Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2016 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.photoreccarver;
21 import;
22 import;
23 import java.lang.ProcessBuilder.Redirect;
24 import java.nio.file.DirectoryStream;
25 import java.nio.file.FileAlreadyExistsException;
26 import java.nio.file.Files;
27 import java.nio.file.Path;
28 import java.nio.file.Paths;
29 import java.text.DateFormat;
30 import java.text.SimpleDateFormat;
31 import java.util.ArrayList;
32 import java.util.Date;
33 import java.util.HashMap;
34 import java.util.List;
35 import java.util.Map;
36 import java.util.concurrent.ConcurrentHashMap;
37 import java.util.concurrent.atomic.AtomicLong;
38 import java.util.logging.Level;
39 import org.openide.modules.InstalledFileLocator;
40 import org.openide.util.NbBundle;
59 import org.sleuthkit.datamodel.AbstractFile;
60 import org.sleuthkit.datamodel.LayoutFile;
61 import org.sleuthkit.datamodel.TskData;
67 @NbBundle.Messages({
68  "PhotoRecIngestModule.PermissionsNotSufficient=Insufficient permissions accessing",
69  "PhotoRecIngestModule.PermissionsNotSufficientSeeReference=See 'Shared Drive Authentication' in Autopsy help.",
70  "# {0} - output directory name", "cannotCreateOutputDir.message=Unable to create output directory: {0}.",
71  "unallocatedSpaceProcessingSettingsError.message='Process Unallocated Space' is not checked. The PhotoRec module is designed to carve unallocated space. Either enable processing of unallocated space or disable this module.",
72  "unsupportedOS.message=PhotoRec module is supported on Windows platforms only.",
73  "missingExecutable.message=Unable to locate PhotoRec executable.",
74  "cannotRunExecutable.message=Unable to execute PhotoRec.",
75  "PhotoRecIngestModule.nonHostnameUNCPathUsed=PhotoRec cannot operate with a UNC path containing IP addresses."
76 })
77 final class PhotoRecCarverFileIngestModule implements FileIngestModule {
79  private static final String PHOTOREC_DIRECTORY = "photorec_exec"; //NON-NLS
80  private static final String PHOTOREC_EXECUTABLE = "photorec_win.exe"; //NON-NLS
81  private static final String PHOTOREC_RESULTS_BASE = "results"; //NON-NLS
82  private static final String PHOTOREC_RESULTS_EXTENDED = "results.1"; //NON-NLS
83  private static final String PHOTOREC_REPORT = "report.xml"; //NON-NLS
84  private static final String LOG_FILE = "run_log.txt"; //NON-NLS
85  private static final String TEMP_DIR_NAME = "temp"; // NON-NLS
86  private static final String SEP = System.getProperty("line.separator");
87  private static final Logger logger = Logger.getLogger(PhotoRecCarverFileIngestModule.class.getName());
88  private static final HashMap<Long, IngestJobTotals> totalsForIngestJobs = new HashMap<>();
89  private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();
90  private static final Map<Long, WorkingPaths> pathsByJob = new ConcurrentHashMap<>();
91  private IngestJobContext context;
92  private Path rootOutputDirPath;
93  private File executableFile;
94  private IngestServices services;
95  private UNCPathUtilities uncPathUtilities = new UNCPathUtilities();
96  private long jobId;
98  private static class IngestJobTotals {
100  private AtomicLong totalItemsRecovered = new AtomicLong(0);
101  private AtomicLong totalItemsWithErrors = new AtomicLong(0);
102  private AtomicLong totalWritetime = new AtomicLong(0);
103  private AtomicLong totalParsetime = new AtomicLong(0);
104  }
106  private static synchronized IngestJobTotals getTotalsForIngestJobs(long ingestJobId) {
107  IngestJobTotals totals = totalsForIngestJobs.get(ingestJobId);
108  if (totals == null) {
109  totals = new PhotoRecCarverFileIngestModule.IngestJobTotals();
110  totalsForIngestJobs.put(ingestJobId, totals);
111  }
112  return totals;
113  }
115  private static synchronized void initTotalsForIngestJob(long ingestJobId) {
116  IngestJobTotals totals = new PhotoRecCarverFileIngestModule.IngestJobTotals();
117  totalsForIngestJobs.put(ingestJobId, totals);
118  }
123  @Override
124  public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
125  this.context = context;
126 = IngestServices.getInstance();
127  this.jobId = this.context.getJobId();
129  // If the global unallocated space processing setting and the module
130  // process unallocated space only setting are not in sych, throw an
131  // exception. Although the result would not be incorrect, it would be
132  // unfortunate for the user to get an accidental no-op for this module.
