Autopsy  4.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
FileExtMismatchIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2016 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.fileextmismatch;
20 
21 import java.util.Arrays;
22 import java.util.Collections;
23 import java.util.HashMap;
24 import java.util.List;
25 import java.util.logging.Level;
26 import org.openide.util.NbBundle;
27 import org.sleuthkit.autopsy.casemodule.Case;
28 import org.sleuthkit.autopsy.casemodule.services.Blackboard;
29 import org.sleuthkit.autopsy.coreutils.Logger;
30 import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
31 import org.sleuthkit.autopsy.ingest.FileIngestModule;
32 import org.sleuthkit.autopsy.ingest.IngestJobContext;
33 import org.sleuthkit.autopsy.ingest.IngestMessage;
34 import org.sleuthkit.autopsy.ingest.IngestServices;
35 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
36 import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter;
37 import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector;
38 import org.sleuthkit.datamodel.AbstractFile;
39 import org.sleuthkit.datamodel.BlackboardArtifact;
40 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
41 import org.sleuthkit.datamodel.TskCoreException;
42 import org.sleuthkit.datamodel.TskData;
43 import org.sleuthkit.datamodel.TskData.FileKnown;
44 import org.sleuthkit.datamodel.TskException;
45 
49 public class FileExtMismatchIngestModule implements FileIngestModule {
50 
51  private static final Logger logger = Logger.getLogger(FileExtMismatchIngestModule.class.getName());
52  private final IngestServices services = IngestServices.getInstance();
53  private final FileExtMismatchDetectorModuleSettings settings;
54  private HashMap<String, String[]> SigTypeToExtMap = new HashMap<>();
55  private long jobId;
56  private static final HashMap<Long, IngestJobTotals> totalsForIngestJobs = new HashMap<>();
57  private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();
58  private static Blackboard blackboard;
59  private FileTypeDetector detector;
60 
61  private static class IngestJobTotals {
62 
63  private long processTime = 0;
64  private long numFiles = 0;
65  }
66 
73  private static synchronized void addToTotals(long ingestJobId, long processTimeInc) {
74  IngestJobTotals ingestJobTotals = totalsForIngestJobs.get(ingestJobId);
75  if (ingestJobTotals == null) {
76  ingestJobTotals = new IngestJobTotals();
77  totalsForIngestJobs.put(ingestJobId, ingestJobTotals);
78  }
79 
80  ingestJobTotals.processTime += processTimeInc;
81  ingestJobTotals.numFiles++;
82  totalsForIngestJobs.put(ingestJobId, ingestJobTotals);
83  }
84 
85  FileExtMismatchIngestModule(FileExtMismatchDetectorModuleSettings settings) {
86  this.settings = settings;
87  }
88 
89  @Override
90  public void startUp(IngestJobContext context) throws IngestModuleException {
91  jobId = context.getJobId();
92  refCounter.incrementAndGet(jobId);
93 
94  FileExtMismatchXML xmlLoader = FileExtMismatchXML.getDefault();
95  SigTypeToExtMap = xmlLoader.load();
96  try {
97  this.detector = new FileTypeDetector();
98  } catch (FileTypeDetector.FileTypeDetectorInitException ex) {
99  throw new IngestModuleException("Could not create file type detector.", ex);
100  }
101 
102  }
103 
104  @Override
105  public ProcessResult process(AbstractFile abstractFile) {
106  blackboard = Case.getCurrentCase().getServices().getBlackboard();
107  if(this.settings.skipKnownFiles() && (abstractFile.getKnown() == FileKnown.KNOWN)) {
108  return ProcessResult.OK;
109  }
110 
111  // skip non-files
112  if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
113  || (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
114  || (abstractFile.isFile() == false)) {
115  return ProcessResult.OK;
116  }
117 
118  // deleted files often have content that was not theirs and therefor causes mismatch
119  if ((abstractFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC))
120  || (abstractFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC))) {
121  return ProcessResult.OK;
122  }
123 
124  try {
125  long startTime = System.currentTimeMillis();
126 
127  boolean mismatchDetected = compareSigTypeToExt(abstractFile);
128 
129  addToTotals(jobId, System.currentTimeMillis() - startTime);
130 
131  if (mismatchDetected) {
132  // add artifact
133  BlackboardArtifact bart = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED);
134 
135  try {
136  // index the artifact for keyword search
137  blackboard.indexArtifact(bart);
