Autopsy  4.10.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EncryptionDetectionFileIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2017-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.encryptiondetection;
20 
21 import com.healthmarketscience.jackcess.CryptCodecProvider;
22 import com.healthmarketscience.jackcess.Database;
23 import com.healthmarketscience.jackcess.DatabaseBuilder;
24 import com.healthmarketscience.jackcess.InvalidCredentialsException;
25 import com.healthmarketscience.jackcess.impl.CodecProvider;
26 import com.healthmarketscience.jackcess.impl.UnsupportedCodecException;
27 import com.healthmarketscience.jackcess.util.MemFileChannel;
28 import java.io.IOException;
29 import java.util.Collections;
30 import java.util.logging.Level;
31 import org.sleuthkit.datamodel.ReadContentInputStream;
32 import java.io.BufferedInputStream;
33 import java.io.InputStream;
34 import java.nio.BufferUnderflowException;
35 import org.apache.tika.exception.EncryptedDocumentException;
36 import org.apache.tika.exception.TikaException;
37 import org.apache.tika.metadata.Metadata;
38 import org.apache.tika.parser.AutoDetectParser;
39 import org.apache.tika.parser.ParseContext;
40 import org.apache.tika.sax.BodyContentHandler;
41 import org.openide.util.NbBundle.Messages;
42 import org.sleuthkit.autopsy.casemodule.Case;
43 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
44 import org.sleuthkit.autopsy.casemodule.services.Blackboard;
45 import org.sleuthkit.autopsy.coreutils.Logger;
46 import org.sleuthkit.autopsy.ingest.FileIngestModuleAdapter;
47 import org.sleuthkit.autopsy.ingest.IngestJobContext;
48 import org.sleuthkit.autopsy.ingest.IngestMessage;
49 import org.sleuthkit.autopsy.ingest.IngestModule;
50 import org.sleuthkit.autopsy.ingest.IngestServices;
51 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
52 import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector;
53 import org.sleuthkit.datamodel.AbstractFile;
54 import org.sleuthkit.datamodel.BlackboardArtifact;
55 import org.sleuthkit.datamodel.BlackboardAttribute;
56 import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
57 import org.sleuthkit.datamodel.TskCoreException;
58 import org.sleuthkit.datamodel.TskData;
59 import org.xml.sax.ContentHandler;
60 import org.xml.sax.SAXException;
61 
65 final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter {
66 
67  private static final int FILE_SIZE_MODULUS = 512;
68 
69  private static final String DATABASE_FILE_EXTENSION = "db";
70  private static final int MINIMUM_DATABASE_FILE_SIZE = 65536; //64 KB
71 
72  private static final String MIME_TYPE_OOXML_PROTECTED = "application/x-ooxml-protected";
73  private static final String MIME_TYPE_MSWORD = "application/msword";
74  private static final String MIME_TYPE_MSEXCEL = "application/vnd.ms-excel";
75  private static final String MIME_TYPE_MSPOWERPOINT = "application/vnd.ms-powerpoint";
76  private static final String MIME_TYPE_MSACCESS = "application/x-msaccess";
77  private static final String MIME_TYPE_PDF = "application/pdf";
78 
79  private static final String[] FILE_IGNORE_LIST = {"hiberfile.sys", "pagefile.sys"};
80 
81  private final IngestServices services = IngestServices.getInstance();
82  private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
83  private FileTypeDetector fileTypeDetector;
84  private Blackboard blackboard;
85  private double calculatedEntropy;
86 
87  private final double minimumEntropy;
88  private final int minimumFileSize;
89  private final boolean fileSizeMultipleEnforced;
90  private final boolean slackFilesAllowed;
91 
99  EncryptionDetectionFileIngestModule(EncryptionDetectionIngestJobSettings settings) {
100  minimumEntropy = settings.getMinimumEntropy();
101  minimumFileSize = settings.getMinimumFileSize();
102  fileSizeMultipleEnforced = settings.isFileSizeMultipleEnforced();
103  slackFilesAllowed = settings.isSlackFilesAllowed();
104  }
105 
106  @Override
107  public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
108  try {
109  validateSettings();
110  blackboard = Case.getCurrentCaseThrows().getServices().getBlackboard();
111  fileTypeDetector = new FileTypeDetector();
112  } catch (FileTypeDetector.FileTypeDetectorInitException ex) {
113  throw new IngestModule.IngestModuleException("Failed to create file type detector", ex);
114  } catch (NoCurrentCaseException ex) {
115  throw new IngestModule.IngestModuleException("Exception while getting open case.", ex);
116  }
117  }
118 
119  @Messages({
120  "EncryptionDetectionFileIngestModule.artifactComment.password=Password protection detected.",
121  "EncryptionDetectionFileIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f)."