133  if (!this.context.processingUnallocatedSpace()) {
134  throw new IngestModule.IngestModuleException(Bundle.unallocatedSpaceProcessingSettingsError_message());
135  }
137  this.rootOutputDirPath = createModuleOutputDirectoryForCase();
140  executableFile = locateExecutable(execName.toString());
142  if (PhotoRecCarverFileIngestModule.refCounter.incrementAndGet(this.jobId) == 1) {
143  try {
144  // The first instance creates an output subdirectory with a date and time stamp
145  DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss-SSSS"); // NON-NLS
146  Date date = new Date();
147  String folder = this.context.getDataSource().getId() + "_" + dateFormat.format(date);
148  Path outputDirPath = Paths.get(this.rootOutputDirPath.toAbsolutePath().toString(), folder);
149  Files.createDirectories(outputDirPath);
151  // A temp subdirectory is also created as a location for writing unallocated space files to disk.
152  Path tempDirPath = Paths.get(outputDirPath.toString(), PhotoRecCarverFileIngestModule.TEMP_DIR_NAME);
153  Files.createDirectory(tempDirPath);
155  // Save the directories for the current job.
156  PhotoRecCarverFileIngestModule.pathsByJob.put(this.jobId, new WorkingPaths(outputDirPath, tempDirPath));
158  // Initialize job totals
159  initTotalsForIngestJob(jobId);
160  } catch (SecurityException | IOException | UnsupportedOperationException ex) {
161  throw new IngestModule.IngestModuleException(Bundle.cannotCreateOutputDir_message(ex.getLocalizedMessage()), ex);
162  }
163  }
164  }
169  @Override
170  public IngestModule.ProcessResult process(AbstractFile file) {
171  // Skip everything except unallocated space files.
172  if (file.getType() != TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) {
173  return IngestModule.ProcessResult.OK;
174  }
176  // Safely get a reference to the totalsForIngestJobs object
177  IngestJobTotals totals = getTotalsForIngestJobs(jobId);
179  Path tempFilePath = null;
180  try {
181  // Verify initialization succeeded.
182  if (null == this.executableFile) {
183  logger.log(Level.SEVERE, "PhotoRec carver called after failed start up"); // NON-NLS
184  return IngestModule.ProcessResult.ERROR;
185  }
187  // Check that we have roughly enough disk space left to complete the operation
188  // Some network drives always return -1 for free disk space.
189  // In this case, expect enough space and move on.
190  long freeDiskSpace = IngestServices.getInstance().getFreeDiskSpace();
191  if ((freeDiskSpace != IngestMonitor.DISK_FREE_SPACE_UNKNOWN) && ((file.getSize() * 1.2) > freeDiskSpace)) {
192  logger.log(Level.SEVERE, "PhotoRec error processing {0} with {1} Not enough space on primary disk to save unallocated space.", // NON-NLS
193  new Object[]{file.getName(), PhotoRecCarverIngestModuleFactory.getModuleName()}); // NON-NLS
194  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "PhotoRecIngestModule.UnableToCarve", file.getName()),
195  NbBundle.getMessage(this.getClass(), "PhotoRecIngestModule.NotEnoughDiskSpace"));
196  return IngestModule.ProcessResult.ERROR;
197  }
198  if (this.context.fileIngestIsCancelled() == true) {
199  // if it was cancelled by the user, result is OK
200  logger.log(Level.INFO, "PhotoRec cancelled by user"); // NON-NLS
201, NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.cancelledByUser"));
202  return IngestModule.ProcessResult.OK;
203  }
205  // Write the file to disk.
