1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.fileextmismatch;
20 
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.Collections;
24 import java.util.HashMap;
25 import java.util.List;
26 import java.util.logging.Level;
27 import org.openide.util.NbBundle;
42 
47 
// Module-wide logger; every warning in this file goes through it.
48  private static final Logger logger = Logger.getLogger(FileExtMismatchIngestModule.class.getName());
// Per-job settings that decide which files are skipped (no extension / text/plain).
50  private final FileExtMismatchDetectorModuleSettings settings;
// Signature type -> allowed extensions, filled by startUp() from FileExtMismatchXML.
// Naming: field name is UpperCamelCase, unlike the rest of the file; left as-is
// because every method in the class references it by this name.
51  private HashMap<String, String[]> SigTypeToExtMap = new HashMap<>();
// Ingest job this instance belongs to; set in startUp(), used as the totals key.
52  private long jobId;
// Running totals keyed by job id, shared by all instances of this module.
// Writers must hold the lock addToTotals() uses (static synchronized => the class object).
// NOTE(review): the declarations of `services` and `refCounter` used below are not shown in this listing.
53  private static final HashMap<Long, IngestJobTotals> totalsForIngestJobs = new HashMap<>();
55 
/**
 * Counters accumulated for one ingest job: summed per-file processing time
 * (milliseconds, as measured by the caller) and the number of files tallied.
 * Both start at zero (the Java default for {@code long}); addToTotals()
 * mutates them and shutDown() reads them for the summary message.
 */
private static class IngestJobTotals {
    private long processTime;
    private long numFiles;
}
60 
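/**
 * Adds one processed file and its processing time to the running totals of
 * the given ingest job, creating the totals entry on first use.
 *
 * <p>Declared {@code static synchronized}, so the lock is the class object;
 * that lock is what guards {@code totalsForIngestJobs}. Any other code that
 * touches the map must synchronize on the same object.
 *
 * @param ingestJobId    id of the ingest job being tallied
 * @param processTimeInc processing time to add, in milliseconds (the caller
 *                       derives it from System.currentTimeMillis())
 */
private static synchronized void addToTotals(long ingestJobId, long processTimeInc) {
    IngestJobTotals ingestJobTotals = totalsForIngestJobs.get(ingestJobId);
    if (ingestJobTotals == null) {
        ingestJobTotals = new IngestJobTotals();
        totalsForIngestJobs.put(ingestJobId, ingestJobTotals);
    }
    // The map already holds this instance, so mutating it in place is
    // sufficient; the original re-put after mutation was redundant.
    ingestJobTotals.processTime += processTimeInc;
    ingestJobTotals.numFiles++;
}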
77 
/**
 * Creates a module instance bound to the given settings. Nothing is loaded
 * here; the signature-to-extension map is read in startUp().
 *
 * @param settings per-job settings that decide which files are skipped
 */
FileExtMismatchIngestModule(FileExtMismatchDetectorModuleSettings settings) {
    this.settings = settings;
}
81 
/**
 * Records the job id, registers this instance with the per-job reference
 * counter, and loads the signature-to-extension map from the module's XML
 * configuration.
 *
 * <p>NOTE(review): the map is assigned straight from {@code load()}. If that
 * call can return null, compareSigTypeToExt() will throw on its first lookup;
 * whether it can is not visible in this file — confirm against FileExtMismatchXML.
 *
 * @param context ingest job context supplying the job id
 * @throws IngestModuleException declared by the interface; nothing in this
 *         body throws it directly
 */
@Override
public void startUp(IngestJobContext context) throws IngestModuleException {
    jobId = context.getJobId();
    refCounter.incrementAndGet(jobId);
    SigTypeToExtMap = FileExtMismatchXML.getDefault().load();
}
90 
/**
 * Runs the extension/signature mismatch check on one file and, on a
 * mismatch, posts a TSK_EXT_MISMATCH_DETECTED artifact and fires a module
 * data event for it. Per-file processing time is tallied via addToTotals().
 *
 * NOTE(review): the lines that form the first two guard conditions and the
 * artifact creation that declares {@code bart} are not shown in this listing;
 * the comments below describe only what is visible.
 *
 * @param abstractFile the file to check
 * @return ProcessResult.OK, or ProcessResult.ERROR if a TskException escapes
 *         the artifact/event step (compareSigTypeToExt() handles its own
 *         blackboard errors and reports "no mismatch" instead)
 */
91  @Override
92  public ProcessResult process(AbstractFile abstractFile) {
93  // skip non-files
96  || (abstractFile.isFile() == false)) {
97  return ProcessResult.OK;
98  }
99 
100  // deleted files often have content that was not theirs and therefore cause a mismatch
103  return ProcessResult.OK;
104  }
105 
106  try {
// wall-clock milliseconds per file; summed per job and reported in shutDown()
107  long startTime = System.currentTimeMillis();
108 
109  boolean mismatchDetected = compareSigTypeToExt(abstractFile);
110 
111  addToTotals(jobId, System.currentTimeMillis() - startTime);
112 
113  if (mismatchDetected) {
114  // add artifact
116 
// notify listeners (e.g. the results tree) of the new artifact for this module
117  services.fireModuleDataEvent(new ModuleDataEvent(FileExtMismatchDetectorModuleFactory.getModuleName(), ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED, Collections.singletonList(bart)));
118  }
119  return ProcessResult.OK;
120  } catch (TskException ex) {
121  logger.log(Level.WARNING, "Error matching file signature", ex); //NON-NLS
122  return ProcessResult.ERROR;
123  }
124  }
125 
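/**
 * Compares the file's signature-derived type (the TSK_FILE_TYPE_SIG attribute
 * read from the blackboard) against its name extension, using the
 * signature-to-extension map loaded at startUp().
 *
 * <p>Decision order, per the module settings:
 * <ul>
 *   <li>empty extension and skipFilesWithNoExtension(): not a mismatch;</li>
 *   <li>"text/plain" signature with a non-empty extension and
 *       skipFilesWithTextPlainMimeType(): not a mismatch;</li>
 *   <li>signature type present in the map: mismatch iff the extension is not
 *       among the allowed values (exact, case-sensitive match);</li>
 *   <li>signature type unknown to the map, or no signature attribute at all:
 *       not a mismatch.</li>
 * </ul>
 * The first attribute whose type is in the map decides the result. Two
 * consequences worth knowing when reading results: if no earlier module has
 * written a TSK_FILE_TYPE_SIG attribute, this method never reports a
 * mismatch; and a TskCoreException while reading the blackboard is logged and
 * also yields "no mismatch", not an error. NOTE(review): whether
 * getNameExtension() normalises case is not visible here — confirm, since
 * the comparison is case-sensitive.
 *
 * @param abstractFile the file to check
 * @return true if the extension is not allowed for the file's signature type
 */
private boolean compareSigTypeToExt(AbstractFile abstractFile) {
    try {
        String currActualExt = abstractFile.getNameExtension();

        // Files without an extension can be opted out via settings.
        if (settings.skipFilesWithNoExtension() && currActualExt.isEmpty()) {
            return false;
        }

        // The signature type is whatever is already on the blackboard for this file.
        ArrayList<BlackboardAttribute> attributes =
                abstractFile.getGenInfoAttributes(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_FILE_TYPE_SIG);
        for (BlackboardAttribute attribute : attributes) {
            String currActualSigType = attribute.getValueString();
            if (settings.skipFilesWithTextPlainMimeType()
                    && !currActualExt.isEmpty()
                    && currActualSigType.equals("text/plain")) { //NON-NLS
                return false;
            }

            String[] allowedExtArray = SigTypeToExtMap.get(currActualSigType);
            if (allowedExtArray == null) {
                // Unknown signature type: nothing to compare against; try the next attribute.
                continue;
            }
            // Arrays.asList() never returns null, so the original null check on the
            // list was dead; contains() also tolerates a null entry in the allowed
            // array where the hand-written e.equals(...) loop would have thrown.
            return !Arrays.asList(allowedExtArray).contains(currActualExt); // true = potential mismatch
        }
    } catch (TskCoreException ex) {
        logger.log(Level.WARNING, "Error while getting file signature from blackboard.", ex); //NON-NLS
    }

    return false;
}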
174 
/**
 * Posts the per-job summary (total processing time and file count) as an
 * ingest message, but only from the last module instance of the job to shut
 * down, as decided by refCounter.
 *
 * NOTE(review): the removal from {@code totalsForIngestJobs} below is guarded
 * by {@code synchronized(this)} — the instance lock — while addToTotals() is
 * {@code static synchronized} — the class lock. The two do not exclude each
 * other, so an addToTotals() from another instance of the same job can race
 * this remove; synchronizing on FileExtMismatchIngestModule.class here (or
 * doing the remove in a static synchronized helper) would close that.
 * The postMessage/createMessage line of this method is not shown in this listing.
 * The HTML below is built only from the module name and two longs, so there
 * is no untrusted input in it.
 */
175  @Override
176  public void shutDown() {
177  // We only need to post the summary msg from the last module per job
178  if (refCounter.decrementAndGet(jobId) == 0) {
179  IngestJobTotals jobTotals;
// instance lock; see the note above about the class lock used by addToTotals()
180  synchronized(this) {
181  jobTotals = totalsForIngestJobs.remove(jobId);
182  }
// null when no file of this job reached addToTotals()
183  if (jobTotals != null) {
184  StringBuilder detailsSb = new StringBuilder();
185  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
186  detailsSb.append("<tr><td>").append(FileExtMismatchDetectorModuleFactory.getModuleName()).append("</td></tr>"); //NON-NLS
187  detailsSb.append("<tr><td>").append( //NON-NLS
188  NbBundle.getMessage(this.getClass(), "FileExtMismatchIngestModule.complete.totalProcTime"))
189  .append("</td><td>").append(jobTotals.processTime).append("</td></tr>\n"); //NON-NLS
190  detailsSb.append("<tr><td>").append( //NON-NLS
191  NbBundle.getMessage(this.getClass(), "FileExtMismatchIngestModule.complete.totalFiles"))
192  .append("</td><td>").append(jobTotals.numFiles).append("</td></tr>\n"); //NON-NLS
193  detailsSb.append("</table>"); //NON-NLS
194 
196  NbBundle.getMessage(this.getClass(),
197  "FileExtMismatchIngestModule.complete.svcMsg.text"),
198  detailsSb.toString()));
199  }
200  }
201  }
202 }