122  })
123  @Override
124  public IngestModule.ProcessResult process(AbstractFile file) {
125 
126  try {
127  /*
128  * Qualify the file type, qualify it against hash databases, and
129  * verify the file hasn't been deleted.
130  */
131  if (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
132  && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
133  && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR)
134  && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR)
135  && (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed)
136  && !file.getKnown().equals(TskData.FileKnown.KNOWN)
137  && !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
138  /*
139  * Is the file in FILE_IGNORE_LIST?
140  */
141  String filePath = file.getParentPath();
142  if (filePath.equals("/")) {
143  String fileName = file.getName();
144  for (String listEntry : FILE_IGNORE_LIST) {
145  if (fileName.equalsIgnoreCase(listEntry)) {
146  // Skip this file.
147  return IngestModule.ProcessResult.OK;
148  }
149  }
150  }
151 
152  /*
153  * Qualify the MIME type.
154  */
155  String mimeType = fileTypeDetector.getMIMEType(file);
156  if (mimeType.equals("application/octet-stream") && isFileEncryptionSuspected(file)) {
157  return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED,
158  String.format(Bundle.EncryptionDetectionFileIngestModule_artifactComment_suspected(), calculatedEntropy));
159  } else if (isFilePasswordProtected(file)) {
160  return flagFile(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionFileIngestModule_artifactComment_password());
161  }
162  }
163  } catch (ReadContentInputStreamException | SAXException | TikaException | UnsupportedCodecException ex) {
164  logger.log(Level.WARNING, String.format("Unable to read file '%s'", file.getParentPath() + file.getName()), ex);
165  return IngestModule.ProcessResult.ERROR;
166  } catch (IOException ex) {
167  logger.log(Level.SEVERE, String.format("Unable to process file '%s'", file.getParentPath() + file.getName()), ex);
168  return IngestModule.ProcessResult.ERROR;
169  }
170 
171  return IngestModule.ProcessResult.OK;
172  }
173 
180  private void validateSettings() throws IngestModule.IngestModuleException {
181  EncryptionDetectionTools.validateMinEntropyValue(minimumEntropy);
182  EncryptionDetectionTools.validateMinFileSizeValue(minimumFileSize);
183  }
184 
195  private IngestModule.ProcessResult flagFile(AbstractFile file, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) {
196  try {
197  BlackboardArtifact artifact = file.newArtifact(artifactType);
198  artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
199  EncryptionDetectionModuleFactory.getModuleName(), comment));
200 
201  try {
202  /*
203  * Index the artifact for keyword search.
204  */
205  blackboard.indexArtifact(artifact);
206  } catch (Blackboard.BlackboardException ex) {
207  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
208  }
209 
210  /*
211  * Send an event to update the view with the new result.
212  */
213  services.fireModuleDataEvent(new ModuleDataEvent(EncryptionDetectionModuleFactory.getModuleName(), artifactType, Collections.singletonList(artifact)));
214 
215  /*
216  * Make an ingest inbox message.
217  */
218  StringBuilder detailsSb = new StringBuilder();
219  detailsSb.append("File: ").append(file.getParentPath()).append(file.getName());
220  if (artifactType.equals(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED)) {
221  detailsSb.append("<br/>\nEntropy: ").append(calculatedEntropy);
222  }
223 
224  services.postMessage(IngestMessage.createDataMessage(EncryptionDetectionModuleFactory.getModuleName(),
225  artifactType.getDisplayName() + " Match: " + file.getName(),
226  detailsSb.toString(),
227  file.getName(),
228  artifact));
229 
230  return IngestModule.ProcessResult.OK;
231  } catch (TskCoreException ex) {
232  logger.log(Level.SEVERE, String.format("Failed to create blackboard artifact for '%s'.", file.getParentPath() + file.getName()), ex); //NON-NLS
233  return IngestModule.ProcessResult.ERROR;
234  }
235  }
236 
256  private boolean isFilePasswordProtected(AbstractFile file) throws ReadContentInputStreamException, IOException, SAXException, TikaException, UnsupportedCodecException {
257 
258  boolean passwordProtected = false;
259 
260  switch (file.getMIMEType()) {
261  case MIME_TYPE_OOXML_PROTECTED:
262  /*
263  * Office Open XML files that are password protected can be
264  * determined so simply by checking the MIME type.
