Autopsy  4.10.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExtractZoneIdentifier.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2019 Basis Technology Corp.
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.recentactivity;
20 
21 import java.io.FileNotFoundException;
22 import java.io.IOException;
23 import java.util.ArrayList;
24 import java.util.Arrays;
25 import java.util.Collection;
26 import java.util.HashSet;
27 import java.util.List;
28 import java.util.Properties;
29 import java.util.Set;
30 import java.util.logging.Level;
31 import org.apache.commons.lang3.StringUtils;
32 import org.openide.util.NbBundle.Messages;
33 import org.sleuthkit.autopsy.coreutils.Logger;
34 import org.sleuthkit.autopsy.coreutils.NetworkUtils;
35 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
36 import org.sleuthkit.autopsy.ingest.IngestJobContext;
37 import org.sleuthkit.autopsy.ingest.IngestServices;
38 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.BlackboardArtifact;
41 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE;
42 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD;
43 import org.sleuthkit.datamodel.BlackboardAttribute;
44 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN;
45 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION;
46 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID;
47 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL;
48 import org.sleuthkit.datamodel.Content;
49 import org.sleuthkit.datamodel.ReadContentInputStream;
50 import org.sleuthkit.datamodel.TskCoreException;
51 
57 final class ExtractZoneIdentifier extends Extract {
58 
59  private static final Logger LOG = Logger.getLogger(ExtractEdge.class.getName());
60 
61  private static final String ZONE_IDENTIFIER_FILE = "%:Zone.Identifier"; //NON-NLS
62  private static final String ZONE_IDENTIFIER = ":Zone.Identifier"; //NON-NLS
63 
64  @Messages({
65  "ExtractZone_process_errMsg_find=A failure occured while searching for :Zone.Indentifier files.",
66  "ExtractZone_process_errMsg=An error occured processing ':Zone.Indentifier' files.",
67  "ExtractZone_progress_Msg=Extracting :Zone.Identifer files"
68  })
69 
70  @Override
71  void process(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar) {
72 
73  progressBar.progress(Bundle.ExtractZone_progress_Msg());
74 
75  List<AbstractFile> zoneFiles = null;
76  try {
77  zoneFiles = currentCase.getServices().getFileManager().findFiles(dataSource, ZONE_IDENTIFIER_FILE);
78  } catch (TskCoreException ex) {
79  addErrorMessage(Bundle.ExtractZone_process_errMsg_find());
80  LOG.log(Level.SEVERE, "Unable to find zone identifier files, exception thrown. ", ex); // NON-NLS
81  }
82 
83  if (zoneFiles == null || zoneFiles.isEmpty()) {
84  return;
85  }
86 
87  Set<Long> knownPathIDs = null;
88  try {
89  knownPathIDs = getPathIDsForType(TSK_WEB_DOWNLOAD);
90  } catch (TskCoreException ex) {
91  addErrorMessage(Bundle.ExtractZone_process_errMsg());
92  LOG.log(Level.SEVERE, "Failed to build PathIDs List for TSK_WEB_DOWNLOAD", ex); // NON-NLS
93  }
94 
95  if (knownPathIDs == null) {
96  return;
97  }
98 
99  Collection<BlackboardArtifact> sourceArtifacts = new ArrayList<>();
100  Collection<BlackboardArtifact> downloadArtifacts = new ArrayList<>();
101 
102  for (AbstractFile zoneFile : zoneFiles) {
103  try {
104  processZoneFile(context, dataSource, zoneFile, sourceArtifacts, downloadArtifacts, knownPathIDs);
105  } catch (TskCoreException ex) {
