
if (regFilePath.toLowerCase().contains("security")) {
type = "1security";
}
return txtPath; String command = "\"" + RR_PATH + "\" -r \"" + regFilePath + "\" -f " + type + " > \"" + txtPath + "\" 2> NUL";
JavaSystemCaller.Exec.execute("\"" + command + "\"");
} catch (Exception e) {
logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> ", e.getMessage());
}
return txtPath;
} }
private boolean parseReg(String regRecord, long orgId) {
private boolean parseReg(String regRecord, long orgId)
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try { try {
File regfile = new File(regRecord); File regfile = new File(regRecord);
FileInputStream fstream = new FileInputStream(regfile);
FileInputStream fstream = new FileInputStream(regfile); InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8");
InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8"); BufferedReader input = new BufferedReader(fstreamReader);
BufferedReader input = new BufferedReader(fstreamReader); //logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding());
//logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding()); String regString = new Scanner(input).useDelimiter("\\Z").next();
String regString = new Scanner(input).useDelimiter("\\Z").next(); regfile.delete();
regfile.delete(); String startdoc = "<?xml version=\"1.0\"?><document>";
String startdoc = "<?xml version=\"1.0\"?><document>"; String result = regString.replaceAll("----------------------------------------", "");
String result = regString.replaceAll("----------------------------------------",""); result = result.replaceAll("\\n", "");
result = result.replaceAll("\\n", ""); result = result.replaceAll("\\r", "");
result = result.replaceAll("\\r",""); result = result.replaceAll("'", "&apos;");
result = result.replaceAll("'","&apos;"); result = result.replaceAll("&", "&amp;");
result = result.replaceAll("&", "&amp;"); String enddoc = "</document>";
String enddoc = "</document>"; String stringdoc = startdoc + result + enddoc;
String stringdoc = startdoc + result + enddoc; SAXBuilder sb = new SAXBuilder();
SAXBuilder sb = new SAXBuilder(); Document document = sb.build(new StringReader(stringdoc));
Document document = sb.build(new StringReader(stringdoc)); Element root = document.getRootElement();
Element root = document.getRootElement(); List<Element> types = root.getChildren();
List<Element> types = root.getChildren(); Iterator<Element> iterator = types.iterator();
Iterator<Element> iterator = types.iterator();
//for(int i = 0; i < types.size(); i++)
//for(Element tempnode : types)
while (iterator.hasNext()) { while (iterator.hasNext()) {
String time = ""; String etime = "";
String context = ""; String context = "";
Element tempnode = iterator.next(); Element tempnode = iterator.next();
// Element tempnode = types.get(i); // Element tempnode = types.get(i);
context = tempnode.getName(); context = tempnode.getName();
Element timenode = tempnode.getChild("time"); Element timenode = tempnode.getChild("time");
time = timenode.getTextTrim(); etime = timenode.getTextTrim();
Long time = null;
Element artroot = tempnode.getChild("artifacts"); try {
List<Element> artlist = artroot.getChildren(); Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(etime).getTime();
String winver = ""; time = epochtime.longValue();
String installdate = ""; } catch (ParseException e) {
if(artlist.isEmpty()){ logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
}
else{
Iterator<Element> aiterator = artlist.iterator();
while (aiterator.hasNext()) {
Element artnode = aiterator.next();
String name = artnode.getAttributeValue("name");
String value = artnode.getTextTrim();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
if("recentdocs".equals(context)){
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
// bbart.addAttributes(bbattributes);
}
else if("usb".equals(context)){
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
String dev = artnode.getAttributeValue("dev");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
bbart.addAttributes(bbattributes);
}
else if("uninstall".equals(context)){
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
} }
else if("WinVersion".equals(context)){ Element artroot = tempnode.getChild("artifacts");
List<Element> artlist = artroot.getChildren();
if(name.contains("ProductName")) String winver = "";
{ String installdate = "";
winver = value; if (artlist.isEmpty()) {
} } else {
if(name.contains("CSDVersion")){ Iterator<Element> aiterator = artlist.iterator();
winver = winver + " " + value; while (aiterator.hasNext()) {
} Element artnode = aiterator.next();
if(name.contains("InstallDate")) String name = artnode.getAttributeValue("name");
{ String value = artnode.getTextTrim();
installdate = value; Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver)); if ("recentdocs".equals(context)) {
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate)); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
bbart.addAttributes(bbattributes); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
// bbart.addAttributes(bbattributes);
} else if ("usb".equals(context)) {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
String dev = artnode.getAttributeValue("dev");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
bbart.addAttributes(bbattributes);
} else if ("uninstall".equals(context)) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
} else if ("WinVersion".equals(context)) {
if (name.contains("ProductName")) {
winver = value;
}
if (name.contains("CSDVersion")) {
winver = winver + " " + value;
}
if (name.contains("InstallDate")) {
installdate = value;
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
}
} else {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes);
}
} }
} }
else
{
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes);
}
}
} }
} } catch (Exception ex) {
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
String sadafd = "";
}
logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
return true; }
return true;
} }
} }


@ -1,30 +1,49 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import java.sql.*;
import java.util.logging.Level;
import java.util.logging.Logger;
//<editor-fold defaultstate="collapsed" desc="comment">
import java.lang.*;
//</editor-fold>
import java.util.*;
import java.io.File; import java.io.File;
import java.io.IOException; import java.io.IOException;
import java.net.URLDecoder; import java.net.URLDecoder;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.autopsy.ingest.IngestManager; import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.autopsy.ingest.ServiceDataEvent; import org.sleuthkit.autopsy.ingest.ServiceDataEvent;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.*;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* *
* @author Alex * @author Alex
@ -33,282 +52,275 @@ public class Firefox {
private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
private static final String ffcookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed,(creationTime/1000) as creationTime FROM moz_cookies"; private static final String ffcookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed,(creationTime/1000) as creationTime FROM moz_cookies";
private static final String ff3cookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed FROM moz_cookies";
private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id";
private static final String ffdownloadquery = "select target, source,(startTime/1000) as startTime, maxBytes from moz_downloads"; private static final String ffdownloadquery = "select target, source,(startTime/1000) as startTime, maxBytes from moz_downloads";
public Logger logger = Logger.getLogger(this.getClass().getName()); public Logger logger = Logger.getLogger(this.getClass().getName());
public int FireFoxCount = 0; public int FireFoxCount = 0;
public Firefox(){
}
public void getffdb(List<String> image, IngestImageWorkerController controller){ public Firefox() {
//Make these seperate, this is for history }
try
{ public void getffdb(List<String> image, IngestImageWorkerController controller) throws SQLException {
//Make these seperate, this is for history
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
} }
List<FsContent> FFSqlitedb; }
List<FsContent> FFSqlitedb = null;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS); try {
FFSqlitedb = tempDb.resultSetToFsContents(rs); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
Statement s = rs.getStatement(); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close(); Statement s = rs.getStatement();
if (s != null) rs.close();
s.close(); if (s != null) {
s.close();
FireFoxCount = FFSqlitedb.size(); FireFoxCount = FFSqlitedb.size();
}
rs.close(); rs.close();
rs.getStatement().close(); rs.getStatement().close();
int j = 0; } catch (SQLException ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
while (j < FFSqlitedb.size()) }
{ int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try ResultSet temprs = Util.runQuery(ffquery, connectionString);
{ while (temprs.next()) {
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
ResultSet temprs = tempdbconnect.executeQry(ffquery); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
while(temprs.next()) bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : "")));
{ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("visit_date")));
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", ((temprs.getString("ref") != null) ? temprs.getString("ref") : "")));
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getLong("visit_date"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", (Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",((temprs.getString("ref") != null) ? temprs.getString("ref") : ""))); bbart.addAttributes(bbattributes);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); } catch (Exception ex) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",(Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : "")))); }
bbart.addAttributes(bbattributes); }
temprs.close();
}
temprs.close();
tempdbconnect.closeConnection();
try {
} dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC", connectionString);
catch (Exception ex) ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery);
{ while (tempbm.next()) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); try {
} BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
try bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((tempbm.getString("url") != null) ? tempbm.getString("url") : "")));
{ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(tempbm.getString("url"))));
dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC",connectionString); bbart.addAttributes(bbattributes);
ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery); } catch (Exception ex) {
while(tempbm.next()) logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
{ }
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); }
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); tempbm.close();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((tempbm.getString("url") != null) ? tempbm.getString("url") : ""))); tempdbconnect2.closeConnection();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : ""))); } catch (Exception ex) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(tempbm.getString("url")))); }
bbart.addAttributes(bbattributes);
}
tempbm.close();
tempdbconnect2.closeConnection();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
}
} }
catch (SQLException ex) catch (Exception ex) {
{ logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
} }
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//COOKIES section //COOKIES section
// This gets the cookie info // This gets the cookie info
try try {
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
} }
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db")); try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", connectionString);
{ String query;
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); if (checkColumn) {
ResultSet temprs = tempdbconnect.executeQry(ffcookiequery); query = ffcookiequery;
while(temprs.next()) } else {
{ query = ff3cookiequery;
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); }
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host"))); dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("lastAccessed"))); ResultSet temprs = tempdbconnect.executeQry(query);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value"))); while (temprs.next()) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : ""))); try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",temprs.getString("host"))); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbart.addAttributes(bbattributes); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("lastAccessed")));
} if (checkColumn == true) {
tempdbconnect.closeConnection(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", temprs.getLong("creationTime")));
temprs.close(); }
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
} bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
catch (Exception ex) bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
{ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", temprs.getString("host")));
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); bbart.addAttributes(bbattributes);
} } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE)); }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
} }
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
} //Downloads section
catch(IOException ioex) // This gets the downloads info
{ try {
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section
// This gets the downloads info
try
{
Case currentCase = Case.getCurrentCase(); // get the most updated case Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String(); String allFS = new String();
for(int i = 0; i < image.size(); i++) { for (int i = 0; i < image.size(); i++) {
if(i == 0) if (i == 0) {
allFS += " AND (0"; allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'"; allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1) if (i == image.size() - 1) {
allFS += ")"; allFS += ")";
}
} }
List<FsContent> FFSqlitedb; List<FsContent> FFSqlitedb = null;
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS); try {
FFSqlitedb = tempDb.resultSetToFsContents(rs); ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
rs.close(); FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.getStatement().close(); rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0; int j = 0;
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
while (j < FFSqlitedb.size())
{ {
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps; String connectionString = "jdbc:sqlite:" + temps;
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps); File dbFile = new File(temps);
if (controller.isCancelled() ) { if (controller.isCancelled()) {
dbFile.delete(); dbFile.delete();
break; break;
} }
try try {
{ dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery);
ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery); while (temprs.next()) {
while(temprs.next()) try {
{ BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("startTime")));
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("source") != null) ? temprs.getString("source") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getLong("startTime"))); String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("source") != null) ? temprs.getString("source") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(urldecodedtarget)));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget));
String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8"); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(temprs.getString("source"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(urldecodedtarget))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget)); bbart.addAttributes(bbattributes);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(temprs.getString("source")))); } catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); } catch (Exception ex) {
bbart.addAttributes(bbattributes); logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++; j++;
dbFile.delete(); dbFile.delete();
} }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD)); }
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex);
} }
catch (SQLException ex) }
{
logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
} }
//@Override
// public HashMap<String,String> ExtractActivity() {
// return ExtractActivity;
//
// }
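Review bot: In getffdb the temporary copy of each evidence database written by `ContentUtils.writeToFile(...)` is removed only by the `dbFile.delete()` at the bottom of each while loop, so any exception that escapes to the outer `catch (Exception ex)` — including one from the unguarded `Util.runQuery(ffquery, connectionString)` / `temprs.next()` in the history loop — leaves the places.sqlite, cookies.sqlite or downloads.sqlite copy (cookie values included) behind in the case temp directory. Wrapping the per-file body after `File dbFile = new File(temps);` in `try { ... } finally { dbFile.delete(); }` in all three loops would make the cleanup unconditional. The history loop also differs from the cookies and downloads loops in that `temprs.close()` is skipped on error and no `closeConnection()` is called for whatever `Util.runQuery` opened, which presumably keeps the file handle alive; worth confirming Util.runQuery's contract. Separately, the downloads loop builds the temp path with `"\\"` where the other two loops use `File.separator`, which is not portable. The `throws SQLException` added to the signature is never reached, since every section ends in `catch (Exception ex)`.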


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -11,332 +27,372 @@ import java.io.InputStreamReader;
import java.util.ArrayList; import java.util.ArrayList;
/** /**
* Make a system call through a system shell in a platform-independent manner in Java. <br /> * Make a system call through a system shell in a platform-independent manner in
* This class only demonstrate a 'dir' or 'ls' within current (execution) path, if no parameters are used. * Java. <br /> This class only demonstrate a 'dir' or 'ls' within current
* If parameters are used, the first one is the system command to execute, the others are its system command parameters. <br /> * (execution) path, if no parameters are used. If parameters are used, the
* To be system independent, an <b><a href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm"> * first one is the system command to execute, the others are its system command
* Abstract Factory Pattern</a></b> will be used to build the right underlying system shell in which the system command will be executed. * parameters. <br /> To be system independent, an <b><a
* href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm">
* Abstract Factory Pattern</a></b> will be used to build the right underlying
* system shell in which the system command will be executed.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
* @see <a href="http://stackoverflow.com/questions/236737#236873"> * @see <a href="http://stackoverflow.com/questions/236737#236873"> How to make
How to make a system call that returns the stdout output as a string in various languages?</a> * a system call that returns the stdout output as a string in various
* languages?</a>
*/ */
public final class JavaSystemCaller public final class JavaSystemCaller {
{
/**
* Execute a system command. <br />
* Default is 'ls' in current directory if no parameters, or a system command (if Windows, it is automatically translated to 'dir')
* @param args first element is the system command, the others are its parameters (NOT NULL)
* @throws IllegalArgumentException if one parameters is null or empty.
* 'args' can be empty (default 'ls' performed then)
*/
public static void main(final String[] args)
{
String anOutput = "";
if(args.length == 0)
{
anOutput = Exec.execute("ls");
}
else
{
String[] someParameters = null;
anOutput = Exec.execute(args[0],someParameters);
}
System.out.println("Final output: " + anOutput);
}
/**
* Asynchronously read the output of a given input stream. <br />
* Any exception during execution of the command in managed in this thread.
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class StreamGobbler extends Thread
{
private InputStream is;
private String type;
private StringBuffer output = new StringBuffer();
StreamGobbler(final InputStream anIs, final String aType) /**
{ * Execute a system command. <br /> Default is 'ls' in current directory if
this.is = anIs; * no parameters, or a system command (if Windows, it is automatically
this.type = aType; * translated to 'dir')
} *
* @param args first element is the system command, the others are its
* parameters (NOT NULL)
* @throws IllegalArgumentException if one parameters is null or empty.
* 'args' can be empty (default 'ls' performed then)
*/
public static void main(final String[] args) {
String anOutput = "";
if (args.length == 0) {
anOutput = Exec.execute("ls");
} else {
String[] someParameters = null;
anOutput = Exec.execute(args[0], someParameters);
}
System.out.println("Final output: " + anOutput);
}
/** /**
* Asynchronous read of the input stream. <br /> * Asynchronously read the output of a given input stream. <br /> Any
* Will report output as its its displayed. * exception during execution of the command in managed in this thread.
* @see java.lang.Thread#run() *
*/ * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
@Override */
public final void run() public static class StreamGobbler extends Thread {
{
try
{
final InputStreamReader isr = new InputStreamReader(this.is);
final BufferedReader br = new BufferedReader(isr);
String line=null;
while ( (line = br.readLine()) != null)
{
System.out.println(this.type + ">" + line);
this.output.append(line+System.getProperty("line.separator"));
}
} catch (final IOException ioe)
{
ioe.printStackTrace();
}
}
/**
* Get output filled asynchronously. <br />
* Should be called after execution
* @return final output
*/
public final String getOutput()
{
return this.output.toString();
}
}
/**
* Execute a system command in the appropriate shell. <br />
* Read asynchronously stdout and stderr to report any result.
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec
{
/**
* Execute a system command. <br />
* Listen asynchronously to stdout and stderr
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
* @return final output (stdout only)
*/
public static String execute(final String aCommand, final String... someParameters)
{
String output = "";
try
{
ExecEnvironmentFactory anExecEnvFactory = getExecEnvironmentFactory(aCommand, someParameters);
final IShell aShell = anExecEnvFactory.createShell();
final String aCommandLine = anExecEnvFactory.createCommandLine();
final Runtime rt = Runtime.getRuntime(); private InputStream is;
System.out.println("Executing " + aShell.getShellCommand() + " " + aCommandLine); private String type;
private StringBuffer output = new StringBuffer();
final Process proc = rt.exec(aShell.getShellCommand() + " " + aCommandLine); StreamGobbler(final InputStream anIs, final String aType) {
// any error message? this.is = anIs;
final StreamGobbler errorGobbler = new this.type = aType;
StreamGobbler(proc.getErrorStream(), "ERROR"); }
// any output? /**
final StreamGobbler outputGobbler = new * Asynchronous read of the input stream. <br /> Will report output as
StreamGobbler(proc.getInputStream(), "OUTPUT"); * its its displayed.
*
* @see java.lang.Thread#run()
*/
@Override
public final void run() {
try {
final InputStreamReader isr = new InputStreamReader(this.is);
final BufferedReader br = new BufferedReader(isr);
String line = null;
while ((line = br.readLine()) != null) {
System.out.println(this.type + ">" + line);
this.output.append(line + System.getProperty("line.separator"));
}
} catch (final IOException ioe) {
ioe.printStackTrace();
}
}
// kick them off /**
errorGobbler.start(); * Get output filled asynchronously. <br /> Should be called after
outputGobbler.start(); * execution
*
* @return final output
*/
public final String getOutput() {
return this.output.toString();
}
}
// any error??? /**
final int exitVal = proc.waitFor(); * Execute a system command in the appropriate shell. <br /> Read
System.out.println("ExitValue: " + exitVal); * asynchronously stdout and stderr to report any result.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec {
output = outputGobbler.getOutput(); /**
* Execute a system command. <br /> Listen asynchronously to stdout and
* stderr
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
* @return final output (stdout only)
*/
public static String execute(final String aCommand, final String... someParameters) {
String output = "";
try {
ExecEnvironmentFactory anExecEnvFactory = getExecEnvironmentFactory(aCommand, someParameters);
final IShell aShell = anExecEnvFactory.createShell();
final String aCommandLine = anExecEnvFactory.createCommandLine();
} catch (final Throwable t) final Runtime rt = Runtime.getRuntime();
{ System.out.println("Executing " + aShell.getShellCommand() + " " + aCommandLine);
t.printStackTrace();
}
return output;
}
private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters)
{
final String anOSName = System.getProperty("os.name" );
if(anOSName.toLowerCase().startsWith("windows"))
{
return new WindowsExecEnvFactory(aCommand, someParameters);
}
return new UnixExecEnvFactory(aCommand, someParameters);
// TODO be more specific for other OS.
}
private Exec() { /**/ }
}
private JavaSystemCaller() { /**/ }
/*
* ABSTRACT FACTORY PATTERN
*/
/**
* Environment needed to be build for the Exec class to be able to execute the system command. <br />
* Must have the right shell and the right command line. <br />
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public abstract static class ExecEnvironmentFactory
{
private String command = null;
private ArrayList<String> parameters = new ArrayList<String>();
final String getCommand() { return this.command; }
final ArrayList<String> getParameters() { return this.parameters; }
/**
* Builds an execution environment for a system command to be played. <br />
* Independent from the OS.
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
*/
public ExecEnvironmentFactory(final String aCommand, final String... someParameters)
{
if(aCommand == null || aCommand.length() == 0) { throw new IllegalArgumentException("Command must not be empty"); }
this.command = aCommand;
for (int i = 0; i < someParameters.length; i++) {
final String aParameter = someParameters[i];
if(aParameter == null || aParameter.length() == 0) { throw new IllegalArgumentException("Parameter n° '"+i+"' must not be empty"); }
this.parameters.add(aParameter);
}
}
/**
* Builds the right Shell for the current OS. <br />
* Allow for independent platform execution.
* @return right shell, NEVER NULL
*/
public abstract IShell createShell();
/**
* Builds the right command line for the current OS. <br />
* Means that a command might be translated, if it does not fit the right OS ('dir' => 'ls' on unix)
* @return right complete command line, with parameters added (NEVER NULL)
*/
public abstract String createCommandLine();
protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters)
{
final StringBuilder aCommandLine = new StringBuilder();
aCommandLine.append(aCommand);
for (String aParameter : someParameters) {
aCommandLine.append(" ");
aCommandLine.append(aParameter);
}
return aCommandLine.toString();
}
}
/**
* Builds a Execution Environment for Windows. <br />
* Cmd with windows commands
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory
{
/** final Process proc = rt.exec(aShell.getShellCommand() + " " + aCommandLine);
* Builds an execution environment for a Windows system command to be played. <br /> // any error message?
* Any command not from windows will be translated in its windows equivalent if possible. final StreamGobbler errorGobbler = new StreamGobbler(proc.getErrorStream(), "ERROR");
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
*/
public WindowsExecEnvFactory(final String aCommand, final String... someParameters)
{
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new WindowsShell();
}
/** // any output?
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine() final StreamGobbler outputGobbler = new StreamGobbler(proc.getInputStream(), "OUTPUT");
*/
@Override
public String createCommandLine() {
String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("ls")) { aCommand = "dir"; }
// TODO translates other Unix commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* Builds a Execution Environment for Unix. <br />
* Sh with Unix commands
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class UnixExecEnvFactory extends ExecEnvironmentFactory
{
/** // kick them off
* Builds an execution environment for a Unix system command to be played. <br /> errorGobbler.start();
* Any command not from Unix will be translated in its Unix equivalent if possible. outputGobbler.start();
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
*/
public UnixExecEnvFactory(final String aCommand, final String... someParameters)
{
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new UnixShell();
}
/** // any error???
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine() final int exitVal = proc.waitFor();
*/ System.out.println("ExitValue: " + exitVal);
@Override
public String createCommandLine() { output = outputGobbler.getOutput();
String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("dir")) { aCommand = "ls"; } } catch (final Throwable t) {
// TODO translates other Windows commands t.printStackTrace();
return buildCommandLine(aCommand, getParameters()); }
} return output;
} }
/** private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters) {
* System Shell with its right OS command. <br /> final String anOSName = System.getProperty("os.name");
* 'cmd' for Windows or 'sh' for Unix, ... if (anOSName.toLowerCase().startsWith("windows")) {
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> return new WindowsExecEnvFactory(aCommand, someParameters);
*/ }
public interface IShell return new UnixExecEnvFactory(aCommand, someParameters);
{ // TODO be more specific for other OS.
/** }
* Get the right shell command. <br />
* Used to launch a new shell private Exec() { /*
* @return command used to launch a Shell (NEVEL NULL) *
*/ */ }
String getShellCommand(); }
}
/** private JavaSystemCaller() { /*
* Windows shell (cmd). <br /> *
* More accurately 'cmd /C' */ }
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/ /*
public static class WindowsShell implements IShell * ABSTRACT FACTORY PATTERN
{ */
/** /**
* @see test.JavaSystemCaller.IShell#getShellCommand() * Environment needed to be build for the Exec class to be able to execute
*/ * the system command. <br /> Must have the right shell and the right
@Override * command line. <br />
public final String getShellCommand() { *
final String osName = System.getProperty("os.name" ); * @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
if( osName.equals( "Windows 95" ) ) { return "command.com /C"; } */
return "cmd.exe /C"; public abstract static class ExecEnvironmentFactory {
}
} private String command = null;
/** private ArrayList<String> parameters = new ArrayList<String>();
* Unix shell (sh). <br />
* More accurately 'sh -C' final String getCommand() {
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a> return this.command;
*/ }
public static class UnixShell implements IShell
{ final ArrayList<String> getParameters() {
/** return this.parameters;
* @see test.JavaSystemCaller.IShell#getShellCommand() }
*/
@Override /**
public final String getShellCommand() { * Builds an execution environment for a system command to be played.
return "/bin/sh -c"; * <br /> Independent from the OS.
} *
} * @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public ExecEnvironmentFactory(final String aCommand, final String... someParameters) {
if (aCommand == null || aCommand.length() == 0) {
throw new IllegalArgumentException("Command must not be empty");
}
this.command = aCommand;
for (int i = 0; i < someParameters.length; i++) {
final String aParameter = someParameters[i];
if (aParameter == null || aParameter.length() == 0) {
throw new IllegalArgumentException("Parameter n° '" + i + "' must not be empty");
}
this.parameters.add(aParameter);
}
}
/**
* Builds the right Shell for the current OS. <br /> Allow for
* independent platform execution.
*
* @return right shell, NEVER NULL
*/
public abstract IShell createShell();
/**
* Builds the right command line for the current OS. <br /> Means that a
* command might be translated, if it does not fit the right OS ('dir'
* => 'ls' on unix)
*
* @return right complete command line, with parameters added (NEVER
* NULL)
*/
public abstract String createCommandLine();
protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters) {
final StringBuilder aCommandLine = new StringBuilder();
aCommandLine.append(aCommand);
for (String aParameter : someParameters) {
aCommandLine.append(" ");
aCommandLine.append(aParameter);
}
return aCommandLine.toString();
}
}
/**
* Builds a Execution Environment for Windows. <br /> Cmd with windows
* commands
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory {
/**
* Builds an execution environment for a Windows system command to be
* played. <br /> Any command not from windows will be translated in its
* windows equivalent if possible.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public WindowsExecEnvFactory(final String aCommand, final String... someParameters) {
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new WindowsShell();
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine()
*/
@Override
public String createCommandLine() {
String aCommand = getCommand();
if (aCommand.toLowerCase().trim().equals("ls")) {
aCommand = "dir";
}
// TODO translates other Unix commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* Builds a Execution Environment for Unix. <br /> Sh with Unix commands
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class UnixExecEnvFactory extends ExecEnvironmentFactory {
/**
* Builds an execution environment for a Unix system command to be
* played. <br /> Any command not from Unix will be translated in its
* Unix equivalent if possible.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public UnixExecEnvFactory(final String aCommand, final String... someParameters) {
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@Override
public IShell createShell() {
return new UnixShell();
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createCommandLine()
*/
@Override
public String createCommandLine() {
String aCommand = getCommand();
if (aCommand.toLowerCase().trim().equals("dir")) {
aCommand = "ls";
}
// TODO translates other Windows commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* System Shell with its right OS command. <br /> 'cmd' for Windows or 'sh'
* for Unix, ...
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public interface IShell {
/**
* Get the right shell command. <br /> Used to launch a new shell
*
* @return command used to launch a Shell (NEVEL NULL)
*/
String getShellCommand();
}
/**
* Windows shell (cmd). <br /> More accurately 'cmd /C'
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class WindowsShell implements IShell {
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/
@Override
public final String getShellCommand() {
final String osName = System.getProperty("os.name");
if (osName.equals("Windows 95")) {
return "command.com /C";
}
return "cmd.exe /C";
}
}
/**
* Unix shell (sh). <br /> More accurately 'sh -C'
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class UnixShell implements IShell {
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/
@Override
public final String getShellCommand() {
return "/bin/sh -c";
}
}
} }


@ -1,15 +1,17 @@
/* /*
*
* Autopsy Forensic Browser * Autopsy Forensic Browser
* *
* Copyright 2011 Basis Technology Corp. * Copyright 2012 42six Solutions.
* Contact: carrier <at> sleuthkit <dot> org * Contact: aebadirad <at> 42six <dot> com
* * Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
* You may obtain a copy of the License at * You may obtain a copy of the License at
* *
* http://www.apache.org/licenses/LICENSE-2.0 * http://www.apache.org/licenses/LICENSE-2.0
* *
* Unless required by applicable law or agreed to in writing, software * Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, * distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@ -35,8 +37,8 @@ import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.FileSystem; import org.sleuthkit.datamodel.FileSystem;
/** /**
* Recent activity image ingest service * Recent activity image ingest service
* *
*/ */
public final class RAImageIngestService implements IngestServiceImage { public final class RAImageIngestService implements IngestServiceImage {
@ -77,27 +79,20 @@ public final class RAImageIngestService implements IngestServiceImage {
try { try {
//do the work for(FileSystem img : imageFS ) //do the work for(FileSystem img : imageFS )
try{ try {
ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'"); ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
int artcount = 0; int artcount = 0;
while (artset.next()){ while (artset.next()) {
artcount++; artcount++;
} }
// artset.beforeFirst();
if(artcount > 0)
{
} // artset.beforeFirst();
else if (artcount > 0) {
{ } else {
int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information"); int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
} }
} } catch (Exception e) {
catch(Exception e)
{
} }
ext.extractToBlackboard(controller, fsIds); ext.extractToBlackboard(controller, fsIds);
@ -123,7 +118,7 @@ public final class RAImageIngestService implements IngestServiceImage {
public String getName() { public String getName() {
return "Recent Activity"; return "Recent Activity";
} }
@Override @Override
public String getDescription() { public String getDescription() {
return "Extracts recent user activity, such as Internet browsing, recently used documents and installed programs."; return "Extracts recent user activity, such as Internet browsing, recently used documents and installed programs.";
@ -149,12 +144,12 @@ public final class RAImageIngestService implements IngestServiceImage {
public ServiceType getType() { public ServiceType getType() {
return ServiceType.Image; return ServiceType.Image;
} }
@Override @Override
public boolean hasSimpleConfiguration() { public boolean hasSimpleConfiguration() {
return false; return false;
} }
@Override @Override
public boolean hasAdvancedConfiguration() { public boolean hasAdvancedConfiguration() {
return false; return false;
@ -164,23 +159,22 @@ public final class RAImageIngestService implements IngestServiceImage {
public javax.swing.JPanel getSimpleConfiguration() { public javax.swing.JPanel getSimpleConfiguration() {
return null; return null;
} }
@Override @Override
public javax.swing.JPanel getAdvancedConfiguration() { public javax.swing.JPanel getAdvancedConfiguration() {
return null; return null;
} }
@Override @Override
public void saveAdvancedConfiguration() { public void saveAdvancedConfiguration() {
} }
@Override @Override
public void saveSimpleConfiguration() { public void saveSimpleConfiguration() {
} }
@Override @Override
public boolean hasBackgroundJobsRunning() { public boolean hasBackgroundJobsRunning() {
return false; return false;
} }
} }
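Review bot: In the hunk at `@ -77,27 +79,20` the reformatted `catch (Exception e) { }` still swallows every failure of the `TSK_SYS_INFO` lookup/creation silently, so a broken case database or a failed `addArtifactType` leaves no trace and the extraction continues as if the type existed; at minimum the catch should record the exception (via whatever logger this class uses — none is visible in the hunk) before falling through to `ext.extractToBlackboard`. The `ResultSet artset` returned by `runQuery` is also never closed, unlike `Util.imgpathexists` elsewhere in this commit which closes both the ResultSet and its Statement; wrap it as `try { ... } finally { Statement s = artset.getStatement(); artset.close(); if (s != null) s.close(); }` or equivalent. The empty `if (artcount > 0) { } else { ... }` reads more naturally as `if (artcount == 0) { sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information"); }`, dropping the unused `artint`. The enclosing method starts and ends outside this hunk.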


@ -1,8 +1,25 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.io.File; import java.io.File;
import java.io.FileInputStream; import java.io.FileInputStream;
import java.io.IOException; import java.io.IOException;
@ -24,138 +41,133 @@ import java.util.regex.Pattern;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class Util { public class Util {
private static Logger logger = Logger.getLogger(Util.class.getName());
private Util(){
}
public static boolean pathexists(String path){ private static Logger logger = Logger.getLogger(Util.class.getName());
File file=new File(path);
boolean exists = file.exists();
return exists;
}
public static String utcConvert(String utc){ private Util() {
SimpleDateFormat formatter = new SimpleDateFormat("MM-dd-yyyy HH:mm");
String tempconvert = formatter.format(new Date(Long.parseLong(utc)));
return tempconvert;
}
public static String readFile(String path) throws IOException {
FileInputStream stream = new FileInputStream(new File(path));
try {
FileChannel fc = stream.getChannel();
MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size());
/* Instead of using default, pass in a decoder. */
return Charset.defaultCharset().decode(bb).toString();
}
finally {
stream.close();
}
}
public static boolean imgpathexists(String path){
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
Boolean rt = false;
int count = 0;
try {
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%"+ path + "%'");
FFSqlitedb = tempDb.resultSetToFsContents(rs);
count = FFSqlitedb.size();
final Statement s = rs.getStatement();
rs.close();
if (s != null){
s.close();
}
if(count > 0)
{
rt = true;
}
else
{
rt = false;
}
} }
catch (SQLException ex)
{ public static boolean pathexists(String path) {
//logger.log(Level.WARNING, "Error while trying to contact SQLite db.", ex); File file = new File(path);
boolean exists = file.exists();
return exists;
}
public static String utcConvert(String utc) {
SimpleDateFormat formatter = new SimpleDateFormat("MM-dd-yyyy HH:mm");
String tempconvert = formatter.format(new Date(Long.parseLong(utc)));
return tempconvert;
}
public static String readFile(String path) throws IOException {
FileInputStream stream = new FileInputStream(new File(path));
try {
FileChannel fc = stream.getChannel();
MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size());
/*
* Instead of using default, pass in a decoder.
*/
return Charset.defaultCharset().decode(bb).toString();
} finally {
stream.close();
} }
return rt;
} }
public static String extractDomain(String value){ public static boolean imgpathexists(String path) {
if (value == null) throw new java.lang.NullPointerException("domains to extract"); Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
Boolean rt = false;
int count = 0;
try {
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%" + path + "%'");
FFSqlitedb = tempDb.resultSetToFsContents(rs);
count = FFSqlitedb.size();
final Statement s = rs.getStatement();
rs.close();
if (s != null) {
s.close();
}
if (count > 0) {
rt = true;
} else {
rt = false;
}
} catch (SQLException ex) {
//logger.log(Level.WARNING, "Error while trying to contact SQLite db.", ex);
}
return rt;
}
public static String extractDomain(String value) {
if (value == null) {
throw new java.lang.NullPointerException("domains to extract");
}
String result = ""; String result = "";
// String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))"; // String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))";
// Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE); // Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE);
// Matcher m = p.matcher(value); // Matcher m = p.matcher(value);
// while (m.find()) { // while (m.find()) {
// result = value.substring(m.start(0),m.end(0)); // result = value.substring(m.start(0),m.end(0));
// } // }
try{ try {
URL url = new URL(value); URL url = new URL(value);
result = url.getHost(); result = url.getHost();
} catch (Exception e) {
} }
catch(Exception e){
return result;
}
public static String getFileName(String value) {
String filename = "";
String filematch = "^([a-zA-Z]\\:)(\\\\[^\\\\/:*?<>\"|]*(?<!\\[ \\]))*(\\.[a-zA-Z]{2,6})$";
Pattern p = Pattern.compile(filematch, Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS);
Matcher m = p.matcher(value);
if (m.find()) {
filename = m.group(1);
} }
int lastPos = value.lastIndexOf('\\');
return result; filename = (lastPos < 0) ? value : value.substring(lastPos + 1);
return filename.toString();
} }
public static String getFileName(String value){ public static String getPath(String txt) {
String filename = ""; String path = "";
String filematch = "^([a-zA-Z]\\:)(\\\\[^\\\\/:*?<>\"|]*(?<!\\[ \\]))*(\\.[a-zA-Z]{2,6})$";
Pattern p = Pattern.compile(filematch,Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS); //String drive ="([a-z]:\\\\(?:[-\\w\\.\\d]+\\\\)*(?:[-\\w\\.\\d]+)?)"; // Windows drive
Matcher m = p.matcher(value); String drive = "([a-z]:\\\\\\S.+)";
if (m.find()) Pattern p = Pattern.compile(drive, Pattern.CASE_INSENSITIVE | Pattern.COMMENTS);
{ Matcher m = p.matcher(txt);
filename = m.group(1); if (m.find()) {
path = m.group(1);
}
int lastPos = value.lastIndexOf('\\');
filename = (lastPos < 0) ? value : value.substring(lastPos + 1);
return filename.toString();
}
public static String getPath(String txt){ } else {
String path = "";
//String drive ="([a-z]:\\\\(?:[-\\w\\.\\d]+\\\\)*(?:[-\\w\\.\\d]+)?)"; // Windows drive String network = "(\\\\(?:\\\\[^:\\s?*\"<>|]+)+)"; // Windows network
String drive = "([a-z]:\\\\\\S.+)";
Pattern p = Pattern.compile(drive,Pattern.CASE_INSENSITIVE | Pattern.COMMENTS);
Matcher m = p.matcher(txt);
if (m.find())
{
path = m.group(1);
}else{
String network ="(\\\\(?:\\\\[^:\\s?*\"<>|]+)+)"; // Windows network
Pattern p2 = Pattern.compile(network,Pattern.CASE_INSENSITIVE | Pattern.DOTALL); Pattern p2 = Pattern.compile(network, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m2 = p2.matcher(txt); Matcher m2 = p2.matcher(txt);
if (m2.find()) if (m2.find()) {
{ path = m2.group(1);
path = m2.group(1); }
} }
} return path;
return path;
} }
public static long findID(String path) { public static long findID(String path) {
String parent_path = path.replace('\\', '/'); // fix Chrome paths String parent_path = path.replace('\\', '/'); // fix Chrome paths
if(parent_path.length() > 2 && parent_path.charAt(1) == ':') if (parent_path.length() > 2 && parent_path.charAt(1) == ':') {
parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:') parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:')
}
int index = parent_path.lastIndexOf('/'); int index = parent_path.lastIndexOf('/');
String name = parent_path.substring(++index); String name = parent_path.substring(++index);
parent_path = parent_path.substring(0, index); parent_path = parent_path.substring(0, index);
@ -167,14 +179,45 @@ public static long findID(String path) {
List<FsContent> results = tempDb.resultSetToFsContents(rs); List<FsContent> results = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement(); Statement s = rs.getStatement();
rs.close(); rs.close();
if (s != null) if (s != null) {
s.close(); s.close();
if(results.size() > 0) { }
if (results.size() > 0) {
return results.get(0).getId(); return results.get(0).getId();
} }
} catch (Exception ex) { } catch (Exception ex) {
// logger.log(Level.WARNING, "Error retrieving content from DB", ex); // logger.log(Level.WARNING, "Error retrieving content from DB", ex);
} }
return -1; return -1;
} }
public static boolean checkColumn(String column, String tablename, String connection) {
String query = "PRAGMA table_info(" + tablename + ")";
boolean found = false;
ResultSet temprs;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
temprs = tempdbconnect.executeQry(query);
while (temprs.next()) {
if (temprs.getString("name") == null ? column == null : temprs.getString("name").equals(column)) {
found = true;
}
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return found;
}
public static ResultSet runQuery(String query, String connection) {
ResultSet results = null;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
results = tempdbconnect.executeQry(query);
tempdbconnect.closeConnection();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return results;
}
} }


@ -1,25 +1,40 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
import java.sql.*; import java.sql.*;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class dbconnect extends sqlitedbconnect{ public class dbconnect extends sqlitedbconnect {
private String sDriverForclass = "org.sqlite.JDBC"; private String sDriverForclass = "org.sqlite.JDBC";
public dbconnect(String sDriverForClass, String sUrlKey) throws Exception
{ public dbconnect(String sDriverForClass, String sUrlKey) throws Exception {
init(sDriverForClass, sUrlKey); init(sDriverForClass, sUrlKey);
//Statement stmt = conn.createStatement(); //Statement stmt = conn.createStatement();
//String selecthistory = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,rev_host FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; //String selecthistory = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,rev_host FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
// ResultSet rs = stmt.executeQuery(selecthistory); // ResultSet rs = stmt.executeQuery(selecthistory);
}
} }
}


@ -1,11 +1,11 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE filesystem PUBLIC "-//NetBeans//DTD Filesystem 1.2//EN" "http://www.netbeans.org/dtds/filesystem-1_2.dtd"> <!DOCTYPE filesystem PUBLIC "-//NetBeans//DTD Filesystem 1.2//EN" "http://www.netbeans.org/dtds/filesystem-1_2.dtd">
<filesystem> <filesystem>
<folder name="Services"> <folder name="Services">
<file name="org-sleuthkit-autopsy-recentactivity-RAImageIngestService.instance"> <file name="org-sleuthkit-autopsy-recentactivity-RAImageIngestService.instance">
<attr name="instanceOf" stringvalue="org.sleuthkit.autopsy.ingest.IngestServiceImage"/> <attr name="instanceOf" stringvalue="org.sleuthkit.autopsy.ingest.IngestServiceImage"/>
<attr name="instanceCreate" methodvalue="org.sleuthkit.autopsy.recentactivity.RAImageIngestService.getDefault"/> <attr name="instanceCreate" methodvalue="org.sleuthkit.autopsy.recentactivity.RAImageIngestService.getDefault"/>
<attr name="position" intvalue="100"/> <attr name="position" intvalue="100"/>
</file> </file>
</folder> </folder>
</filesystem> </filesystem>


@ -1,5 +1,22 @@
/* /*
* General C&P class that we need to figure out a better way to integrate, replace after demo *
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.recentactivity; package org.sleuthkit.autopsy.recentactivity;
@ -7,96 +24,99 @@ package org.sleuthkit.autopsy.recentactivity;
* *
* @author Alex * @author Alex
*/ */
import java.sql.Connection; import java.sql.Connection;
import java.sql.DriverManager; import java.sql.DriverManager;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.sql.SQLException; import java.sql.SQLException;
import java.sql.Statement; import java.sql.Statement;
/**
/** Database connection class & utilities **/ * Database connection class & utilities *
*/
abstract class sqlitedbconnect { abstract class sqlitedbconnect {
public String sDriver = ""; public String sDriver = "";
public String sUrl = null; public String sUrl = null;
public int iTimeout = 30; public int iTimeout = 30;
public Connection conn = null; public Connection conn = null;
public Statement statement = null; public Statement statement = null;
/*
/* Stub constructor for quick instantiation o/t fly for using some of the ancillary stuff */ * Stub constructor for quick instantiation o/t fly for using some of the
* ancillary stuff
public sqlitedbconnect() */
{} public sqlitedbconnect() {
}
/* quick and dirty constructor to test the database passing the DriverManager name and the fully loaded url to handle */
/* NB this will typically be available if you make this class concrete and not abstract */ /*
public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception * quick and dirty constructor to test the database passing the
{ * DriverManager name and the fully loaded url to handle
init(sDriverToLoad, sUrlToLoad); */
} /*
* NB this will typically be available if you make this class concrete and
public void init(String sDriverVar, String sUrlVar) throws Exception * not abstract
{ */
setDriver(sDriverVar); public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception {
setUrl(sUrlVar); init(sDriverToLoad, sUrlToLoad);
setConnection(); }
setStatement();
} public void init(String sDriverVar, String sUrlVar) throws Exception {
setDriver(sDriverVar);
private void setDriver(String sDriverVar) setUrl(sUrlVar);
{ setConnection();
sDriver = sDriverVar; setStatement();
} }
private void setUrl(String sUrlVar) private void setDriver(String sDriverVar) {
{ sDriver = sDriverVar;
sUrl = sUrlVar; }
}
private void setUrl(String sUrlVar) {
public void setConnection() throws Exception { sUrl = sUrlVar;
Class.forName(sDriver); }
conn = DriverManager.getConnection(sUrl);
} public void setConnection() throws Exception {
Class.forName(sDriver);
conn = DriverManager.getConnection(sUrl);
public Connection getConnection() { }
return conn;
} public Connection getConnection() {
return conn;
public void setStatement() throws Exception { }
if (conn == null) {
setConnection(); public void setStatement() throws Exception {
} if (conn == null) {
statement = conn.createStatement(); setConnection();
statement.setQueryTimeout(iTimeout); // set timeout to 30 sec. }
} statement = conn.createStatement();
statement.setQueryTimeout(iTimeout); // set timeout to 30 sec.
public Statement getStatement() { }
return statement;
} public Statement getStatement() {
return statement;
public void executeStmt(String instruction) throws SQLException { }
statement.executeUpdate(instruction);
} public void executeStmt(String instruction) throws SQLException {
statement.executeUpdate(instruction);
}
// processes an array of instructions e.g. a set of SQL command strings passed from a file // processes an array of instructions e.g. a set of SQL command strings passed from a file
//NB you should ensure you either handle empty lines in files by either removing them or parsing them out //NB you should ensure you either handle empty lines in files by either removing them or parsing them out
// since they will generate spurious SQLExceptions when they are encountered during the iteration.... // since they will generate spurious SQLExceptions when they are encountered during the iteration....
public void executeStmt(String[] instructionSet) throws SQLException { public void executeStmt(String[] instructionSet) throws SQLException {
for (int i = 0; i < instructionSet.length; i++) { for (int i = 0; i < instructionSet.length; i++) {
executeStmt(instructionSet[i]); executeStmt(instructionSet[i]);
} }
} }
public ResultSet executeQry(String instruction) throws SQLException { public ResultSet executeQry(String instruction) throws SQLException {
return statement.executeQuery(instruction); return statement.executeQuery(instruction);
} }
public void closeConnection() { public void closeConnection() {
try { conn.close(); } catch (Exception ignore) {} try {
} conn.close();
} catch (Exception ignore) {
}
}
} }


@ -1,12 +1,29 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.sql.ResultSet; import java.sql.ResultSet;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
@ -18,278 +35,242 @@ import org.sleuthkit.datamodel.SleuthkitCase;
* *
* @author Alex * @author Alex
*/ */
public class report implements reportInterface { public class report {
private void report(){
} private void report() {
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getGenInfo() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(1);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} }
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getGenInfo() {
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebHistory() { HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>(); Case currentCase = Case.getCurrentCase(); // get the most updated case
Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase();
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); try {
try ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO);
{ for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(4);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e) Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
{ }
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebCookie() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(3);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebBookmark() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(2);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override return reportMap;
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebDownload() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(5);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} }
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebHistory() {
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getRecentObject() { HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>(); Case currentCase = Case.getCurrentCase(); // get the most updated case
Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase();
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); try {
try ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY);
{ for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(6);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e) Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
{ }
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override return reportMap;
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getKeywordHit() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(9);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} }
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getHashHit() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(10);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getInstalledProg() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(8);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebCookie() {
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getDevices() { HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>(); Case currentCase = Case.getCurrentCase(); // get the most updated case
Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase();
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); try {
try ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE);
{ for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(11);
for (BlackboardArtifact artifact : bbart)
{
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes(); ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes); reportMap.put(artifact, attributes);
} }
} } catch (Exception e) {
catch (Exception e) Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
{ }
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override return reportMap;
public String getGroupedKeywordHit() { }
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>(); public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebBookmark() {
Case currentCase = Case.getCurrentCase(); // get the most updated case HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
SleuthkitCase tempDb = currentCase.getSleuthkitCase(); Case currentCase = Case.getCurrentCase(); // get the most updated case
try SleuthkitCase tempDb = currentCase.getSleuthkitCase();
{ try {
ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC"); ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
while(uniqueresults.next()) for (BlackboardArtifact artifact : bbart) {
{ ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>"); reportMap.put(artifact, attributes);
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>();
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") +"'");
while(tempresults.next())
{
artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id")));
} }
for(BlackboardArtifact art : artlist) } catch (Exception e) {
{ Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
String filename = tempDb.getFsContentById(art.getObjectID()).getName(); }
String preview = "";
String set = ""; return reportMap;
table.append("<tr><td>").append(filename).append("</td>"); }
ArrayList<BlackboardAttribute> tempatts = art.getAttributes();
for(BlackboardAttribute att : tempatts) public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebDownload() {
{ HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
if(att.getAttributeTypeID() == 12) Case currentCase = Case.getCurrentCase(); // get the most updated case
{ SleuthkitCase tempDb = currentCase.getSleuthkitCase();
preview = "<td>" + att.getValueString() + "</td>"; try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getRecentObject() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getKeywordHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getHashHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getInstalledProg() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getDevices() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
public String getGroupedKeywordHit() {
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC");
while (uniqueresults.next()) {
table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>();
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") + "'");
while (tempresults.next()) {
artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id")));
}
for (BlackboardArtifact art : artlist) {
String filename = tempDb.getFsContentById(art.getObjectID()).getName();
String preview = "";
String set = "";
table.append("<tr><td>").append(filename).append("</td>");
ArrayList<BlackboardAttribute> tempatts = art.getAttributes();
for (BlackboardAttribute att : tempatts) {
if (att.getAttributeTypeID() == 12) {
preview = "<td>" + att.getValueString() + "</td>";
}
if (att.getAttributeTypeID() == 13) {
set = "<td>" + att.getValueString() + "</td>";
}
} }
if(att.getAttributeTypeID() == 13) table.append(preview).append(set).append("</tr>");
{ }
set = "<td>" + att.getValueString() + "</td>";
table.append("</tbody></table><br /><br />");
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
String result = table.toString();
return result;
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getAllTypes(ReportConfiguration config) {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
for (Map.Entry<BlackboardArtifact.ARTIFACT_TYPE, Boolean> entry : config.config.entrySet()) {
if (entry.getValue()) {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(entry.getKey());
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
} }
} }
table.append(preview).append(set).append("</tr>");
} }
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e);
table.append("</tbody></table><br /><br />");
} }
}
catch (Exception e)
{
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
String result = table.toString();
return result;
}
return reportMap;
}
} }
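Review bot: The new `getAllTypes` method logs its catch-all at `Level.INFO` while every sibling getter in this class logs the identical "Exception occurred" at `Level.WARNING`, so a failure on the configurable report path is the only one that does not surface as a warning; the line should read `Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);`. The commit replaces the numeric artifact type ids with `BlackboardArtifact.ARTIFACT_TYPE` constants in the other getters, but `getGroupedKeywordHit` still hard-codes attribute ids `'10'`, `12` and `13`, and its second query is built by concatenating `value_text` read back from the case database, so a keyword value containing a single quote breaks the query (and any value is spliced into SQL unescaped). Using the `ATTRIBUTE_TYPE` enum on `BlackboardAttribute` for the ids and a parameterised query where the `SleuthkitCase` API allows one, or at minimum escaping the embedded quote, would bring that method in line with the rest of the class. `getAllTypes` also reads `config.config` directly rather than through an accessor, which ties this class to the internal map type of `ReportConfiguration`.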


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -12,22 +28,22 @@ import java.awt.event.ActionListener;
import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener; import java.beans.PropertyChangeListener;
import java.io.File; import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
import javax.swing.JButton; import javax.swing.JButton;
import javax.swing.JDialog; import javax.swing.JDialog;
import javax.swing.JFrame; import javax.swing.JFrame;
import org.openide.awt.ActionRegistration; import org.openide.awt.ActionID;
import org.openide.awt.ActionReference; import org.openide.awt.ActionReference;
import org.openide.awt.ActionReferences; import org.openide.awt.ActionReferences;
import org.openide.awt.ActionID; import org.openide.awt.ActionRegistration;
import org.openide.util.HelpCtx; import org.openide.util.HelpCtx;
import org.openide.util.NbBundle.Messages; import org.openide.util.NbBundle.Messages;
import org.openide.util.actions.CallableSystemAction; import org.openide.util.actions.CallableSystemAction;
import org.openide.util.actions.Presenter; import org.openide.util.actions.Presenter;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Log; import org.sleuthkit.autopsy.coreutils.Log;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
@ActionID(category = "Tools", @ActionID(category = "Tools",
id = "org.sleuthkit.autopsy.report.reportAction") id = "org.sleuthkit.autopsy.report.reportAction")
@ -36,53 +52,50 @@ id = "org.sleuthkit.autopsy.report.reportAction")
@ActionReference(path = "Menu/Tools", position = 80) @ActionReference(path = "Menu/Tools", position = 80)
}) })
@Messages("CTL_reportAction=Run Report") @Messages("CTL_reportAction=Run Report")
public final class reportAction extends CallableSystemAction implements Presenter.Toolbar{ public final class reportAction extends CallableSystemAction implements Presenter.Toolbar {
private JButton toolbarButton = new JButton(); private JButton toolbarButton = new JButton();
private static final String ACTION_NAME = "Generate Report"; private static final String ACTION_NAME = "Generate Report";
Logger logger = Logger.getLogger(reportAction.class.getName()); static final Logger logger = Logger.getLogger(reportAction.class.getName());
public reportAction() { public reportAction() {
setEnabled(false); setEnabled(false);
Case.addPropertyChangeListener(new PropertyChangeListener() { Case.addPropertyChangeListener(new PropertyChangeListener() {
@Override @Override
public void propertyChange(PropertyChangeEvent evt) { public void propertyChange(PropertyChangeEvent evt) {
if(evt.getPropertyName().equals(Case.CASE_CURRENT_CASE)){ if (evt.getPropertyName().equals(Case.CASE_CURRENT_CASE)) {
setEnabled(evt.getNewValue() != null); setEnabled(evt.getNewValue() != null);
} }
} }
}); });
//attempt to create a report folder if a case is active //attempt to create a report folder if a case is active
Case.addPropertyChangeListener(new PropertyChangeListener () { Case.addPropertyChangeListener(new PropertyChangeListener() {
@Override @Override
public void propertyChange(PropertyChangeEvent evt) { public void propertyChange(PropertyChangeEvent evt) {
String changed = evt.getPropertyName(); String changed = evt.getPropertyName();
//case has been changed //case has been changed
if (changed.equals(Case.CASE_CURRENT_CASE)) { if (changed.equals(Case.CASE_CURRENT_CASE)) {
Case newCase = (Case)evt.getNewValue(); Case newCase = (Case) evt.getNewValue();
if (newCase != null) { if (newCase != null) {
boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists(); boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists();
if (exists) { if (exists) {
// report directory exists -- don't need to do anything // report directory exists -- don't need to do anything
} else {
} else { // report directory does not exist -- create it
// report directory does not exist -- create it boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs();
boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs(); if (!reportCreate) {
if(!reportCreate){ logger.log(Level.WARNING, "Could not create Reports directory for case. It does not exist.");
logger.log(Level.WARNING, "Could not create Reports directory for case. It does not exist."); }
} }
} }
} }
} }
} });
});
// set action of the toolbar button // set action of the toolbar button
toolbarButton.addActionListener(new ActionListener() { toolbarButton.addActionListener(new ActionListener() {
@ -93,24 +106,25 @@ public final class reportAction extends CallableSystemAction implements Presente
}); });
} }
@Override @Override
public void actionPerformed(ActionEvent e) { public void actionPerformed(ActionEvent e) {
try { try {
// create the popUp window for it // create the popUp window for it
final JFrame frame = new JFrame(ACTION_NAME); final JFrame frame = new JFrame(ACTION_NAME);
final JDialog popUpWindow = new JDialog(frame, ACTION_NAME, true); // to make the popUp Window to be modal final JDialog popUpWindow = new JDialog(frame, ACTION_NAME, true); // to make the popUp Window to be modal
// initialize panel with loaded settings // initialize panel with loaded settings
final reportFilter panel = new reportFilter(); final reportFilter panel = new reportFilter();
panel.setjButton2ActionListener(new ActionListener() { panel.setjButton2ActionListener(new ActionListener() {
@Override
public void actionPerformed(ActionEvent e) { @Override
popUpWindow.dispose(); public void actionPerformed(ActionEvent e) {
} popUpWindow.dispose();
}); }
});
// add the panel to the popup window // add the panel to the popup window
popUpWindow.add(panel); popUpWindow.add(panel);
popUpWindow.pack(); popUpWindow.pack();
@ -125,16 +139,15 @@ public final class reportAction extends CallableSystemAction implements Presente
// display the window // display the window
popUpWindow.setVisible(true); popUpWindow.setVisible(true);
// add the command to close the window to the button on the Case Properties form / panel // add the command to close the window to the button on the Case Properties form / panel
} catch (Exception ex) { } catch (Exception ex) {
Log.get(reportFilterAction.class).log(Level.WARNING, "Error displaying " + ACTION_NAME + " window.", ex); Log.get(reportFilterAction.class).log(Level.WARNING, "Error displaying " + ACTION_NAME + " window.", ex);
} }
} }
@Override @Override
public void performAction() { public void performAction() {
} }
@Override @Override
@ -146,11 +159,11 @@ public final class reportAction extends CallableSystemAction implements Presente
public HelpCtx getHelpCtx() { public HelpCtx getHelpCtx() {
return HelpCtx.DEFAULT_HELP; return HelpCtx.DEFAULT_HELP;
} }
/** /**
* Returns the toolbar component of this action * Returns the toolbar component of this action
* *
* @return component the toolbar button * @return component the toolbar button
*/ */
@Override @Override
public Component getToolbarPresenter() { public Component getToolbarPresenter() {
@ -163,10 +176,10 @@ public final class reportAction extends CallableSystemAction implements Presente
/** /**
* Set this action to be enabled/disabled * Set this action to be enabled/disabled
* *
* @param value whether to enable this action or not * @param value whether to enable this action or not
*/ */
@Override @Override
public void setEnabled(boolean value){ public void setEnabled(boolean value) {
super.setEnabled(value); super.setEnabled(value);
toolbarButton.setEnabled(value); toolbarButton.setEnabled(value);
} }
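Review bot: The Reports path in the second Case property-change listener is built with a hard-coded `"\\Reports"` suffix, so on a non-Windows host `mkdirs()` creates a sibling directory literally named `<caseDir>\Reports` rather than a `Reports` subdirectory; `new File(newCase.getCaseDirectory(), "Reports")` is platform-neutral and also removes the duplicated concatenation used for the `exists()` check. The warning on the failed `mkdirs()` branch says the directory "does not exist", which is the precondition rather than the failure; something like `"Could not create Reports directory " + reportsDir + " for case."` tells the operator what actually went wrong. The `catch (Exception ex)` in `actionPerformed` still logs through `Log.get(reportFilterAction.class)` although this class now has its own static `logger`, so the log record is attributed to the wrong class.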


@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo"> <Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents> <NonVisualComponents>
@ -39,29 +39,24 @@
<Group type="102" attributes="0"> <Group type="102" attributes="0">
<EmptySpace max="-2" attributes="0"/> <EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0"> <Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox3" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox2" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox1" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox5" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox4" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
</Group>
<EmptySpace min="-2" pref="69" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0"> <Group type="102" alignment="0" attributes="0">
<Component id="jButton1" min="-2" max="-2" attributes="0"/> <Component id="jButton1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/> <EmptySpace max="32767" attributes="0"/>
<Component id="cancelButton" min="-2" max="-2" attributes="0"/> <Component id="cancelButton" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="156" max="-2" attributes="0"/> <EmptySpace min="-2" pref="156" max="-2" attributes="0"/>
</Group> </Group>
<Component id="jCheckBox3" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox2" alignment="0" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox1" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jCheckBox5" min="-2" max="-2" attributes="0"/>
<Component id="jCheckBox4" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
<Component id="progBar" alignment="0" min="-2" pref="231" max="-2" attributes="0"/> <Component id="progBar" alignment="0" min="-2" pref="231" max="-2" attributes="0"/>
</Group> </Group>
<EmptySpace max="-2" attributes="0"/> <EmptySpace max="-2" attributes="0"/>


@ -1,43 +1,63 @@
/* /*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportFilter.java
* *
* Created on Feb 22, 2012, 11:12:12 AM * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener; import java.awt.event.ActionListener;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.SwingUtilities; import javax.swing.SwingUtilities;
import javax.swing.SwingWorker; import javax.swing.SwingWorker;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class reportFilter extends javax.swing.JPanel { public class reportFilter extends javax.swing.JPanel {
public static ArrayList<Integer> filters = new ArrayList<Integer>();
public final reportFilter panel = this; public static ArrayList<Integer> filters = new ArrayList<Integer>();
reportPanelAction rpa = new reportPanelAction(); public static ReportConfiguration config = new ReportConfiguration();
public static boolean cancel = false; private final Logger logger = Logger.getLogger(this.getClass().getName());
Case currentCase = Case.getCurrentCase(); // get the most updated case public final reportFilter panel = this;
SleuthkitCase skCase = currentCase.getSleuthkitCase(); reportPanelAction rpa = new reportPanelAction();
/** Creates new form reportFilter */ public static boolean cancel = false;
public reportFilter() { Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
/**
* Creates new form reportFilter
*/
public reportFilter() {
initComponents(); initComponents();
cancel = false; cancel = false;
} }
/** This method is called from within the constructor to /**
* initialize the form. * This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is * WARNING: Do NOT modify this code. The content of this method is always
* always regenerated by the Form Editor. * regenerated by the Form Editor.
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents // <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -162,65 +182,94 @@ public class reportFilter extends javax.swing.JPanel {
}// </editor-fold>//GEN-END:initComponents }// </editor-fold>//GEN-END:initComponents
private void jCheckBox1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jCheckBox1ActionPerformed private void jCheckBox1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jCheckBox1ActionPerformed
}//GEN-LAST:event_jCheckBox1ActionPerformed }//GEN-LAST:event_jCheckBox1ActionPerformed
public void getfilters(java.awt.event.ActionEvent evt) public void getfilters(java.awt.event.ActionEvent evt) {
{ jButton1ActionPerformed(evt);
jButton1ActionPerformed(evt); }
}
private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButton1ActionPerformed private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButton1ActionPerformed
jButton1.setEnabled(false); jButton1.setEnabled(false);
progBar.setEnabled(true); progBar.setEnabled(true);
cancelButton.setEnabled(true); cancelButton.setEnabled(true);
progBar.setStringPainted(true); progBar.setStringPainted(true);
progBar.setValue(0); progBar.setValue(0);
filters.clear(); filters.clear();
if(jCheckBox1.isSelected()) if (jCheckBox1.isSelected()) {
{ try {
filters.add(2); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, true);
filters.add(3); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, true);
filters.add(4); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, true);
filters.add(5); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, true);
filters.add(2);
filters.add(3);
filters.add(4);
filters.add(5);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
} }
if(jCheckBox2.isSelected()) if (jCheckBox2.isSelected()) {
{ try {
filters.add(1); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO, true);
filters.add(1);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
} }
if(jCheckBox3.isSelected()) if (jCheckBox3.isSelected()) {
{ try {
filters.add(9); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT, true);
filters.add(9);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
} }
if(jCheckBox4.isSelected()) if (jCheckBox4.isSelected()) {
{ try {
filters.add(10); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT, true);
filters.add(10);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
} }
if(jCheckBox5.isSelected()) if (jCheckBox5.isSelected()) {
{ try {
filters.add(6); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT, true);
filters.add(8); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG, true);
filters.add(11); config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, true);
filters.add(6);
filters.add(8);
filters.add(11);
} catch (ReportModuleException ex) {
}
} }
getReports(); getReports();
}//GEN-LAST:event_jButton1ActionPerformed }//GEN-LAST:event_jButton1ActionPerformed
public void getReports() { public void getReports() {
new SwingWorker<Void, Void>() { new SwingWorker<Void, Void>() {
protected Void doInBackground() throws Exception {
rpa.reportGenerate(filters, panel); @Override
return null; protected Void doInBackground() throws Exception {
}; rpa.reportGenerate(config, panel);
return null;
}
;
// this is called when the SwingWorker's doInBackground finishes // this is called when the SwingWorker's doInBackground finishes
protected void done() { @Override
progBar.setVisible(false); // hide my progress bar JFrame protected void done() {
}; progBar.setVisible(false); // hide my progress bar JFrame
}.execute(); }
;
}.execute();
progBar.setVisible(true); progBar.setVisible(true);
} }
private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_cancelButtonActionPerformed private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_cancelButtonActionPerformed
cancelButton.setText("Cancelled!"); cancelButton.setText("Cancelled!");
@ -228,67 +277,69 @@ private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-
}//GEN-LAST:event_cancelButtonActionPerformed }//GEN-LAST:event_cancelButtonActionPerformed
private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {//GEN-FIRST:event_jButton1MouseReleased private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {//GEN-FIRST:event_jButton1MouseReleased
}//GEN-LAST:event_jButton1MouseReleased }//GEN-LAST:event_jButton1MouseReleased
public void progBarSet(int cc) public void progBarSet(int cc) {
{ final int count = cc;
final int count = cc; SwingUtilities.invokeLater(new Runnable() {
SwingUtilities.invokeLater(new Runnable() {
public void run() {
int start = progBar.getValue();
int end = start + count;
progBar.setValue(end);
progBar.setString(null);
progBar.setString(progBar.getString());
progBar.setStringPainted(true);
if(progBar.getPercentComplete() == 1.0){
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.setIndeterminate(true);
}
}});
}
public void progBarDone(){ @Override
int max = progBar.getMaximum(); public void run() {
progBar.setValue(max); int start = progBar.getValue();
jButton2.doClick(); int end = start + count;
} progBar.setValue(end);
public void progBarStartText(){ progBar.setString(null);
progBar.setIndeterminate(true); progBar.setString(progBar.getString());
progBar.setString("Querying Database for Report Results..."); progBar.setStringPainted(true);
} if (progBar.getPercentComplete() == 1.0) {
public void progBarText(){ progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.setString("Populating Report - Please wait..."); progBar.setIndeterminate(true);
progBar.setStringPainted(true); }
progBar.repaint(); }
progBar.setIndeterminate(true); });
}
public void progBarCount(int count){
progBar.setIndeterminate(false);
progBar.setString(null);
progBar.setMinimum(0);
progBar.setMaximum(count);
progBar.setValue(0);
//Double bper = progBar.getPercentComplete();
progBar.setString(progBar.getString());
}
public void setjButton1ActionListener(ActionListener e){
jButton1.addActionListener(e);
} }
public void setjButton2ActionListener(ActionListener e){ public void progBarDone() {
jButton2.addActionListener(e); int max = progBar.getMaximum();
cancelButton.addActionListener(e); progBar.setValue(max);
jButton2.doClick();
} }
public void progBarStartText() {
progBar.setIndeterminate(true);
progBar.setString("Querying Database for Report Results...");
}
public void progBarText() {
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.repaint();
progBar.setIndeterminate(true);
}
public void progBarCount(int count) {
progBar.setIndeterminate(false);
progBar.setString(null);
progBar.setMinimum(0);
progBar.setMaximum(count);
progBar.setValue(0);
//Double bper = progBar.getPercentComplete();
progBar.setString(progBar.getString());
}
public void setjButton1ActionListener(ActionListener e) {
jButton1.addActionListener(e);
}
public void setjButton2ActionListener(ActionListener e) {
jButton2.addActionListener(e);
cancelButton.addActionListener(e);
}
// Variables declaration - do not modify//GEN-BEGIN:variables // Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton cancelButton; private javax.swing.JButton cancelButton;
private javax.swing.JButton jButton1; private javax.swing.JButton jButton1;
@ -300,5 +351,4 @@ public void setjButton2ActionListener(ActionListener e){
private javax.swing.JCheckBox jCheckBox5; private javax.swing.JCheckBox jCheckBox5;
private javax.swing.JProgressBar progBar; private javax.swing.JProgressBar progBar;
// End of variables declaration//GEN-END:variables // End of variables declaration//GEN-END:variables
} }
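Review bot: The `catch (ReportModuleException ex)` for the jCheckBox5 branch in `jButton1ActionPerformed` is empty, so a failure to enable the recent-object, installed-program or device-attached types vanishes while the sibling branches at least log; it should mirror them, and all five would be more useful with a message than `logger.log(Level.WARNING, "", ex)`, e.g. `logger.log(Level.WARNING, "Could not enable report artifact type", ex)`. In `getReports()`, `done()` never calls `get()` on the SwingWorker, so any exception thrown by `rpa.reportGenerate(config, panel)` inside `doInBackground()` is captured by the worker and never surfaces; the user only sees the progress bar disappear. `config` is a static field that this handler only ever sets to `true`, so unless ReportConfiguration is reset elsewhere, a type enabled in an earlier run stays enabled after its checkbox is cleared for the next run — `filters.clear()` has no counterpart for `config`. The stray `;` lines left after the anonymous SwingWorker's method bodies are harmless but should be dropped.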


@ -16,7 +16,6 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.awt.Container; import java.awt.Container;
@ -31,6 +30,7 @@ import org.sleuthkit.autopsy.coreutils.Log;
/** /**
* The reportFilterAction opens the reportFilterPanel in a dialog, and saves the * The reportFilterAction opens the reportFilterPanel in a dialog, and saves the
* settings of the panel if the Apply button is clicked. * settings of the panel if the Apply button is clicked.
*
* @author pmartel * @author pmartel
*/ */
class reportFilterAction { class reportFilterAction {
@ -44,10 +44,10 @@ class reportFilterAction {
try { try {
// create the popUp window for it // create the popUp window for it
Container cpane; Container cpane;
final JFrame frame = new JFrame(ACTION_NAME); final JFrame frame = new JFrame(ACTION_NAME);
final JDialog popUpWindow = new JDialog(frame, ACTION_NAME, true); // to make the popUp Window to be modal final JDialog popUpWindow = new JDialog(frame, ACTION_NAME, true); // to make the popUp Window to be modal
cpane = frame.getContentPane(); cpane = frame.getContentPane();
// initialize panel with loaded settings // initialize panel with loaded settings
final reportFilter panel = new reportFilter(); final reportFilter panel = new reportFilter();
@ -64,8 +64,8 @@ class reportFilterAction {
// display the window // display the window
popUpWindow.setVisible(true); popUpWindow.setVisible(true);
} catch (Exception ex) { } catch (Exception ex) {
Log.get(reportFilterAction.class).log(Level.WARNING, "Error displaying " + ACTION_NAME + " window.", ex); Log.get(reportFilterAction.class).log(Level.WARNING, "Error displaying " + ACTION_NAME + " window.", ex);
} }
@ -76,9 +76,8 @@ class reportFilterAction {
return ACTION_NAME; return ACTION_NAME;
} }
// @Override // @Override
public HelpCtx getHelpCtx() { public HelpCtx getHelpCtx() {
return HelpCtx.DEFAULT_HELP; return HelpCtx.DEFAULT_HELP;
} }
} }


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -30,383 +46,369 @@ import org.sleuthkit.datamodel.TskData;
* @author Alex * @author Alex
*/ */
public class reportHTML { public class reportHTML {
//Declare our publically accessible formatted report, this will change everytime they run a report //Declare our publically accessible formatted report, this will change everytime they run a report
public static StringBuilder formatted_Report = new StringBuilder(); public static StringBuilder formatted_Report = new StringBuilder();
public static StringBuilder unformatted_header = new StringBuilder(); public static StringBuilder unformatted_header = new StringBuilder();
public static StringBuilder formatted_header = new StringBuilder(); public static StringBuilder formatted_header = new StringBuilder();
public static String htmlPath = ""; public static String htmlPath = "";
public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
//This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones.
//Unlike the XML report, which is dynamic, this is formatted and needs to be redone later instead of being hardcoded.
//Also, clearing variables to generate new report.
formatted_Report.setLength(0);
unformatted_header.setLength(0);
formatted_header.setLength(0);
int countGen = 0;
int countWebBookmark = 0;
int countWebCookie = 0;
int countWebHistory = 0;
int countWebDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){
countGen++;
}
if(entry.getKey().getArtifactTypeID() == 2){
countWebBookmark++;
}
if(entry.getKey().getArtifactTypeID() == 3){
countWebCookie++; public reportHTML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
}
if(entry.getKey().getArtifactTypeID() == 4){
countWebHistory++; //This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones.
} //Unlike the XML report, which is dynamic, this is formatted and needs to be redone later instead of being hardcoded.
if(entry.getKey().getArtifactTypeID() == 5){ //Also, clearing variables to generate new report.
countWebDownload++; formatted_Report.setLength(0);
} unformatted_header.setLength(0);
if(entry.getKey().getArtifactTypeID() == 6){ formatted_header.setLength(0);
countRecentObjects++;
} int countGen = 0;
if(entry.getKey().getArtifactTypeID() == 7){ int countWebBookmark = 0;
countTrackPoint++; int countWebCookie = 0;
} int countWebHistory = 0;
if(entry.getKey().getArtifactTypeID() == 8){ int countWebDownload = 0;
countInstalled++; int countRecentObjects = 0;
} int countTrackPoint = 0;
if(entry.getKey().getArtifactTypeID() == 9){ int countInstalled = 0;
countKeyword++; int countKeyword = 0;
} int countHash = 0;
if(entry.getKey().getArtifactTypeID() == 10){ int countDevice = 0;
countHash++; for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
} if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
if(entry.getKey().getArtifactTypeID() == 11){ countGen++;
countDevice++; }
} if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
} countWebBookmark++;
}
try{ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
String ingestwarning = "<h2 style=\"color: red;\">Warning, this report was run before ingest services completed!</h2>";
Case currentCase = Case.getCurrentCase(); // get the most updated case countWebCookie++;
SleuthkitCase skCase = currentCase.getSleuthkitCase(); }
String caseName = currentCase.getName(); if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
Integer imagecount = currentCase.getImageIDs().length;
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG); countWebHistory++;
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR); }
int reportsize = report.size(); if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
Integer filesystemcount = currentCase.getRootObjectsCount(); countWebDownload++;
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); }
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy"); if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
Date date = new Date(); countRecentObjects++;
String datetime = datetimeFormat.format(date); }
String datenotime = dateFormat.format(date); if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
String CSS = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><style>" countTrackPoint++;
+ "body {padding: 30px; margin: 0; background: #FFFFFF; font: 13px/20px Arial, Helvetica, sans-serif; color: #535353;} " }
+ "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} " if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++;
}
}
try {
String ingestwarning = "<h2 style=\"color: red;\">Warning, this report was run before ingest services completed!</h2>";
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
int reportsize = report.size();
Integer filesystemcount = currentCase.getRootObjectsCount();
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
String CSS = "<meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><style>"
+ "body {padding: 30px; margin: 0; background: #FFFFFF; font: 13px/20px Arial, Helvetica, sans-serif; color: #535353;} "
+ "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} "
+ "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} " + "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} "
+ "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} " + "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} "
+ "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} " + "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} "
+ "table thead th {display: table-cell; text-align: left; padding: 8px 16px; background: #e5e5e5; color: #777;font-size: 11px;text-shadow: #e9f9fd 0 1px 0; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} " + "table thead th {display: table-cell; text-align: left; padding: 8px 16px; background: #e5e5e5; color: #777;font-size: 11px;text-shadow: #e9f9fd 0 1px 0; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} "
+ "table tr th:nth-child(1) {text-align: center; width: 60px;} " + "table tr th:nth-child(1) {text-align: center; width: 60px;} "
+ "table td {display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;} " + "table td {display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;} "
+ "table tr:nth-child(even) td {background: #f3f3f3;} " + "table tr:nth-child(even) td {background: #f3f3f3;} "
+ "table tr td:nth-child(1) {text-align: left; width: 60px; background: #f3f3f3;} " + "table tr td:nth-child(1) {text-align: left; width: 60px; background: #f3f3f3;} "
+ "table tr:nth-child(even) td:nth-child(1) {background: #eaeaea;}" + "table tr:nth-child(even) td:nth-child(1) {background: #eaeaea;}"
+ "</style>"; + "</style>";
//Add additional header information //Add additional header information
String header = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case: " + caseName + "</title>"; String header = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case: " + caseName + "</title>";
formatted_header.append(header); formatted_header.append(header);
formatted_header.append(CSS); formatted_header.append(CSS);
//do for unformatted //do for unformatted
String simpleCSS = "<style>" String simpleCSS = "<style>"
+ "body {padding: 30px; margin: 0; background: #FFFFFF; color: #535353;} " + "body {padding: 30px; margin: 0; background: #FFFFFF; color: #535353;} "
+ "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} " + "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} "
+ "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} " + "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} "
+ "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} " + "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} "
+ "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} " + "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} "
+ "table thead th {display: table-cell; text-align: left; padding: 4px 8px; background: #e5e5e5; color: #777;font-size: 11px; width: 80px; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} " + "table thead th {display: table-cell; text-align: left; padding: 4px 8px; background: #e5e5e5; color: #777;font-size: 11px; width: 80px; border-top: 1px solid #dedede; border-bottom: 2px solid #dedede;} "
+ "table tr th {text-align: left; width: 80px;} " + "table tr th {text-align: left; width: 80px;} "
+ "table td {width: 100px; font-size: 8px; display: table-cell; padding: 4px 8px;} " + "table td {width: 100px; font-size: 8px; display: table-cell; padding: 4px 8px;} "
+ "table tr {text-align: left; width: 60px; background: #f3f3f3;} " + "table tr {text-align: left; width: 60px; background: #f3f3f3;} "
+ "tr.alt td{ background-color: #FFFFFF;}" + "tr.alt td{ background-color: #FFFFFF;}"
+ "</style>"; + "</style>";
unformatted_header.append(header); unformatted_header.append(header);
unformatted_header.append(simpleCSS); unformatted_header.append(simpleCSS);
//formatted_Report.append("<link rel=\"stylesheet\" href=\"" + rrpath + "report.css\" type=\"text/css\" />"); //formatted_Report.append("<link rel=\"stylesheet\" href=\"" + rrpath + "report.css\" type=\"text/css\" />");
formatted_Report.append("</head><body><div id=\"main\"><div id=\"content\">"); formatted_Report.append("</head><body><div id=\"main\"><div id=\"content\">");
// Add summary information now // Add summary information now
formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>"); formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>");
if(IngestManager.getDefault().isIngestRunning()) if (IngestManager.getDefault().isIngestRunning()) {
{
formatted_Report.append(ingestwarning); formatted_Report.append(ingestwarning);
} }
formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<ul>"); formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<ul>");
formatted_Report.append("<li># of Images: ").append(imagecount).append("</li>"); formatted_Report.append("<li># of Images: ").append(imagecount).append("</li>");
formatted_Report.append("<li>FileSystems: ").append(filesystemcount).append("</li>"); formatted_Report.append("<li>FileSystems: ").append(filesystemcount).append("</li>");
formatted_Report.append("<li># of Files: ").append(totalfiles.toString()).append("</li>"); formatted_Report.append("<li># of Files: ").append(totalfiles.toString()).append("</li>");
formatted_Report.append("<li># of Dirs: ").append(totaldirs.toString()).append("</li>"); formatted_Report.append("<li># of Dirs: ").append(totaldirs.toString()).append("</li>");
formatted_Report.append("<li># of Artifacts: ").append(reportsize).append("</li></ul>"); formatted_Report.append("<li># of Artifacts: ").append(reportsize).append("</li></ul>");
formatted_Report.append("<br /><table><thead><tr><th>Section</th><th>Count</th></tr></thead><tbody>"); formatted_Report.append("<br /><table><thead><tr><th>Section</th><th>Count</th></tr></thead><tbody>");
if(countWebBookmark > 0){ if (countWebBookmark > 0) {
formatted_Report.append("<tr><td><a href=\"#bookmark\">Web Bookmarks</a></td><td>").append(countWebBookmark).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#bookmark\">Web Bookmarks</a></td><td>").append(countWebBookmark).append("</td></tr>");
} }
if(countWebCookie > 0){ if (countWebCookie > 0) {
formatted_Report.append("<tr><td><a href=\"#cookie\">Web Cookies</a></td><td>").append(countWebCookie).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#cookie\">Web Cookies</a></td><td>").append(countWebCookie).append("</td></tr>");
} }
if(countWebHistory > 0){ if (countWebHistory > 0) {
formatted_Report.append("<tr><td><a href=\"#history\">Web History</a></td><td>").append(countWebHistory).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#history\">Web History</a></td><td>").append(countWebHistory).append("</td></tr>");
} }
if(countWebDownload > 0){ if (countWebDownload > 0) {
formatted_Report.append("<tr><td><a href=\"#download\">Web Downloads</a></td><td>").append(countWebDownload).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#download\">Web Downloads</a></td><td>").append(countWebDownload).append("</td></tr>");
} }
if(countRecentObjects > 0){ if (countRecentObjects > 0) {
formatted_Report.append("<tr><td><a href=\"#recent\">Recent Documents</a></td><td>").append(countRecentObjects).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#recent\">Recent Documents</a></td><td>").append(countRecentObjects).append("</td></tr>");
} }
if(countInstalled > 0){ if (countInstalled > 0) {
formatted_Report.append("<tr><td><a href=\"#installed\">Installed Programs</a></td><td>").append(countInstalled).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#installed\">Installed Programs</a></td><td>").append(countInstalled).append("</td></tr>");
} }
if(countKeyword > 0){ if (countKeyword > 0) {
formatted_Report.append("<tr><td><a href=\"#keyword\">Keyword Hits</a></td><td>").append(countKeyword).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#keyword\">Keyword Hits</a></td><td>").append(countKeyword).append("</td></tr>");
} }
if(countHash > 0){ if (countHash > 0) {
formatted_Report.append("<tr><td><a href=\"#hash\">Hash Hits</a></td><td>").append(countHash).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#hash\">Hash Hits</a></td><td>").append(countHash).append("</td></tr>");
} }
if(countDevice > 0){ if (countDevice > 0) {
formatted_Report.append("<tr><td><a href=\"#device\">Attached Devices</a></td><td>").append(countDevice).append("</td></tr>"); formatted_Report.append("<tr><td><a href=\"#device\">Attached Devices</a></td><td>").append(countDevice).append("</td></tr>");
} }
formatted_Report.append("</tbody></table><br />"); formatted_Report.append("</tbody></table><br />");
String tableHeader = "<table><thead><tr>"; String tableHeader = "<table><thead><tr>";
StringBuilder nodeGen = new StringBuilder("<h3>General Information (").append(countGen).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>"); StringBuilder nodeGen = new StringBuilder("<h3>General Information (").append(countGen).append(")</h3>").append(tableHeader).append("<th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeWebBookmark = new StringBuilder("<h3><a name=\"bookmark\">Web Bookmarks (").append(countWebBookmark).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Title</th><th>Program</th></tr></thead><tbody>"); StringBuilder nodeWebBookmark = new StringBuilder("<h3><a name=\"bookmark\">Web Bookmarks (").append(countWebBookmark).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebCookie = new StringBuilder("<h3><a name=\"cookie\">Web Cookies (").append(countWebCookie).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Name</th><th>Value</th><th>Program</th></tr></thead><tbody>"); StringBuilder nodeWebCookie = new StringBuilder("<h3><a name=\"cookie\">Web Cookies (").append(countWebCookie).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Name</th><th>Value</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebHistory = new StringBuilder("<h3><a name=\"history\">Web History (").append(countWebHistory).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Referrer</th><th>Title</th><th>Program</th></tr></thead><tbody>"); StringBuilder nodeWebHistory = new StringBuilder("<h3><a name=\"history\">Web History (").append(countWebHistory).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Referrer</th><th>Title</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeWebDownload = new StringBuilder("<h3><a name=\"download\">Web Downloads (").append(countWebDownload).append(")</h3>").append(tableHeader).append("<th>File</th><th>Source</th><th>Time</th><th>Program</th></tr></thead><tbody>"); StringBuilder nodeWebDownload = new StringBuilder("<h3><a name=\"download\">Web Downloads (").append(countWebDownload).append(")</h3>").append(tableHeader).append("<th>File</th><th>Source</th><th>Time</th><th>Program</th></tr></thead><tbody>");
StringBuilder nodeRecentObjects = new StringBuilder("<h3><a name=\"recent\">Recent Documents (").append(countRecentObjects).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Path</th><th>Related Shortcut</th></tr></thead><tbody>"); StringBuilder nodeRecentObjects = new StringBuilder("<h3><a name=\"recent\">Recent Documents (").append(countRecentObjects).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Path</th><th>Related Shortcut</th></tr></thead><tbody>");
StringBuilder nodeTrackPoint = new StringBuilder("<h3><a name=\"track\">Track Points (").append(countTrackPoint).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>"); StringBuilder nodeTrackPoint = new StringBuilder("<h3><a name=\"track\">Track Points (").append(countTrackPoint).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>");
StringBuilder nodeInstalled = new StringBuilder("<h3><a name=\"installed\">Installed Programs (").append(countInstalled).append(")</h3>").append(tableHeader).append("<th>Program Name</th><th>Install Date/Time</th></tr></thead><tbody>"); StringBuilder nodeInstalled = new StringBuilder("<h3><a name=\"installed\">Installed Programs (").append(countInstalled).append(")</h3>").append(tableHeader).append("<th>Program Name</th><th>Install Date/Time</th></tr></thead><tbody>");
StringBuilder nodeKeyword = new StringBuilder("<h3><a name=\"keyword\">Keyword Search Hits (").append(countKeyword).append(")</h3>"); StringBuilder nodeKeyword = new StringBuilder("<h3><a name=\"keyword\">Keyword Search Hits (").append(countKeyword).append(")</h3>");
StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Size</th><th>Hashset Name</th></tr></thead><tbody>"); StringBuilder nodeHash = new StringBuilder("<h3><a name=\"hash\">Hashset Hit (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Size</th><th>Hashset Name</th></tr></thead><tbody>");
StringBuilder nodeDevice = new StringBuilder("<h3><a name=\"device\">Attached Devices (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Serial #</th><th>Time</th></tr></thead><tbody>"); StringBuilder nodeDevice = new StringBuilder("<h3><a name=\"device\">Attached Devices (").append(countHash).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Serial #</th><th>Time</th></tr></thead><tbody>");
int alt = 0; int alt = 0;
String altRow = ""; String altRow = "";
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) { for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){ if (reportFilter.cancel == true) {
break; break;
} }
int cc = 0; int cc = 0;
if(alt > 0) if (alt > 0) {
{ altRow = " class=\"alt\"";
altRow = " class=\"alt\""; alt = 0;
alt = 0; } else {
} altRow = "";
else{ alt++;
altRow=""; }
alt++; StringBuilder artifact = new StringBuilder("");
}
StringBuilder artifact = new StringBuilder("");
Long objId = entry.getKey().getObjectID(); Long objId = entry.getKey().getObjectID();
//Content file = skCase.getContentById(objId); //Content file = skCase.getContentById(objId);
FsContent file = skCase.getFsContentById(objId); FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize(); Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer,String>(); TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type // Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n; int n;
for(n=1;n<=35;n++) for (n = 1; n <= 35; n++) {
{ attributes.put(n, "");
attributes.put(n, "");
}
} for (BlackboardAttribute tempatt : entry.getValue()) {
for (BlackboardAttribute tempatt : entry.getValue()) if (reportFilter.cancel == true) {
{ break;
if(reportFilter.cancel == true){
break;
}
String value = "";
int type = tempatt.getAttributeTypeID();
if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){
}
else if(type == 2 || type == 33 ){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())));
if(value == null || "".equals(value)){
value = tempatt.getValueString();
}
}
else
{
value = tempatt.getValueString();
}
value = reportUtils.insertPeriodically(value, "<br>", 30);
attributes.put(type, value);
cc++;
}
if(entry.getKey().getArtifactTypeID() == 1){
artifact.append("</tr>");
nodeGen.append(artifact);
} }
if(entry.getKey().getArtifactTypeID() == 2){ String value = "";
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>"); int type = tempatt.getAttributeTypeID();
artifact.append("<td>").append(attributes.get(3)).append("</td>"); if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
artifact.append("<td>").append(attributes.get(4)).append("</td>"); } else if (type == 2 || type == 33) {
artifact.append("</tr>"); value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong())));
nodeWebBookmark.append(artifact); if (value == null || "".equals(value)) {
} value = tempatt.getValueString();
if(entry.getKey().getArtifactTypeID() == 3){ }
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>"); } else {
artifact.append("<td>").append(attributes.get(2)).append("</td>"); value = tempatt.getValueString();
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(6)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebCookie.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 4){
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(32)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebHistory.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 5){
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebDownload.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 6){
//artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(3)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(file.getName()).append("</td>");
artifact.append("</tr>");
nodeRecentObjects.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 7){
artifact.append("<tr").append(altRow).append("><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
artifact.append("</tr>");
nodeTrackPoint.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(4)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeInstalled.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 9){
// artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>");
// artifact.append("</tr></table>");
// nodeKeyword.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 10){
// artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
//artifact.append("<td>").append(attributes.get(31)).append("</td>");
artifact.append("<td>").append(attributes.get(30)).append("</td>");
artifact.append("</tr>");
nodeHash.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 11){
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(18)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(20)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeDevice.append(artifact);
} }
value = reportUtils.insertPeriodically(value, "<br>", 30);
attributes.put(type, value);
cc++; cc++;
rr.progBarSet(cc); }
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
artifact.append("</tr>");
nodeGen.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebBookmark.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(6)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebCookie.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(32)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebHistory.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebDownload.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
//artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(3)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(file.getName()).append("</td>");
artifact.append("</tr>");
nodeRecentObjects.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
artifact.append("</tr>");
nodeTrackPoint.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(4)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeInstalled.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
// artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>");
// artifact.append("</tr></table>");
// nodeKeyword.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
// artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
//artifact.append("<td>").append(attributes.get(31)).append("</td>");
artifact.append("<td>").append(attributes.get(30)).append("</td>");
artifact.append("</tr>");
nodeHash.append(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(18)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(20)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeDevice.append(artifact);
}
cc++;
rr.progBarSet(cc);
}
//Add them back in order //Add them back in order
//formatted_Report.append(nodeGen); //formatted_Report.append(nodeGen);
// formatted_Report.append("</tbody></table>"); // formatted_Report.append("</tbody></table>");
if(countWebBookmark > 0){ if (countWebBookmark > 0) {
formatted_Report.append(nodeWebBookmark); formatted_Report.append(nodeWebBookmark);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
if(countWebCookie > 0){ if (countWebCookie > 0) {
formatted_Report.append(nodeWebCookie); formatted_Report.append(nodeWebCookie);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
if(countWebHistory > 0){ if (countWebHistory > 0) {
formatted_Report.append(nodeWebHistory); formatted_Report.append(nodeWebHistory);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
if(countWebDownload > 0){ if (countWebDownload > 0) {
formatted_Report.append(nodeWebDownload); formatted_Report.append(nodeWebDownload);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
if(countRecentObjects > 0){ if (countRecentObjects > 0) {
formatted_Report.append(nodeRecentObjects); formatted_Report.append(nodeRecentObjects);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
// formatted_Report.append(nodeTrackPoint); // formatted_Report.append(nodeTrackPoint);
//formatted_Report.append("</tbody></table>"); //formatted_Report.append("</tbody></table>");
if(countInstalled > 0){ if (countInstalled > 0) {
formatted_Report.append(nodeInstalled); formatted_Report.append(nodeInstalled);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
if(countKeyword > 0){ if (countKeyword > 0) {
formatted_Report.append(nodeKeyword); formatted_Report.append(nodeKeyword);
report keywords = new report(); report keywords = new report();
formatted_Report.append(keywords.getGroupedKeywordHit()); formatted_Report.append(keywords.getGroupedKeywordHit());
// "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th> // "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>
// formatted_Report.append("</tbody></table>"); // formatted_Report.append("</tbody></table>");
} }
if(countHash > 0){ if (countHash > 0) {
formatted_Report.append(nodeHash); formatted_Report.append(nodeHash);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
if(countDevice > 0){ if (countDevice > 0) {
formatted_Report.append(nodeDevice); formatted_Report.append(nodeDevice);
formatted_Report.append("</tbody></table>"); formatted_Report.append("</tbody></table>");
} }
//end of master loop //end of master loop
formatted_Report.append("</div></div></body></html>");
formatted_header.append(formatted_Report);
// unformatted_header.append(formatted_Report);
htmlPath = currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".html";
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlPath), "UTF-8"));
out.write(formatted_header.toString());
out.flush();
out.close();
}
catch(Exception e)
{
Logger.getLogger(reportHTML.class.getName()).log(Level.WARNING, "Exception occurred", e); formatted_Report.append("</div></div></body></html>");
} formatted_header.append(formatted_Report);
} // unformatted_header.append(formatted_Report);
htmlPath = currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".html";
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlPath), "UTF-8"));
out.write(formatted_header.toString());
out.flush();
out.close();
} catch (Exception e) {
Logger.getLogger(reportHTML.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
}
} }


@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?> <?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo"> <Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents> <NonVisualComponents>


@ -1,20 +1,27 @@
/* /*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportPanel.java
* *
* Created on Feb 21, 2012, 12:13:14 PM * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener; import java.awt.event.ActionListener;
import java.io.BufferedWriter; import java.io.*;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.Date; import java.util.Date;
@ -30,16 +37,17 @@ import org.jdom.output.XMLOutputter;
*/ */
public class reportPanel extends javax.swing.JPanel { public class reportPanel extends javax.swing.JPanel {
/** Creates new form reportPanel */ /**
public reportPanel(String report) { * Creates new form reportPanel
*/
public reportPanel() {
initComponents(); initComponents();
setReportWindow(report);
} }
/** This method is called from within the constructor to /**
* initialize the form. * This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is * WARNING: Do NOT modify this code. The content of this method is always
* always regenerated by the Form Editor. * regenerated by the Form Editor.
*/ */
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents // <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -94,86 +102,64 @@ public class reportPanel extends javax.swing.JPanel {
}// </editor-fold>//GEN-END:initComponents }// </editor-fold>//GEN-END:initComponents
private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_saveReportActionPerformed private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_saveReportActionPerformed
saveReportAction(); saveReportAction();
}//GEN-LAST:event_saveReportActionPerformed }//GEN-LAST:event_saveReportActionPerformed
/** /**
* Sets the listener for the OK button * Sets the listener for the OK button
* *
* @param e The action listener * @param e The action listener
*/ */
public void setjButton1ActionListener(ActionListener e){ public void setjButton1ActionListener(ActionListener e) {
jButton1.addActionListener(e); jButton1.addActionListener(e);
} }
public void getLink(HyperlinkEvent evt){
try{ public void setFinishedReportText() {
String str = evt.getDescription();
// jEditorPane1.scrollToReference(str.substring(1));
}
catch(Exception e){
String whater = "";
}
}
public void setjEditorPane1EventListener(HyperlinkListener evt){
// jEditorPane1.addHyperlinkListener(evt);
}
private void setReportWindow(String report)
{
// jEditorPane1.setText(report);
// jEditorPane1.setCaretPosition(0);
}
public void setFinishedReportText(){
DateFormat dateFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); DateFormat dateFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
Date date = new Date(); Date date = new Date();
String reportText = "Report was sucessfully generated at " + dateFormat.format(date) + "."; String reportText = "Report was sucessfully generated at " + dateFormat.format(date) + ".";
jLabel1.setText(reportText); jLabel1.setText(reportText);
} }
private void saveReportAction() {
private void saveReportAction(){
int option = jFileChooser1.showSaveDialog(this); int option = jFileChooser1.showSaveDialog(this);
if(option == JFileChooser.APPROVE_OPTION){ if (option == JFileChooser.APPROVE_OPTION) {
if(jFileChooser1.getSelectedFile()!=null){ if (jFileChooser1.getSelectedFile() != null) {
String path = jFileChooser1.getSelectedFile().toString(); String path = jFileChooser1.getSelectedFile().toString();
exportReport(path); exportReport(path);
}
} }
}
}
private void exportReport(String path){
String htmlpath = reportUtils.changeExtension(path, ".html");
String xmlpath = reportUtils.changeExtension(path, ".xml");
String xlspath = reportUtils.changeExtension(path, ".xlsx");
try {
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlpath), "UTF-8"));
// FileOutputStream out = new FileOutputStream(htmlpath);
out.write(reportHTML.formatted_header.toString());
out.flush();
out.close();
//xls report
FileOutputStream fos = new FileOutputStream(xlspath);
reportXLS.wb.write(fos);
fos.close();
FileOutputStream xmlout = new FileOutputStream(xmlpath);
XMLOutputter serializer = new XMLOutputter();
serializer.output(reportXML.xmldoc, xmlout);
xmlout.flush();
xmlout.close();
JOptionPane.showMessageDialog(this, "Report has been successfully saved!");
}
catch (IOException e) {
System.err.println(e);
}
} }
private void exportReport(String path) {
String htmlpath = reportUtils.changeExtension(path, ".html");
String xmlpath = reportUtils.changeExtension(path, ".xml");
String xlspath = reportUtils.changeExtension(path, ".xlsx");
try {
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlpath), "UTF-8"));
// FileOutputStream out = new FileOutputStream(htmlpath);
out.write(reportHTML.formatted_header.toString());
out.flush();
out.close();
//xls report
FileOutputStream fos = new FileOutputStream(xlspath);
reportXLS.wb.write(fos);
fos.close();
FileOutputStream xmlout = new FileOutputStream(xmlpath);
XMLOutputter serializer = new XMLOutputter();
serializer.output(reportXML.xmldoc, xmlout);
xmlout.flush();
xmlout.close();
JOptionPane.showMessageDialog(this, "Report has been successfully saved!");
} catch (IOException e) {
System.err.println(e);
}
}
// Variables declaration - do not modify//GEN-BEGIN:variables // Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton jButton1; private javax.swing.JButton jButton1;
private javax.swing.JFileChooser jFileChooser1; private javax.swing.JFileChooser jFileChooser1;
@ -181,6 +167,4 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
private javax.swing.JOptionPane jOptionPane1; private javax.swing.JOptionPane jOptionPane1;
private javax.swing.JButton saveReport; private javax.swing.JButton saveReport;
// End of variables declaration//GEN-END:variables // End of variables declaration//GEN-END:variables
} }
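Review bot: exportReport on the new side (hunk `@ -94,86 +102,64 @@`, from `private void exportReport(String path) {`) leaks all three output streams when a write fails: `out`, `fos` and `xmlout` are closed only on the success path, so an IOException from `out.write`, `reportXLS.wb.write` or `serializer.output` leaves the handles open, the partially written files behind, and the catch merely prints to stderr so the user is never told the save did not happen. Each stream should be closed in a `finally` (or with try-with-resources if the project builds on Java 7), and the failure should be logged the way reportHTML does it with `Logger.getLogger(...).log(Level.WARNING, ...)` (needs the `java.util.logging` imports in this file) and surfaced with a dialog. The commented-out `// FileOutputStream out = new FileOutputStream(htmlpath);` line is dead code and can go.
```java
private void exportReport(String path) {
    String htmlpath = reportUtils.changeExtension(path, ".html");
    String xmlpath = reportUtils.changeExtension(path, ".xml");
    String xlspath = reportUtils.changeExtension(path, ".xlsx");
    try {
        Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlpath), "UTF-8"));
        try {
            out.write(reportHTML.formatted_header.toString());
            out.flush();
        } finally {
            out.close();
        }
        //xls report
        FileOutputStream fos = new FileOutputStream(xlspath);
        try {
            reportXLS.wb.write(fos);
        } finally {
            fos.close();
        }
        FileOutputStream xmlout = new FileOutputStream(xmlpath);
        try {
            new XMLOutputter().output(reportXML.xmldoc, xmlout);
            xmlout.flush();
        } finally {
            xmlout.close();
        }
        JOptionPane.showMessageDialog(this, "Report has been successfully saved!");
    } catch (IOException e) {
        // log with the cause, as reportHTML does, and tell the user instead of failing silently
        Logger.getLogger(reportPanel.class.getName()).log(Level.WARNING, "Could not save report to " + path, e);
        JOptionPane.showMessageDialog(this, "Report could not be saved: " + e.getMessage());
    }
}
```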


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -8,18 +24,11 @@ import java.awt.Dimension;
import java.awt.Toolkit; import java.awt.Toolkit;
import java.awt.event.ActionEvent; import java.awt.event.ActionEvent;
import java.awt.event.ActionListener; import java.awt.event.ActionListener;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.logging.Level; import java.util.logging.Level;
import javax.swing.JDialog; import javax.swing.JDialog;
import javax.swing.JFrame; import javax.swing.JFrame;
import javax.swing.SwingUtilities; import javax.swing.SwingUtilities;
import javax.swing.event.HyperlinkEvent;
import javax.swing.event.HyperlinkListener;
import org.sleuthkit.autopsy.coreutils.Log; import org.sleuthkit.autopsy.coreutils.Log;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
/** /**
* *
@ -32,15 +41,14 @@ public class reportPanelAction {
} }
public void reportGenerate(ArrayList<Integer> reportlist, final reportFilter rr){ public void reportGenerate(ReportConfiguration reportconfig, final reportFilter rr){
try { try {
//Clear any old reports in the string //Clear any old reports in the string
viewReport.setLength(0); viewReport.setLength(0);
// Generate the reports and create the hashmap // Generate the reports and create the hashmap
final HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> Results = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>(); final ReportGen report = new ReportGen();
report bbreport = new report();
//see what reports we need to run and run them //see what reports we need to run and run them
//Set progress bar to move while doing this //Set progress bar to move while doing this
SwingUtilities.invokeLater(new Runnable() { SwingUtilities.invokeLater(new Runnable() {
@ -48,21 +56,11 @@ public class reportPanelAction {
public void run() { public void run() {
rr.progBarStartText(); rr.progBarStartText();
}}); }});
if(reportlist.contains(1)){Results.putAll(bbreport.getGenInfo());} report.populateReport(reportconfig);
if(reportlist.contains(2)){Results.putAll(bbreport.getWebBookmark());}
if(reportlist.contains(3)){Results.putAll(bbreport.getWebCookie());}
if(reportlist.contains(4)){Results.putAll(bbreport.getWebHistory());}
if(reportlist.contains(5)){Results.putAll(bbreport.getWebDownload());}
if(reportlist.contains(6)){Results.putAll(bbreport.getRecentObject());}
// if(reportlist.contains(7)){Results.putAll(bbreport.getGenInfo());}
if(reportlist.contains(8)){Results.putAll(bbreport.getInstalledProg());}
if(reportlist.contains(9)){Results.putAll(bbreport.getKeywordHit());}
if(reportlist.contains(10)){Results.putAll(bbreport.getHashHit());}
if(reportlist.contains(11)){Results.putAll(bbreport.getDevices());}
SwingUtilities.invokeLater(new Runnable() { SwingUtilities.invokeLater(new Runnable() {
@Override @Override
public void run() { public void run() {
rr.progBarCount(2*Results.size()); rr.progBarCount(2*report.Results.size());
}}); }});
//Turn our results into the appropriate xml/html reports //Turn our results into the appropriate xml/html reports
//TODO: add a way for users to select what they will run when //TODO: add a way for users to select what they will run when
@ -71,7 +69,7 @@ public class reportPanelAction {
@Override @Override
public void run() public void run()
{ {
reportXML xmlReport = new reportXML(Results, rr); reportXML xmlReport = new reportXML(report.Results, rr);
} }
}); });
Thread htmlthread = new Thread(new Runnable() Thread htmlthread = new Thread(new Runnable()
@ -79,8 +77,8 @@ public class reportPanelAction {
@Override @Override
public void run() public void run()
{ {
reportHTML htmlReport = new reportHTML(Results,rr); reportHTML htmlReport = new reportHTML(report.Results,rr);
BrowserControl.openUrl(reportHTML.htmlPath);
} }
}); });
Thread xlsthread = new Thread(new Runnable() Thread xlsthread = new Thread(new Runnable()
@ -88,8 +86,8 @@ public class reportPanelAction {
@Override @Override
public void run() public void run()
{ {
reportXLS xlsReport = new reportXLS(Results,rr); reportXLS xlsReport = new reportXLS(report.Results,rr);
// BrowserControl.openUrl(xlsReport.xlsPath); //
} }
}); });
@ -110,7 +108,7 @@ public class reportPanelAction {
htmlthread.join(); htmlthread.join();
//Set the temporary label to let the user know its done and is waiting on the report //Set the temporary label to let the user know its done and is waiting on the report
rr.progBarText(); rr.progBarText();
final reportPanel panel = new reportPanel(viewReport.toString()); final reportPanel panel = new reportPanel();
panel.setjButton1ActionListener(new ActionListener() { panel.setjButton1ActionListener(new ActionListener() {
@ -120,19 +118,6 @@ public class reportPanelAction {
popUpWindow.dispose(); popUpWindow.dispose();
} }
}); });
panel.setjEditorPane1EventListener(new HyperlinkListener(){
@Override
public void hyperlinkUpdate(HyperlinkEvent hev) {
try {
if (hev.getEventType() == HyperlinkEvent.EventType.ACTIVATED)
panel.getLink(hev);
}
catch (Exception e) {
// Exceptions thrown...............
}
}
});
// add the panel to the popup window // add the panel to the popup window
popUpWindow.add(panel); popUpWindow.add(panel);
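Review bot: The three reporter threads in hunks `@ -71,7 +69,7 @@`, `@ -79,8 +77,8 @@` and `@ -88,8 +86,8 @@` now read `report.Results` directly, a public field of `ReportGen`, where the old code handed each thread the same `final` local map; if `Results` is a plain mutable map, any one of the concurrently running reporters can modify it while the others iterate it, and the field can be reassigned between `report.populateReport(reportconfig);` and the threads starting. Capturing it once right after `populateReport` into a `final` local and passing that to the three constructors (or having `ReportGen` expose an unmodifiable view instead of the field) restores the old guarantee; the `BlackboardArtifact`/`BlackboardAttribute` imports this commit removes would be needed again for the local's type. The `xmlReport`, `htmlReport` and `xlsReport` locals are never used after construction because the constructors do all the work, which deserves a comment such as `// the constructor generates and writes the report as a side effect`, and the bare `//` left in the xls runnable should be deleted. reportGenerate's body continues outside the visible hunks.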


@ -1,6 +1,22 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
@ -9,34 +25,32 @@ package org.sleuthkit.autopsy.report;
* @author Alex * @author Alex
*/ */
public class reportUtils { public class reportUtils {
static String changeExtension(String originalName, String newExtension) {
int lastDot = originalName.lastIndexOf(".");
if (lastDot != -1) {
return originalName.substring(0, lastDot) + newExtension;
} else {
return originalName + newExtension;
}
}
public static String insertPeriodically( static String changeExtension(String originalName, String newExtension) {
String text, String insert, int period) int lastDot = originalName.lastIndexOf(".");
{ if (lastDot != -1) {
StringBuilder builder = new StringBuilder( return originalName.substring(0, lastDot) + newExtension;
text.length() + insert.length() * (text.length()/period)+1); } else {
return originalName + newExtension;
int index = 0; }
String prefix = ""; }
while (index < text.length())
{ public static String insertPeriodically(
// Don't put the insert in the very first iteration. String text, String insert, int period) {
// This is easier than appending it *after* each substring StringBuilder builder = new StringBuilder(
builder.append(prefix); text.length() + insert.length() * (text.length() / period) + 1);
prefix = insert;
builder.append(text.substring(index, int index = 0;
Math.min(index + period, text.length()))); String prefix = "";
index += period; while (index < text.length()) {
// Don't put the insert in the very first iteration.
// This is easier than appending it *after* each substring
builder.append(prefix);
prefix = insert;
builder.append(text.substring(index,
Math.min(index + period, text.length())));
index += period;
}
return builder.toString();
} }
return builder.toString();
}
} }


@ -1,11 +1,26 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.text.DateFormat; import java.text.DateFormat;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
@ -14,362 +29,343 @@ import java.util.Date;
import java.util.HashMap; import java.util.HashMap;
import java.util.Map.Entry; import java.util.Map.Entry;
import java.util.TreeMap; import java.util.TreeMap;
import org.apache.poi.ss.usermodel.Cell; import org.apache.poi.ss.usermodel.*;
import org.apache.poi.ss.usermodel.CellStyle;
import org.apache.poi.ss.usermodel.Font;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.xssf.usermodel.XSSFWorkbook; import org.apache.poi.xssf.usermodel.XSSFWorkbook;
import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.*;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
/** /**
* *
* @author Alex * @author Alex
*/ */
public class reportXLS { public class reportXLS {
public static Workbook wb = new XSSFWorkbook();
public reportXLS(HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
//Empty the workbook first
Workbook wbtemp = new XSSFWorkbook();
int countGen = 0;
int countBookmark = 0;
int countCookie = 0;
int countHistory = 0;
int countDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){
countGen++;
}
if(entry.getKey().getArtifactTypeID() == 2){
countBookmark++;
}
if(entry.getKey().getArtifactTypeID() == 3){
countCookie++; public static Workbook wb = new XSSFWorkbook();
}
if(entry.getKey().getArtifactTypeID() == 4){
countHistory++; public reportXLS(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
//Empty the workbook first
Workbook wbtemp = new XSSFWorkbook();
int countGen = 0;
int countBookmark = 0;
int countCookie = 0;
int countHistory = 0;
int countDownload = 0;
int countRecentObjects = 0;
int countTrackPoint = 0;
int countInstalled = 0;
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countBookmark++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countCookie++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countHistory++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countDownload++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countRecentObjects++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
countTrackPoint++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++;
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++;
}
}
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
//The first summary report page
Sheet sheetSummary = wbtemp.createSheet("Summary");
//Generate a sheet per artifact type
// Sheet sheetGen = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getDisplayName());
Sheet sheetHash = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName());
Sheet sheetDevice = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getDisplayName());
Sheet sheetInstalled = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getDisplayName());
Sheet sheetKeyword = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName());
// Sheet sheetTrackpoint = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getDisplayName());
Sheet sheetRecent = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getDisplayName());
Sheet sheetCookie = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getDisplayName());
Sheet sheetBookmark = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName());
Sheet sheetDownload = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getDisplayName());
Sheet sheetHistory = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName());
//Bold/underline cell style for the top header rows
CellStyle style = wbtemp.createCellStyle();
style.setBorderBottom((short) 2);
Font font = wbtemp.createFont();
font.setFontHeightInPoints((short) 16);
font.setFontName("Courier New");
font.setBoldweight((short) 2);
style.setFont(font);
//create the rows in the worksheet for our records
//Create first row and header
// sheetGen.createRow(0);
// sheetGen.getRow(0).createCell(0).setCellValue("Name");
// sheetGen.getRow(0).createCell(1).setCellValue("Value");
// sheetGen.getRow(0).createCell(2).setCellValue("Date/Time");
sheetSummary.createRow(0).setRowStyle(style);
sheetSummary.getRow(0).createCell(0).setCellValue("Summary Information");
sheetSummary.getRow(0).createCell(1).setCellValue(caseName);
//add some basic information
sheetSummary.createRow(1);
sheetSummary.getRow(1).createCell(0).setCellValue("# of Images");
sheetSummary.getRow(1).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(2);
sheetSummary.getRow(2).createCell(0).setCellValue("Filesystems found");
sheetSummary.getRow(2).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(3);
sheetSummary.getRow(3).createCell(0).setCellValue("# of Files");
sheetSummary.getRow(3).createCell(1).setCellValue(totalfiles);
sheetSummary.createRow(4);
sheetSummary.getRow(4).createCell(0).setCellValue("# of Directories");
sheetSummary.getRow(4).createCell(1).setCellValue(totaldirs);
sheetSummary.createRow(5);
sheetSummary.getRow(5).createCell(0).setCellValue("Date/Time");
sheetSummary.getRow(5).createCell(1).setCellValue(datetime);
sheetHash.createRow(0).setRowStyle(style);
sheetHash.getRow(0).createCell(0).setCellValue("Name");
sheetHash.getRow(0).createCell(1).setCellValue("Size");
sheetHash.getRow(0).createCell(2).setCellValue("Hashset Name");
sheetDevice.createRow(0).setRowStyle(style);
sheetDevice.getRow(0).createCell(0).setCellValue("Name");
sheetDevice.getRow(0).createCell(1).setCellValue("Serial #");
sheetDevice.getRow(0).createCell(2).setCellValue("Time");
sheetInstalled.createRow(0).setRowStyle(style);
sheetInstalled.getRow(0).createCell(0).setCellValue("Program Name");
sheetInstalled.getRow(0).createCell(1).setCellValue("Install Date/Time");
sheetKeyword.createRow(0).setRowStyle(style);
sheetKeyword.getRow(0).createCell(0).setCellValue("Keyword");
sheetKeyword.getRow(0).createCell(1).setCellValue("File Name");
sheetKeyword.getRow(0).createCell(2).setCellValue("Preview");
sheetKeyword.getRow(0).createCell(3).setCellValue("Keyword LIst");
sheetRecent.createRow(0).setRowStyle(style);
sheetRecent.getRow(0).createCell(0).setCellValue("Name");
sheetRecent.getRow(0).createCell(1).setCellValue("Path");
sheetRecent.getRow(0).createCell(2).setCellValue("Related Shortcut");
sheetCookie.createRow(0).setRowStyle(style);
sheetCookie.getRow(0).createCell(0).setCellValue("URL");
sheetCookie.getRow(0).createCell(1).setCellValue("Date");
sheetCookie.getRow(0).createCell(2).setCellValue("Name");
sheetCookie.getRow(0).createCell(3).setCellValue("Value");
sheetCookie.getRow(0).createCell(4).setCellValue("Program");
sheetBookmark.createRow(0).setRowStyle(style);
sheetBookmark.getRow(0).createCell(0).setCellValue("URL");
sheetBookmark.getRow(0).createCell(1).setCellValue("Title");
sheetBookmark.getRow(0).createCell(2).setCellValue("Program");
sheetDownload.createRow(0).setRowStyle(style);
sheetDownload.getRow(0).createCell(0).setCellValue("File");
sheetDownload.getRow(0).createCell(1).setCellValue("Source");
sheetDownload.getRow(0).createCell(2).setCellValue("Time");
sheetDownload.getRow(0).createCell(3).setCellValue("Program");
sheetHistory.createRow(0).setRowStyle(style);
sheetHistory.getRow(0).createCell(0).setCellValue("URL");
sheetHistory.getRow(0).createCell(1).setCellValue("Date");
sheetHistory.getRow(0).createCell(2).setCellValue("Referrer");
sheetHistory.getRow(0).createCell(3).setCellValue("Title");
sheetHistory.getRow(0).createCell(4).setCellValue("Program");
for (int i = 0; i < wbtemp.getNumberOfSheets(); i++) {
Sheet tempsheet = wbtemp.getSheetAt(i);
tempsheet.setAutobreaks(true);
for (Row temprow : tempsheet) {
for (Cell cell : temprow) {
cell.setCellStyle(style);
tempsheet.autoSizeColumn(cell.getColumnIndex());
} }
if(entry.getKey().getArtifactTypeID() == 5){ }
countDownload++; }
int countedGen = 0;
int countedBookmark = 0;
int countedCookie = 0;
int countedHistory = 0;
int countedDownload = 0;
int countedRecentObjects = 0;
int countedTrackPoint = 0;
int countedInstalled = 0;
int countedKeyword = 0;
int countedHash = 0;
int countedDevice = 0;
//start populating the sheets in the workbook
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (reportFilter.cancel == true) {
break;
}
int cc = 0;
Long objId = entry.getKey().getObjectID();
FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for (n = 1; n <= 36; n++) {
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue()) {
if (reportFilter.cancel == true) {
break;
} }
if(entry.getKey().getArtifactTypeID() == 6){ String value = "";
countRecentObjects++; int type = tempatt.getAttributeTypeID();
if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
} else if (type == 2 || type == 33) {
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong()) * 1000));
} else {
value = tempatt.getValueString();
} }
if(entry.getKey().getArtifactTypeID() == 7){
countTrackPoint++; attributes.put(type, value);
} cc++;
if(entry.getKey().getArtifactTypeID() == 8){ }
countInstalled++;
}
if(entry.getKey().getArtifactTypeID() == 9){ if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countKeyword++; countedGen++;
} // Row temp = sheetGen.getRow(countedGen);
if(entry.getKey().getArtifactTypeID() == 10){
countHash++; }
} if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
if(entry.getKey().getArtifactTypeID() == 11){ countedBookmark++;
countDevice++; Row temp = sheetBookmark.createRow(countedBookmark);
} temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countedCookie++;
Row temp = sheetCookie.createRow(countedCookie);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(2));
temp.createCell(2).setCellValue(attributes.get(3));
temp.createCell(3).setCellValue(attributes.get(6));
temp.createCell(4).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countedHistory++;
Row temp = sheetHistory.createRow(countedHistory);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(33));
temp.createCell(2).setCellValue(attributes.get(32));
temp.createCell(3).setCellValue(attributes.get(3));
temp.createCell(4).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countedDownload++;
Row temp = sheetDownload.createRow(countedDownload);
temp.createCell(0).setCellValue(attributes.get(8));
temp.createCell(1).setCellValue(attributes.get(1));
temp.createCell(2).setCellValue(attributes.get(33));
temp.createCell(3).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countedRecentObjects++;
Row temp = sheetRecent.createRow(countedRecentObjects);
temp.createCell(0).setCellValue(attributes.get(3));
temp.createCell(1).setCellValue(attributes.get(8));
temp.createCell(2).setCellValue(file.getName());
temp.createCell(3).setCellValue(attributes.get(4));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
// sheetTrackpoint.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countedInstalled++;
Row temp = sheetInstalled.createRow(countedInstalled);
temp.createCell(0).setCellValue(attributes.get(4));
temp.createCell(1).setCellValue(attributes.get(2));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countedKeyword++;
Row temp = sheetKeyword.createRow(countedKeyword);
temp.createCell(0).setCellValue(attributes.get(10));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(12));
temp.createCell(3).setCellValue(attributes.get(13));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countedHash++;
Row temp = sheetHash.createRow(countedHash);
temp.createCell(0).setCellValue(file.getName().toString());
temp.createCell(1).setCellValue(filesize.toString());
temp.createCell(2).setCellValue(attributes.get(30));
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countedDevice++;
Row temp = sheetDevice.createRow(countedDevice);
temp.createCell(0).setCellValue(attributes.get(18));
temp.createCell(1).setCellValue(attributes.get(20));
temp.createCell(2).setCellValue(attributes.get(2));
}
cc++;
rr.progBarSet(cc);
}
//write out the report to the reports folder
try {
FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".xlsx");
wbtemp.write(fos);
fos.close();
wb = wbtemp;
} catch (IOException e) {
System.err.println(e);
}
} catch (Exception E) {
String test = E.toString();
}
} }
try{
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
Integer imagecount = currentCase.getImageIDs().length;
Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss");
Date date = new Date();
String datetime = datetimeFormat.format(date);
String datenotime = dateFormat.format(date);
//The first summary report page
Sheet sheetSummary = wbtemp.createSheet("Summary");
//Generate a sheet per artifact type
// Sheet sheetGen = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getDisplayName());
Sheet sheetHash = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName());
Sheet sheetDevice = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getDisplayName());
Sheet sheetInstalled = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getDisplayName());
Sheet sheetKeyword = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName());
// Sheet sheetTrackpoint = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getDisplayName());
Sheet sheetRecent = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getDisplayName());
Sheet sheetCookie = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getDisplayName());
Sheet sheetBookmark = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName());
Sheet sheetDownload = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getDisplayName());
Sheet sheetHistory = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName());
//Bold/underline cell style for the top header rows
CellStyle style = wbtemp.createCellStyle();
style.setBorderBottom((short) 2);
Font font = wbtemp.createFont();
font.setFontHeightInPoints((short)16);
font.setFontName("Courier New");
font.setBoldweight((short)2);
style.setFont(font);
//create the rows in the worksheet for our records
//Create first row and header
// sheetGen.createRow(0);
// sheetGen.getRow(0).createCell(0).setCellValue("Name");
// sheetGen.getRow(0).createCell(1).setCellValue("Value");
// sheetGen.getRow(0).createCell(2).setCellValue("Date/Time");
sheetSummary.createRow(0).setRowStyle(style);
sheetSummary.getRow(0).createCell(0).setCellValue("Summary Information");
sheetSummary.getRow(0).createCell(1).setCellValue(caseName);
//add some basic information
sheetSummary.createRow(1);
sheetSummary.getRow(1).createCell(0).setCellValue("# of Images");
sheetSummary.getRow(1).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(2);
sheetSummary.getRow(2).createCell(0).setCellValue("Filesystems found");
sheetSummary.getRow(2).createCell(1).setCellValue(imagecount);
sheetSummary.createRow(3);
sheetSummary.getRow(3).createCell(0).setCellValue("# of Files");
sheetSummary.getRow(3).createCell(1).setCellValue(totalfiles);
sheetSummary.createRow(4);
sheetSummary.getRow(4).createCell(0).setCellValue("# of Directories");
sheetSummary.getRow(4).createCell(1).setCellValue(totaldirs);
sheetSummary.createRow(5);
sheetSummary.getRow(5).createCell(0).setCellValue("Date/Time");
sheetSummary.getRow(5).createCell(1).setCellValue(datetime);
sheetHash.createRow(0).setRowStyle(style);
sheetHash.getRow(0).createCell(0).setCellValue("Name");
sheetHash.getRow(0).createCell(1).setCellValue("Size");
sheetHash.getRow(0).createCell(2).setCellValue("Hashset Name");
sheetDevice.createRow(0).setRowStyle(style);
sheetDevice.getRow(0).createCell(0).setCellValue("Name");
sheetDevice.getRow(0).createCell(1).setCellValue("Serial #");
sheetDevice.getRow(0).createCell(2).setCellValue("Time");
sheetInstalled.createRow(0).setRowStyle(style);
sheetInstalled.getRow(0).createCell(0).setCellValue("Program Name");
sheetInstalled.getRow(0).createCell(1).setCellValue("Install Date/Time");
sheetKeyword.createRow(0).setRowStyle(style);
sheetKeyword.getRow(0).createCell(0).setCellValue("Keyword");
sheetKeyword.getRow(0).createCell(1).setCellValue("File Name");
sheetKeyword.getRow(0).createCell(2).setCellValue("Preview");
sheetKeyword.getRow(0).createCell(3).setCellValue("Keyword LIst");
sheetRecent.createRow(0).setRowStyle(style);
sheetRecent.getRow(0).createCell(0).setCellValue("Name");
sheetRecent.getRow(0).createCell(1).setCellValue("Path");
sheetRecent.getRow(0).createCell(2).setCellValue("Related Shortcut");
sheetCookie.createRow(0).setRowStyle(style);
sheetCookie.getRow(0).createCell(0).setCellValue("URL");
sheetCookie.getRow(0).createCell(1).setCellValue("Date");
sheetCookie.getRow(0).createCell(2).setCellValue("Name");
sheetCookie.getRow(0).createCell(3).setCellValue("Value");
sheetCookie.getRow(0).createCell(4).setCellValue("Program");
sheetBookmark.createRow(0).setRowStyle(style);
sheetBookmark.getRow(0).createCell(0).setCellValue("URL");
sheetBookmark.getRow(0).createCell(1).setCellValue("Title");
sheetBookmark.getRow(0).createCell(2).setCellValue("Program");
sheetDownload.createRow(0).setRowStyle(style);
sheetDownload.getRow(0).createCell(0).setCellValue("File");
sheetDownload.getRow(0).createCell(1).setCellValue("Source");
sheetDownload.getRow(0).createCell(2).setCellValue("Time");
sheetDownload.getRow(0).createCell(3).setCellValue("Program");
sheetHistory.createRow(0).setRowStyle(style);
sheetHistory.getRow(0).createCell(0).setCellValue("URL");
sheetHistory.getRow(0).createCell(1).setCellValue("Date");
sheetHistory.getRow(0).createCell(2).setCellValue("Referrer");
sheetHistory.getRow(0).createCell(3).setCellValue("Title");
sheetHistory.getRow(0).createCell(4).setCellValue("Program");
for(int i = 0;i < wbtemp.getNumberOfSheets();i++){
Sheet tempsheet = wbtemp.getSheetAt(i);
tempsheet.setAutobreaks(true);
for (Row temprow : tempsheet){
for (Cell cell : temprow) {
cell.setCellStyle(style);
tempsheet.autoSizeColumn(cell.getColumnIndex());
}
}
}
int countedGen = 0;
int countedBookmark = 0;
int countedCookie = 0;
int countedHistory = 0;
int countedDownload = 0;
int countedRecentObjects = 0;
int countedTrackPoint = 0;
int countedInstalled = 0;
int countedKeyword = 0;
int countedHash = 0;
int countedDevice = 0;
//start populating the sheets in the workbook
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
break;
}
int cc = 0;
Long objId = entry.getKey().getObjectID();
FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer,String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for(n=1;n<=36;n++)
{
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
break;
}
String value = "";
int type = tempatt.getAttributeTypeID();
if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){
}
else if(type == 2){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())*1000));
}
else
{
value = tempatt.getValueString();
}
attributes.put(type, value);
cc++;
}
if(entry.getKey().getArtifactTypeID() == 1){
countedGen++;
// Row temp = sheetGen.getRow(countedGen);
}
if(entry.getKey().getArtifactTypeID() == 2){
countedBookmark++;
Row temp = sheetBookmark.createRow(countedBookmark);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 3){
countedCookie++;
Row temp = sheetCookie.createRow(countedCookie);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(2));
temp.createCell(2).setCellValue(attributes.get(3));
temp.createCell(3).setCellValue(attributes.get(6));
temp.createCell(4).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 4){
countedHistory++;
Row temp = sheetHistory.createRow(countedHistory);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(33));
temp.createCell(2).setCellValue(attributes.get(32));
temp.createCell(3).setCellValue(attributes.get(3));
temp.createCell(4).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 5){
countedDownload++;
Row temp = sheetDownload.createRow(countedDownload);
temp.createCell(0).setCellValue(attributes.get(8));
temp.createCell(1).setCellValue(attributes.get(1));
temp.createCell(2).setCellValue(attributes.get(33));
temp.createCell(3).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 6){
countedRecentObjects++;
Row temp = sheetRecent.createRow(countedRecentObjects);
temp.createCell(0).setCellValue(attributes.get(3));
temp.createCell(1).setCellValue(attributes.get(8));
temp.createCell(2).setCellValue(file.getName());
temp.createCell(3).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 7){
// sheetTrackpoint.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
countedInstalled++;
Row temp = sheetInstalled.createRow(countedInstalled);
temp.createCell(0).setCellValue(attributes.get(4));
temp.createCell(1).setCellValue(attributes.get(2));
}
if(entry.getKey().getArtifactTypeID() == 9){
countedKeyword++;
Row temp = sheetKeyword.createRow(countedKeyword);
temp.createCell(0).setCellValue(attributes.get(10));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(12));
temp.createCell(3).setCellValue(attributes.get(13));
}
if(entry.getKey().getArtifactTypeID() == 10){
countedHash++;
Row temp = sheetHash.createRow(countedHash);
temp.createCell(0).setCellValue(file.getName().toString());
temp.createCell(1).setCellValue(filesize.toString());
temp.createCell(2).setCellValue(attributes.get(30));
}
if(entry.getKey().getArtifactTypeID() == 11){
countedDevice++;
Row temp = sheetDevice.createRow(countedDevice);
temp.createCell(0).setCellValue(attributes.get(18));
temp.createCell(1).setCellValue(attributes.get(20));
temp.createCell(2).setCellValue(attributes.get(2));
}
cc++;
rr.progBarSet(cc);
}
//write out the report to the reports folder
try {
FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xlsx");
wbtemp.write(fos);
fos.close();
wb = wbtemp;
}
catch (IOException e) {
System.err.println(e);
}
}
catch(Exception E)
{
String test = E.toString();
}
}
} }


@ -1,8 +1,25 @@
/* /*
* To change this template, choose Tools | Templates *
* and open the template in the editor. * Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/ */
package org.sleuthkit.autopsy.report; package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream; import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.text.DateFormat; import java.text.DateFormat;
@ -31,128 +48,129 @@ import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskData;
public class reportXML { public class reportXML {
public static Document xmldoc = new Document(); public static Document xmldoc = new Document();
public reportXML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
try{ public reportXML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
Case currentCase = Case.getCurrentCase(); // get the most updated case try {
SleuthkitCase skCase = currentCase.getSleuthkitCase(); Case currentCase = Case.getCurrentCase(); // get the most updated case
String caseName = currentCase.getName(); SleuthkitCase skCase = currentCase.getSleuthkitCase();
Integer imagecount = currentCase.getImageIDs().length; String caseName = currentCase.getName();
Integer filesystemcount = currentCase.getRootObjectsCount(); Integer imagecount = currentCase.getImageIDs().length;
Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG); Integer filesystemcount = currentCase.getRootObjectsCount();
Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR); Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG);
Element root = new Element("Case"); Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR);
xmldoc = new Document(root); Element root = new Element("Case");
DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); xmldoc = new Document(root);
DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss"); DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
Date date = new Date(); DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss");
String datetime = datetimeFormat.format(date); Date date = new Date();
String datenotime = dateFormat.format(date); String datetime = datetimeFormat.format(date);
Comment comment = new Comment("XML Report Generated by Autopsy 3 on " + datetime); String datenotime = dateFormat.format(date);
root.addContent(comment); Comment comment = new Comment("XML Report Generated by Autopsy 3 on " + datetime);
//Create summary node involving how many of each type root.addContent(comment);
Element summary = new Element("Summary"); //Create summary node involving how many of each type
if(IngestManager.getDefault().isIngestRunning()) Element summary = new Element("Summary");
{ if (IngestManager.getDefault().isIngestRunning()) {
summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!")); summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!"));
} }
summary.addContent(new Element("Name").setText(caseName)); summary.addContent(new Element("Name").setText(caseName));
summary.addContent(new Element("Total-Images").setText(imagecount.toString())); summary.addContent(new Element("Total-Images").setText(imagecount.toString()));
summary.addContent(new Element("Total-FileSystems").setText(filesystemcount.toString())); summary.addContent(new Element("Total-FileSystems").setText(filesystemcount.toString()));
summary.addContent(new Element("Total-Files").setText(totalfiles.toString())); summary.addContent(new Element("Total-Files").setText(totalfiles.toString()));
summary.addContent(new Element("Total-Directories").setText(totaldirs.toString())); summary.addContent(new Element("Total-Directories").setText(totaldirs.toString()));
root.addContent(summary); root.addContent(summary);
//generate the nodes for each of the types so we can use them later //generate the nodes for each of the types so we can use them later
Element nodeGen = new Element("General-Information"); Element nodeGen = new Element("General-Information");
Element nodeWebBookmark = new Element("Web-Bookmarks"); Element nodeWebBookmark = new Element("Web-Bookmarks");
Element nodeWebCookie = new Element("Web-Cookies"); Element nodeWebCookie = new Element("Web-Cookies");
Element nodeWebHistory = new Element("Web-History"); Element nodeWebHistory = new Element("Web-History");
Element nodeWebDownload = new Element("Web-Downloads"); Element nodeWebDownload = new Element("Web-Downloads");
Element nodeRecentObjects = new Element("Recent-Documents"); Element nodeRecentObjects = new Element("Recent-Documents");
Element nodeTrackPoint = new Element("Track-Points"); Element nodeTrackPoint = new Element("Track-Points");
Element nodeInstalled = new Element("Installed-Programfiles"); Element nodeInstalled = new Element("Installed-Programfiles");
Element nodeKeyword = new Element("Keyword-Search-Hits"); Element nodeKeyword = new Element("Keyword-Search-Hits");
Element nodeHash = new Element("Hashset-Hits"); Element nodeHash = new Element("Hashset-Hits");
Element nodeDevice = new Element("Attached-Devices"); Element nodeDevice = new Element("Attached-Devices");
//remove bytes //remove bytes
Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]"); Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]");
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) { for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){ if (reportFilter.cancel == true) {
break; break;
} }
int cc = 0; int cc = 0;
Element artifact = new Element("Artifact"); Element artifact = new Element("Artifact");
Long objId = entry.getKey().getObjectID(); Long objId = entry.getKey().getObjectID();
Content cont = skCase.getContentById(objId); Content cont = skCase.getContentById(objId);
Long filesize = cont.getSize(); Long filesize = cont.getSize();
artifact.setAttribute("ID", objId.toString()); artifact.setAttribute("ID", objId.toString());
artifact.setAttribute("Name", cont.accept(new NameVisitor())); artifact.setAttribute("Name", cont.accept(new NameVisitor()));
artifact.setAttribute("Size", filesize.toString()); artifact.setAttribute("Size", filesize.toString());
// Get all the attributes for this guy // Get all the attributes for this guy
for (BlackboardAttribute tempatt : entry.getValue()) for (BlackboardAttribute tempatt : entry.getValue()) {
{ if (reportFilter.cancel == true) {
if(reportFilter.cancel == true){ break;
break; }
} Element attribute = new Element("Attribute").setAttribute("Type", tempatt.getAttributeTypeDisplayName());
Element attribute = new Element("Attribute").setAttribute("Type",tempatt.getAttributeTypeDisplayName()); String tempvalue = tempatt.getValueString();
String tempvalue = tempatt.getValueString(); //INVALID_XML_CHARS.matcher(tempvalue).replaceAll("");
//INVALID_XML_CHARS.matcher(tempvalue).replaceAll(""); Element value = new Element("Value").setText(tempvalue);
Element value = new Element("Value").setText(tempvalue); attribute.addContent(value);
attribute.addContent(value); Element context = new Element("Context").setText(StringEscapeUtils.escapeXml(tempatt.getContext()));
Element context = new Element("Context").setText(StringEscapeUtils.escapeXml(tempatt.getContext())); attribute.addContent(context);
attribute.addContent(context); artifact.addContent(attribute);
artifact.addContent(attribute); cc++;
cc++; }
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
if(entry.getKey().getArtifactTypeID() == 1){ //while (entry.getValue().iterator().hasNext())
//while (entry.getValue().iterator().hasNext()) // {
// { // }
// } nodeGen.addContent(artifact);
nodeGen.addContent(artifact); }
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
nodeWebBookmark.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
nodeWebCookie.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
nodeWebHistory.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
nodeWebDownload.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
nodeRecentObjects.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
nodeTrackPoint.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
nodeInstalled.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
nodeKeyword.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
nodeHash.addContent(artifact);
}
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
nodeDevice.addContent(artifact);
}
cc++;
rr.progBarSet(cc);
//end of master loop
} }
if(entry.getKey().getArtifactTypeID() == 2){
//add them in the order we want them to the document
nodeWebBookmark.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 3){
nodeWebCookie.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 4){
nodeWebHistory.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 5){
nodeWebDownload.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 6){
nodeRecentObjects.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 7){
nodeTrackPoint.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
nodeInstalled.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 9){
nodeKeyword.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 10){
nodeHash.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 11){
nodeDevice.addContent(artifact);
}
cc++;
rr.progBarSet(cc);
//end of master loop
}
//add them in the order we want them to the document
root.addContent(nodeGen); root.addContent(nodeGen);
root.addContent(nodeWebBookmark); root.addContent(nodeWebBookmark);
root.addContent(nodeWebCookie); root.addContent(nodeWebCookie);
@ -162,26 +180,24 @@ public class reportXML {
root.addContent(nodeTrackPoint); root.addContent(nodeTrackPoint);
root.addContent(nodeInstalled); root.addContent(nodeInstalled);
root.addContent(nodeKeyword); root.addContent(nodeKeyword);
root.addContent(nodeHash); root.addContent(nodeHash);
root.addContent(nodeDevice); root.addContent(nodeDevice);
try {
FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xml");
XMLOutputter serializer = new XMLOutputter();
serializer.output(xmldoc, out);
out.flush();
out.close();
}
catch (IOException e) {
System.err.println(e);
}
} try {
catch (Exception e){ FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".xml");
Logger.getLogger(reportXML.class.getName()).log(Level.WARNING, "Exception occurred", e); XMLOutputter serializer = new XMLOutputter();
serializer.output(xmldoc, out);
out.flush();
out.close();
} catch (IOException e) {
System.err.println(e);
}
} catch (Exception e) {
Logger.getLogger(reportXML.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
} }
}
private class NameVisitor extends ContentVisitor.Default<String> { private class NameVisitor extends ContentVisitor.Default<String> {
@Override @Override