Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
CacheLocationAnalyzer.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.android;
20 
21 import java.io.File;
22 import java.io.FileInputStream;
23 import java.io.InputStream;
24 import java.math.BigInteger;
25 import java.nio.ByteBuffer;
26 import java.util.List;
27 import java.util.logging.Level;
28 import org.openide.util.NbBundle;
29 import org.openide.util.NbBundle.Messages;
37 import org.sleuthkit.datamodel.AbstractFile;
38 import org.sleuthkit.datamodel.BlackboardArtifact;
39 import org.sleuthkit.datamodel.BlackboardAttribute;
40 import org.sleuthkit.datamodel.Content;
41 import org.sleuthkit.datamodel.TskCoreException;
42 
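/**
 * Finds the cached location files named {@code cache.cell} and
 * {@code cache.wifi} in a data source and turns the entries they hold into
 * TSK_GPS_TRACKPOINT artifacts.
 *
 * The files come from the evidence being examined, so their contents are
 * untrusted: every field is read with an explicit length check, and a file
 * that ends in the middle of a field is reported as a parse error instead of
 * being turned into an artifact built from partially filled buffers.
 */
class CacheLocationAnalyzer {

    private static final String moduleName = AndroidModuleFactory.getModuleName();
    private static final Logger logger = Logger.getLogger(CacheLocationAnalyzer.class.getName());
    private static Blackboard blackboard;

    /**
     * Bytes that follow the accuracy field of one entry as this parser reads
     * it: confidence (4) + latitude (8) + longitude (8) + timestamp (8).
     */
    private static final int ENTRY_REMAINDER_LENGTH = 28;

    /**
     * Extracts every non-empty {@code cache.cell} / {@code cache.wifi} file of
     * the data source to the case temp directory and parses it.
     *
     * A failure on one file is logged and does not stop the remaining files
     * from being processed.
     *
     * @param dataSource  data source to search
     * @param fileManager used to look the files up by name
     * @param context     ingest job context; its cancellation check is passed
     *                    to the file extraction
     */
    public static void findGeoLocations(Content dataSource, FileManager fileManager,
            IngestJobContext context) {
        blackboard = Case.getCurrentCase().getServices().getBlackboard();
        try {
            List<AbstractFile> abstractFiles = fileManager.findFiles(dataSource, "cache.cell"); //NON-NLS
            abstractFiles.addAll(fileManager.findFiles(dataSource, "cache.wifi")); //NON-NLS

            for (AbstractFile abstractFile : abstractFiles) {
                try {
                    if (abstractFile.getSize() == 0) {
                        continue;
                    }
                    // The temp copy is named after the evidence file alone, so two
                    // matches with the same name share one temp path and the later
                    // extraction overwrites the earlier one. The name is also what
                    // ends up in the TSK_PROG_NAME attribute, so it is left as is.
                    File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
                    ContentUtils.writeToFile(abstractFile, jFile, context::dataSourceIngestIsCancelled);

                    findGeoLocationsInFile(jFile, abstractFile);
                } catch (Exception e) {
                    logger.log(Level.SEVERE, "Error parsing cached Location files", e); //NON-NLS
                }
            }
        } catch (TskCoreException e) {
            logger.log(Level.SEVERE, "Error finding cached Location files", e); //NON-NLS
        }
    }

    /**
     * Parses one extracted cache file and posts a GPS trackpoint artifact for
     * each entry whose accuracy value is positive.
     *
     * Layout as read here (all values big-endian): 2 bytes version, 2 bytes
     * entry count, then per entry 2 bytes that are skipped, a run of bytes up
     * to and including the first zero byte, 3 bytes accuracy, 4 bytes
     * confidence, 8 bytes latitude, 8 bytes longitude and 8 bytes timestamp.
     * The timestamp is divided by 1000 before it is stored (presumably
     * milliseconds to seconds; confirm against the file format).
     *
     * The stream is closed when parsing ends, whether or not it succeeded. A
     * file that ends before a field is complete raises an EOFException, which
     * is logged like any other parse error; artifacts posted before that point
     * are kept.
     *
     * @param file extracted temp copy of the cache file
     * @param f    the evidence file the artifacts are attached to
     */
    @Messages({"CacheLocationAnalyzer.indexError.message=Failed to index GPS trackpoint artifact for keyword search."})
    private static void findGeoLocationsInFile(File file, AbstractFile f) {
        try (InputStream inputStream = new FileInputStream(file)) {
            readBytes(inputStream, 2); // version, not used

            // Signed 16-bit count taken from the file; a negative value simply
            // means the loop below does not run.
            int iterations = new BigInteger(readBytes(inputStream, 2)).intValue();

            for (int i = 0; i < iterations; i++) { //loop through every entry
                readBytes(inputStream, 2); // first two bytes of the entry, not used

                //pass through non important values until the start of accuracy(around 7-10 bytes)
                byte[] single = readBytes(inputStream, 1);
                while (single[0] != 0) {
                    readFully(inputStream, single);
                }

                int accuracy = new BigInteger(readBytes(inputStream, 3)).intValue();
                if (accuracy <= 0) { //This refers to a location that could not be calculated.
                    readBytes(inputStream, ENTRY_REMAINDER_LENGTH); //read rest of the row's bytes
                    continue;
                }

                // Accuracy and confidence are read to stay aligned with the
                // entry layout but are not stored for now.
                readBytes(inputStream, 4); // confidence

                double latitude = toDouble(readBytes(inputStream, 8));
                double longitude = toDouble(readBytes(inputStream, 8));
                long timestamp = new BigInteger(readBytes(inputStream, 8)).longValue() / 1000;

                BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT);
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE, moduleName, latitude));
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE, moduleName, longitude));
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, moduleName, timestamp));
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, moduleName,
                        NbBundle.getMessage(CacheLocationAnalyzer.class,
                                "CacheLocationAnalyzer.bbAttribute.fileLocationHistory",
                                file.getName())));

                try {
                    // index the artifact for keyword search
                    blackboard.indexArtifact(bba);
                } catch (Blackboard.BlackboardException ex) {
                    logger.log(Level.SEVERE, "Unable to index blackboard artifact " + bba.getArtifactID(), ex); //NON-NLS
                    MessageNotifyUtil.Notify.error(
                            Bundle.CacheLocationAnalyzer_indexError_message(), bba.getDisplayName());
                }
            }

        } catch (Exception e) {
            logger.log(Level.SEVERE, "Error parsing Cached GPS locations to Blackboard", e); //NON-NLS
        }
    }

    /**
     * Reads exactly {@code length} bytes into a new array.
     *
     * @param in     stream to read from
     * @param length number of bytes to read
     * @return the bytes read
     * @throws java.io.IOException if the stream fails or ends early
     */
    private static byte[] readBytes(InputStream in, int length) throws java.io.IOException {
        byte[] buffer = new byte[length];
        readFully(in, buffer);
        return buffer;
    }

    /**
     * Fills the whole buffer from the stream, repeating the read until it is
     * full, because a single {@code read} call may return fewer bytes than
     * requested.
     *
     * @param in     stream to read from
     * @param buffer buffer to fill completely
     * @throws java.io.IOException if the stream fails, or (as EOFException)
     *                             ends before the buffer is full
     */
    private static void readFully(InputStream in, byte[] buffer) throws java.io.IOException {
        int filled = 0;
        while (filled < buffer.length) {
            int count = in.read(buffer, filled, buffer.length - filled);
            if (count < 0) {
                throw new java.io.EOFException("Unexpected end of cached location file after "
                        + filled + " of " + buffer.length + " bytes"); //NON-NLS
            }
            filled += count;
        }
    }

    /**
     * Interprets 8 bytes as a big-endian IEEE 754 double.
     *
     * @param bytes the 8 bytes to convert
     * @return the decoded value
     */
    private static double toDouble(byte[] bytes) {
        return ByteBuffer.wrap(bytes).getDouble();
    }
}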