106  addErrorMessage(Bundle.ExtractZone_process_errMsg());
107  String message = String.format("Failed to process zone identifier file %s", zoneFile.getName()); //NON-NLS
108  LOG.log(Level.WARNING, message, ex);
109  }
110  }
111 
112  IngestServices services = IngestServices.getInstance();
113 
114  if (!sourceArtifacts.isEmpty()) {
115  services.fireModuleDataEvent(new ModuleDataEvent(
116  RecentActivityExtracterModuleFactory.getModuleName(),
117  TSK_DOWNLOAD_SOURCE, sourceArtifacts));
118  }
119 
120  if (!downloadArtifacts.isEmpty()) {
121  services.fireModuleDataEvent(new ModuleDataEvent(
122  RecentActivityExtracterModuleFactory.getModuleName(),
123  TSK_WEB_DOWNLOAD, downloadArtifacts));
124  }
125  }
126 
138  private void processZoneFile(IngestJobContext context, Content dataSource,
139  AbstractFile zoneFile, Collection<BlackboardArtifact> sourceArtifacts,
140  Collection<BlackboardArtifact> downloadArtifacts,
141  Set<Long> knownPathIDs) throws TskCoreException {
142 
143  ZoneIdentifierInfo zoneInfo = null;
144 
145  try {
146  zoneInfo = new ZoneIdentifierInfo(zoneFile);
147  } catch (IOException ex) {
148  String message = String.format("Unable to parse temporary File for %s", zoneFile.getName()); //NON-NLS
149  LOG.log(Level.WARNING, message, ex);
150  }
151 
152  if (zoneInfo == null) {
153  return;
154  }
155 
156  AbstractFile downloadFile = getDownloadFile(dataSource, zoneFile);
157 
158  if (downloadFile != null) {
159  // Only create a new TSK_WEB_DOWNLOAD artifact if one does not exist for downloadFile
160  if (!knownPathIDs.contains(downloadFile.getDataSourceObjectId())) {
161  // The zone identifier file is the parent of this artifact
162  // because it is the file we parsed to get the data
163  BlackboardArtifact downloadBba = createDownloadArtifact(zoneFile, zoneInfo);
164  if (downloadBba != null) {
165  downloadArtifacts.add(downloadBba);
166  }
167  }
168 
169  // check if download has a child TSK_DOWNLOAD_SOURCE artifact, if not create one
170  if (downloadFile.getArtifactsCount(TSK_DOWNLOAD_SOURCE) == 0) {
171  BlackboardArtifact sourceBba = createDownloadSourceArtifact(downloadFile, zoneInfo);
172  if (sourceBba != null) {
173  sourceArtifacts.add(sourceBba);
174  }
175  }
176  }
177  }
178 
189  private AbstractFile getDownloadFile(Content dataSource, AbstractFile zoneFile) throws TskCoreException {
190  AbstractFile downloadFile = null;
191 
192  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager
193  = currentCase.getServices().getFileManager();
194 
195  String downloadFileName = zoneFile.getName().replace(ZONE_IDENTIFIER, ""); //NON-NLS
196 
197  List<AbstractFile> fileList = fileManager.findFiles(dataSource, downloadFileName, zoneFile.getParentPath());
198 
199  if (fileList.size() == 1) {
200  downloadFile = fileList.get(0);
201 
202  // Check that the download file and the zone file came from the same dir
203  if (!downloadFile.getParentPath().equals(zoneFile.getParentPath())) {
204  downloadFile = null;
205  } else if (zoneFile.getMetaAddr() != downloadFile.getMetaAddr()) {
206  downloadFile = null;
207  }
208  }
209 
210  return downloadFile;
211  }
212 
223  private BlackboardArtifact createDownloadSourceArtifact(AbstractFile downloadFile, ZoneIdentifierInfo zoneInfo) {
224 
225  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
226 
227  bbattributes.addAll(Arrays.asList(
228  new BlackboardAttribute(TSK_URL,
229  RecentActivityExtracterModuleFactory.getModuleName(),
230  StringUtils.defaultString(zoneInfo.getURL(), "")),
