23 package org.sleuthkit.autopsy.recentactivity;
25 import java.io.BufferedReader;
27 import java.io.FileInputStream;
28 import java.io.FileNotFoundException;
29 import java.io.FileReader;
30 import java.io.FileWriter;
31 import java.io.IOException;
32 import java.io.InputStreamReader;
33 import java.io.StringReader;
34 import java.nio.charset.StandardCharsets;
35 import java.text.ParseException;
36 import java.text.SimpleDateFormat;
37 import java.util.logging.Level;
38 import javax.xml.parsers.DocumentBuilder;
39 import javax.xml.parsers.DocumentBuilderFactory;
40 import javax.xml.parsers.ParserConfigurationException;
41 import org.apache.commons.io.FilenameUtils;
42 import org.openide.modules.InstalledFileLocator;
43 import org.openide.util.NbBundle;
51 import org.
sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
52 import org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
53 import org.w3c.dom.Document;
54 import org.w3c.dom.Element;
55 import org.w3c.dom.Node;
56 import org.w3c.dom.NodeList;
57 import org.xml.sax.InputSource;
58 import org.xml.sax.SAXException;
59 import java.nio.file.Path;
60 import java.util.AbstractMap;
61 import java.util.ArrayList;
62 import java.util.List;
63 import java.util.Collection;
64 import java.util.Collections;
65 import java.util.Date;
66 import java.util.HashMap;
68 import java.util.Scanner;
70 import java.util.HashSet;
71 import static java.util.Locale.US;
72 import java.util.Optional;
73 import static java.util.TimeZone.getTimeZone;
74 import java.util.stream.Collectors;
75 import org.openide.util.Lookup;
82 import org.
sleuthkit.datamodel.Blackboard.BlackboardException;
85 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT;
86 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME;
87 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED;
88 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED;
89 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED;
90 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID;
91 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME;
92 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH;
93 import static org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_HOME_DIR;
99 import org.
sleuthkit.datamodel.OsAccount.OsAccountAttribute;
102 import org.
sleuthkit.datamodel.OsAccountManager.NotUserSIDException;
103 import org.
sleuthkit.datamodel.OsAccountManager.OsAccountUpdateResult;
105 import org.
sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
117 "RegRipperNotFound=Autopsy RegRipper executable not found.",
118 "RegRipperFullNotFound=Full version RegRipper executable not found.",
119 "Progress_Message_Analyze_Registry=Analyzing Registry Files",
120 "Shellbag_Artifact_Display_Name=Shell Bags",
121 "Shellbag_Key_Attribute_Display_Name=Key",
122 "Shellbag_Last_Write_Attribute_Display_Name=Last Write",
123 "Sam_Security_Question_1_Attribute_Display_Name=Security Question 1",
124 "Sam_Security_Answer_1_Attribute_Display_Name=Security Answer 1",
125 "Sam_Security_Question_2_Attribute_Display_Name=Security Question 2",
126 "Sam_Security_Answer_2_Attribute_Display_Name=Security Answer 2",
127 "Sam_Security_Question_3_Attribute_Display_Name=Security Question 3",
128 "Sam_Security_Answer_3_Attribute_Display_Name=Security Answer 3",
129 "Recently_Used_Artifacts_Office_Trustrecords=Stored in TrustRecords because Office security exception was granted",
130 "Recently_Used_Artifacts_ArcHistory=Recently opened by 7Zip",