265  */
266  passwordProtected = true;
267  break;
268 
269  case MIME_TYPE_MSWORD:
270  case MIME_TYPE_MSEXCEL:
271  case MIME_TYPE_MSPOWERPOINT:
272  case MIME_TYPE_PDF: {
273  /*
274  * A file of one of these types will be determined to be
275  * password protected or not by attempting to parse it via Tika.
276  */
277  InputStream in = null;
278  BufferedInputStream bin = null;
279 
280  try {
281  in = new ReadContentInputStream(file);
282  bin = new BufferedInputStream(in);
283  ContentHandler handler = new BodyContentHandler(-1);
284  Metadata metadata = new Metadata();
285  metadata.add(Metadata.RESOURCE_NAME_KEY, file.getName());
286  AutoDetectParser parser = new AutoDetectParser();
287  parser.parse(bin, handler, metadata, new ParseContext());
288  } catch (EncryptedDocumentException ex) {
289  /*
290  * File is determined to be password protected.
291  */
292  passwordProtected = true;
293  } finally {
294  if (in != null) {
295  in.close();
296  }
297  if (bin != null) {
298  bin.close();
299  }
300  }
301  break;
302  }
303 
304  case MIME_TYPE_MSACCESS: {
305  /*
306  * Access databases are determined to be password protected
307  * using Jackcess. If the database can be opened, the password
308  * is read from it to see if it's null. If the database can not
309  * be opened due to an InvalidCredentialException being thrown,
310  * it is automatically determined to be password protected.
311  */
312  InputStream in = null;
313  BufferedInputStream bin = null;
314 
315  try {
316  in = new ReadContentInputStream(file);
317  bin = new BufferedInputStream(in);
318  MemFileChannel memFileChannel = MemFileChannel.newChannel(bin);
319  CodecProvider codecProvider = new CryptCodecProvider();
320  DatabaseBuilder databaseBuilder = new DatabaseBuilder();
321  databaseBuilder.setChannel(memFileChannel);
322  databaseBuilder.setCodecProvider(codecProvider);
323  Database accessDatabase;
324  try {
325  accessDatabase = databaseBuilder.open();
326  } catch (IOException | BufferUnderflowException | IndexOutOfBoundsException ignored) {
327  return passwordProtected;
328  }
329  /*
330  * No exception has been thrown at this point, so the file
331  * is either a JET database, or an unprotected ACE database.
332  * Read the password from the database to see if it exists.
333  */
334  if (accessDatabase.getDatabasePassword() != null) {
335  passwordProtected = true;
336  }
337  } catch (InvalidCredentialsException ex) {
338  /*
339  * The ACE database is determined to be password protected.
340  */
341  passwordProtected = true;
342  } finally {
343  if (in != null) {
344  in.close();
345  }
346  if (bin != null) {
347  bin.close();
348  }
349  }
350  }
351  }
352 
353  return passwordProtected;
354  }
355 
371  private boolean isFileEncryptionSuspected(AbstractFile file) throws ReadContentInputStreamException, IOException {
372  /*
373  * Criteria for the checks in this method are partially based on
374  * http://www.forensicswiki.org/wiki/TrueCrypt#Detection
375  */
376 
377  boolean possiblyEncrypted = false;
378 
379  /*
380  * Qualify the size.
381  */
382  boolean fileSizeQualified = false;
383  String fileExtension = file.getNameExtension();
384  long contentSize = file.getSize();
385  // Database files qualify at 64 KB minimum for SQLCipher detection.
386  if (fileExtension.equalsIgnoreCase(DATABASE_FILE_EXTENSION)) {
387  if (contentSize >= MINIMUM_DATABASE_FILE_SIZE) {
388  fileSizeQualified = true;
389  }
390  } else if (contentSize >= minimumFileSize) {
391  if (!fileSizeMultipleEnforced || (contentSize % FILE_SIZE_MODULUS) == 0) {
392  fileSizeQualified = true;
393  }
394  }
395 
396  if (fileSizeQualified) {
397  /*
398  * Qualify the entropy.
399  */
400  calculatedEntropy = EncryptionDetectionTools.calculateEntropy(file);
401  if (calculatedEntropy >= minimumEntropy) {
402  possiblyEncrypted = true;
403  }
404  }
405 
406  return possiblyEncrypted;
407  }
408 }

Copyright © 2012-2018 Basis Technology. Generated on: Fri Mar 22 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.