231 
232  new BlackboardAttribute(TSK_DOMAIN,
233  RecentActivityExtracterModuleFactory.getModuleName(),
234  (zoneInfo.getURL() != null) ? NetworkUtils.extractDomain(zoneInfo.getURL()) : ""),
235 
236  new BlackboardAttribute(TSK_LOCATION,
237  RecentActivityExtracterModuleFactory.getModuleName(),
238  StringUtils.defaultString(zoneInfo.getZoneIdAsString(), "")))); //NON-NLS
239 
240  return addArtifact(TSK_DOWNLOAD_SOURCE, downloadFile, bbattributes);
241  }
242 
251  private BlackboardArtifact createDownloadArtifact(AbstractFile zoneFile, ZoneIdentifierInfo zoneInfo) {
252 
253  Collection<BlackboardAttribute> bbattributes = createDownloadAttributes(
254  null, null,
255  zoneInfo.getURL(), null,
256  (zoneInfo.getURL() != null ? NetworkUtils.extractDomain(zoneInfo.getURL()) : ""),
257  null);
258  return addArtifact(TSK_WEB_DOWNLOAD, zoneFile, bbattributes);
259  }
260 
270  private Set<Long> getPathIDsForType(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
271  Set<Long> idList = new HashSet<>();
272  for (BlackboardArtifact artifact : currentCase.getSleuthkitCase().getBlackboardArtifacts(type)) {
273  BlackboardAttribute pathIDAttribute = artifact.getAttribute(new BlackboardAttribute.Type(TSK_PATH_ID));
274 
275  if (pathIDAttribute != null) {
276  long contentID = pathIDAttribute.getValueLong();
277  if (contentID != -1) {
278  idList.add(contentID);
279  }
280  }
281  }
282  return idList;
283  }
284 
285  @Messages({
286  "ExtractZone_Local_Machine=Local Machine Zone",
287  "ExtractZone_Local_Intranet=Local Intranet Zone",
288  "ExtractZone_Trusted=Trusted Sites Zone",
289  "ExtractZone_Internet=Internet Zone",
290  "ExtractZone_Restricted=Restricted Sites Zone"
291  })
292 
301  private final static class ZoneIdentifierInfo {
302 
303  private static final String ZONE_ID = "ZoneId"; //NON-NLS
304  private static final String REFERRER_URL = "ReferrerUrl"; //NON-NLS
305  private static final String HOST_URL = "HostUrl"; //NON-NLS
306  private static final String FAMILY_NAME = "LastWriterPackageFamilyName"; //NON-NLS
307 
308  private final Properties properties = new Properties(null);
309 
319  ZoneIdentifierInfo(AbstractFile zoneFile) throws IOException {
320  properties.load(new ReadContentInputStream(zoneFile));
321  }
322 
328  private int getZoneId() {
329  int zoneValue = -1;
330  String value = properties.getProperty(ZONE_ID);
331  if (value != null) {
332  zoneValue = Integer.parseInt(value);
333  }
334 
335  return zoneValue;
336  }
337 
343  private String getZoneIdAsString() {
344  switch (getZoneId()) {
345  case 0:
346  return Bundle.ExtractZone_Local_Machine();
347  case 1:
348  return Bundle.ExtractZone_Local_Intranet();
349  case 2:
350  return Bundle.ExtractZone_Trusted();
351  case 3:
352  return Bundle.ExtractZone_Internet();
353  case 4:
354  return Bundle.ExtractZone_Restricted();
355  default:
356  return null;
357  }
358  }
359 
365  private String getURL() {
366  return properties.getProperty(HOST_URL);
367  }
368 
374  private String getReferrer() {
375  return properties.getProperty(REFERRER_URL);
376  }
377 
383  private String getFamilyName() {
384  return properties.getProperty(FAMILY_NAME);
385  }
386  }
387 
388 }
org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
synchronized List< AbstractFile > findFiles(String fileName)
Definition: FileManager.java:165

Copyright © 2012-2018 Basis Technology. Generated on: Fri Mar 22 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.