131 "Recently_Used_Artifacts_Applets=Recently opened according to Applets registry key",
132 "Recently_Used_Artifacts_Mmc=Recently opened according to Windows Management Console MRU",
133 "Recently_Used_Artifacts_Winrar=Recently opened according to WinRAR MRU",
134 "Recently_Used_Artifacts_Officedocs=Recently opened according to Office MRU",
135 "Recently_Used_Artifacts_Adobe=Recently opened according to Adobe MRU",
136 "Recently_Used_Artifacts_Mediaplayer=Recently opened according to Media Player MRU",
137 "Registry_System_Bam=Recently Executed according to Background Activity Moderator (BAM)"
139 class ExtractRegistry extends Extract {
141 private static final String USERNAME_KEY =
"Username";
142 private static final String SID_KEY =
"SID";
143 private static final String RID_KEY =
"RID";
144 private static final String ACCOUNT_CREATED_KEY =
"Account Created";
145 private static final String LAST_LOGIN_KEY =
"Last Login Date";
146 private static final String LOGIN_COUNT_KEY =
"Login Count";
147 private static final String FULL_NAME_KEY =
"Full Name";
148 private static final String USER_COMMENT_KEY =
"User Comment";
149 private static final String ACCOUNT_TYPE_KEY =
"Account Type";
150 private static final String NAME_KEY =
"Name";
151 private static final String PWD_RESET_KEY =
"Pwd Rest Date";
152 private static final String PWD_FAILE_KEY =
"Pwd Fail Date";
153 private static final String INTERNET_NAME_KEY =
"InternetName";
154 private static final String PWD_DOES_NOT_EXPIRE_KEY =
"Password does not expire";
155 private static final String ACCOUNT_DISABLED_KEY =
"Account Disabled";
156 private static final String PWD_NOT_REQUIRED_KEY =
"Password not required";
157 private static final String NORMAL_ACCOUNT_KEY =
"Normal user account";
158 private static final String HOME_DIRECTORY_REQUIRED_KEY =
"Home directory required";
159 private static final String TEMPORARY_DUPLICATE_ACCOUNT =
"Temporary duplicate account";
160 private static final String MNS_LOGON_ACCOUNT_KEY =
"MNS logon user account";
161 private static final String INTERDOMAIN_TRUST_ACCOUNT_KEY =
"Interdomain trust account";
162 private static final String WORKSTATION_TRUST_ACCOUNT =
"Workstation trust account";
163 private static final String SERVER_TRUST_ACCOUNT =
"Server trust account";
164 private static final String ACCOUNT_AUTO_LOCKED =
"Account auto locked";
165 private static final String PASSWORD_HINT =
"Password Hint";
166 private static final String SECURITY_QUESTION_1 =
"Question 1";
167 private static final String SECURITY_ANSWER_1 =
"Answer 1";
168 private static final String SECURITY_QUESTION_2 =
"Question 2";
169 private static final String SECURITY_ANSWER_2 =
"Answer 2";
170 private static final String SECURITY_QUESTION_3 =
"Question 3";
171 private static final String SECURITY_ANSWER_3 =
"Answer 3";
173 private static final String[] PASSWORD_SETTINGS_FLAGS = {PWD_DOES_NOT_EXPIRE_KEY, PWD_NOT_REQUIRED_KEY};
174 private static final String[] ACCOUNT_SETTINGS_FLAGS = {ACCOUNT_AUTO_LOCKED, HOME_DIRECTORY_REQUIRED_KEY, ACCOUNT_DISABLED_KEY};
175 private static final String[] ACCOUNT_TYPE_FLAGS = {NORMAL_ACCOUNT_KEY, SERVER_TRUST_ACCOUNT, WORKSTATION_TRUST_ACCOUNT, INTERDOMAIN_TRUST_ACCOUNT_KEY, MNS_LOGON_ACCOUNT_KEY, TEMPORARY_DUPLICATE_ACCOUNT};
177 final private static UsbDeviceIdMapper USB_MAPPER =
new UsbDeviceIdMapper();
178 final private static String RIP_EXE =
"rip.exe";
