Autopsy  4.10.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExtractIE.java
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2011-2019 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.BufferedReader;
26 import org.openide.util.NbBundle;
29 import java.io.File;
30 import java.io.FileInputStream;
31 import java.io.FileNotFoundException;
32 import java.io.IOException;
33 import java.io.InputStreamReader;
34 import java.text.ParseException;
35 import java.text.SimpleDateFormat;
36 import java.util.ArrayList;
37 import java.util.List;
38 import java.util.logging.Level;
40 import java.util.Collection;
41 import java.util.Scanner;
42 import java.util.stream.Collectors;
43 import org.openide.modules.InstalledFileLocator;
44 import org.openide.util.NbBundle.Messages;
50 import org.sleuthkit.datamodel.BlackboardArtifact;
51 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
52 import org.sleuthkit.datamodel.BlackboardAttribute;
53 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
54 import org.sleuthkit.datamodel.Content;
59 import org.sleuthkit.datamodel.*;
60 
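/**
 * Extracts Internet Explorer bookmarks, cookies and browsing history from a
 * data source and records them as blackboard artifacts.
 *
 * Every file parsed here (.url favorites, cookie .txt files, index.dat) comes
 * from the evidence being examined, so its content, size and format must be
 * treated as untrusted input: malformed or oversized files are logged and
 * skipped rather than allowed to abort the extraction.
 *
 * History parsing is delegated to the external pasco2 tool, which is started
 * as a child JVM through an argument list (no shell involved). The temporary
 * file names handed to it are built from object ids, not from file names
 * found in the evidence.
 */
class ExtractIE extends Extract {

    private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
    private final IngestServices services = IngestServices.getInstance();
    // Directory that receives the pasco2 stdout/stderr files.
    private final String moduleTempResultsDir;
    // Classpath for the pasco2 child JVM; assigned in getHistory() once pasco2 has been located.
    private String PASCO_LIB_PATH;
    private final String JAVA_PATH;
    // URLs with this prefix are not given a domain (see extractDomain).
    private static final String RESOURCE_URL_PREFIX = "res://";
    // NOTE(review): the trailing 'Z' is a quoted literal, so timestamps are parsed in the
    // JVM default time zone. Confirm whether pasco2 emits UTC; if it does, the recorded
    // access times are shifted by the workstation's UTC offset.
    // SimpleDateFormat is not thread-safe and this instance is static, so every use
    // must hold the formatter's monitor (see parsePascoLine).
    private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
    private Content dataSource;
    private IngestJobContext context;

    @Messages({
        "Progress_Message_IE_History=IE History",
        "Progress_Message_IE_Bookmarks=IE Bookmarks",
        "Progress_Message_IE_Cookies=IE Cookies",
        "Progress_Message_IE_Downloads=IE Downloads",
        "Progress_Message_IE_FormHistory=IE Form History",
        "Progress_Message_IE_AutoFill=IE Auto Fill",
        "Progress_Message_IE_Logins=IE Logins",
    })

    /**
     * Sets the module name, the temporary results directory and the path of
     * the Java executable used to launch pasco2.
     *
     * @throws NoCurrentCaseException if there is no open case.
     */
    ExtractIE() throws NoCurrentCaseException {
        moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractIE.moduleName.text");
        moduleTempResultsDir = RAImageIngestModule.getRATempPath(Case.getCurrentCaseThrows(), "IE") + File.separator + "results"; //NON-NLS
        JAVA_PATH = PlatformUtil.getJavaPath();
    }

    /**
     * Runs the bookmark, cookie and history extraction, in that order, against
     * the given data source.
     *
     * @param dataSource  The data source to search.
     * @param context     The ingest job context, used for cancellation checks.
     * @param progressBar Receives a progress message before each stage.
     */
    @Override
    public void process(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar) {
        this.dataSource = dataSource;
        this.context = context;
        dataFound = false;

        progressBar.progress(Bundle.Progress_Message_IE_Bookmarks());
        this.getBookmark();

        progressBar.progress(Bundle.Progress_Message_IE_Cookies());
        this.getCookie();

        progressBar.progress(Bundle.Progress_Message_IE_History());
        this.getHistory();
    }

    /**
     * Finds the .url files under "Favorites" and creates one TSK_WEB_BOOKMARK
     * artifact per non-empty file.
     */
    private void getBookmark() {
        org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
        List<AbstractFile> favoritesFiles;
        try {
            favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); //NON-NLS
        } catch (TskCoreException ex) {
            logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
                            this.getName()));
            return;
        }

        if (favoritesFiles.isEmpty()) {
            logger.log(Level.INFO, "Didn't find any IE bookmark files."); //NON-NLS
            return;
        }

        dataFound = true;
        Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
        for (AbstractFile fav : favoritesFiles) {
            if (fav.getSize() == 0) {
                continue;
            }

            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            String url = getURLFromIEBookmarkFile(fav);
            String name = fav.getName();
            // The bookmark's creation time is taken from the file system metadata.
            long datetime = fav.getCrtime();
            String domain = extractDomain(url);

            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
                    RecentActivityExtracterModuleFactory.getModuleName(), url));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
                    RecentActivityExtracterModuleFactory.getModuleName(), name));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
                    RecentActivityExtracterModuleFactory.getModuleName(), datetime));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
                    RecentActivityExtracterModuleFactory.getModuleName(),
                    NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
            if (domain != null && domain.isEmpty() == false) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
                        RecentActivityExtracterModuleFactory.getModuleName(), domain));
            }

            BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
            if (bbart != null) {
                bbartifacts.add(bbart);
            }
        }
        services.fireModuleDataEvent(new ModuleDataEvent(
                NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
                BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));
    }

    /**
     * Reads a .url shortcut file and returns the text after the first '=' on
     * the first line that starts with "URL".
     *
     * The file is decoded with the platform default charset, so non-ASCII
     * URLs may decode differently from one examiner workstation to another.
     *
     * @param fav The bookmark file to read.
     *
     * @return The URL, or an empty string if no such line was found or the
     *         file could not be read.
     */
    private String getURLFromIEBookmarkFile(AbstractFile fav) {
        BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));
        String url = "";
        try {
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                // The actual shortcut line we are interested in is of the
                // form URL=http://path/to/website
                if (line.startsWith("URL")) { //NON-NLS
                    url = line.substring(line.indexOf("=") + 1);
                    break;
                }
            }
        } catch (IOException ex) {
            logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
                            fav.getName()));
        } catch (IndexOutOfBoundsException ex) {
            logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
                            fav.getName()));
        } finally {
            try {
                reader.close();
            } catch (IOException ex) {
                logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS
            }
        }

        return url;
    }

    /**
     * Finds the .txt files under "Cookies" and creates one TSK_WEB_COOKIE
     * artifact per non-empty file. Only the first three lines of a file are
     * used: name, value and URL, in that order.
     */
    private void getCookie() {
        org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
        List<AbstractFile> cookiesFiles;
        try {
            cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); //NON-NLS
        } catch (TskCoreException ex) {
            // Keep the cause in the log so the failed lookup can be diagnosed.
            logger.log(Level.WARNING, "Error getting cookie files for IE", ex); //NON-NLS
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errGettingFile", this.getName()));
            return;
        }

        if (cookiesFiles.isEmpty()) {
            logger.log(Level.INFO, "Didn't find any IE cookies files."); //NON-NLS
            return;
        }

        dataFound = true;
        Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
        for (AbstractFile cookiesFile : cookiesFiles) {
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }
            final long cookieSize = cookiesFile.getSize();
            if (cookieSize == 0) {
                continue;
            }
            // The size comes from the evidence. A value that does not fit in an int
            // would be truncated by the cast below and yield a negative or wrong
            // array length, so such a file is skipped instead.
            // NOTE(review): the whole file is still buffered in memory; consider a
            // much lower cap, since any .txt under a "Cookies" folder is matched.
            if (cookieSize > Integer.MAX_VALUE) {
                logger.log(Level.WARNING, String.format("Skipping oversized Internet Explorer cookie file (id=%d)", cookiesFile.getId())); //NON-NLS
                continue;
            }

            byte[] cookieBytes = new byte[(int) cookieSize];
            int bytesRead;
            try {
                bytesRead = cookiesFile.read(cookieBytes, 0, cookieSize);
            } catch (TskCoreException ex) {
                logger.log(Level.WARNING, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
                                this.getName(), cookiesFile.getName()));
                continue;
            }
            // Decode only what was actually read, so a short read does not put
            // zero-byte padding into the recorded values. The platform default
            // charset is used, as before.
            String cookieString = new String(cookieBytes, 0, Math.max(bytesRead, 0));
            String[] values = cookieString.split("\n");
            String url = values.length > 2 ? values[2] : "";
            String value = values.length > 1 ? values[1] : "";
            String name = values.length > 0 ? values[0] : "";
            // The cookie timestamp is the file's creation time from the file system metadata.
            long datetime = cookiesFile.getCrtime();
            String domain = extractDomain(url);

            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
                    RecentActivityExtracterModuleFactory.getModuleName(), url));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,
                    RecentActivityExtracterModuleFactory.getModuleName(), datetime));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
                    RecentActivityExtracterModuleFactory.getModuleName(), name));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
                    RecentActivityExtracterModuleFactory.getModuleName(), value));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
                    RecentActivityExtracterModuleFactory.getModuleName(),
                    NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
            if (domain != null && domain.isEmpty() == false) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
                        RecentActivityExtracterModuleFactory.getModuleName(), domain));
            }
            BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
            if (bbart != null) {
                bbartifacts.add(bbart);
            }
        }
        services.fireModuleDataEvent(new ModuleDataEvent(
                NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
                BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));
    }

    /**
     * Locates pasco2, copies every index.dat file in the data source to the
     * module's temporary directory, runs pasco2 on each copy and turns the
     * output into TSK_WEB_HISTORY artifacts.
     */
    private void getHistory() {
        logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS
        boolean foundHistory = false;

        final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); //NON-NLS
        if (pascoRoot == null) {
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName()));
            logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS
            return;
        }

        final String pascoHome = pascoRoot.getAbsolutePath();
        logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS

        PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS
                + pascoHome + File.separator + "*";

        File resultsDir = new File(moduleTempResultsDir);
        // Still best effort, but a failure is now visible in the log instead of
        // only surfacing later as missing pasco2 output.
        if (!resultsDir.mkdirs() && !resultsDir.isDirectory()) {
            logger.log(Level.WARNING, "Unable to create Pasco results directory: {0}", moduleTempResultsDir); //NON-NLS
        }

        // get index.dat files
        org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
        List<AbstractFile> indexFiles;
        try {
            indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
        } catch (TskCoreException ex) {
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
                    this.getName()));
            // Keep the cause in the log so the failed lookup can be diagnosed.
            logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history.", ex); //NON-NLS
            return;
        }

        if (indexFiles.isEmpty()) {
            String msg = NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.noHistFiles");
            logger.log(Level.INFO, msg);
            return;
        }

        dataFound = true;
        Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
        for (AbstractFile indexFile : indexFiles) {
            // Each result is one index.dat file; it is written to the temp
            // directory as index<object id>.dat. The name is built from the
            // object id, never from a name found in the evidence, and the full
            // long id is used so that two files cannot collide after truncation.
            String indexFileName = "index" + Long.toString(indexFile.getId()) + ".dat"; //NON-NLS
            String temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; //NON-NLS
            File datFile = new File(temps);
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }
            try {
                ContentUtils.writeToFile(indexFile, datFile, context::dataSourceIngestIsCancelled);
            } catch (IOException e) {
                logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
                                datFile.getAbsolutePath()));
                continue;
            }

            String filename = "pasco2Result." + indexFile.getId() + ".txt"; //NON-NLS
            boolean bPascProcSuccess = executePasco(temps, filename);
            if (context.dataSourceIngestIsCancelled()) {
                return;
            }

            // At this point pasco2 has processed the index file.
            // Now fetch the results, parse them and then delete the file.
            if (bPascProcSuccess) {
                // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
                bbartifacts.addAll(parsePascoOutput(indexFile, filename).stream()
                        .filter(bbart -> bbart.getArtifactTypeID() == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID())
                        .collect(Collectors.toList()));
                foundHistory = true;

                // Delete the index<id>.dat copy since Pasco processed it successfully.
                datFile.delete();
            } else {
                logger.log(Level.WARNING, "pasco execution failed on: {0}", this.getName()); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName()));
            }
        }

        if (foundHistory) {
            services.fireModuleDataEvent(new ModuleDataEvent(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
                    BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
        }
    }

    /**
     * Runs pasco2 in a child JVM against one index.dat copy, redirecting its
     * standard output to the results file and its standard error to a
     * sibling ".err" file.
     *
     * The command is passed as an argument list, so no shell parses it.
     *
     * @param indexFilePath  Path of the index.dat copy to process.
     * @param outputFileName Name of the results file, relative to the module's
     *                       temporary results directory.
     *
     * @return False only if the process could not be executed (IOException);
     *         the pasco2 exit code is deliberately not inspected.
     */
    private boolean executePasco(String indexFilePath, String outputFileName) {
        boolean success = true;
        try {
            final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName;
            final String errFileFullPath = moduleTempResultsDir + File.separator + outputFileName + ".err"; //NON-NLS
            logger.log(Level.INFO, "Writing pasco results to: {0}", outputFileFullPath); //NON-NLS
            List<String> commandLine = new ArrayList<>();
            commandLine.add(JAVA_PATH);
            commandLine.add("-cp"); //NON-NLS
            commandLine.add(PASCO_LIB_PATH);
            commandLine.add("isi.pasco2.Main"); //NON-NLS
            commandLine.add("-T"); //NON-NLS
            commandLine.add("history"); //NON-NLS
            commandLine.add(indexFilePath);
            ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
            processBuilder.redirectOutput(new File(outputFileFullPath));
            processBuilder.redirectError(new File(errFileFullPath));
            /*
             * NOTE on Pasco return codes: There is no documentation for Pasco.
             * Looking at the Pasco source code I see that when something goes
             * wrong Pasco returns a negative number as a return code. However,
             * we should still attempt to parse the Pasco output even if that
             * happens. I have seen many situations where Pasco output file
             * contains a lot of useful data and only the last entry is
             * corrupted.
             */
            ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context));
            // @@@ Investigate use of history versus cache as type.
        } catch (IOException ex) {
            success = false;
            logger.log(Level.SEVERE, "Unable to execute Pasco to process Internet Explorer web history.", ex); //NON-NLS
        }
        return success;
    }

    /**
     * Parses one pasco2 results file and creates a TSK_WEB_HISTORY artifact
     * for every recognized "URL" line.
     *
     * The output is derived from evidence content and may be truncated or
     * corrupt, so unrecognized lines are skipped rather than treated as fatal.
     *
     * @param origFile            The index.dat file the results were produced from.
     * @param pascoOutputFileName Name of the results file, relative to the
     *                            module's temporary results directory.
     *
     * @return The artifacts created; empty if the file is missing, empty or
     *         cannot be opened.
     */
    private Collection<BlackboardArtifact> parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {

        Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
        String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;

        File file = new File(fnAbs);
        if (file.exists() == false) {
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
                            file.getName()));
            logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
            return bbartifacts;
        }

        // Nothing to parse in an empty results file.
        if (file.length() == 0) {
            return bbartifacts;
        }

        // try-with-resources closes the scanner (and the stream under it) even
        // if parsing a line throws an unchecked exception.
        try (Scanner fileScanner = new Scanner(new FileInputStream(file.toString()))) {
            while (fileScanner.hasNextLine()) {
                String line = fileScanner.nextLine();
                if (!line.startsWith("URL")) { //NON-NLS
                    continue;
                }
                BlackboardArtifact bbart = parsePascoLine(origFile, line);
                if (bbart != null) {
                    bbartifacts.add(bbart);
                }
            }
        } catch (FileNotFoundException ex) {
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
                            file.getName()));
            logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
        }
        return bbartifacts;
    }

    /**
     * Turns one tab-separated "URL" line of pasco2 output into a
     * TSK_WEB_HISTORY artifact on the originating file.
     *
     * @param origFile The index.dat file the line was produced from.
     * @param line     A results line that starts with "URL".
     *
     * @return The new artifact, or null if the line has fewer than four
     *         fields or the artifact could not be written.
     */
    private BlackboardArtifact parsePascoLine(AbstractFile origFile, String line) {
        String[] lineBuff = line.split("\\t"); //NON-NLS

        if (lineBuff.length < 4) {
            logger.log(Level.INFO, "Found unrecognized IE history format."); //NON-NLS
            return null;
        }

        String actime = lineBuff[3];
        long ftime = 0;
        String user = "";
        String realurl;
        String domain;

        /*
         * We've seen two types of lines: URL http://XYZ.com .... URL
         * Visited: Joe@http://XYZ.com ....
         */
        if (lineBuff[1].contains("@")) {
            String[] url = lineBuff[1].split("@", 2);

            /*
             * Verify the left portion of the URL is valid.
             */
            domain = extractDomain(url[0]);

            if (domain != null && domain.isEmpty() == false) {
                /*
                 * Use the entire input for the URL.
                 */
                realurl = lineBuff[1].trim();
            } else {
                /*
                 * Use the left portion of the input for the user, and the
                 * right portion for the host.
                 */
                user = url[0];
                user = user.replace("Visited:", ""); //NON-NLS
                user = user.replace(":Host:", ""); //NON-NLS
                user = user.replaceAll("(:)(.*?)(:)", "");
                user = user.trim();
                realurl = url[1];
                realurl = realurl.replace("Visited:", ""); //NON-NLS
                realurl = realurl.replaceAll(":(.*?):", "");
                realurl = realurl.replace(":Host:", ""); //NON-NLS
                realurl = realurl.trim();
                domain = extractDomain(realurl);
            }
        } else {
            /*
             * Use the entire input for the URL.
             */
            realurl = lineBuff[1].trim();
            domain = extractDomain(realurl);
        }

        if (!actime.isEmpty()) {
            try {
                long epochtime;
                // The formatter is static and SimpleDateFormat is not thread-safe;
                // unsynchronized concurrent use can silently produce wrong timestamps.
                synchronized (dateFormatter) {
                    epochtime = dateFormatter.parse(actime).getTime();
                }
                ftime = epochtime / 1000;
            } catch (ParseException e) {
                // The entry is still recorded, with an access time of 0.
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
                                this.getName()));
                logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS
            }
        }

        try {
            BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
                    RecentActivityExtracterModuleFactory.getModuleName(), realurl));

            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
                    RecentActivityExtracterModuleFactory.getModuleName(), ftime));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
                    RecentActivityExtracterModuleFactory.getModuleName(), ""));
            // @@@ Note that other browser modules are adding TITLE in here for the title
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
                    RecentActivityExtracterModuleFactory.getModuleName(),
                    NbBundle.getMessage(this.getClass(),
                            "ExtractIE.moduleName.text")));
            if (domain != null && domain.isEmpty() == false) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
                        RecentActivityExtracterModuleFactory.getModuleName(), domain));
            }
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
                    RecentActivityExtracterModuleFactory.getModuleName(), user));
            bbart.addAttributes(bbattributes);

            // index the artifact for keyword search
            this.indexArtifact(bbart);
            return bbart;
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS
            return null;
        }
    }

    /**
     * Extracts the domain from a URL, ignoring "res://" resource URLs.
     *
     * @param url The URL to examine; may be null or empty.
     *
     * @return The input itself if it is null or empty, null if the URL starts
     *         with "res://" (case-insensitive), otherwise whatever
     *         NetworkUtils.extractDomain returns for it.
     */
    private String extractDomain(String url) {
        if (url == null || url.isEmpty()) {
            return url;
        }

        if (url.toLowerCase().startsWith(RESOURCE_URL_PREFIX)) {
            /*
             * Ignore URLs that begin with the matched text.
             */
            return null;
        }

        return NetworkUtils.extractDomain(url);
    }
}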

Copyright © 2012-2018 Basis Technology. Generated on: Fri Mar 22 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.