206  long writestart = System.currentTimeMillis();
207  WorkingPaths paths = PhotoRecCarverFileIngestModule.pathsByJob.get(this.jobId);
208  tempFilePath = Paths.get(paths.getTempDirPath().toString(), file.getName());
209  ContentUtils.writeToFile(file, tempFilePath.toFile(), context::fileIngestIsCancelled);
211  if (this.context.fileIngestIsCancelled() == true) {
212  // if it was cancelled by the user, result is OK
213  logger.log(Level.INFO, "PhotoRec cancelled by user"); // NON-NLS
214, NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.cancelledByUser"));
215  return IngestModule.ProcessResult.OK;
216  }
218  // Create a subdirectory for this file.
219  Path outputDirPath = Paths.get(paths.getOutputDirPath().toString(), file.getName());
220  Files.createDirectory(outputDirPath);
221  File log = new File(Paths.get(outputDirPath.toString(), LOG_FILE).toString()); //NON-NLS
223  // Scan the file with Unallocated Carver.
224  ProcessBuilder processAndSettings = new ProcessBuilder(
225  "\"" + executableFile + "\"",
226  "/d", // NON-NLS
227  "\"" + outputDirPath.toAbsolutePath() + File.separator + PHOTOREC_RESULTS_BASE + "\"",
228  "/cmd", // NON-NLS
229  "\"" + tempFilePath.toFile() + "\"",
230  "search"); // NON-NLS
232  // Add environment variable to force PhotoRec to run with the same permissions Autopsy uses
233  processAndSettings.environment().put("__COMPAT_LAYER", "RunAsInvoker"); //NON-NLS
234  processAndSettings.redirectErrorStream(true);
235  processAndSettings.redirectOutput(Redirect.appendTo(log));
237  FileIngestModuleProcessTerminator terminator = new FileIngestModuleProcessTerminator(this.context, true);
238  int exitValue = ExecUtil.execute(processAndSettings, terminator);
240  if (this.context.fileIngestIsCancelled() == true) {
241  // if it was cancelled by the user, result is OK
242  cleanup(outputDirPath, tempFilePath);
243  logger.log(Level.INFO, "PhotoRec cancelled by user"); // NON-NLS
244, NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.cancelledByUser"));
245  return IngestModule.ProcessResult.OK;
246  } else if (terminator.getTerminationCode() == ProcTerminationCode.TIME_OUT) {
247  cleanup(outputDirPath, tempFilePath);
248  String msg = NbBundle.getMessage(this.getClass(), "PhotoRecIngestModule.processTerminated") + file.getName(); // NON-NLS
249  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "PhotoRecIngestModule.moduleError"), msg); // NON-NLS
250  logger.log(Level.SEVERE, msg);
251  return IngestModule.ProcessResult.ERROR;
252  } else if (0 != exitValue) {
253  // if it failed or was cancelled by timeout, result is ERROR
254  cleanup(outputDirPath, tempFilePath);
255  totals.totalItemsWithErrors.incrementAndGet();
256  logger.log(Level.SEVERE, "PhotoRec carver returned error exit value = {0} when scanning {1}", // NON-NLS
257  new Object[]{exitValue, file.getName()}); // NON-NLS
258  MessageNotifyUtil.Notify.error(PhotoRecCarverIngestModuleFactory.getModuleName(), NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.error.exitValue", // NON-NLS
259  new Object[]{exitValue, file.getName()}));
260  return IngestModule.ProcessResult.ERROR;
261  }
263  // Move carver log file to avoid placement into Autopsy results. PhotoRec appends ".1" to the folder name.