179 final private static String RIP_PL =
"rip.pl";
180 final private static String RIP_PL_INCLUDE_FLAG =
"-I";
181 final private static int MS_IN_SEC = 1000;
182 final private static String NEVER_DATE =
"Never";
183 final private static String SECTION_DIVIDER =
"-------------------------";
184 final private static Logger logger = Logger.getLogger(ExtractRegistry.class.getName());
185 private final List<String> rrCmd =
new ArrayList<>();
186 private final List<String> rrFullCmd =
new ArrayList<>();
187 private final Path rrHome;
188 private final Path rrFullHome;
189 private Content dataSource;
190 private final IngestJobContext context;
191 private Map<String, String> userNameMap;
192 private final List<String> samDomainIDsList =
new ArrayList<>();
194 private String compName =
"";
195 private String domainName =
"";
197 private static final String SHELLBAG_ARTIFACT_NAME =
"RA_SHELL_BAG";
198 private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE =
"RA_SHELL_BAG_LAST_WRITE";
199 private static final String SHELLBAG_ATTRIBUTE_KEY =
"RA_SHELL_BAG_KEY";
200 private static final String SAM_SECURITY_QUESTION_1 =
"RA_SAM_QUESTION_1";
201 private static final String SAM_SECURITY_ANSWER_1 =
"RA_SAM_ANSWER_1";
202 private static final String SAM_SECURITY_QUESTION_2 =
"RA_SAM_QUESTION_2";
203 private static final String SAM_SECURITY_ANSWER_2 =
"RA_SAM_ANSWER_2";
204 private static final String SAM_SECURITY_QUESTION_3 =
"RA_SAM_QUESTION_3";
205 private static final String SAM_SECURITY_ANSWER_3 =
"RA_SAM_ANSWER_3";
208 private static final SimpleDateFormat REG_RIPPER_TIME_FORMAT =
new SimpleDateFormat(
"EEE MMM dd HH:mm:ss yyyy 'Z'", US);
210 private BlackboardArtifact.Type shellBagArtifactType = null;
211 private BlackboardAttribute.Type shellBagKeyAttributeType = null;
212 private BlackboardAttribute.Type shellBagLastWriteAttributeType = null;
214 private OSInfo osInfo =
new OSInfo();
217 REG_RIPPER_TIME_FORMAT.setTimeZone(getTimeZone(
"GMT"));
220 ExtractRegistry(IngestJobContext context)
throws IngestModuleException {
221 super(NbBundle.getMessage(ExtractRegistry.class,
"ExtractRegistry.moduleName.text"), context);
222 this.context = context;
224 final File rrRoot = InstalledFileLocator.getDefault().locate(
"rr", ExtractRegistry.class.getPackage().getName(),
false);
225 if (rrRoot == null) {
226 throw new IngestModuleException(Bundle.RegRipperNotFound());
229 final File rrFullRoot = InstalledFileLocator.getDefault().locate(
"rr-full", ExtractRegistry.class.getPackage().getName(),
false);
230 if (rrFullRoot == null) {
231 throw new IngestModuleException(Bundle.RegRipperFullNotFound());
234 String executableToRun = RIP_EXE;
235 if (!PlatformUtil.isWindowsOS()) {
236 executableToRun = RIP_PL;
238 rrHome = rrRoot.toPath();
239 String rrPath = rrHome.resolve(executableToRun).toString();
240 rrFullHome = rrFullRoot.toPath();
242 if (!(
new File(rrPath).exists())) {
243 throw new IngestModuleException(Bundle.RegRipperNotFound());
245 String rrFullPath = rrFullHome.resolve(executableToRun).toString();
246 if (!(
new File(rrFullPath).exists())) {
247 throw new IngestModuleException(Bundle.RegRipperFullNotFound());
249 if (PlatformUtil.isWindowsOS()) {
251 rrFullCmd.add(rrFullPath);
254 File usrBin =
new File(
"/usr/bin/perl");
255 File usrLocalBin =
new File(
"/usr/local/bin/perl");
256 if (usrBin.canExecute() && usrBin.exists() && !usrBin.isDirectory()) {
257 perl =
"/usr/bin/perl";
258 }
