- fix previous merge
This commit is contained in:
adam-m 2012-05-02 00:26:43 -04:00
parent a38d546ecb
commit ff96ae6f13
26 changed files with 3407 additions and 3169 deletions


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera
*/
public enum BrowserActivity {
IE(0),
FF(1),
CH(2);
private static final Map<Integer,BrowserActivity> lookup
= new HashMap<Integer,BrowserActivity>();
private static final Map<Integer, BrowserActivity> lookup = new HashMap<Integer, BrowserActivity>();
static {
for(BrowserActivity bat : values())
for (BrowserActivity bat : values()) {
lookup.put(bat.type, bat);
}
}
private int type;
private BrowserActivity(int type)
{
private BrowserActivity(int type) {
this.type = type;
}
public int getType() { return type; }
public int getType() {
return type;
}
public static BrowserActivity get(int type) {
switch(type) {
case 0: return IE;
case 1: return FF;
case 2: return CH;
switch (type) {
case 0:
return IE;
case 1:
return FF;
case 2:
return CH;
}
return null;
}
}
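Review bot: The `lookup` map populated in the static initializer is never read — `get(int)` re-encodes the same id-to-constant mapping in a switch and falls through to `return null` for anything else, so the two tables can drift apart when a constant is added. Replace the switch body with `return lookup.get(type);` (or throw `IllegalArgumentException` for unknown ids if callers never expect null) and delete the duplicated cases. BrowserActivityType and BrowserType in this commit carry the same dead map and the same switch; the fix applies to all three files.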


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -13,34 +29,36 @@ import java.util.Map;
* @author arivera
*/
public enum BrowserActivityType {
Cookies(0),
Url(1),
Bookmarks(2);
private static final Map<Integer,BrowserActivityType> lookup
= new HashMap<Integer,BrowserActivityType>();
private static final Map<Integer, BrowserActivityType> lookup = new HashMap<Integer, BrowserActivityType>();
static {
for(BrowserActivityType bat : values())
for (BrowserActivityType bat : values()) {
lookup.put(bat.type, bat);
}
}
private int type;
private BrowserActivityType(int type)
{
private BrowserActivityType(int type) {
this.type = type;
}
public int getType() { return type; }
public int getType() {
return type;
}
public static BrowserActivityType get(int type) {
switch(type) {
case 0: return Cookies;
case 1: return Url;
case 2: return Bookmarks;
switch (type) {
case 0:
return Cookies;
case 1:
return Url;
case 2:
return Bookmarks;
}
return null;
}
}


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -12,34 +28,36 @@ import java.util.Map;
* @author arivera
*/
public enum BrowserType {
IE(0), //Internet Explorer
FF(1), //Firefox
CH(2); //Chrome
private static final Map<Integer,BrowserType> lookup
= new HashMap<Integer,BrowserType>();
private static final Map<Integer, BrowserType> lookup = new HashMap<Integer, BrowserType>();
static {
for(BrowserType bt : values())
for (BrowserType bt : values()) {
lookup.put(bt.type, bt);
}
}
private int type;
private BrowserType(int type)
{
private BrowserType(int type) {
this.type = type;
}
public int getType() { return type; }
public int getType() {
return type;
}
public static BrowserType get(int type) {
switch(type) {
case 0: return IE;
case 1: return FF;
case 2: return CH;
switch (type) {
case 0:
return IE;
case 1:
return FF;
case 2:
return CH;
}
return null;
}
}


@ -1,8 +1,25 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
@ -25,15 +42,13 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
/**
*
* @author Alex
*/
public class Chrome {
public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
+ "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url";
public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies";
@ -43,191 +58,205 @@ public class Chrome {
private final Logger logger = Logger.getLogger(this.getClass().getName());
public int ChromeCount = 0;
public Chrome(){
public Chrome() {
}
public void getchdb(List<String> image, IngestImageWorkerController controller){
public void getchdb(List<String> image, IngestImageWorkerController controller) {
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb;
List<FsContent> FFSqlitedb = null;
Map<String, Object> kvs = new LinkedHashMap<String, Object>();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' AND parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
ChromeCount = FFSqlitedb.size();
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write to disk.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chquery);
while(temprs.next())
{
while (temprs.next()) {
try {
String domain = Util.extractDomain(temprs.getString("url"));
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",temprs.getString("url")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Accessed",(temprs.getLong("last_visit_time")/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",temprs.getString("from_visit")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("url")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Accessed", (temprs.getLong("last_visit_time") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", temprs.getString("from_visit")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to insert BB artifact.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
catch (SQLException ex)
{
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//COOKIES section
// This gets the cookie info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FFSqlitedb;
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chcookiequery);
while(temprs.next())
{
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = temprs.getString("host_key");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",(temprs.getLong("last_access_utc")/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", (temprs.getLong("last_access_utc") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
catch (SQLException ex)
{
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//BOokmarks section
// This gets the bm info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FFSqlitedb;
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to write IO {0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
try {
final JsonParser parser = new JsonParser();
JsonElement jsonElement = parser.parse(new FileReader(temps));
@ -235,10 +264,8 @@ public class Chrome {
JsonObject whatever = test.get("roots").getAsJsonObject();
JsonObject whatever2 = whatever.get("bookmark_bar").getAsJsonObject();
JsonArray whatever3 = whatever2.getAsJsonArray("children");
// JsonArray results = parser.parse(new FileReader(temps)).getAsJsonObject().getAsJsonArray("roots").getAsJsonObject().getAsJsonArray("bookmark_bar").get(0).getAsJsonObject().getAsJsonArray("children");
for (JsonElement result : whatever3) {
try {
JsonObject address = result.getAsJsonObject();
String url = address.get("url").getAsString();
String name = address.get("name").getAsString();
@ -246,177 +273,179 @@ public class Chrome {
String domain = Util.extractDomain(url);
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",(date/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (date / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to insert BB artifact{0}", ex);
}
}
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
}
catch (SQLException ex)
{
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section
// This gets the downloads info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
List<FsContent> FFSqlitedb;
List<FsContent> FFSqlitedb = null;
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chdownloadquery);
while(temprs.next())
{
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
String domain = Util.extractDomain(temprs.getString("url"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",(temprs.getLong("start_time")/10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", (temprs.getLong("start_time") / 10000)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(temprs.getString("full_path"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(temprs.getString("full_path"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
}
catch (SQLException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Login/Password section
// This gets the user info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FFSqlitedb;
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Chrome%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(chloginquery);
while(temprs.next())
{
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity","", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
catch (SQLException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Chrome SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
}
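Review bot: In each of the History, Cookies, Downloads and Login loops the SQLite handle is released only on the happy path — `tempdbconnect.closeConnection(); temprs.close();` sit inside the try, so a failure in `temprs.next()` jumps to the catch and leaks the connection — and the following `dbFile.delete()` ignores its return value, so the extracted copy of the evidence database (cookie values, stored usernames) can silently remain in the case temp directory, which is exactly what a still-open handle causes on Windows. Move the cleanup into a finally and log a failed delete; the Bookmarks loop has the same gap with the `new FileReader(temps)` handed to `parser.parse`, which is never closed at all. Separately, `username_value.replaceAll("'", "''")` in the Login section applies SQL quote-escaping to a value that goes straight into a BlackboardAttribute rather than into a query, so usernames containing an apostrophe are stored corrupted — drop the replaceAll. getchdb spans several hunks, and the broad `catch (Exception ex)` that replaces the former SQLException/IOException pairs now also swallows runtime errors with only a WARNING, so the cleanup below is written to tolerate that rather than depend on it.
```java
// … unchanged: temp copy written to temps, cancellation check …
dbconnect tempdbconnect = null;
ResultSet temprs = null;
try {
    tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
    temprs = tempdbconnect.executeQry(chquery);
    while (temprs.next()) {
        // … unchanged: build the TSK_WEB_HISTORY artifact from the row …
    }
} catch (Exception ex) {
    logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
} finally {
    try {
        if (temprs != null) {
            temprs.close();
        }
        if (tempdbconnect != null) {
            tempdbconnect.closeConnection();
        }
    } catch (Exception ex) {
        logger.log(Level.WARNING, "Error closing " + connectionString, ex);
    }
    // File.delete() reports failure only through its return value; a leftover
    // copy of the evidence database is worth a warning, not silence.
    if (!dbFile.delete()) {
        logger.log(Level.WARNING, "Could not delete temporary copy {0}", temps);
    }
}
j++;
```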


@ -1,9 +1,26 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.sql.SQLException;
import java.util.List;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
@ -13,48 +30,50 @@ import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
*/
public class ExtractAll {
void ExtractAll(){
void ExtractAll() {
}
public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds){
public boolean extractToBlackboard(IngestImageWorkerController controller, List<String> imgIds) {
controller.switchToDeterminate(3);
try{
try {
// Will make registry entries later, comment out for DEMO ONLY
controller.switchToDeterminate(4);
controller.progress(0);
ExtractRegistry eree = new ExtractRegistry();
eree.getregistryfiles(imgIds, controller);
controller.progress(1);
if (controller.isCancelled())
if (controller.isCancelled()) {
return true;
}
Firefox ffre = new Firefox();
ffre.getffdb(imgIds, controller);
controller.progress(2);
if (controller.isCancelled())
if (controller.isCancelled()) {
return true;
}
Chrome chre = new Chrome();
chre.getchdb(imgIds, controller);
controller.progress(3);
if (controller.isCancelled())
if (controller.isCancelled()) {
return true;
}
ExtractIE eere = new ExtractIE(imgIds, controller);
eere.parsePascoResults();
controller.progress(4);
if (controller.isCancelled())
if (controller.isCancelled()) {
return true;
}
//Find a way to put these results into BB
return true;
}
catch(Error e){
} catch (SQLException e) {
return false;
} catch (Error e) {
return false;
}
}
}


@ -1,8 +1,10 @@
/*
/*
*
* Autopsy Forensic Browser
*
* Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -27,7 +29,6 @@ import java.io.IOException;
import java.sql.ResultSet;
//Util Imports
import java.sql.SQLException;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
@ -43,7 +44,6 @@ import java.util.regex.Pattern;
// TSK Imports
import org.openide.modules.InstalledFileLocator;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.datamodel.DataConversion;
@ -58,7 +58,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException;
import org.sleuthkit.autopsy.coreutils.PlatformUtil;
public class ExtractIE { // implements BrowserActivity {
@ -69,19 +69,16 @@ public class ExtractIE { // implements BrowserActivity {
private String recentQuery = "select * from `tsk_files` where parent_path LIKE '%/Recent%' and name LIKE '%.lnk'";
//sleauthkit db handle
SleuthkitCase tempDb;
//paths set in init()
private String PASCO_RESULTS_PATH;
private String PASCO_LIB_PATH;
private String JAVA_PATH;
//Results List to be referenced/used outside the class
public ArrayList<HashMap<String, Object>> PASCO_RESULTS_LIST = new ArrayList<HashMap<String, Object>>();
//Look Up Table that holds Pasco2 results
private HashMap<String, Object> PASCO_RESULTS_LUT;
private KeyValue IE_PASCO_LUT = new KeyValue(BrowserType.IE.name(), BrowserType.IE.getType());
public LinkedHashMap<String, Object> IE_OBJ;
boolean pascoFound = false;
public ExtractIE(List<String> image, IngestImageWorkerController controller) {
@ -89,91 +86,95 @@ public class ExtractIE { // implements BrowserActivity {
//Favorites section
// This gets the favorite info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FavoriteList;
}
List<FsContent> FavoriteList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(favoriteQuery + allFS);
FavoriteList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
for(FsContent Favorite : FavoriteList)
{
if (controller.isCancelled() ) {
for (FsContent Favorite : FavoriteList) {
if (controller.isCancelled()) {
break;
}
Content fav = Favorite;
byte[] t = new byte[(int) fav.getSize()];
final int bytesRead = fav.read(t, 0, fav.getSize());
String bookmarkString = new String(t);
String re1=".*?"; // Non-greedy match on filler
String re2="((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1
String re1 = ".*?"; // Non-greedy match on filler
String re2 = "((?:http|https)(?::\\/{2}[\\w]+)(?:[\\/|\\.]?)(?:[^\\s\"]*))"; // HTTP URL 1
String url = "";
Pattern p = Pattern.compile(re1+re2,Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Pattern p = Pattern.compile(re1 + re2, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m = p.matcher(bookmarkString);
if (m.find())
{
if (m.find()) {
url = m.group(1);
}
String name = Favorite.getName();
String datetime = Favorite.getCrtimeAsDate();
Long datetime = Favorite.getCrtime();
String domain = Util.extractDomain(url);
try {
BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
}
catch(TskException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
}
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
//Cookies section
// This gets the cookies info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> CookiesList;
}
List<FsContent> CookiesList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(cookiesQuery + allFS);
CookiesList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
for(FsContent Cookie : CookiesList)
{
if (controller.isCancelled() ) {
for (FsContent Cookie : CookiesList) {
if (controller.isCancelled()) {
break;
}
Content fav = Cookie;
@ -185,56 +186,59 @@ public class ExtractIE { // implements BrowserActivity {
String url = values.length > 2 ? values[2] : "";
String value = values.length > 1 ? values[1] : "";
String name = values.length > 0 ? values[0] : "";
String datetime = Cookie.getCrtimeAsDate();
Long datetime = Cookie.getCrtime();
String domain = Util.extractDomain(url);
try {
BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", (name != null) ? name : ""));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
catch(TskException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
}
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
//Recent Documents section
// This gets the recent object info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> RecentList;
}
List<FsContent> RecentList = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery(recentQuery + allFS);
RecentList = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
for(FsContent Recent : RecentList)
{
if (controller.isCancelled() ) {
for (FsContent Recent : RecentList) {
if (controller.isCancelled()) {
break;
}
Content fav = Recent;
@ -259,28 +263,27 @@ public class ExtractIE { // implements BrowserActivity {
String path = Util.getPath(recentString);
String name = Util.getFileName(path);
String datetime = Recent.getCrtimeAsDate();
Long datetime = Recent.getCrtime();
try {
BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),"RecentActivity","Last Visited",path));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(path)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity","Date Created",datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Windows Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "RecentActivity", "Last Visited", path));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(path)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Date Created", datetime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Windows Explorer"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT));
}
catch(TskException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex);
}
catch(SQLException ioex)
{
logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex);
}
}
@ -293,8 +296,11 @@ public class ExtractIE { // implements BrowserActivity {
private void init(List<String> image, IngestImageWorkerController controller) {
final Case currentCase = Case.getCurrentCase();
final String caseDir = Case.getCurrentCase().getCaseDirectory();
PASCO_RESULTS_PATH = caseDir + File.separator + "recentactivity" + File.separator + "results";
PASCO_RESULTS_PATH = Case.getCurrentCase().getTempDirectory() + File.separator + "results";
JAVA_PATH = PlatformUtil.getJavaPath();
if (JAVA_PATH.isEmpty() || JAVA_PATH == null) {
JAVA_PATH = "java";
}
logger.log(Level.INFO, "Pasco results path: " + PASCO_RESULTS_PATH);
final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false);
@ -302,8 +308,7 @@ public class ExtractIE { // implements BrowserActivity {
logger.log(Level.SEVERE, "Pasco2 not found");
pascoFound = false;
return;
}
else {
} else {
pascoFound = true;
}
@ -317,20 +322,26 @@ public class ExtractIE { // implements BrowserActivity {
File resultsDir = new File(PASCO_RESULTS_PATH);
resultsDir.mkdirs();
Collection<FsContent> FsContentCollection;
Collection<FsContent> FsContentCollection = null;
tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
}
try {
ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS);
FsContentCollection = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
String temps;
String indexFileName;
@ -340,22 +351,21 @@ public class ExtractIE { // implements BrowserActivity {
// index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
// Write each index.dat file to a temp directory.
//BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
indexFileName = "index" + Integer.toString((int)fsc.getId()) + ".dat";
indexFileName = "index" + Integer.toString((int) fsc.getId()) + ".dat";
//indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
temps = currentCase.getTempDirectory() + File.separator + indexFileName;
File datFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
datFile.delete();
break;
}
try {
ContentUtils.writeToFile(fsc, datFile);
}
catch (IOException e) {
} catch (IOException e) {
logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e);
}
boolean bPascProcSuccess = executePasco(temps, (int)fsc.getId());
boolean bPascProcSuccess = executePasco(temps, (int) fsc.getId());
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
@ -378,8 +388,9 @@ public class ExtractIE { // implements BrowserActivity {
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private boolean executePasco(String indexFilePath, int fileIndex) {
if (pascoFound == false)
if (pascoFound == false) {
return false;
}
boolean success = true;
try {
@ -393,7 +404,7 @@ public class ExtractIE { // implements BrowserActivity {
command.append(" > \"").append(PASCO_RESULTS_PATH).append("\\pasco2Result.").append(Integer.toString(fileIndex)).append(".txt\"");
// command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\"");
String cmd = command.toString();
JavaSystemCaller.Exec.execute("\"java "+cmd+ "\"");
JavaSystemCaller.Exec.execute("\"" + JAVA_PATH + " " + cmd + "\"");
} catch (Exception e) {
success = false;
@ -404,8 +415,9 @@ public class ExtractIE { // implements BrowserActivity {
}
public void parsePascoResults() {
if (pascoFound == false)
if (pascoFound == false) {
return;
}
// First thing we want to do is check to make sure the results directory
// is not empty.
File rFile = new File(PASCO_RESULTS_PATH);
@ -422,7 +434,7 @@ public class ExtractIE { // implements BrowserActivity {
try {
for (File file : pascoFiles) {
String fileName = file.getName();
long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".")+1, fileName.lastIndexOf(".")));
long artObjId = Long.parseLong(fileName.substring(fileName.indexOf(".") + 1, fileName.lastIndexOf(".")));
//bbartname = bbartname.substring(0, 4);
// Make sure the file the is not empty or the Scanner will
@ -449,15 +461,14 @@ public class ExtractIE { // implements BrowserActivity {
try {
String[] lineBuff = line.split("\\t");
PASCO_RESULTS_LUT = new HashMap<String, Object>();
String url[] = lineBuff[1].split("@",2);
String url[] = lineBuff[1].split("@", 2);
String ddtime = lineBuff[2];
String actime = lineBuff[3];
Long ftime = (long)0;
Long ftime = (long) 0;
String user = "";
String realurl = "";
String domain = "";
if(url.length > 1)
{
if (url.length > 1) {
user = url[0];
user = user.replace("Visited:", "");
user = user.replace(":Host:", "");
@ -470,21 +481,21 @@ public class ExtractIE { // implements BrowserActivity {
realurl = realurl.trim();
domain = Util.extractDomain(realurl);
}
if(!ddtime.isEmpty()){
ddtime = ddtime.replace("T"," ");
ddtime = ddtime.substring(ddtime.length()-5);
if (!ddtime.isEmpty()) {
ddtime = ddtime.replace("T", " ");
ddtime = ddtime.substring(ddtime.length() - 5);
}
if(!actime.isEmpty()){
try{
if (!actime.isEmpty()) {
try {
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime();
ftime = epochtime.longValue();
}
catch(ParseException e){
} catch (ParseException e) {
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
}
}
// TODO: Need to fix this so we have the right obj_id
try {
BlackboardArtifact bbart = tempDb.getContentById(artObjId).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", realurl));
@ -495,10 +506,13 @@ public class ExtractIE { // implements BrowserActivity {
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(),"RecentActivity","",user));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Internet Explorer"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", domain));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity", "", user));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
//KeyValueThing
//This will be redundant in terms IE.name() because of
@ -508,8 +522,8 @@ public class ExtractIE { // implements BrowserActivity {
IE_PASCO_LUT.addMap(IE_OBJ);
PASCO_RESULTS_LIST.add(PASCO_RESULTS_LUT);
} catch (TskException ex) {
Exceptions.printStackTrace(ex);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
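Review bot: The fallback guard added in init(), `if (JAVA_PATH.isEmpty() || JAVA_PATH == null)`, dereferences JAVA_PATH before the null test, so a null return from PlatformUtil.getJavaPath() throws NullPointerException instead of falling back to `"java"`; reorder it to `if (JAVA_PATH == null || JAVA_PATH.isEmpty()) {`. In executePasco() the new command line `"\"" + JAVA_PATH + " " + cmd + "\""` embeds the resolved path without its own quotes, so a path containing spaces (typical under Program Files) would presumably be split by the shell; quoting JAVA_PATH separately would avoid that. The Favorites, Cookies and Recent Documents blocks replace the `catch (TskException)`/`catch (SQLException)` pairs with `catch (Exception ex)`, which now also hides RuntimeExceptions behind a TSK-specific log message, and the `rs.close(); rs.getStatement().close();` lines in the inner try are skipped whenever `resultSetToFsContents` throws, so the statement leaks on that path unless it is closed in a `finally`. The same `catch (Exception ex)` broadening appears in parsePascoResults() here and in getregistryfiles() of ExtractRegistry. init() and executePasco() both start outside their hunks.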


@ -4,22 +4,14 @@
*/
package org.sleuthkit.autopsy.recentactivity;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.io.*;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Scanner;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.*;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.commons.lang3.StringEscapeUtils;
import org.jdom.Document;
import org.jdom.Element;
import org.jdom.input.SAXBuilder;
@ -27,15 +19,9 @@ import org.openide.modules.InstalledFileLocator;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.*;
/**
*
@ -47,27 +33,25 @@ public class ExtractRegistry {
private String RR_PATH;
boolean rrFound = false;
private int sysid;
ExtractRegistry(){
ExtractRegistry() {
final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false);
if (rrRoot == null) {
logger.log(Level.SEVERE, "RegRipper not found");
rrFound = false;
return;
}
else {
} else {
rrFound = true;
}
try{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
ResultSet artset = tempDb.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
while (artset.next()){
while (artset.next()) {
sysid = artset.getInt("artifact_type_id");
}
}
catch(Exception e){
} catch (Exception e) {
}
final String rrHome = rrRoot.getAbsolutePath();
logger.log(Level.INFO, "RegRipper home: " + rrHome);
@ -75,128 +59,109 @@ public class ExtractRegistry {
RR_PATH = rrHome + File.separator + "rip.exe";
}
public void getregistryfiles(List<String> image, IngestImageWorkerController controller){
try
{
public void getregistryfiles(List<String> image, IngestImageWorkerController controller) {
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> Regfiles;
}
List<FsContent> Regfiles = new ArrayList<FsContent>();
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name LIKE 'system' OR name LIKE 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS);
Regfiles = tempDb.resultSetToFsContents(rs);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < Regfiles.size())
{
while (j < Regfiles.size()) {
boolean Success;
Content orgFS = Regfiles.get(j);
long orgId = orgFS.getId();
String temps = currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName().toString();
try {
ContentUtils.writeToFile(Regfiles.get(j), new File(currentCase.getTempDirectory() + "\\" + Regfiles.get(j).getName()));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File regFile = new File(temps);
String txtPath = executeRegRip(temps, j);
if(txtPath.length() > 0)
{
Success = parseReg(txtPath,orgId);
}
else
{
if (txtPath.length() > 0) {
Success = parseReg(txtPath, orgId);
} else {
Success = false;
}
//At this point pasco2 proccessed the index files.
//Now fetch the results, parse them and the delete the files.
if(Success)
{
if (Success) {
//Delete dat file since it was succcessful
regFile.delete();
}
j++;
}
}
catch (SQLException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Registry files", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
}
// TODO: Hardcoded command args/path needs to be removed. Maybe set some constants and set env variables for classpath
// I'm not happy with this code. Can't stand making a system call, is not an acceptable solution but is a hack for now.
private String executeRegRip(String regFilePath, int fileIndex)
{
private String executeRegRip(String regFilePath, int fileIndex) {
String txtPath = regFilePath + Integer.toString(fileIndex) + ".txt";
String type = "";
try
{
try {
if(regFilePath.toLowerCase().contains("system"))
{
if (regFilePath.toLowerCase().contains("system")) {
type = "autopsysystem";
}
if(regFilePath.toLowerCase().contains("software"))
{
if (regFilePath.toLowerCase().contains("software")) {
type = "autopsysoftware";
}
if(regFilePath.toLowerCase().contains("ntuser"))
{
if (regFilePath.toLowerCase().contains("ntuser")) {
type = "autopsy";
}
if(regFilePath.toLowerCase().contains("default"))
{
if (regFilePath.toLowerCase().contains("default")) {
type = "1default";
}
if(regFilePath.toLowerCase().contains("sam"))
{
if (regFilePath.toLowerCase().contains("sam")) {
type = "1sam";
}
if(regFilePath.toLowerCase().contains("security"))
{
if (regFilePath.toLowerCase().contains("security")) {
type = "1security";
}
String command = "\"" + RR_PATH + "\" -r \"" + regFilePath +"\" -f " + type + " > \"" + txtPath + "\" 2> NUL";
JavaSystemCaller.Exec.execute("\""+command + "\"");
String command = "\"" + RR_PATH + "\" -r \"" + regFilePath + "\" -f " + type + " > \"" + txtPath + "\" 2> NUL";
JavaSystemCaller.Exec.execute("\"" + command + "\"");
}
catch(Exception e)
{
} catch (Exception e) {
logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> " ,e.getMessage() );
logger.log(Level.SEVERE, "ExtractRegistry::executeRegRip() -> ", e.getMessage());
}
return txtPath;
}
private boolean parseReg(String regRecord, long orgId)
{
private boolean parseReg(String regRecord, long orgId) {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
File regfile = new File(regRecord);
FileInputStream fstream = new FileInputStream(regfile);
InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8");
BufferedReader input = new BufferedReader(fstreamReader);
@ -204,10 +169,10 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
String regString = new Scanner(input).useDelimiter("\\Z").next();
regfile.delete();
String startdoc = "<?xml version=\"1.0\"?><document>";
String result = regString.replaceAll("----------------------------------------","");
String result = regString.replaceAll("----------------------------------------", "");
result = result.replaceAll("\\n", "");
result = result.replaceAll("\\r","");
result = result.replaceAll("'","&apos;");
result = result.replaceAll("\\r", "");
result = result.replaceAll("'", "&apos;");
result = result.replaceAll("&", "&amp;");
String enddoc = "</document>";
String stringdoc = startdoc + result + enddoc;
@ -216,25 +181,27 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
Element root = document.getRootElement();
List<Element> types = root.getChildren();
Iterator<Element> iterator = types.iterator();
//for(int i = 0; i < types.size(); i++)
//for(Element tempnode : types)
while (iterator.hasNext()) {
String time = "";
String etime = "";
String context = "";
Element tempnode = iterator.next();
// Element tempnode = types.get(i);
context = tempnode.getName();
Element timenode = tempnode.getChild("time");
time = timenode.getTextTrim();
etime = timenode.getTextTrim();
Long time = null;
try {
Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(etime).getTime();
time = epochtime.longValue();
} catch (ParseException e) {
logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage());
}
Element artroot = tempnode.getChild("artifacts");
List<Element> artlist = artroot.getChildren();
String winver = "";
String installdate = "";
if(artlist.isEmpty()){
}
else{
if (artlist.isEmpty()) {
} else {
Iterator<Element> aiterator = artlist.iterator();
while (aiterator.hasNext()) {
Element artnode = aiterator.next();
@ -242,72 +209,52 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con
String value = artnode.getTextTrim();
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
if("recentdocs".equals(context)){
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
// bbart.addAttributes(bbattributes);
}
else if("usb".equals(context)){
if ("recentdocs".equals(context)) {
// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name));
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value));
// bbart.addAttributes(bbattributes);
} else if ("usb".equals(context)) {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
String dev = artnode.getAttributeValue("dev");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
bbart.addAttributes(bbattributes);
}
else if("uninstall".equals(context)){
} else if ("uninstall".equals(context)) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
}
else if("WinVersion".equals(context)){
} else if ("WinVersion".equals(context)) {
if(name.contains("ProductName"))
{
if (name.contains("ProductName")) {
winver = value;
}
if(name.contains("CSDVersion")){
if (name.contains("CSDVersion")) {
winver = winver + " " + value;
}
if(name.contains("InstallDate"))
{
if (name.contains("InstallDate")) {
installdate = value;
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", context, winver));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, installdate));
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
bbart.addAttributes(bbattributes);
}
}
else
{
} else {
BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(sysid);
bbart.addAttributes(bbattributes);
}
}
}
}
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex);
String sadafd = "";
}
return true;
}
}
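Review bot: The ParseException handler added in parseReg() logs `"ExtractIE::parsePascosResults() -> "`, a message copied from ExtractIE that names the wrong class and method, and because the format string has no `{0}` the `e.getMessage()` argument is never printed; use `logger.log(Level.SEVERE, "ExtractRegistry::parseReg() -> could not parse time {0}", etime)` or pass `e` as the throwable argument. On that path the new `Long time = null` stays null, and if the BlackboardAttribute constructor used in the `uninstall` branch takes a primitive long, the unboxing will throw NullPointerException for every artifact whose `<time>` element does not parse — a sentinel such as `0L`, or skipping the attribute, would be safer. In getregistryfiles() the ResultSet returned by `tempDb.runQuery` is never closed, unlike the matching query blocks in ExtractIE which call `rs.close()` and `rs.getStatement().close()`. The file's explicit imports are replaced by `java.io.*`, `java.util.*` and `org.sleuthkit.datamodel.*`, while the rest of this commit keeps explicit imports; the explicit form is easier to audit. parseReg() starts outside its hunks.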


@ -1,30 +1,49 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import java.sql.*;
import java.util.logging.Level;
import java.util.logging.Logger;
//<editor-fold defaultstate="collapsed" desc="comment">
import java.lang.*;
//</editor-fold>
import java.util.*;
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.openide.util.Exceptions;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
import org.sleuthkit.autopsy.ingest.IngestManager;
import org.sleuthkit.autopsy.ingest.ServiceDataEvent;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.*;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
*
* @author Alex
@ -33,105 +52,102 @@ public class Firefox {
private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,(visit_date/1000) as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
private static final String ffcookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed,(creationTime/1000) as creationTime FROM moz_cookies";
private static final String ff3cookiequery = "SELECT name,value,host,expiry,(lastAccessed/1000) as lastAccessed FROM moz_cookies";
private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id";
private static final String ffdownloadquery = "select target, source,(startTime/1000) as startTime, maxBytes from moz_downloads";
public Logger logger = Logger.getLogger(this.getClass().getName());
public int FireFoxCount = 0;
public Firefox(){
public Firefox() {
}
public void getffdb(List<String> image, IngestImageWorkerController controller){
public void getffdb(List<String> image, IngestImageWorkerController controller) throws SQLException {
//Make these seperate, this is for history
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FFSqlitedb;
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement();
rs.close();
if (s != null)
if (s != null) {
s.close();
FireFoxCount = FFSqlitedb.size();
}
rs.close();
rs.getStatement().close();
} catch (SQLException ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffquery);
while(temprs.next())
{
ResultSet temprs = Util.runQuery(ffquery, connectionString);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getLong("visit_date")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",((temprs.getString("ref") != null) ? temprs.getString("ref") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",(Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : ""))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("url") != null) ? temprs.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("visit_date")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", ((temprs.getString("ref") != null) ? temprs.getString("ref") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((temprs.getString("title") != null) ? temprs.getString("title") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", (Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : ""))));
bbart.addAttributes(bbattributes);
}
temprs.close();
tempdbconnect.closeConnection();
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
try
{
}
temprs.close();
dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC",connectionString);
try {
dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery);
while(tempbm.next())
{
while (tempbm.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((tempbm.getString("url") != null) ? tempbm.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(tempbm.getString("url"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((tempbm.getString("url") != null) ? tempbm.getString("url") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(tempbm.getString("url"))));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempbm.close();
tempdbconnect2.closeConnection();
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
@ -142,173 +158,169 @@ public class Firefox {
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
}
catch (SQLException ex)
{
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
//COOKIES section
// This gets the cookie info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FFSqlitedb;
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%cookies.sqlite%' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffcookiequery);
while(temprs.next())
{
boolean checkColumn = Util.checkColumn("creationTime", "moz_cookies", connectionString);
String query;
if (checkColumn) {
query = ffcookiequery;
} else {
query = ff3cookiequery;
}
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(query);
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("lastAccessed")));
if (checkColumn == true) {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "Created", temprs.getLong("creationTime")));
}
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",temprs.getString("host")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "Title", ((temprs.getString("name") != null) ? temprs.getString("name") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", temprs.getString("host")));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
catch (SQLException ex)
{
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get Firefox SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
//Downloads section
// This gets the downloads info
try
{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
String allFS = new String();
for(int i = 0; i < image.size(); i++) {
if(i == 0)
for (int i = 0; i < image.size(); i++) {
if (i == 0) {
allFS += " AND (0";
}
allFS += " OR fs_obj_id = '" + image.get(i) + "'";
if(i == image.size()-1)
if (i == image.size() - 1) {
allFS += ")";
}
List<FsContent> FFSqlitedb;
}
List<FsContent> FFSqlitedb = null;
try {
ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and name NOT LIKE '%journal%' and parent_path LIKE '%Firefox%'" + allFS);
FFSqlitedb = tempDb.resultSetToFsContents(rs);
rs.close();
rs.getStatement().close();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
int j = 0;
while (j < FFSqlitedb.size())
if(FFSqlitedb != null && !FFSqlitedb.isEmpty())
{
while (j < FFSqlitedb.size()) {
String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db";
String connectionString = "jdbc:sqlite:" + temps;
try {
ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"));
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
File dbFile = new File(temps);
if (controller.isCancelled() ) {
if (controller.isCancelled()) {
dbFile.delete();
break;
}
try
{
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString);
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connectionString);
ResultSet temprs = tempdbconnect.executeQry(ffdownloadquery);
while(temprs.next())
{
while (temprs.next()) {
try {
BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getLong("startTime")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("source") != null) ? temprs.getString("source") : "")));
//bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : "")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "Last Visited", temprs.getLong("startTime")));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", ((temprs.getString("source") != null) ? temprs.getString("source") : "")));
String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8");
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(urldecodedtarget)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(), "RecentActivity", "", Util.findID(urldecodedtarget)));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(temprs.getString("source"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox"));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "RecentActivity", "", Util.extractDomain(temprs.getString("source"))));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "FireFox"));
bbart.addAttributes(bbattributes);
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db.{0}", ex);
}
}
tempdbconnect.closeConnection();
temprs.close();
}
catch (Exception ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex);
}
j++;
dbFile.delete();
}
}
IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
}
catch (SQLException ex)
{
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get FireFox SQLite db.", ex);
}
catch(IOException ioex)
{
logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex);
}
}
}
//@Override
// public HashMap<String,String> ExtractActivity() {
// return ExtractActivity;
//
// }
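Review bot: The downloads section still builds its scratch path with a literal `"\\"` (the `String temps = currentCase.getTempDirectory() + "\\" + ...` line and the matching `ContentUtils.writeToFile(...)` call), while the history and cookie sections now use `File.separator`; on a non-Windows host this creates a file whose name contains a backslash next to the temp directory instead of inside it. Change both to `currentCase.getTempDirectory() + File.separator + FFSqlitedb.get(j).getName().toString() + j + ".db"`, and consider naming the scratch file by object id rather than by `getName()`, since that name comes from the evidence image and nothing here strips separator characters from it. The history section closes `temprs` but, after the switch to `Util.runQuery(ffquery, connectionString)`, no longer closes a connection or statement for it; whether that leaks depends on `Util.runQuery`, which is outside this diff. With all three outer handlers now `catch (Exception ex)`, the `throws SQLException` added to `getffdb` cannot be reached from the visible code, so either narrow the handlers or drop the clause.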


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -11,109 +27,113 @@ import java.io.InputStreamReader;
import java.util.ArrayList;
/**
* Make a system call through a system shell in a platform-independent manner in Java. <br />
* This class only demonstrate a 'dir' or 'ls' within current (execution) path, if no parameters are used.
* If parameters are used, the first one is the system command to execute, the others are its system command parameters. <br />
* To be system independent, an <b><a href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm">
* Abstract Factory Pattern</a></b> will be used to build the right underlying system shell in which the system command will be executed.
* Make a system call through a system shell in a platform-independent manner in
* Java. <br /> This class only demonstrate a 'dir' or 'ls' within current
* (execution) path, if no parameters are used. If parameters are used, the
* first one is the system command to execute, the others are its system command
* parameters. <br /> To be system independent, an <b><a
* href="http://www.allapplabs.com/java_design_patterns/abstract_factory_pattern.htm">
* Abstract Factory Pattern</a></b> will be used to build the right underlying
* system shell in which the system command will be executed.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
* @see <a href="http://stackoverflow.com/questions/236737#236873">
How to make a system call that returns the stdout output as a string in various languages?</a>
* @see <a href="http://stackoverflow.com/questions/236737#236873"> How to make
* a system call that returns the stdout output as a string in various
* languages?</a>
*/
public final class JavaSystemCaller
{
public final class JavaSystemCaller {
/**
* Execute a system command. <br />
* Default is 'ls' in current directory if no parameters, or a system command (if Windows, it is automatically translated to 'dir')
* @param args first element is the system command, the others are its parameters (NOT NULL)
* Execute a system command. <br /> Default is 'ls' in current directory if
* no parameters, or a system command (if Windows, it is automatically
* translated to 'dir')
*
* @param args first element is the system command, the others are its
* parameters (NOT NULL)
* @throws IllegalArgumentException if one parameters is null or empty.
* 'args' can be empty (default 'ls' performed then)
*/
public static void main(final String[] args)
{
public static void main(final String[] args) {
String anOutput = "";
if(args.length == 0)
{
if (args.length == 0) {
anOutput = Exec.execute("ls");
}
else
{
} else {
String[] someParameters = null;
anOutput = Exec.execute(args[0],someParameters);
anOutput = Exec.execute(args[0], someParameters);
}
System.out.println("Final output: " + anOutput);
}
/**
* Asynchronously read the output of a given input stream. <br />
* Any exception during execution of the command in managed in this thread.
* Asynchronously read the output of a given input stream. <br /> Any
* exception during execution of the command in managed in this thread.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class StreamGobbler extends Thread
{
public static class StreamGobbler extends Thread {
private InputStream is;
private String type;
private StringBuffer output = new StringBuffer();
StreamGobbler(final InputStream anIs, final String aType)
{
StreamGobbler(final InputStream anIs, final String aType) {
this.is = anIs;
this.type = aType;
}
/**
* Asynchronous read of the input stream. <br />
* Will report output as its its displayed.
* Asynchronous read of the input stream. <br /> Will report output as
* its its displayed.
*
* @see java.lang.Thread#run()
*/
@Override
public final void run()
{
try
{
public final void run() {
try {
final InputStreamReader isr = new InputStreamReader(this.is);
final BufferedReader br = new BufferedReader(isr);
String line=null;
while ( (line = br.readLine()) != null)
{
String line = null;
while ((line = br.readLine()) != null) {
System.out.println(this.type + ">" + line);
this.output.append(line+System.getProperty("line.separator"));
this.output.append(line + System.getProperty("line.separator"));
}
} catch (final IOException ioe)
{
} catch (final IOException ioe) {
ioe.printStackTrace();
}
}
/**
* Get output filled asynchronously. <br />
* Should be called after execution
* Get output filled asynchronously. <br /> Should be called after
* execution
*
* @return final output
*/
public final String getOutput()
{
public final String getOutput() {
return this.output.toString();
}
}
/**
* Execute a system command in the appropriate shell. <br />
* Read asynchronously stdout and stderr to report any result.
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec
{
/**
* Execute a system command. <br />
* Listen asynchronously to stdout and stderr
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
* Execute a system command in the appropriate shell. <br /> Read
* asynchronously stdout and stderr to report any result.
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class Exec {
/**
* Execute a system command. <br /> Listen asynchronously to stdout and
* stderr
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
* @return final output (stdout only)
*/
public static String execute(final String aCommand, final String... someParameters)
{
public static String execute(final String aCommand, final String... someParameters) {
String output = "";
try
{
try {
ExecEnvironmentFactory anExecEnvFactory = getExecEnvironmentFactory(aCommand, someParameters);
final IShell aShell = anExecEnvFactory.createShell();
final String aCommandLine = anExecEnvFactory.createCommandLine();
@ -123,12 +143,10 @@ public final class JavaSystemCaller
final Process proc = rt.exec(aShell.getShellCommand() + " " + aCommandLine);
// any error message?
final StreamGobbler errorGobbler = new
StreamGobbler(proc.getErrorStream(), "ERROR");
final StreamGobbler errorGobbler = new StreamGobbler(proc.getErrorStream(), "ERROR");
// any output?
final StreamGobbler outputGobbler = new
StreamGobbler(proc.getInputStream(), "OUTPUT");
final StreamGobbler outputGobbler = new StreamGobbler(proc.getInputStream(), "OUTPUT");
// kick them off
errorGobbler.start();
@ -140,73 +158,95 @@ public final class JavaSystemCaller
output = outputGobbler.getOutput();
} catch (final Throwable t)
{
} catch (final Throwable t) {
t.printStackTrace();
}
return output;
}
private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters)
{
final String anOSName = System.getProperty("os.name" );
if(anOSName.toLowerCase().startsWith("windows"))
{
private static ExecEnvironmentFactory getExecEnvironmentFactory(final String aCommand, final String... someParameters) {
final String anOSName = System.getProperty("os.name");
if (anOSName.toLowerCase().startsWith("windows")) {
return new WindowsExecEnvFactory(aCommand, someParameters);
}
return new UnixExecEnvFactory(aCommand, someParameters);
// TODO be more specific for other OS.
}
private Exec() { /**/ }
private Exec() { /*
*
*/ }
}
private JavaSystemCaller() { /**/ }
private JavaSystemCaller() { /*
*
*/ }
/*
* ABSTRACT FACTORY PATTERN
*/
/**
* Environment needed to be build for the Exec class to be able to execute the system command. <br />
* Must have the right shell and the right command line. <br />
* Environment needed to be build for the Exec class to be able to execute
* the system command. <br /> Must have the right shell and the right
* command line. <br />
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public abstract static class ExecEnvironmentFactory
{
public abstract static class ExecEnvironmentFactory {
private String command = null;
private ArrayList<String> parameters = new ArrayList<String>();
final String getCommand() { return this.command; }
final ArrayList<String> getParameters() { return this.parameters; }
final String getCommand() {
return this.command;
}
final ArrayList<String> getParameters() {
return this.parameters;
}
/**
* Builds an execution environment for a system command to be played. <br />
* Independent from the OS.
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
* Builds an execution environment for a system command to be played.
* <br /> Independent from the OS.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public ExecEnvironmentFactory(final String aCommand, final String... someParameters)
{
if(aCommand == null || aCommand.length() == 0) { throw new IllegalArgumentException("Command must not be empty"); }
public ExecEnvironmentFactory(final String aCommand, final String... someParameters) {
if (aCommand == null || aCommand.length() == 0) {
throw new IllegalArgumentException("Command must not be empty");
}
this.command = aCommand;
for (int i = 0; i < someParameters.length; i++) {
final String aParameter = someParameters[i];
if(aParameter == null || aParameter.length() == 0) { throw new IllegalArgumentException("Parameter n° '"+i+"' must not be empty"); }
if (aParameter == null || aParameter.length() == 0) {
throw new IllegalArgumentException("Parameter n° '" + i + "' must not be empty");
}
this.parameters.add(aParameter);
}
}
/**
* Builds the right Shell for the current OS. <br />
* Allow for independent platform execution.
* Builds the right Shell for the current OS. <br /> Allow for
* independent platform execution.
*
* @return right shell, NEVER NULL
*/
public abstract IShell createShell();
/**
* Builds the right command line for the current OS. <br />
* Means that a command might be translated, if it does not fit the right OS ('dir' => 'ls' on unix)
* @return right complete command line, with parameters added (NEVER NULL)
* Builds the right command line for the current OS. <br /> Means that a
* command might be translated, if it does not fit the right OS ('dir'
* => 'ls' on unix)
*
* @return right complete command line, with parameters added (NEVER
* NULL)
*/
public abstract String createCommandLine();
protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters)
{
protected final String buildCommandLine(final String aCommand, final ArrayList<String> someParameters) {
final StringBuilder aCommandLine = new StringBuilder();
aCommandLine.append(aCommand);
for (String aParameter : someParameters) {
@ -218,23 +258,27 @@ public final class JavaSystemCaller
}
/**
* Builds a Execution Environment for Windows. <br />
* Cmd with windows commands
* Builds a Execution Environment for Windows. <br /> Cmd with windows
* commands
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory
{
public static final class WindowsExecEnvFactory extends ExecEnvironmentFactory {
/**
* Builds an execution environment for a Windows system command to be played. <br />
* Any command not from windows will be translated in its windows equivalent if possible.
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
* Builds an execution environment for a Windows system command to be
* played. <br /> Any command not from windows will be translated in its
* windows equivalent if possible.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public WindowsExecEnvFactory(final String aCommand, final String... someParameters)
{
public WindowsExecEnvFactory(final String aCommand, final String... someParameters) {
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@ -249,30 +293,35 @@ public final class JavaSystemCaller
@Override
public String createCommandLine() {
String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("ls")) { aCommand = "dir"; }
if (aCommand.toLowerCase().trim().equals("ls")) {
aCommand = "dir";
}
// TODO translates other Unix commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* Builds a Execution Environment for Unix. <br />
* Sh with Unix commands
* Builds a Execution Environment for Unix. <br /> Sh with Unix commands
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static final class UnixExecEnvFactory extends ExecEnvironmentFactory
{
public static final class UnixExecEnvFactory extends ExecEnvironmentFactory {
/**
* Builds an execution environment for a Unix system command to be played. <br />
* Any command not from Unix will be translated in its Unix equivalent if possible.
* @param aCommand system command to be executed (must not be null or empty)
* @param someParameters parameters of the command (must not be null or empty)
* Builds an execution environment for a Unix system command to be
* played. <br /> Any command not from Unix will be translated in its
* Unix equivalent if possible.
*
* @param aCommand system command to be executed (must not be null or
* empty)
* @param someParameters parameters of the command (must not be null or
* empty)
*/
public UnixExecEnvFactory(final String aCommand, final String... someParameters)
{
public UnixExecEnvFactory(final String aCommand, final String... someParameters) {
super(aCommand, someParameters);
}
/**
* @see test.JavaSystemCaller.ExecEnvironmentFactory#createShell()
*/
@ -287,50 +336,57 @@ public final class JavaSystemCaller
@Override
public String createCommandLine() {
String aCommand = getCommand();
if(aCommand.toLowerCase().trim().equals("dir")) { aCommand = "ls"; }
if (aCommand.toLowerCase().trim().equals("dir")) {
aCommand = "ls";
}
// TODO translates other Windows commands
return buildCommandLine(aCommand, getParameters());
}
}
/**
* System Shell with its right OS command. <br />
* 'cmd' for Windows or 'sh' for Unix, ...
* System Shell with its right OS command. <br /> 'cmd' for Windows or 'sh'
* for Unix, ...
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public interface IShell
{
public interface IShell {
/**
* Get the right shell command. <br />
* Used to launch a new shell
* Get the right shell command. <br /> Used to launch a new shell
*
* @return command used to launch a Shell (NEVEL NULL)
*/
String getShellCommand();
}
/**
* Windows shell (cmd). <br />
* More accurately 'cmd /C'
* Windows shell (cmd). <br /> More accurately 'cmd /C'
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class WindowsShell implements IShell
{
public static class WindowsShell implements IShell {
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/
@Override
public final String getShellCommand() {
final String osName = System.getProperty("os.name" );
if( osName.equals( "Windows 95" ) ) { return "command.com /C"; }
final String osName = System.getProperty("os.name");
if (osName.equals("Windows 95")) {
return "command.com /C";
}
return "cmd.exe /C";
}
}
/**
* Unix shell (sh). <br />
* More accurately 'sh -C'
* Unix shell (sh). <br /> More accurately 'sh -C'
*
* @author <a href="http://stackoverflow.com/users/6309/vonc">VonC</a>
*/
public static class UnixShell implements IShell
{
public static class UnixShell implements IShell {
/**
* @see test.JavaSystemCaller.IShell#getShellCommand()
*/


@ -1,8 +1,10 @@
/*
/*
*
* Autopsy Forensic Browser
*
* Copyright 2011 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -77,27 +79,20 @@ public final class RAImageIngestService implements IngestServiceImage {
try {
//do the work for(FileSystem img : imageFS )
try{
try {
ResultSet artset = sCurrentCase.runQuery("SELECT * from blackboard_artifact_types WHERE type_name = 'TSK_SYS_INFO'");
int artcount = 0;
while (artset.next()){
while (artset.next()) {
artcount++;
}
// artset.beforeFirst();
if(artcount > 0)
{
}
else
{
if (artcount > 0) {
} else {
int artint = sCurrentCase.addArtifactType("TSK_SYS_INFO", "System Information");
}
}
catch(Exception e)
{
} catch (Exception e) {
}
ext.extractToBlackboard(controller, fsIds);
@ -182,5 +177,4 @@ public final class RAImageIngestService implements IngestServiceImage {
public boolean hasBackgroundJobsRunning() {
return false;
}
}
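Review bot: The inner `catch (Exception e) {}` that closes the TSK_SYS_INFO lookup swallows every failure, including errors from `runQuery` and `addArtifactType`, so a missing artifact type is never reported and `ext.extractToBlackboard` runs regardless; at minimum log it, `logger.log(Level.WARNING, "Could not look up or register TSK_SYS_INFO artifact type", e);` (assuming this class keeps a logger like the others in the package — it is not visible here), or let it reach the outer `try`. `artset` is also never closed after the count loop — close it and its `Statement` the way `Util.imgpathexists` does — and `artint` is assigned but unused, while the empty `if (artcount > 0) { } else { ... }` reads better as `if (artcount == 0) { ... }`. The outer `try` this sits in opens before the hunk and its handler is outside it.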

View File

@ -1,8 +1,25 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
@ -24,75 +41,74 @@ import java.util.regex.Pattern;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
*
* @author Alex
*/
public class Util {
private static Logger logger = Logger.getLogger(Util.class.getName());
private Util(){
private static Logger logger = Logger.getLogger(Util.class.getName());
private Util() {
}
public static boolean pathexists(String path){
File file=new File(path);
public static boolean pathexists(String path) {
File file = new File(path);
boolean exists = file.exists();
return exists;
}
}
public static String utcConvert(String utc){
public static String utcConvert(String utc) {
SimpleDateFormat formatter = new SimpleDateFormat("MM-dd-yyyy HH:mm");
String tempconvert = formatter.format(new Date(Long.parseLong(utc)));
return tempconvert;
}
}
public static String readFile(String path) throws IOException {
public static String readFile(String path) throws IOException {
FileInputStream stream = new FileInputStream(new File(path));
try {
FileChannel fc = stream.getChannel();
MappedByteBuffer bb = fc.map(FileChannel.MapMode.READ_ONLY, 0, fc.size());
/* Instead of using default, pass in a decoder. */
/*
* Instead of using default, pass in a decoder.
*/
return Charset.defaultCharset().decode(bb).toString();
}
finally {
} finally {
stream.close();
}
}
}
public static boolean imgpathexists(String path){
public static boolean imgpathexists(String path) {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
Boolean rt = false;
int count = 0;
try {
List<FsContent> FFSqlitedb;
ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%"+ path + "%'");
ResultSet rs = tempDb.runQuery("select * from tsk_files where parent_path LIKE '%" + path + "%'");
FFSqlitedb = tempDb.resultSetToFsContents(rs);
count = FFSqlitedb.size();
final Statement s = rs.getStatement();
rs.close();
if (s != null){
if (s != null) {
s.close();
}
if(count > 0)
{
if (count > 0) {
rt = true;
}
else
{
} else {
rt = false;
}
}
catch (SQLException ex)
{
} catch (SQLException ex) {
//logger.log(Level.WARNING, "Error while trying to contact SQLite db.", ex);
}
return rt;
}
public static String extractDomain(String value){
if (value == null) throw new java.lang.NullPointerException("domains to extract");
public static String extractDomain(String value) {
if (value == null) {
throw new java.lang.NullPointerException("domains to extract");
}
String result = "";
// String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))";
// Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE);
@ -100,25 +116,22 @@ public static String extractDomain(String value){
// while (m.find()) {
// result = value.substring(m.start(0),m.end(0));
// }
try{
try {
URL url = new URL(value);
result = url.getHost();
}
catch(Exception e){
} catch (Exception e) {
}
return result;
}
public static String getFileName(String value){
public static String getFileName(String value) {
String filename = "";
String filematch = "^([a-zA-Z]\\:)(\\\\[^\\\\/:*?<>\"|]*(?<!\\[ \\]))*(\\.[a-zA-Z]{2,6})$";
Pattern p = Pattern.compile(filematch,Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS);
Pattern p = Pattern.compile(filematch, Pattern.CASE_INSENSITIVE | Pattern.DOTALL | Pattern.COMMENTS);
Matcher m = p.matcher(value);
if (m.find())
{
if (m.find()) {
filename = m.group(1);
}
@ -127,35 +140,34 @@ public static String getFileName(String value){
return filename.toString();
}
public static String getPath(String txt){
public static String getPath(String txt) {
String path = "";
//String drive ="([a-z]:\\\\(?:[-\\w\\.\\d]+\\\\)*(?:[-\\w\\.\\d]+)?)"; // Windows drive
String drive = "([a-z]:\\\\\\S.+)";
Pattern p = Pattern.compile(drive,Pattern.CASE_INSENSITIVE | Pattern.COMMENTS);
Pattern p = Pattern.compile(drive, Pattern.CASE_INSENSITIVE | Pattern.COMMENTS);
Matcher m = p.matcher(txt);
if (m.find())
{
if (m.find()) {
path = m.group(1);
}else{
} else {
String network ="(\\\\(?:\\\\[^:\\s?*\"<>|]+)+)"; // Windows network
String network = "(\\\\(?:\\\\[^:\\s?*\"<>|]+)+)"; // Windows network
Pattern p2 = Pattern.compile(network,Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Pattern p2 = Pattern.compile(network, Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
Matcher m2 = p2.matcher(txt);
if (m2.find())
{
if (m2.find()) {
path = m2.group(1);
}
}
return path;
}
public static long findID(String path) {
public static long findID(String path) {
String parent_path = path.replace('\\', '/'); // fix Chrome paths
if(parent_path.length() > 2 && parent_path.charAt(1) == ':')
if (parent_path.length() > 2 && parent_path.charAt(1) == ':') {
parent_path = parent_path.substring(2); // remove drive letter (e.g., 'C:')
}
int index = parent_path.lastIndexOf('/');
String name = parent_path.substring(++index);
parent_path = parent_path.substring(0, index);
@ -167,9 +179,10 @@ public static long findID(String path) {
List<FsContent> results = tempDb.resultSetToFsContents(rs);
Statement s = rs.getStatement();
rs.close();
if (s != null)
if (s != null) {
s.close();
if(results.size() > 0) {
}
if (results.size() > 0) {
return results.get(0).getId();
}
} catch (Exception ex) {
@ -177,4 +190,34 @@ public static long findID(String path) {
}
return -1;
}
public static boolean checkColumn(String column, String tablename, String connection) {
String query = "PRAGMA table_info(" + tablename + ")";
boolean found = false;
ResultSet temprs;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
temprs = tempdbconnect.executeQry(query);
while (temprs.next()) {
if (temprs.getString("name") == null ? column == null : temprs.getString("name").equals(column)) {
found = true;
}
}
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return found;
}
public static ResultSet runQuery(String query, String connection) {
ResultSet results = null;
try {
dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC", connection);
results = tempdbconnect.executeQry(query);
tempdbconnect.closeConnection();
} catch (Exception ex) {
logger.log(Level.WARNING, "Error while trying to get columns from sqlite db." + connection, ex);
}
return results;
}
}
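Review bot: `runQuery` calls `tempdbconnect.closeConnection()` before it returns `results`, so the ResultSet handed back to the caller belongs to an already-closed connection and the first `next()` on it will fail; either let the caller own the lifetime — drop the close and document `// caller must close results.getStatement().getConnection()` — or copy the rows into a collection before closing. `checkColumn` has the opposite problem: the `dbconnect` it opens is never closed on any path, so every call leaks a connection; declare `tempdbconnect` outside the `try` and close it in a `finally`. Both helpers interpolate caller-supplied strings (`tablename` into `PRAGMA table_info(...)`, the raw `query`), and `imgpathexists` above builds its `LIKE '%...%'` clause by concatenating `path`; where these values originate from image data a `'` or `%` in them silently changes the query, so they should be bound as parameters or at least quoted and validated. The warning in `runQuery` is also copied from `checkColumn` ("trying to get columns") and should describe the query that failed.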


@ -1,25 +1,40 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
import java.sql.*;
/**
*
* @author Alex
*/
public class dbconnect extends sqlitedbconnect{
public class dbconnect extends sqlitedbconnect {
private String sDriverForclass = "org.sqlite.JDBC";
public dbconnect(String sDriverForClass, String sUrlKey) throws Exception
{
public dbconnect(String sDriverForClass, String sUrlKey) throws Exception {
init(sDriverForClass, sUrlKey);
//Statement stmt = conn.createStatement();
//String selecthistory = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,rev_host FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0";
// ResultSet rs = stmt.executeQuery(selecthistory);
}
}
}


@ -1,5 +1,22 @@
/*
* General C&P class that we need to figure out a better way to integrate, replace after demo
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.recentactivity;
@ -7,96 +24,99 @@ package org.sleuthkit.autopsy.recentactivity;
*
* @author Alex
*/
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
/** Database connection class & utilities **/
/**
* Database connection class & utilities *
*/
abstract class sqlitedbconnect {
public String sDriver = "";
public String sUrl = null;
public int iTimeout = 30;
public Connection conn = null;
public Statement statement = null;
public String sDriver = "";
public String sUrl = null;
public int iTimeout = 30;
public Connection conn = null;
public Statement statement = null;
/*
* Stub constructor for quick instantiation o/t fly for using some of the
* ancillary stuff
*/
public sqlitedbconnect() {
}
/* Stub constructor for quick instantiation o/t fly for using some of the ancillary stuff */
/*
* quick and dirty constructor to test the database passing the
* DriverManager name and the fully loaded url to handle
*/
/*
* NB this will typically be available if you make this class concrete and
* not abstract
*/
public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception {
init(sDriverToLoad, sUrlToLoad);
}
public sqlitedbconnect()
{}
public void init(String sDriverVar, String sUrlVar) throws Exception {
setDriver(sDriverVar);
setUrl(sUrlVar);
setConnection();
setStatement();
}
/* quick and dirty constructor to test the database passing the DriverManager name and the fully loaded url to handle */
/* NB this will typically be available if you make this class concrete and not abstract */
public sqlitedbconnect(String sDriverToLoad, String sUrlToLoad) throws Exception
{
init(sDriverToLoad, sUrlToLoad);
}
private void setDriver(String sDriverVar) {
sDriver = sDriverVar;
}
public void init(String sDriverVar, String sUrlVar) throws Exception
{
setDriver(sDriverVar);
setUrl(sUrlVar);
setConnection();
setStatement();
}
private void setUrl(String sUrlVar) {
sUrl = sUrlVar;
}
private void setDriver(String sDriverVar)
{
sDriver = sDriverVar;
}
public void setConnection() throws Exception {
Class.forName(sDriver);
conn = DriverManager.getConnection(sUrl);
}
private void setUrl(String sUrlVar)
{
sUrl = sUrlVar;
}
public Connection getConnection() {
return conn;
}
public void setConnection() throws Exception {
Class.forName(sDriver);
conn = DriverManager.getConnection(sUrl);
}
public void setStatement() throws Exception {
if (conn == null) {
setConnection();
}
statement = conn.createStatement();
statement.setQueryTimeout(iTimeout); // set timeout to 30 sec.
}
public Statement getStatement() {
return statement;
}
public Connection getConnection() {
return conn;
}
public void setStatement() throws Exception {
if (conn == null) {
setConnection();
}
statement = conn.createStatement();
statement.setQueryTimeout(iTimeout); // set timeout to 30 sec.
}
public Statement getStatement() {
return statement;
}
public void executeStmt(String instruction) throws SQLException {
statement.executeUpdate(instruction);
}
public void executeStmt(String instruction) throws SQLException {
statement.executeUpdate(instruction);
}
// processes an array of instructions e.g. a set of SQL command strings passed from a file
//NB you should ensure you either handle empty lines in files by either removing them or parsing them out
// since they will generate spurious SQLExceptions when they are encountered during the iteration....
public void executeStmt(String[] instructionSet) throws SQLException {
for (int i = 0; i < instructionSet.length; i++) {
executeStmt(instructionSet[i]);
}
}
public void executeStmt(String[] instructionSet) throws SQLException {
for (int i = 0; i < instructionSet.length; i++) {
executeStmt(instructionSet[i]);
}
}
public ResultSet executeQry(String instruction) throws SQLException {
return statement.executeQuery(instruction);
}
public void closeConnection() {
try { conn.close(); } catch (Exception ignore) {}
}
public ResultSet executeQry(String instruction) throws SQLException {
return statement.executeQuery(instruction);
}
public void closeConnection() {
try {
conn.close();
} catch (Exception ignore) {
}
}
}
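Review bot: `closeConnection` closes only `conn` and hides every failure behind `catch (Exception ignore) {}`, so the `Statement` created in `setStatement` is never closed and a close error is invisible to the caller; close the statement before the connection, guard both against `null` (they start as `null`), and report failures instead of discarding them (the class has no logger yet; `java.util.logging` is what the rest of this package uses). The `conn`, `statement`, `sDriver` and `sUrl` fields are also `public` and mutable, which lets any caller swap the connection out from under an open statement — `private` with the existing getters is enough. `executeStmt`/`executeQry` run whatever string they are handed, which is acceptable for a thin wrapper but deserves a Javadoc line stating that callers are responsible for building the SQL safely.
```java
    public void closeConnection() {
        try {
            if (statement != null) {
                statement.close();
            }
        } catch (SQLException e) {
            // report: statement close failed
        }
        try {
            if (conn != null) {
                conn.close();
            }
        } catch (SQLException e) {
            // report: connection close failed
        }
    }
```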


@ -1,12 +1,29 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.sql.ResultSet;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.sleuthkit.autopsy.casemodule.Case;
@ -18,261 +35,207 @@ import org.sleuthkit.datamodel.SleuthkitCase;
*
* @author Alex
*/
public class report implements reportInterface {
public class report {
private void report(){
private void report() {
}
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getGenInfo() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getGenInfo() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(1);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebHistory() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebHistory() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(4);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebCookie() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebCookie() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(3);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebBookmark() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebBookmark() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(2);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getWebDownload() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getWebDownload() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(5);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getRecentObject() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getRecentObject() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(6);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getKeywordHit() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getKeywordHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(9);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getHashHit() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getHashHit() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(10);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getInstalledProg() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getInstalledProg() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(8);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
}
@Override
public HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> getDevices() {
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getDevices() {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(11);
for (BlackboardArtifact artifact : bbart)
{
try {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
return reportMap;
}
}
@Override
public String getGroupedKeywordHit() {
public String getGroupedKeywordHit() {
StringBuilder table = new StringBuilder();
HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try
{
try {
ResultSet uniqueresults = tempDb.runQuery("SELECT DISTINCT value_text from blackboard_attributes where attribute_type_id = '10' order by value_text ASC");
while(uniqueresults.next())
{
while (uniqueresults.next()) {
table.append("<strong>").append(uniqueresults.getString("value_text")).append("</strong>");
table.append("<table><thead><tr><th>").append("File Name").append("</th><th>Preview</th><th>Keyword List</th></tr><tbody>");
ArrayList<BlackboardArtifact> artlist = new ArrayList<BlackboardArtifact>();
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") +"'");
while(tempresults.next())
{
ResultSet tempresults = tempDb.runQuery("select DISTINCT artifact_id from blackboard_attributes where attribute_type_id = '10' and value_text = '" + uniqueresults.getString("value_text") + "'");
while (tempresults.next()) {
artlist.add(tempDb.getBlackboardArtifact(tempresults.getLong("artifact_id")));
}
for(BlackboardArtifact art : artlist)
{
for (BlackboardArtifact art : artlist) {
String filename = tempDb.getFsContentById(art.getObjectID()).getName();
String preview = "";
String set = "";
table.append("<tr><td>").append(filename).append("</td>");
ArrayList<BlackboardAttribute> tempatts = art.getAttributes();
for(BlackboardAttribute att : tempatts)
{
if(att.getAttributeTypeID() == 12)
{
for (BlackboardAttribute att : tempatts) {
if (att.getAttributeTypeID() == 12) {
preview = "<td>" + att.getValueString() + "</td>";
}
if(att.getAttributeTypeID() == 13)
{
if (att.getAttributeTypeID() == 13) {
set = "<td>" + att.getValueString() + "</td>";
}
}
@ -282,14 +245,32 @@ public String getGroupedKeywordHit() {
table.append("</tbody></table><br /><br />");
}
}
catch (Exception e)
{
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
String result = table.toString();
return result;
}
}
public HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> getAllTypes(ReportConfiguration config) {
HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> reportMap = new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>();
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase tempDb = currentCase.getSleuthkitCase();
try {
for (Map.Entry<BlackboardArtifact.ARTIFACT_TYPE, Boolean> entry : config.config.entrySet()) {
if (entry.getValue()) {
ArrayList<BlackboardArtifact> bbart = tempDb.getBlackboardArtifacts(entry.getKey());
for (BlackboardArtifact artifact : bbart) {
ArrayList<BlackboardAttribute> attributes = artifact.getAttributes();
reportMap.put(artifact, attributes);
}
}
}
} catch (Exception e) {
Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e);
}
return reportMap;
}
}


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -12,22 +28,22 @@ import java.awt.event.ActionListener;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.io.File;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
import javax.swing.JButton;
import javax.swing.JDialog;
import javax.swing.JFrame;
import org.openide.awt.ActionRegistration;
import org.openide.awt.ActionID;
import org.openide.awt.ActionReference;
import org.openide.awt.ActionReferences;
import org.openide.awt.ActionID;
import org.openide.awt.ActionRegistration;
import org.openide.util.HelpCtx;
import org.openide.util.NbBundle.Messages;
import org.openide.util.actions.CallableSystemAction;
import org.openide.util.actions.Presenter;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Log;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.ImageIcon;
@ActionID(category = "Tools",
id = "org.sleuthkit.autopsy.report.reportAction")
@ -36,11 +52,11 @@ id = "org.sleuthkit.autopsy.report.reportAction")
@ActionReference(path = "Menu/Tools", position = 80)
})
@Messages("CTL_reportAction=Run Report")
public final class reportAction extends CallableSystemAction implements Presenter.Toolbar{
public final class reportAction extends CallableSystemAction implements Presenter.Toolbar {
private JButton toolbarButton = new JButton();
private static final String ACTION_NAME = "Generate Report";
Logger logger = Logger.getLogger(reportAction.class.getName());
static final Logger logger = Logger.getLogger(reportAction.class.getName());
public reportAction() {
setEnabled(false);
@ -48,14 +64,13 @@ public final class reportAction extends CallableSystemAction implements Presente
@Override
public void propertyChange(PropertyChangeEvent evt) {
if(evt.getPropertyName().equals(Case.CASE_CURRENT_CASE)){
if (evt.getPropertyName().equals(Case.CASE_CURRENT_CASE)) {
setEnabled(evt.getNewValue() != null);
}
}
});
//attempt to create a report folder if a case is active
Case.addPropertyChangeListener(new PropertyChangeListener () {
Case.addPropertyChangeListener(new PropertyChangeListener() {
@Override
public void propertyChange(PropertyChangeEvent evt) {
@ -63,25 +78,23 @@ public final class reportAction extends CallableSystemAction implements Presente
//case has been changed
if (changed.equals(Case.CASE_CURRENT_CASE)) {
Case newCase = (Case)evt.getNewValue();
Case newCase = (Case) evt.getNewValue();
if (newCase != null) {
boolean exists = (new File(newCase.getCaseDirectory() + "\\Reports")).exists();
if (exists) {
// report directory exists -- don't need to do anything
} else {
// report directory does not exist -- create it
boolean reportCreate = (new File(newCase.getCaseDirectory() + "\\Reports")).mkdirs();
if(!reportCreate){
if (!reportCreate) {
logger.log(Level.WARNING, "Could not create Reports directory for case. It does not exist.");
}
}
}
}
}
});
});
// set action of the toolbar button
toolbarButton.addActionListener(new ActionListener() {
@ -105,6 +118,7 @@ public final class reportAction extends CallableSystemAction implements Presente
// initialize panel with loaded settings
final reportFilter panel = new reportFilter();
panel.setjButton2ActionListener(new ActionListener() {
@Override
public void actionPerformed(ActionEvent e) {
popUpWindow.dispose();
@ -134,7 +148,6 @@ public final class reportAction extends CallableSystemAction implements Presente
@Override
public void performAction() {
}
@Override
@ -166,7 +179,7 @@ public final class reportAction extends CallableSystemAction implements Presente
* @param value whether to enable this action or not
*/
@Override
public void setEnabled(boolean value){
public void setEnabled(boolean value) {
super.setEnabled(value);
toolbarButton.setEnabled(value);
}
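Review bot: The Reports directory path in the `propertyChange` listener, `new File(newCase.getCaseDirectory() + "\\Reports")`, hard-codes a Windows separator and is built twice (once for `exists()`, once for `mkdirs()`), so on a non-Windows host the directory would be created with a literal backslash in its name; the reformat in this hunk kept both occurrences. A portable form that also drops the empty `if (exists)` branch is `File reportsDir = new File(newCase.getCaseDirectory(), "Reports");` followed by `if (!reportsDir.exists() && !reportsDir.mkdirs()) { logger.log(Level.WARNING, "Could not create Reports directory for case: " + reportsDir); }`. The surrounding listener begins in the preceding hunk of this file.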


@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?>
<?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents>
@ -40,7 +40,11 @@
<EmptySpace max="-2" attributes="0"/>
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
<Component id="jButton1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="cancelButton" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="156" max="-2" attributes="0"/>
</Group>
<Component id="jCheckBox3" alignment="0" min="-2" max="-2" attributes="0"/>
<Group type="102" alignment="0" attributes="0">
<Group type="103" groupAlignment="0" attributes="0">
@ -53,15 +57,6 @@
<Component id="jCheckBox4" alignment="0" min="-2" max="-2" attributes="0"/>
</Group>
</Group>
</Group>
<EmptySpace min="-2" pref="69" max="-2" attributes="0"/>
</Group>
<Group type="102" alignment="0" attributes="0">
<Component id="jButton1" min="-2" max="-2" attributes="0"/>
<EmptySpace max="32767" attributes="0"/>
<Component id="cancelButton" min="-2" max="-2" attributes="0"/>
<EmptySpace min="-2" pref="156" max="-2" attributes="0"/>
</Group>
<Component id="progBar" alignment="0" min="-2" pref="231" max="-2" attributes="0"/>
</Group>
<EmptySpace max="-2" attributes="0"/>


@ -1,43 +1,63 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportFilter.java
/*
*
* Created on Feb 22, 2012, 11:12:12 AM
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener;
import java.util.ArrayList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.SwingUtilities;
import javax.swing.SwingWorker;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskException;
/**
*
* @author Alex
*/
public class reportFilter extends javax.swing.JPanel {
public static ArrayList<Integer> filters = new ArrayList<Integer>();
public static ReportConfiguration config = new ReportConfiguration();
private final Logger logger = Logger.getLogger(this.getClass().getName());
public final reportFilter panel = this;
reportPanelAction rpa = new reportPanelAction();
public static boolean cancel = false;
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
/** Creates new form reportFilter */
/**
* Creates new form reportFilter
*/
public reportFilter() {
initComponents();
cancel = false;
}
/** This method is called from within the constructor to
* initialize the form.
* WARNING: Do NOT modify this code. The content of this method is
* always regenerated by the Form Editor.
/**
* This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is always
* regenerated by the Form Editor.
*/
@SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -162,13 +182,11 @@ public class reportFilter extends javax.swing.JPanel {
}// </editor-fold>//GEN-END:initComponents
private void jCheckBox1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jCheckBox1ActionPerformed
}//GEN-LAST:event_jCheckBox1ActionPerformed
public void getfilters(java.awt.event.ActionEvent evt)
{
public void getfilters(java.awt.event.ActionEvent evt) {
jButton1ActionPerformed(evt);
}
}
private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_jButton1ActionPerformed
@ -178,49 +196,80 @@ private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRS
progBar.setStringPainted(true);
progBar.setValue(0);
filters.clear();
if(jCheckBox1.isSelected())
{
if (jCheckBox1.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, true);
filters.add(2);
filters.add(3);
filters.add(4);
filters.add(5);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
if(jCheckBox2.isSelected())
{
}
if (jCheckBox2.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO, true);
filters.add(1);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
if(jCheckBox3.isSelected())
{
}
if (jCheckBox3.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT, true);
filters.add(9);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
if(jCheckBox4.isSelected())
{
}
if (jCheckBox4.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT, true);
filters.add(10);
} catch (ReportModuleException ex) {
logger.log(Level.WARNING, "", ex);
}
}
if(jCheckBox5.isSelected())
{
if (jCheckBox5.isSelected()) {
try {
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG, true);
config.setGenArtifactType(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, true);
filters.add(6);
filters.add(8);
filters.add(11);
} catch (ReportModuleException ex) {
}
}
getReports();
}//GEN-LAST:event_jButton1ActionPerformed
public void getReports() {
public void getReports() {
new SwingWorker<Void, Void>() {
@Override
protected Void doInBackground() throws Exception {
rpa.reportGenerate(filters, panel);
rpa.reportGenerate(config, panel);
return null;
};
}
;
// this is called when the SwingWorker's doInBackground finishes
@Override
protected void done() {
progBar.setVisible(false); // hide my progress bar JFrame
};
}
;
}.execute();
progBar.setVisible(true);
}
}
private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRST:event_cancelButtonActionPerformed
cancelButton.setText("Cancelled!");
@ -228,13 +277,13 @@ private void cancelButtonActionPerformed(java.awt.event.ActionEvent evt) {//GEN-
}//GEN-LAST:event_cancelButtonActionPerformed
private void jButton1MouseReleased(java.awt.event.MouseEvent evt) {//GEN-FIRST:event_jButton1MouseReleased
}//GEN-LAST:event_jButton1MouseReleased
public void progBarSet(int cc)
{
public void progBarSet(int cc) {
final int count = cc;
SwingUtilities.invokeLater(new Runnable() {
@Override
public void run() {
int start = progBar.getValue();
int end = start + count;
@ -242,33 +291,36 @@ public void progBarSet(int cc)
progBar.setString(null);
progBar.setString(progBar.getString());
progBar.setStringPainted(true);
if(progBar.getPercentComplete() == 1.0){
if (progBar.getPercentComplete() == 1.0) {
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.setIndeterminate(true);
}
}});
}
}
});
}
public void progBarDone(){
public void progBarDone() {
int max = progBar.getMaximum();
progBar.setValue(max);
jButton2.doClick();
}
public void progBarStartText(){
}
public void progBarStartText() {
progBar.setIndeterminate(true);
progBar.setString("Querying Database for Report Results...");
}
public void progBarText(){
}
public void progBarText() {
progBar.setString("Populating Report - Please wait...");
progBar.setStringPainted(true);
progBar.repaint();
progBar.setIndeterminate(true);
}
}
public void progBarCount(int count){
public void progBarCount(int count) {
progBar.setIndeterminate(false);
progBar.setString(null);
progBar.setMinimum(0);
@ -277,18 +329,17 @@ public void progBarCount(int count){
//Double bper = progBar.getPercentComplete();
progBar.setString(progBar.getString());
}
}
public void setjButton1ActionListener(ActionListener e){
public void setjButton1ActionListener(ActionListener e) {
jButton1.addActionListener(e);
}
public void setjButton2ActionListener(ActionListener e){
public void setjButton2ActionListener(ActionListener e) {
jButton2.addActionListener(e);
cancelButton.addActionListener(e);
}
// Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton cancelButton;
private javax.swing.JButton jButton1;
@ -300,5 +351,4 @@ public void setjButton2ActionListener(ActionListener e){
private javax.swing.JCheckBox jCheckBox5;
private javax.swing.JProgressBar progBar;
// End of variables declaration//GEN-END:variables
}
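Review bot: The `catch (ReportModuleException ex) { }` for the jCheckBox5 branch at the end of `jButton1ActionPerformed` is empty, while the four branches above it log with `logger.log(Level.WARNING, "", ex);`, so a failure to enable TSK_RECENT_OBJECT, TSK_INSTALLED_PROG or TSK_DEVICE_ATTACHED would be dropped silently and the report produced without those sections. Add the same `logger.log(Level.WARNING, "", ex);` there. Separately, `config` is a `public static ReportConfiguration` that this handler only ever sets to `true` and, unlike `filters`, never clears, so on a second run a deselected checkbox appears to leave its artifact types enabled — worth confirming whether `ReportConfiguration` resets itself or whether a `config = new ReportConfiguration();` next to `filters.clear();` is needed. `jButton1ActionPerformed` starts in the preceding hunk.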


@ -16,7 +16,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.awt.Container;
@ -31,6 +30,7 @@ import org.sleuthkit.autopsy.coreutils.Log;
/**
* The reportFilterAction opens the reportFilterPanel in a dialog, and saves the
* settings of the panel if the Apply button is clicked.
*
* @author pmartel
*/
class reportFilterAction {
@ -81,4 +81,3 @@ class reportFilterAction {
return HelpCtx.DEFAULT_HELP;
}
}


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -36,7 +52,8 @@ public class reportHTML {
public static StringBuilder unformatted_header = new StringBuilder();
public static StringBuilder formatted_header = new StringBuilder();
public static String htmlPath = "";
public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
public reportHTML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
//This is literally a terrible way to count up all the types of artifacts, and doesn't include any added ones.
//Unlike the XML report, which is dynamic, this is formatted and needs to be redone later instead of being hardcoded.
@ -56,45 +73,45 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++;
}
if(entry.getKey().getArtifactTypeID() == 2){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countWebBookmark++;
}
if(entry.getKey().getArtifactTypeID() == 3){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countWebCookie++;
}
if(entry.getKey().getArtifactTypeID() == 4){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countWebHistory++;
}
if(entry.getKey().getArtifactTypeID() == 5){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countWebDownload++;
}
if(entry.getKey().getArtifactTypeID() == 6){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countRecentObjects++;
}
if(entry.getKey().getArtifactTypeID() == 7){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
countTrackPoint++;
}
if(entry.getKey().getArtifactTypeID() == 8){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++;
}
if(entry.getKey().getArtifactTypeID() == 9){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++;
}
if(entry.getKey().getArtifactTypeID() == 10){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++;
}
if(entry.getKey().getArtifactTypeID() == 11){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++;
}
}
try{
try {
String ingestwarning = "<h2 style=\"color: red;\">Warning, this report was run before ingest services completed!</h2>";
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
@ -147,8 +164,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
// Add summary information now
formatted_Report.append("<h1>Report for Case: ").append(caseName).append("</h1>");
if(IngestManager.getDefault().isIngestRunning())
{
if (IngestManager.getDefault().isIngestRunning()) {
formatted_Report.append(ingestwarning);
}
formatted_Report.append("<h2>Case Summary</h2><p>HTML Report Generated by <strong>Autopsy 3</strong> on ").append(datetime).append("<ul>");
@ -159,31 +175,31 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
formatted_Report.append("<li># of Artifacts: ").append(reportsize).append("</li></ul>");
formatted_Report.append("<br /><table><thead><tr><th>Section</th><th>Count</th></tr></thead><tbody>");
if(countWebBookmark > 0){
if (countWebBookmark > 0) {
formatted_Report.append("<tr><td><a href=\"#bookmark\">Web Bookmarks</a></td><td>").append(countWebBookmark).append("</td></tr>");
}
if(countWebCookie > 0){
if (countWebCookie > 0) {
formatted_Report.append("<tr><td><a href=\"#cookie\">Web Cookies</a></td><td>").append(countWebCookie).append("</td></tr>");
}
if(countWebHistory > 0){
if (countWebHistory > 0) {
formatted_Report.append("<tr><td><a href=\"#history\">Web History</a></td><td>").append(countWebHistory).append("</td></tr>");
}
if(countWebDownload > 0){
if (countWebDownload > 0) {
formatted_Report.append("<tr><td><a href=\"#download\">Web Downloads</a></td><td>").append(countWebDownload).append("</td></tr>");
}
if(countRecentObjects > 0){
if (countRecentObjects > 0) {
formatted_Report.append("<tr><td><a href=\"#recent\">Recent Documents</a></td><td>").append(countRecentObjects).append("</td></tr>");
}
if(countInstalled > 0){
if (countInstalled > 0) {
formatted_Report.append("<tr><td><a href=\"#installed\">Installed Programs</a></td><td>").append(countInstalled).append("</td></tr>");
}
if(countKeyword > 0){
if (countKeyword > 0) {
formatted_Report.append("<tr><td><a href=\"#keyword\">Keyword Hits</a></td><td>").append(countKeyword).append("</td></tr>");
}
if(countHash > 0){
if (countHash > 0) {
formatted_Report.append("<tr><td><a href=\"#hash\">Hash Hits</a></td><td>").append(countHash).append("</td></tr>");
}
if(countDevice > 0){
if (countDevice > 0) {
formatted_Report.append("<tr><td><a href=\"#device\">Attached Devices</a></td><td>").append(countDevice).append("</td></tr>");
}
formatted_Report.append("</tbody></table><br />");
@ -202,19 +218,17 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
int alt = 0;
String altRow = "";
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (reportFilter.cancel == true) {
break;
}
int cc = 0;
if(alt > 0)
{
if (alt > 0) {
altRow = " class=\"alt\"";
alt = 0;
}
else{
altRow="";
} else {
altRow = "";
alt++;
}
StringBuilder artifact = new StringBuilder("");
@ -225,32 +239,26 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer,String>();
TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for(n=1;n<=35;n++)
{
for (n = 1; n <= 35; n++) {
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
for (BlackboardAttribute tempatt : entry.getValue()) {
if (reportFilter.cancel == true) {
break;
}
String value = "";
int type = tempatt.getAttributeTypeID();
if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){
}
else if(type == 2 || type == 33 ){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())));
if(value == null || "".equals(value)){
if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
} else if (type == 2 || type == 33) {
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong())));
if (value == null || "".equals(value)) {
value = tempatt.getValueString();
}
}
else
{
} else {
value = tempatt.getValueString();
}
value = reportUtils.insertPeriodically(value, "<br>", 30);
@ -259,19 +267,19 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
}
if(entry.getKey().getArtifactTypeID() == 1){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
artifact.append("</tr>");
nodeGen.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 2){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
artifact.append("<td>").append(attributes.get(4)).append("</td>");
artifact.append("</tr>");
nodeWebBookmark.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 3){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("<td>").append(attributes.get(3)).append("</td>");
@ -280,7 +288,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>");
nodeWebCookie.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 4){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
artifact.append("<td>").append(attributes.get(32)).append("</td>");
@ -289,7 +297,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>");
nodeWebHistory.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 5){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(attributes.get(8)).append("</td>");
artifact.append("<td>").append(attributes.get(1)).append("</td>");
artifact.append("<td>").append(attributes.get(33)).append("</td>");
@ -297,7 +305,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>");
nodeWebDownload.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 6){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
//artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(3)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(8)).append("</td>");
@ -305,27 +313,25 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>");
nodeRecentObjects.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 7){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td>").append(objId.toString());
artifact.append("</td><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
artifact.append("</tr>");
nodeTrackPoint.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(4)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
artifact.append("</tr>");
nodeInstalled.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 9){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
// artifact.append("<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>");
// artifact.append("</tr></table>");
// nodeKeyword.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 10){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
// artifact.append("<tr><td>").append(objId.toString());
artifact.append("<tr").append(altRow).append("><td><strong>").append(file.getName().toString()).append("</strong></td>");
artifact.append("<td>").append(filesize.toString()).append("</td>");
@ -334,7 +340,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
artifact.append("</tr>");
nodeHash.append(artifact);
}
if(entry.getKey().getArtifactTypeID() == 11){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
artifact.append("<tr").append(altRow).append("><td><strong>").append(attributes.get(18)).append("</strong></td>");
artifact.append("<td>").append(attributes.get(20)).append("</td>");
artifact.append("<td>").append(attributes.get(2)).append("</td>");
@ -347,44 +353,44 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
//Add them back in order
//formatted_Report.append(nodeGen);
// formatted_Report.append("</tbody></table>");
if(countWebBookmark > 0){
if (countWebBookmark > 0) {
formatted_Report.append(nodeWebBookmark);
formatted_Report.append("</tbody></table>");
}
if(countWebCookie > 0){
if (countWebCookie > 0) {
formatted_Report.append(nodeWebCookie);
formatted_Report.append("</tbody></table>");
}
if(countWebHistory > 0){
if (countWebHistory > 0) {
formatted_Report.append(nodeWebHistory);
formatted_Report.append("</tbody></table>");
}
if(countWebDownload > 0){
if (countWebDownload > 0) {
formatted_Report.append(nodeWebDownload);
formatted_Report.append("</tbody></table>");
}
if(countRecentObjects > 0){
if (countRecentObjects > 0) {
formatted_Report.append(nodeRecentObjects);
formatted_Report.append("</tbody></table>");
}
// formatted_Report.append(nodeTrackPoint);
//formatted_Report.append("</tbody></table>");
if(countInstalled > 0){
if (countInstalled > 0) {
formatted_Report.append(nodeInstalled);
formatted_Report.append("</tbody></table>");
}
if(countKeyword > 0){
if (countKeyword > 0) {
formatted_Report.append(nodeKeyword);
report keywords = new report();
formatted_Report.append(keywords.getGroupedKeywordHit());
// "<table><thead><tr><th>Artifact ID</th><th>Name</th><th>Size</th>
// formatted_Report.append("</tbody></table>");
}
if(countHash > 0){
if (countHash > 0) {
formatted_Report.append(nodeHash);
formatted_Report.append("</tbody></table>");
}
if(countDevice > 0){
if (countDevice > 0) {
formatted_Report.append(nodeDevice);
formatted_Report.append("</tbody></table>");
}
@ -393,20 +399,16 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re
formatted_Report.append("</div></div></body></html>");
formatted_header.append(formatted_Report);
// unformatted_header.append(formatted_Report);
htmlPath = currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".html";
htmlPath = currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".html";
Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlPath), "UTF-8"));
out.write(formatted_header.toString());
out.flush();
out.close();
}
catch(Exception e)
{
} catch (Exception e) {
Logger.getLogger(reportHTML.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
}
}


@ -1,4 +1,4 @@
<?xml version="1.1" encoding="UTF-8" ?>
<?xml version="1.0" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<NonVisualComponents>


@ -1,20 +1,27 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
*/
/*
* reportPanel.java
/*
*
* Created on Feb 21, 2012, 12:13:14 PM
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.awt.event.ActionListener;
import java.io.BufferedWriter;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.Writer;
import java.io.*;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Date;
@ -30,16 +37,17 @@ import org.jdom.output.XMLOutputter;
*/
public class reportPanel extends javax.swing.JPanel {
/** Creates new form reportPanel */
public reportPanel(String report) {
/**
* Creates new form reportPanel
*/
public reportPanel() {
initComponents();
setReportWindow(report);
}
/** This method is called from within the constructor to
* initialize the form.
* WARNING: Do NOT modify this code. The content of this method is
* always regenerated by the Form Editor.
/**
* This method is called from within the constructor to initialize the form.
* WARNING: Do NOT modify this code. The content of this method is always
* regenerated by the Form Editor.
*/
@SuppressWarnings("unchecked")
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
@ -102,49 +110,29 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
*
* @param e The action listener
*/
public void setjButton1ActionListener(ActionListener e){
public void setjButton1ActionListener(ActionListener e) {
jButton1.addActionListener(e);
}
public void getLink(HyperlinkEvent evt){
try{
String str = evt.getDescription();
// jEditorPane1.scrollToReference(str.substring(1));
}
catch(Exception e){
String whater = "";
}
}
public void setjEditorPane1EventListener(HyperlinkListener evt){
// jEditorPane1.addHyperlinkListener(evt);
}
private void setReportWindow(String report)
{
// jEditorPane1.setText(report);
// jEditorPane1.setCaretPosition(0);
}
public void setFinishedReportText(){
public void setFinishedReportText() {
DateFormat dateFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss");
Date date = new Date();
String reportText = "Report was sucessfully generated at " + dateFormat.format(date) + ".";
jLabel1.setText(reportText);
}
private void saveReportAction(){
private void saveReportAction() {
int option = jFileChooser1.showSaveDialog(this);
if(option == JFileChooser.APPROVE_OPTION){
if(jFileChooser1.getSelectedFile()!=null){
if (option == JFileChooser.APPROVE_OPTION) {
if (jFileChooser1.getSelectedFile() != null) {
String path = jFileChooser1.getSelectedFile().toString();
exportReport(path);
}
}
}
private void exportReport(String path){
private void exportReport(String path) {
String htmlpath = reportUtils.changeExtension(path, ".html");
String xmlpath = reportUtils.changeExtension(path, ".xml");
@ -168,12 +156,10 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
xmlout.flush();
xmlout.close();
JOptionPane.showMessageDialog(this, "Report has been successfully saved!");
}
catch (IOException e) {
} catch (IOException e) {
System.err.println(e);
}
}
// Variables declaration - do not modify//GEN-BEGIN:variables
private javax.swing.JButton jButton1;
private javax.swing.JFileChooser jFileChooser1;
@ -181,6 +167,4 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI
private javax.swing.JOptionPane jOptionPane1;
private javax.swing.JButton saveReport;
// End of variables declaration//GEN-END:variables
}
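Review bot: In exportReport the writers are closed only on the success path (`xmlout.flush(); xmlout.close();` immediately before the catch), so an IOException thrown mid-write leaves the handle open, and the catch then reports it with `System.err.println(e)` while reportHTML in this same commit logs through java.util.logging. Suggest moving the close calls into a finally block and replacing the println with `Logger.getLogger(reportPanel.class.getName()).log(Level.WARNING, "Could not export report to " + path, e);` (the logging imports would need adding; this file's import list now reads `import java.io.*;`, and the explicit list it replaced is the more conventional form). exportReport's body begins outside the hunk.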


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -8,18 +24,11 @@ import java.awt.Dimension;
import java.awt.Toolkit;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.logging.Level;
import javax.swing.JDialog;
import javax.swing.JFrame;
import javax.swing.SwingUtilities;
import javax.swing.event.HyperlinkEvent;
import javax.swing.event.HyperlinkListener;
import org.sleuthkit.autopsy.coreutils.Log;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
/**
*
@ -32,15 +41,14 @@ public class reportPanelAction {
}
public void reportGenerate(ArrayList<Integer> reportlist, final reportFilter rr){
public void reportGenerate(ReportConfiguration reportconfig, final reportFilter rr){
try {
//Clear any old reports in the string
viewReport.setLength(0);
// Generate the reports and create the hashmap
final HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> Results = new HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>>();
report bbreport = new report();
final ReportGen report = new ReportGen();
//see what reports we need to run and run them
//Set progress bar to move while doing this
SwingUtilities.invokeLater(new Runnable() {
@ -48,21 +56,11 @@ public class reportPanelAction {
public void run() {
rr.progBarStartText();
}});
if(reportlist.contains(1)){Results.putAll(bbreport.getGenInfo());}
if(reportlist.contains(2)){Results.putAll(bbreport.getWebBookmark());}
if(reportlist.contains(3)){Results.putAll(bbreport.getWebCookie());}
if(reportlist.contains(4)){Results.putAll(bbreport.getWebHistory());}
if(reportlist.contains(5)){Results.putAll(bbreport.getWebDownload());}
if(reportlist.contains(6)){Results.putAll(bbreport.getRecentObject());}
// if(reportlist.contains(7)){Results.putAll(bbreport.getGenInfo());}
if(reportlist.contains(8)){Results.putAll(bbreport.getInstalledProg());}
if(reportlist.contains(9)){Results.putAll(bbreport.getKeywordHit());}
if(reportlist.contains(10)){Results.putAll(bbreport.getHashHit());}
if(reportlist.contains(11)){Results.putAll(bbreport.getDevices());}
report.populateReport(reportconfig);
SwingUtilities.invokeLater(new Runnable() {
@Override
public void run() {
rr.progBarCount(2*Results.size());
rr.progBarCount(2*report.Results.size());
}});
//Turn our results into the appropriate xml/html reports
//TODO: add a way for users to select what they will run when
@ -71,7 +69,7 @@ public class reportPanelAction {
@Override
public void run()
{
reportXML xmlReport = new reportXML(Results, rr);
reportXML xmlReport = new reportXML(report.Results, rr);
}
});
Thread htmlthread = new Thread(new Runnable()
@ -79,8 +77,8 @@ public class reportPanelAction {
@Override
public void run()
{
reportHTML htmlReport = new reportHTML(Results,rr);
reportHTML htmlReport = new reportHTML(report.Results,rr);
BrowserControl.openUrl(reportHTML.htmlPath);
}
});
Thread xlsthread = new Thread(new Runnable()
@ -88,8 +86,8 @@ public class reportPanelAction {
@Override
public void run()
{
reportXLS xlsReport = new reportXLS(Results,rr);
// BrowserControl.openUrl(xlsReport.xlsPath);
reportXLS xlsReport = new reportXLS(report.Results,rr);
//
}
});
@ -110,7 +108,7 @@ public class reportPanelAction {
htmlthread.join();
//Set the temporary label to let the user know its done and is waiting on the report
rr.progBarText();
final reportPanel panel = new reportPanel(viewReport.toString());
final reportPanel panel = new reportPanel();
panel.setjButton1ActionListener(new ActionListener() {
@ -120,19 +118,6 @@ public class reportPanelAction {
popUpWindow.dispose();
}
});
panel.setjEditorPane1EventListener(new HyperlinkListener(){
@Override
public void hyperlinkUpdate(HyperlinkEvent hev) {
try {
if (hev.getEventType() == HyperlinkEvent.EventType.ACTIVATED)
panel.getLink(hev);
}
catch (Exception e) {
// Exceptions thrown...............
}
}
});
// add the panel to the popup window
popUpWindow.add(panel);
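Review bot: `report.Results` is read here as a public field of ReportGen (`rr.progBarCount(2*report.Results.size())`) and the same object is handed to the reportXML, reportHTML and reportXLS runnables that run on separate threads; the code it replaced kept `Results` as a final local, so this widens who can mutate the map while those threads iterate it. If ReportGen is under this project's control (it is not on this page), an accessor such as `report.getResults()` returning `Collections.unmodifiableMap(Results)` would keep the new design without exposing the mutable map. Separately, the HTML report that `BrowserControl.openUrl(reportHTML.htmlPath)` opens in the user's browser is assembled by appending attribute values straight into markup (`append(attributes.get(3))` in reportHTML), so strings recovered from the evidence image — URLs, cookie values, file names — reach the browser unescaped; routing those appends through an HTML-escaping helper would close that. reportGenerate's body starts and ends outside the hunks.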


@ -1,6 +1,22 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
@ -10,25 +26,23 @@ package org.sleuthkit.autopsy.report;
*/
public class reportUtils {
static String changeExtension(String originalName, String newExtension) {
static String changeExtension(String originalName, String newExtension) {
int lastDot = originalName.lastIndexOf(".");
if (lastDot != -1) {
return originalName.substring(0, lastDot) + newExtension;
} else {
return originalName + newExtension;
}
}
}
public static String insertPeriodically(
String text, String insert, int period)
{
public static String insertPeriodically(
String text, String insert, int period) {
StringBuilder builder = new StringBuilder(
text.length() + insert.length() * (text.length()/period)+1);
text.length() + insert.length() * (text.length() / period) + 1);
int index = 0;
String prefix = "";
while (index < text.length())
{
while (index < text.length()) {
// Don't put the insert in the very first iteration.
// This is easier than appending it *after* each substring
builder.append(prefix);
@ -38,5 +52,5 @@ public static String insertPeriodically(
index += period;
}
return builder.toString();
}
}
}
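Review bot: changeExtension applies `originalName.lastIndexOf(".")` to the whole path, so when the final component has no extension but a directory name contains a dot (constructed example: `/cases/2012.05/report` becomes `/cases/2012.html`) the path is truncated instead of extended; reportPanel.exportReport feeds it a user-chosen file path. Restrict the search to the last path component: `int lastSep = Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\'));`, `int lastDot = originalName.lastIndexOf('.');` and `if (lastDot > lastSep) {`. insertPeriodically in the same section divides by `period` when sizing the builder and advances with `index += period`, so `period <= 0` either throws ArithmeticException or never terminates; an explicit `if (period <= 0) throw new IllegalArgumentException("period must be positive: " + period);` makes that fail fast.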


@ -1,11 +1,26 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream;
import java.io.IOException;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
@ -14,27 +29,20 @@ import java.util.Date;
import java.util.HashMap;
import java.util.Map.Entry;
import java.util.TreeMap;
import org.apache.poi.ss.usermodel.Cell;
import org.apache.poi.ss.usermodel.CellStyle;
import org.apache.poi.ss.usermodel.Font;
import org.apache.poi.ss.usermodel.Row;
import org.apache.poi.ss.usermodel.Sheet;
import org.apache.poi.ss.usermodel.Workbook;
import org.apache.poi.ss.usermodel.*;
import org.apache.poi.xssf.usermodel.XSSFWorkbook;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.*;
/**
*
* @author Alex
*/
public class reportXLS {
public static Workbook wb = new XSSFWorkbook();
public reportXLS(HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
public reportXLS(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
//Empty the workbook first
Workbook wbtemp = new XSSFWorkbook();
@ -49,45 +57,45 @@ public class reportXLS {
int countKeyword = 0;
int countHash = 0;
int countDevice = 0;
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(entry.getKey().getArtifactTypeID() == 1){
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countGen++;
}
if(entry.getKey().getArtifactTypeID() == 2){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countBookmark++;
}
if(entry.getKey().getArtifactTypeID() == 3){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countCookie++;
}
if(entry.getKey().getArtifactTypeID() == 4){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countHistory++;
}
if(entry.getKey().getArtifactTypeID() == 5){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countDownload++;
}
if(entry.getKey().getArtifactTypeID() == 6){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countRecentObjects++;
}
if(entry.getKey().getArtifactTypeID() == 7){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
countTrackPoint++;
}
if(entry.getKey().getArtifactTypeID() == 8){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countInstalled++;
}
if(entry.getKey().getArtifactTypeID() == 9){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countKeyword++;
}
if(entry.getKey().getArtifactTypeID() == 10){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countHash++;
}
if(entry.getKey().getArtifactTypeID() == 11){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countDevice++;
}
}
try{
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
@ -120,9 +128,9 @@ public class reportXLS {
CellStyle style = wbtemp.createCellStyle();
style.setBorderBottom((short) 2);
Font font = wbtemp.createFont();
font.setFontHeightInPoints((short)16);
font.setFontHeightInPoints((short) 16);
font.setFontName("Courier New");
font.setBoldweight((short)2);
font.setBoldweight((short) 2);
style.setFont(font);
//create the rows in the worksheet for our records
//Create first row and header
@ -203,11 +211,11 @@ public class reportXLS {
sheetHistory.getRow(0).createCell(3).setCellValue("Title");
sheetHistory.getRow(0).createCell(4).setCellValue("Program");
for(int i = 0;i < wbtemp.getNumberOfSheets();i++){
for (int i = 0; i < wbtemp.getNumberOfSheets(); i++) {
Sheet tempsheet = wbtemp.getSheetAt(i);
tempsheet.setAutobreaks(true);
for (Row temprow : tempsheet){
for (Row temprow : tempsheet) {
for (Cell cell : temprow) {
cell.setCellStyle(style);
tempsheet.autoSizeColumn(cell.getColumnIndex());
@ -228,37 +236,31 @@ public class reportXLS {
int countedDevice = 0;
//start populating the sheets in the workbook
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (reportFilter.cancel == true) {
break;
}
int cc = 0;
Long objId = entry.getKey().getObjectID();
FsContent file = skCase.getFsContentById(objId);
Long filesize = file.getSize();
TreeMap<Integer, String> attributes = new TreeMap<Integer,String>();
TreeMap<Integer, String> attributes = new TreeMap<Integer, String>();
// Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type
int n;
for(n=1;n<=36;n++)
{
for (n = 1; n <= 36; n++) {
attributes.put(n, "");
}
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
for (BlackboardAttribute tempatt : entry.getValue()) {
if (reportFilter.cancel == true) {
break;
}
String value = "";
int type = tempatt.getAttributeTypeID();
if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){
}
else if(type == 2){
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())*1000));
}
else
{
if (tempatt.getValueString() == null || "null".equals(tempatt.getValueString())) {
} else if (type == 2 || type == 33) {
value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date((tempatt.getValueLong()) * 1000));
} else {
value = tempatt.getValueString();
}
@ -267,19 +269,19 @@ public class reportXLS {
}
if(entry.getKey().getArtifactTypeID() == 1){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
countedGen++;
// Row temp = sheetGen.getRow(countedGen);
}
if(entry.getKey().getArtifactTypeID() == 2){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
countedBookmark++;
Row temp = sheetBookmark.createRow(countedBookmark);
temp.createCell(0).setCellValue(attributes.get(1));
temp.createCell(1).setCellValue(attributes.get(3));
temp.createCell(2).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 3){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
countedCookie++;
Row temp = sheetCookie.createRow(countedCookie);
temp.createCell(0).setCellValue(attributes.get(1));
@ -288,7 +290,7 @@ public class reportXLS {
temp.createCell(3).setCellValue(attributes.get(6));
temp.createCell(4).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 4){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
countedHistory++;
Row temp = sheetHistory.createRow(countedHistory);
temp.createCell(0).setCellValue(attributes.get(1));
@ -297,7 +299,7 @@ public class reportXLS {
temp.createCell(3).setCellValue(attributes.get(3));
temp.createCell(4).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 5){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
countedDownload++;
Row temp = sheetDownload.createRow(countedDownload);
temp.createCell(0).setCellValue(attributes.get(8));
@ -305,7 +307,7 @@ public class reportXLS {
temp.createCell(2).setCellValue(attributes.get(33));
temp.createCell(3).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 6){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
countedRecentObjects++;
Row temp = sheetRecent.createRow(countedRecentObjects);
temp.createCell(0).setCellValue(attributes.get(3));
@ -313,16 +315,16 @@ public class reportXLS {
temp.createCell(2).setCellValue(file.getName());
temp.createCell(3).setCellValue(attributes.get(4));
}
if(entry.getKey().getArtifactTypeID() == 7){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
// sheetTrackpoint.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
countedInstalled++;
Row temp = sheetInstalled.createRow(countedInstalled);
temp.createCell(0).setCellValue(attributes.get(4));
temp.createCell(1).setCellValue(attributes.get(2));
}
if(entry.getKey().getArtifactTypeID() == 9){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
countedKeyword++;
Row temp = sheetKeyword.createRow(countedKeyword);
temp.createCell(0).setCellValue(attributes.get(10));
@ -330,14 +332,14 @@ public class reportXLS {
temp.createCell(2).setCellValue(attributes.get(12));
temp.createCell(3).setCellValue(attributes.get(13));
}
if(entry.getKey().getArtifactTypeID() == 10){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
countedHash++;
Row temp = sheetHash.createRow(countedHash);
temp.createCell(0).setCellValue(file.getName().toString());
temp.createCell(1).setCellValue(filesize.toString());
temp.createCell(2).setCellValue(attributes.get(30));
}
if(entry.getKey().getArtifactTypeID() == 11){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
countedDevice++;
Row temp = sheetDevice.createRow(countedDevice);
temp.createCell(0).setCellValue(attributes.get(18));
@ -353,23 +355,17 @@ public class reportXLS {
//write out the report to the reports folder
try {
FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xlsx");
FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".xlsx");
wbtemp.write(fos);
fos.close();
wb = wbtemp;
}
catch (IOException e) {
} catch (IOException e) {
System.err.println(e);
}
}
catch(Exception E)
{
} catch (Exception E) {
String test = E.toString();
}
}
}
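Review bot: The outer `catch (Exception E)` closing the constructor does nothing but `String test = E.toString();`, so any failure between `Case.getCurrentCase()` and writing the workbook is dropped without a log line and the user simply gets no .xlsx, while reportHTML and reportXML in this same commit log with `Logger.getLogger(...).log(Level.WARNING, "Exception occurred", e)`. Suggest `Logger.getLogger(reportXLS.class.getName()).log(Level.WARNING, "Exception occurred", E);` (java.util.logging imports would need adding). In the inner block `fos.close()` follows `wbtemp.write(fos)` with no finally, so a write failure leaks the file handle, and `System.err.println(e)` there has the same logging inconsistency. The attribute-type test `type == 2 || type == 33` still hard-codes IDs although the artifact IDs in the same loop were converted to `ARTIFACT_TYPE` constants; the corresponding `BlackboardAttribute.ATTRIBUTE_TYPE` constants with `getTypeID()` would keep the two consistent.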


@ -1,8 +1,25 @@
/*
* To change this template, choose Tools | Templates
* and open the template in the editor.
/*
*
* Autopsy Forensic Browser
*
* Copyright 2012 42six Solutions.
* Contact: aebadirad <at> 42six <dot> com
* Project Contact/Architect: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.report;
import java.io.FileOutputStream;
import java.io.IOException;
import java.text.DateFormat;
@ -31,10 +48,13 @@ import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskData;
public class reportXML {
public static Document xmldoc = new Document();
public reportXML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){
try{
public reportXML(HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>> report, reportFilter rr) {
try {
Case currentCase = Case.getCurrentCase(); // get the most updated case
SleuthkitCase skCase = currentCase.getSleuthkitCase();
String caseName = currentCase.getName();
@ -53,8 +73,7 @@ public class reportXML {
root.addContent(comment);
//Create summary node involving how many of each type
Element summary = new Element("Summary");
if(IngestManager.getDefault().isIngestRunning())
{
if (IngestManager.getDefault().isIngestRunning()) {
summary.addContent(new Element("Warning").setText("Report was run before ingest services completed!"));
}
summary.addContent(new Element("Name").setText(caseName));
@ -77,8 +96,8 @@ public class reportXML {
Element nodeDevice = new Element("Attached-Devices");
//remove bytes
Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]");
for (Entry<BlackboardArtifact,ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if(reportFilter.cancel == true){
for (Entry<BlackboardArtifact, ArrayList<BlackboardAttribute>> entry : report.entrySet()) {
if (reportFilter.cancel == true) {
break;
}
int cc = 0;
@ -91,12 +110,11 @@ public class reportXML {
artifact.setAttribute("Size", filesize.toString());
// Get all the attributes for this guy
for (BlackboardAttribute tempatt : entry.getValue())
{
if(reportFilter.cancel == true){
for (BlackboardAttribute tempatt : entry.getValue()) {
if (reportFilter.cancel == true) {
break;
}
Element attribute = new Element("Attribute").setAttribute("Type",tempatt.getAttributeTypeDisplayName());
Element attribute = new Element("Attribute").setAttribute("Type", tempatt.getAttributeTypeDisplayName());
String tempvalue = tempatt.getValueString();
//INVALID_XML_CHARS.matcher(tempvalue).replaceAll("");
Element value = new Element("Value").setText(tempvalue);
@ -107,44 +125,44 @@ public class reportXML {
cc++;
}
if(entry.getKey().getArtifactTypeID() == 1){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getTypeID()) {
//while (entry.getValue().iterator().hasNext())
// {
// }
nodeGen.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 2){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()) {
nodeWebBookmark.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 3){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()) {
nodeWebCookie.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 4){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()) {
nodeWebHistory.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 5){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()) {
nodeWebDownload.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 6){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()) {
nodeRecentObjects.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 7){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getTypeID()) {
nodeTrackPoint.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 8){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
nodeInstalled.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 9){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
nodeKeyword.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 10){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
nodeHash.addContent(artifact);
}
if(entry.getKey().getArtifactTypeID() == 11){
if (entry.getKey().getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
nodeDevice.addContent(artifact);
}
cc++;
@ -166,18 +184,16 @@ public class reportXML {
root.addContent(nodeDevice);
try {
FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xml");
FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory() + "/Reports/" + caseName + "-" + datenotime + ".xml");
XMLOutputter serializer = new XMLOutputter();
serializer.output(xmldoc, out);
out.flush();
out.close();
}
catch (IOException e) {
} catch (IOException e) {
System.err.println(e);
}
}
catch (Exception e){
} catch (Exception e) {
Logger.getLogger(reportXML.class.getName()).log(Level.WARNING, "Exception occurred", e);
}
}