265 newAuditFile = new, PHOTOREC_REPORT).toString()); //NON-NLS
266  oldAuditFile.renameTo(newAuditFile);
268  if (this.context.fileIngestIsCancelled() == true) {
269  // if it was cancelled by the user, result is OK
270  logger.log(Level.INFO, "PhotoRec cancelled by user"); // NON-NLS
271, NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.cancelledByUser"));
272  return IngestModule.ProcessResult.OK;
273  }
274  Path pathToRemove = Paths.get(outputDirPath.toAbsolutePath().toString());
275  try (DirectoryStream<Path> stream = Files.newDirectoryStream(pathToRemove)) {
276  for (Path entry : stream) {
277  if (Files.isDirectory(entry)) {
278  FileUtil.deleteDir(new File(entry.toString()));
279  }
280  }
281  }
282  long writedelta = (System.currentTimeMillis() - writestart);
283  totals.totalWritetime.addAndGet(writedelta);
285  // Now that we've cleaned up the folders and data files, parse the xml output file to add carved items into the database
286  long calcstart = System.currentTimeMillis();
287  PhotoRecCarverOutputParser parser = new PhotoRecCarverOutputParser(outputDirPath);
288  if (this.context.fileIngestIsCancelled() == true) {
289  // if it was cancelled by the user, result is OK
290  logger.log(Level.INFO, "PhotoRec cancelled by user"); // NON-NLS
291, NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.cancelledByUser"));
292  return IngestModule.ProcessResult.OK;
293  }
294  List<LayoutFile> carvedItems = parser.parse(newAuditFile, file, context);
295  long calcdelta = (System.currentTimeMillis() - calcstart);
296  totals.totalParsetime.addAndGet(calcdelta);
297  if (carvedItems != null && !carvedItems.isEmpty()) { // if there were any results from carving, add the unallocated carving event to the reports list.
298  totals.totalItemsRecovered.addAndGet(carvedItems.size());
299  context.addFilesToJob(new ArrayList<>(carvedItems));
300  services.fireModuleContentEvent(new ModuleContentEvent(carvedItems.get(0))); // fire an event to update the tree
301  }
302  } catch (IOException ex) {
303  totals.totalItemsWithErrors.incrementAndGet();
304  logger.log(Level.SEVERE, "Error processing " + file.getName() + " with PhotoRec carver", ex); // NON-NLS
305  MessageNotifyUtil.Notify.error(PhotoRecCarverIngestModuleFactory.getModuleName(), NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.error.msg", file.getName()));
306  return IngestModule.ProcessResult.ERROR;
307  } finally {
308  if (null != tempFilePath && Files.exists(tempFilePath)) {
309  // Get rid of the unallocated space file.
310  tempFilePath.toFile().delete();
311  }
312  }
313  return IngestModule.ProcessResult.OK;
315  }
317  private void cleanup(Path outputDirPath, Path tempFilePath) {
318  // cleanup the output path
319  FileUtil.deleteDir(new File(outputDirPath.toString()));
320  if (null != tempFilePath && Files.exists(tempFilePath)) {
321  tempFilePath.toFile().delete();
322  }
323  }
325  private static synchronized void postSummary(long jobId) {
326  IngestJobTotals jobTotals = totalsForIngestJobs.remove(jobId);
328  StringBuilder detailsSb = new StringBuilder();
329  //details
330  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
332  detailsSb.append("<tr><td>") //NON-NLS
333  .append(NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.complete.numberOfCarved"))
334  .append("</td>"); //NON-NLS
335  detailsSb.append("<td>").append(jobTotals.totalItemsRecovered.get()).append("</td></tr>"); //NON-NLS
337  detailsSb.append("<tr><td>") //NON-NLS
338  .append(NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.complete.numberOfErrors"))
339  .append("</td>"); //NON-NLS
340  detailsSb.append("<td>").append(jobTotals.totalItemsWithErrors.get()).append("</td></tr>"); //NON-NLS
342  detailsSb.append("<tr><td>") //NON-NLS
343  .append(NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.complete.totalWritetime"))
344  .append("</td><td>").append(jobTotals.totalWritetime.get()).append("</td></tr>\n"); //NON-NLS
345  detailsSb.append("<tr><td>") //NON-NLS
346  .append(NbBundle.getMessage(PhotoRecCarverFileIngestModule.class, "PhotoRecIngestModule.complete.totalParsetime"))
347  .append("</td><td>").append(jobTotals.totalParsetime.get()).append("</td></tr>\n"); //NON-NLS
348  detailsSb.append("</table>"); //NON-NLS
350  IngestServices.getInstance().postMessage(IngestMessage.createMessage(
351  IngestMessage.MessageType.INFO,
352  PhotoRecCarverIngestModuleFactory.getModuleName(),
353  NbBundle.getMessage(PhotoRecCarverFileIngestModule.class,
354  "PhotoRecIngestModule.complete.photoRecResults"),
355  detailsSb.toString()));
357  }
362  @Override
363  public void shutDown() {
364  if (this.context != null && refCounter.decrementAndGet(this.jobId) == 0) {
365  try {
366  // The last instance of this module for an ingest job cleans out
367  // the working paths map entry for the job and deletes the temp dir.