else if (usrLocalBin.canExecute() && usrLocalBin.exists() && !usrLocalBin.isDirectory()) {
259 perl =
"/usr/local/bin/perl";
261 throw new IngestModuleException(
"perl not found in your system");
264 rrCmd.add(RIP_PL_INCLUDE_FLAG);
265 rrCmd.add(rrHome.toString());
268 rrFullCmd.add(RIP_PL_INCLUDE_FLAG);
269 rrFullCmd.add(rrFullHome.toString());
270 rrFullCmd.add(rrFullPath);
277 private List<AbstractFile> findRegistryFiles() {
278 List<AbstractFile> allRegistryFiles =
new ArrayList<>();
283 allRegistryFiles.addAll(fileManager.findFiles(dataSource,
"sam",
"/system32/config"));
284 }
catch (TskCoreException ex) {
285 String msg = NbBundle.getMessage(this.getClass(),
286 "ExtractRegistry.findRegFiles.errMsg.errReadingFile",
"sam");
287 logger.log(Level.WARNING, msg, ex);
288 this.addErrorMessage(this.getDisplayName() +
": " + msg);
293 allRegistryFiles.addAll(fileManager.findFiles(dataSource,
"ntuser.dat"));
294 }
catch (TskCoreException ex) {
295 logger.log(Level.WARNING,
"Error fetching 'ntuser.dat' file.");
300 allRegistryFiles.addAll(fileManager.findFiles(dataSource,
"usrclass.dat"));
301 }
catch (TskCoreException ex) {
302 logger.log(Level.WARNING, String.format(
"Error finding 'usrclass.dat' files."), ex);
306 String[] regFileNames =
new String[]{
"system",
"software",
"security"};
307 for (String regFileName : regFileNames) {
309 allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName,
"/system32/config"));
310 }
catch (TskCoreException ex) {
311 String msg = NbBundle.getMessage(this.getClass(),
312 "ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
313 logger.log(Level.WARNING, msg, ex);
314 this.addErrorMessage(this.getDisplayName() +
": " + msg);
317 return allRegistryFiles;
326 private void analyzeRegistryFiles(
long ingestJobId) {
327 List<AbstractFile> allRegistryFiles = findRegistryFiles();
330 FileWriter logFile = null;
332 logFile =
new FileWriter(RAImageIngestModule.getRAOutputPath(currentCase,
"reg", ingestJobId) + File.separator +
"regripper-info.txt");
333 }
catch (IOException ex) {
334 logger.log(Level.SEVERE, null, ex);
337 for (AbstractFile regFile : allRegistryFiles) {
338 if (context.dataSourceIngestIsCancelled()) {
342 String regFileName = regFile.getName();
343 long regFileId = regFile.getId();
344 String regFileNameLocal = RAImageIngestModule.getRATempPath(currentCase,
"reg", ingestJobId) + File.separator + regFileName;
345 String outputPathBase = RAImageIngestModule.getRAOutputPath(currentCase,
"reg", ingestJobId) + File.separator + regFileName +
"-regripper-" + Long.toString(regFileId);
346 File regFileNameLocalFile =
new File(regFileNameLocal);
348 ContentUtils.writeToFile(regFile, regFileNameLocalFile, context::dataSourceIngestIsCancelled);
349 }
catch (ReadContentInputStreamException ex) {
350 logger.log(Level.WARNING, String.format(
"Error reading registry file '%s' (id=%d).",
351 regFile.getName(), regFileId), ex);
352 this.addErrorMessage(
353 NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
354 this.getDisplayName(), regFileName));
356 }
catch (IOException ex) {
357 logger.log(Level.SEVERE, String.format(
"Error writing temp registry file '%s' for registry file '%s' (id=%d).",
358 regFileNameLocal, regFile.getName(), regFileId), ex);
359 this.addErrorMessage(
360 NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
361 this.getDisplayName(), regFileName));
365 if (context.dataSourceIngestIsCancelled()) {
370 if (logFile != null) {
371 logFile.write(Long.toString(regFileId) +
