Autopsy  3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
CacheLocationAnalyzer.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.android;
20 
21 import java.io.File;
22 import java.io.FileInputStream;
23 import java.io.InputStream;
24 import java.math.BigInteger;
25 import java.nio.ByteBuffer;
26 import java.util.List;
27 import java.util.logging.Level;
28 
29 import org.openide.util.NbBundle;
40 
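/**
 * Finds the Android location cache files {@code cache.cell} and
 * {@code cache.wifi} in a data source, parses the binary records they hold and
 * posts one TSK_GPS_TRACKPOINT artifact per usable location record.
 *
 * The cache files are evidence taken from the examined device, so every length
 * and count in them is untrusted input. The parser therefore refuses to build
 * an artifact from a record it could not read completely: a truncated or
 * malformed file ends parsing with a logged error instead of producing
 * trackpoints from zero-filled buffers.
 */
class CacheLocationAnalyzer {

    private static final String moduleName = AndroidModuleFactory.getModuleName();
    private static final Logger logger = Logger.getLogger(CacheLocationAnalyzer.class.getName());

    /**
     * Bytes remaining in a record after its accuracy field: confidence (4),
     * latitude (8), longitude (8) and timestamp (8).
     */
    private static final int REST_OF_RECORD_LENGTH = 28;

    /**
     * Locates every {@code cache.cell} and {@code cache.wifi} file in the data
     * source, copies each non-empty one to the case temp directory and parses
     * it for location records.
     *
     * Failures are logged and never propagated: an error in one file does not
     * stop the remaining files from being processed.
     *
     * @param dataSource  the data source to search
     * @param fileManager the file manager used to run the search
     */
    public static void findGeoLocations(Content dataSource, FileManager fileManager) {

        try {
            List<AbstractFile> abstractFiles = fileManager.findFiles(dataSource, "cache.cell"); //NON-NLS
            abstractFiles.addAll(fileManager.findFiles(dataSource, "cache.wifi")); //NON-NLS

            for (AbstractFile abstractFile : abstractFiles) {
                try {
                    if (abstractFile.getSize() == 0) {
                        continue;
                    }
                    // NOTE(review): the temp file is named after the evidence file, so
                    // same-named files from different directories share one temp path.
                    // Within this loop each copy is parsed before the next is written.
                    // TODO confirm findFiles() can only return the two literal names
                    // requested above, i.e. no name containing a path separator.
                    File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
                    ContentUtils.writeToFile(abstractFile, jFile);

                    findGeoLocationsInFile(jFile, abstractFile);
                } catch (Exception e) {
                    // Deliberately broad: one unreadable file must not abort the others.
                    logger.log(Level.SEVERE, "Error parsing cached Location files", e); //NON-NLS
                }
            }
        } catch (TskCoreException e) {
            logger.log(Level.SEVERE, "Error finding cached Location files", e); //NON-NLS
        }
    }

    /**
     * Parses one location cache file and adds a TSK_GPS_TRACKPOINT artifact to
     * {@code f} for each record whose accuracy value is positive.
     *
     * Layout as read here (all values big-endian): a 2-byte version, a 2-byte
     * signed entry count, then per entry two bytes that are skipped, a run of
     * bytes up to and including the first zero byte, a 3-byte accuracy value,
     * a 4-byte confidence value, an 8-byte latitude, an 8-byte longitude and an
     * 8-byte timestamp.
     *
     * The stream is always closed. If the file ends before a field is complete
     * parsing stops and the error is logged; artifacts created from earlier,
     * complete records are kept.
     *
     * @param file the local copy of the cache file to read
     * @param f    the file in the case that the artifacts are attached to
     */
    private static void findGeoLocationsInFile(File file, AbstractFile f) {
        try {
            InputStream inputStream = new FileInputStream(file);
            try {
                readBytes(inputStream, 2); // version, not used

                // Entry count taken from the file itself; being a signed 2-byte value
                // it cannot exceed 32767, and a negative count skips the loop.
                int iterations = new BigInteger(readBytes(inputStream, 2)).intValue();

                for (int i = 0; i < iterations; i++) { // loop through every entry
                    readBytes(inputStream, 2); // first two bytes of the entry, not used

                    // Pass over the unimportant values until the zero byte that
                    // starts the accuracy field (around 7-10 bytes).
                    byte[] skipped = readBytes(inputStream, 1);
                    while (skipped[0] != 0) {
                        skipped = readBytes(inputStream, 1);
                    }

                    int accuracy = new BigInteger(readBytes(inputStream, 3)).intValue();
                    if (accuracy <= 0) {
                        // A location that could not be calculated: consume the rest
                        // of the row so the next entry starts at the right offset.
                        readBytes(inputStream, REST_OF_RECORD_LENGTH);
                        continue;
                    }

                    // Confidence is consumed to stay aligned. Accuracy and confidence
                    // are not stored on the artifact for now.
                    readBytes(inputStream, 4);

                    double latitude = toDouble(readBytes(inputStream, 8));
                    double longitude = toDouble(readBytes(inputStream, 8));

                    // NOTE(review): the division presumably converts milliseconds to
                    // seconds - confirm against the cache file format.
                    long timestamp = new BigInteger(readBytes(inputStream, 8)).longValue() / 1000;

                    BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT);
                    bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE.getTypeID(), moduleName, latitude));
                    bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE.getTypeID(), moduleName, longitude));
                    bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), moduleName, timestamp));
                    bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), moduleName,
                            NbBundle.getMessage(CacheLocationAnalyzer.class,
                                    "CacheLocationAnalyzer.bbAttribute.fileLocationHistory",
                                    file.getName())));
                }
            } finally {
                // Release the file handle on every path, including parse errors.
                inputStream.close();
            }
        } catch (Exception e) {
            logger.log(Level.SEVERE, "Error parsing Cached GPS locations to Blackboard", e); //NON-NLS
        }
    }

    /**
     * Reads exactly {@code length} bytes from the stream.
     *
     * A single {@code read} call may return fewer bytes than requested, so the
     * call is repeated until the buffer is full.
     *
     * @param in     the stream to read from
     * @param length the number of bytes required
     * @return a new array holding the bytes read
     * @throws java.io.IOException if the stream ends before {@code length}
     *                             bytes are available, or the read itself fails
     */
    private static byte[] readBytes(InputStream in, int length) throws java.io.IOException {
        byte[] buffer = new byte[length];
        int filled = 0;
        while (filled < length) {
            int count = in.read(buffer, filled, length - filled);
            if (count < 0) {
                throw new java.io.EOFException("Cached location file ended after " + filled
                        + " of " + length + " expected bytes"); //NON-NLS
            }
            filled += count;
        }
        return buffer;
    }

    /**
     * Interprets the first eight bytes of the array as a big-endian double.
     *
     * @param bytes an array holding at least eight bytes
     * @return the decoded value
     */
    private static double toDouble(byte[] bytes) {
        return ByteBuffer.wrap(bytes).getDouble();
    }
}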

Copyright © 2012-2015 Basis Technology. Generated on: Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.