138  } catch (Blackboard.BlackboardException ex) {
139  logger.log(Level.SEVERE, NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.error.msg", bart.getDisplayName()), ex); //NON-NLS
140  MessageNotifyUtil.Notify.error(
141  NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.exception.msg"), bart.getDisplayName());
142  }
143 
144  services.fireModuleDataEvent(new ModuleDataEvent(FileExtMismatchDetectorModuleFactory.getModuleName(), ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED, Collections.singletonList(bart)));
145  }
146  return ProcessResult.OK;
147  } catch (TskException ex) {
148  logger.log(Level.WARNING, "Error matching file signature", ex); //NON-NLS
149  return ProcessResult.ERROR;
150  }
151  }
152 
160  private boolean compareSigTypeToExt(AbstractFile abstractFile) throws TskCoreException {
161  String currActualExt = abstractFile.getNameExtension();
162 
163  // If we are skipping names with no extension
164  if (settings.skipFilesWithNoExtension() && currActualExt.isEmpty()) {
165  return false;
166  }
167  String currActualSigType = detector.getFileType(abstractFile);
168  if (currActualSigType == null) {
169  return false;
170  }
171  if (settings.skipFilesWithTextPlainMimeType()) {
172  if (!currActualExt.isEmpty() && currActualSigType.equals("text/plain")) { //NON-NLS
173  return false;
174  }
175  }
176 
177  //get known allowed values from the map for this type
178  String[] allowedExtArray = SigTypeToExtMap.get(currActualSigType);
179  if (allowedExtArray != null) {
180  List<String> allowedExtList = Arrays.asList(allowedExtArray);
181 
182  // see if the filename ext is in the allowed list
183  if (allowedExtList != null) {
184  for (String e : allowedExtList) {
185  if (e.equals(currActualExt)) {
186  return false;
187  }
188  }
189  return true; //potential mismatch
190  }
191  }
192 
193  return false;
194  }
195 
196  @Override
197  public void shutDown() {
198  // We only need to post the summary msg from the last module per job
199  if (refCounter.decrementAndGet(jobId) == 0) {
200  IngestJobTotals jobTotals;
201  synchronized (this) {
202  jobTotals = totalsForIngestJobs.remove(jobId);
203  }
204  if (jobTotals != null) {
205  StringBuilder detailsSb = new StringBuilder();
206  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
207  detailsSb.append("<tr><td>").append(FileExtMismatchDetectorModuleFactory.getModuleName()).append("</td></tr>"); //NON-NLS
208  detailsSb.append("<tr><td>").append( //NON-NLS
209  NbBundle.getMessage(this.getClass(), "FileExtMismatchIngestModule.complete.totalProcTime"))
210  .append("</td><td>").append(jobTotals.processTime).append("</td></tr>\n"); //NON-NLS
211  detailsSb.append("<tr><td>").append( //NON-NLS
212  NbBundle.getMessage(this.getClass(), "FileExtMismatchIngestModule.complete.totalFiles"))
213  .append("</td><td>").append(jobTotals.numFiles).append("</td></tr>\n"); //NON-NLS
214  detailsSb.append("</table>"); //NON-NLS
215 
216  services.postMessage(IngestMessage.createMessage(IngestMessage.MessageType.INFO, FileExtMismatchDetectorModuleFactory.getModuleName(),
217  NbBundle.getMessage(this.getClass(),
218  "FileExtMismatchIngestModule.complete.svcMsg.text"),
219  detailsSb.toString()));
220  }
221  }
222  }
223 }
org.sleuthkit.autopsy.casemodule.services.Blackboard.indexArtifact
void indexArtifact(BlackboardArtifact artifact)
Definition: Blackboard.java:45
org.sleuthkit.autopsy.ingest.IngestMessage.createMessage
static IngestMessage createMessage(MessageType messageType, String source, String subject, String detailsHtml)
Definition: IngestMessage.java:183
org.sleuthkit.autopsy.ingest.IngestServices.postMessage
void postMessage(final IngestMessage message)
Definition: IngestServices.java:87
org.sleuthkit.autopsy.ingest.IngestServices.fireModuleDataEvent
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
Definition: IngestServices.java:98
org.sleuthkit.autopsy.coreutils.MessageNotifyUtil.Notify.error
static void error(String title, String message)
Definition: MessageNotifyUtil.java:227
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:166
org.sleuthkit.autopsy.modules.fileextmismatch.FileExtMismatchIngestModule.addToTotals
static synchronized void addToTotals(long ingestJobId, long processTimeInc)
Definition: FileExtMismatchIngestModule.java:73
org.sleuthkit.autopsy.ingest.IngestServices.getInstance
static synchronized IngestServices getInstance()
Definition: IngestServices.java:45

Copyright © 2012-2015 Basis Technology. Generated on: Wed Apr 6 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.