"\t" + regFile.getUniquePath() +
"\n");
373 }
catch (TskCoreException | IOException ex) {
374 logger.log(Level.SEVERE, null, ex);
377 logger.log(Level.INFO,
"{0}- Now getting registry information from {1}",
new Object[]{getDisplayName(), regFileNameLocal});
378 RegOutputFiles regOutputFiles = ripRegistryFile(regFileNameLocal, outputPathBase);
379 if (context.dataSourceIngestIsCancelled()) {
384 if (regOutputFiles.autopsyPlugins.isEmpty() ==
false && parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile) ==
false) {
385 this.addErrorMessage(
386 NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.analyzeRegFiles.failedParsingResults",
387 this.getDisplayName(), regFileName));
390 if (context.dataSourceIngestIsCancelled()) {
395 if (!regOutputFiles.fullPlugins.isEmpty()) {
397 if (regFileNameLocal.toLowerCase().contains(
"sam") && parseSamPluginOutput(regOutputFiles.fullPlugins, regFile, ingestJobId) ==
false) {
398 this.addErrorMessage(
399 NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.analyzeRegFiles.failedParsingResults",
400 this.getDisplayName(), regFileName));
401 }
else if (regFileNameLocal.toLowerCase().contains(
"ntuser") || regFileNameLocal.toLowerCase().contains(
"usrclass")) {
403 List<ShellBag> shellbags = ShellBagParser.parseShellbagOutput(regOutputFiles.fullPlugins);
404 createShellBagArtifacts(regFile, shellbags);
405 createRecentlyUsedArtifacts(regOutputFiles.fullPlugins, regFile);
406 }
catch (IOException | TskCoreException ex) {
407 logger.log(Level.WARNING, String.format(
"Unable to get shell bags from file %s", regOutputFiles.fullPlugins), ex);
409 }
else if (regFileNameLocal.toLowerCase().contains(
"system") && parseSystemPluginOutput(regOutputFiles.fullPlugins, regFile) ==
false) {
410 this.addErrorMessage(
411 NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.analyzeRegFiles.failedParsingResults",
412 this.getDisplayName(), regFileName));
415 if (context.dataSourceIngestIsCancelled()) {
420 Report report = currentCase.addReport(regOutputFiles.fullPlugins,
421 NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.parentModuleName.noSpace"),
422 "RegRipper " + regFile.getUniquePath(), regFile);
425 KeywordSearchService searchService = Lookup.getDefault().lookup(KeywordSearchService.class);
426 if (null == searchService) {
427 logger.log(Level.WARNING,
"Keyword search service not found. Report will not be indexed");
429 searchService.index(report);
432 }
catch (TskCoreException e) {
433 this.addErrorMessage(
"Error adding regripper output as Autopsy report: " + e.getLocalizedMessage());
437 regFileNameLocalFile.delete();
444 if(allRegistryFiles.size() > 0) {
445 osInfo.createOSInfo();
449 if (logFile != null) {
452 }
catch (IOException ex) {
453 logger.log(Level.SEVERE, null, ex);
464 private RegOutputFiles ripRegistryFile(String regFilePath, String outFilePathBase) {
465 String autopsyType =
"";
468 RegOutputFiles regOutputFiles =
new RegOutputFiles();
470 if (regFilePath.toLowerCase().contains(
"system")) {
471 autopsyType =
"autopsysystem";
473 }
else if (regFilePath.toLowerCase().contains(
"software")) {
474 autopsyType =
"autopsysoftware";
475 fullType =
"software";
476 }
else if (regFilePath.toLowerCase().contains(
"ntuser")) {
477 autopsyType =
"autopsyntuser";
479 }
else if (regFilePath.toLowerCase().contains(
"sam")) {
482 }
else if (regFilePath.toLowerCase().contains(
"security")) {
483 fullType =
"security";
484 }