368  WorkingPaths paths = PhotoRecCarverFileIngestModule.pathsByJob.remove(this.jobId);
369  FileUtil.deleteDir(new File(paths.getTempDirPath().toString()));
370  postSummary(jobId);
371  } catch (SecurityException ex) {
372  logger.log(Level.SEVERE, "Error shutting down PhotoRec carver module", ex); // NON-NLS
373  }
374  }
375  }
377  private static final class WorkingPaths {
379  private final Path outputDirPath;
380  private final Path tempDirPath;
382  WorkingPaths(Path outputDirPath, Path tempDirPath) {
383  this.outputDirPath = outputDirPath;
384  this.tempDirPath = tempDirPath;
385  }
387  Path getOutputDirPath() {
388  return this.outputDirPath;
389  }
391  Path getTempDirPath() {
392  return this.tempDirPath;
393  }
394  }
404  synchronized Path createModuleOutputDirectoryForCase() throws IngestModule.IngestModuleException {
405  Path path = Paths.get(Case.getCurrentCase().getModuleDirectory(), PhotoRecCarverIngestModuleFactory.getModuleName());
406  try {
407  Files.createDirectory(path);
408  if (UNCPathUtilities.isUNC(path)) {
409  // if the UNC path is using an IP address, convert to hostname
410  path = uncPathUtilities.ipToHostName(path);
411  if (path == null) {
412  throw new IngestModule.IngestModuleException(Bundle.PhotoRecIngestModule_nonHostnameUNCPathUsed());
413  }
414  if (false == FileUtil.hasReadWriteAccess(path)) {
415  throw new IngestModule.IngestModuleException(
416  Bundle.PhotoRecIngestModule_PermissionsNotSufficient() + SEP + path.toString() + SEP
417  + Bundle.PhotoRecIngestModule_PermissionsNotSufficientSeeReference()
418  );
419  }
420  }
421  } catch (FileAlreadyExistsException ex) {
422  // No worries.
423  } catch (IOException | SecurityException | UnsupportedOperationException ex) {
424  throw new IngestModule.IngestModuleException(Bundle.cannotCreateOutputDir_message(ex.getLocalizedMessage()), ex);
425  }
426  return path;
427  }
438  public static File locateExecutable(String executableToFindName) throws IngestModule.IngestModuleException {
439  // Must be running under a Windows operating system.
440  if (!PlatformUtil.isWindowsOS()) {
441  throw new IngestModule.IngestModuleException(Bundle.unsupportedOS_message());
442  }
444  File exeFile = InstalledFileLocator.getDefault().locate(executableToFindName, PhotoRecCarverFileIngestModule.class.getPackage().getName(), false);
445  if (null == exeFile) {
446  throw new IngestModule.IngestModuleException(Bundle.missingExecutable_message());
447  }
449  if (!exeFile.canExecute()) {
450  throw new IngestModule.IngestModuleException(Bundle.cannotRunExecutable_message());
451  }
453  return exeFile;
454  }
456 }
void fireModuleContentEvent(ModuleContentEvent moduleContentEvent)
synchronized static Logger getLogger(String name)
synchronized Path ipToHostName(Path inputPath)
static synchronized IngestServices getInstance()

Copyright © 2012-2016 Basis Technology. Generated on: Tue Oct 25 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.