else if (regFilePath.toLowerCase().contains(
"usrclass")) {
485 fullType =
"usrclass";
487 return regOutputFiles;
491 if (!autopsyType.isEmpty()) {
492 regOutputFiles.autopsyPlugins = outFilePathBase +
"-autopsy.txt";
493 String errFilePath = outFilePathBase +
"-autopsy.err.txt";
494 logger.log(Level.INFO,
"Writing RegRipper results to: {0}", regOutputFiles.autopsyPlugins);
495 executeRegRipper(rrCmd, rrHome, regFilePath, autopsyType, regOutputFiles.autopsyPlugins, errFilePath);
497 if (context.dataSourceIngestIsCancelled()) {
498 return regOutputFiles;
502 if (!fullType.isEmpty()) {
503 regOutputFiles.fullPlugins = outFilePathBase +
"-full.txt";
504 String errFilePath = outFilePathBase +
"-full.err.txt";
505 logger.log(Level.INFO,
"Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins);
506 executeRegRipper(rrFullCmd, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
508 scanErrorLogs(errFilePath);
509 }
catch (IOException ex) {
510 logger.log(Level.SEVERE, String.format(
"Unable to run RegRipper on %s", regFilePath), ex);
511 this.addErrorMessage(NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getDisplayName(), regFilePath));
514 return regOutputFiles;
517 private void scanErrorLogs(String errFilePath)
throws IOException {
518 File regfile =
new File(errFilePath);
519 try (BufferedReader reader =
new BufferedReader(
new FileReader(regfile))) {
520 String line = reader.readLine();
521 while (line != null) {
523 if (line.toLowerCase().contains(
"error") || line.toLowerCase().contains(
"@inc")) {
524 logger.log(Level.WARNING,
"Regripper file {0} contains errors from run", errFilePath);
527 line = reader.readLine();
532 private void executeRegRipper(List<String> regRipperPath, Path regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
534 List<String> commandLine =
new ArrayList<>();
535 for (String cmd : regRipperPath) {
536 commandLine.add(cmd);
538 commandLine.add(
"-r");
539 commandLine.add(hiveFilePath);
540 commandLine.add(
"-f");
541 commandLine.add(hiveFileType);
543 ProcessBuilder processBuilder =
new ProcessBuilder(commandLine);
544 processBuilder.directory(regRipperHomeDir.toFile());
545 processBuilder.redirectOutput(
new File(outputFile));
546 processBuilder.redirectError(
new File(errFile));
547 ExecUtil.execute(processBuilder,
new DataSourceIngestModuleProcessTerminator(context,
true));
548 }
catch (IOException ex) {
549 logger.log(Level.SEVERE, String.format(
"Error running RegRipper on %s", hiveFilePath), ex);
550 this.addErrorMessage(NbBundle.getMessage(
this.getClass(),
"ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getDisplayName(), hiveFilePath));
563 private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
564 FileInputStream fstream = null;
565 List<BlackboardArtifact> newArtifacts =
new ArrayList<>();
566 String parentModuleName = RecentActivityExtracterModuleFactory.getModuleName();
569 File regfile =
new File(regFilePath);
570 fstream =
new FileInputStream(regfile);
571 String regString =
new Scanner(fstream,
"UTF-8").useDelimiter(
"\\Z").next();
572 String startdoc =
"<?xml version=\"1.0\"?><document>";
573 String result = regString.replaceAll(
"----------------------------------------",
"");
574 result = result.replaceAll(
"\\n",
"");
575 result = result.replaceAll(
"\\r",
"");
576 result = result.replaceAll(
"'",
"'");
577 result = result.replaceAll(
"&",
"&");
578 result = result.replace(
'\0',
' ');
579 String enddoc =
"</document>";
580 String stringdoc = startdoc + result + enddoc;
581 DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
582 Document doc = builder.parse(
new InputSource(
new StringReader(stringdoc)));
585 Element oroot = doc.getDocumentElement();
586 NodeList children = oroot.getChildNodes();
587 int len = children.getLength();
588 for (
int i = 0; i < len; i++) {
590 if (context.dataSourceIngestIsCancelled()) {
594 Element tempnode = (Element) children.item(i);
596 String dataType = tempnode.getNodeName();
597 NodeList timenodes = tempnode.getElementsByTagName(
"mtime");
599 if (timenodes.getLength() > 0) {
600 Element timenode = (Element) timenodes.item(0);
601 String etime = timenode.getTextContent().trim();
603 if (etime != null && !etime.isEmpty()) {
605 mtime =
new SimpleDateFormat(
"EEE MMM d HH:mm:ss yyyy", US).parse(etime).getTime();
606 String Tempdate = mtime.toString();
607 mtime = Long.valueOf(Tempdate) / MS_IN_SEC;
608 }
catch (ParseException ex) {
609 logger.log(Level.WARNING,
"Failed to parse epoch time when parsing the registry.", ex);
614 NodeList artroots = tempnode.getElementsByTagName(
"artifacts");
615 if (artroots.getLength() == 0) {
620 Element artroot = (Element) artroots.item(0);
621 NodeList myartlist = artroot.getChildNodes();
627 String systemRoot =
"";
628 String productId =
"";
629 String regOwner =
"";
631 Long installtime = null;
632 for (
int j = 0; j < myartlist.getLength(); j++) {
633 Node artchild = myartlist.item(j);
635 if (artchild.hasAttributes()) {
636 Element artnode = (Element) artchild;
638 String value = artnode.getTextContent();
640 value = value.trim();
642 String name = artnode.getAttribute(
"name");
652 version = version +
" " + value;
660 case "RegisteredOwner":
663 case "RegisteredOrganization":
667 if (value != null && !value.isEmpty()) {
669 installtime =
new SimpleDateFormat(
"EEE MMM d HH:mm:ss yyyyZ", US).parse(value +
"+0000").getTime();
670 String Tempdate = installtime.toString();
671 installtime = Long.valueOf(Tempdate) / MS_IN_SEC;
672 }
catch (ParseException e) {
673 logger.log(Level.WARNING,
"RegRipper::Conversion on DateTime -> ", e);
683 osInfo.setOsName(version);
684 osInfo.setInstalltime(installtime);
685 osInfo.setSystemRoot(systemRoot);
686 osInfo.setProductId(productId);
687 osInfo.setRegOwner(regOwner);
688 osInfo.setRegOrg(regOrg);
692 String procArch =
"";
694 for (
int j = 0; j < myartlist.getLength(); j++) {
695 Node artchild = myartlist.item(j);
697 if (artchild.hasAttributes()) {
698 Element artnode = (Element) artchild;
700 String value = artnode.getTextContent().trim();
701 String name = artnode.getAttribute(
"name");
706 case "PROCESSOR_ARCHITECTURE":
709 case "PROCESSOR_IDENTIFIER":
720 osInfo.setOsName(os);
721 osInfo.setProcessorArchitecture(procArch);
722 osInfo.setTempDir(tempDir);
725 for (
int j = 0; j < myartlist.getLength(); j++) {
726 Node artchild = myartlist.item(j);
728 if (artchild.hasAttributes()) {
729 Element artnode = (Element) artchild;
731 String value = artnode.getTextContent().trim();
732 String name = artnode.getAttribute(
"name");
734 if (name.equals(
"ComputerName")) {
736 }
else if (name.equals(
"Domain")) {
742 osInfo.setCompName(compName);
743 osInfo.setDomain(domainName);
745 for (Map.Entry<String, String> userMap : getUserNameMap().entrySet()) {
748 sid = userMap.getKey();
749 String userName = userMap.getValue();
751 createOrUpdateOsAccount(regFile, sid, userName, null, null, OsAccountRealm.RealmScope.LOCAL);
752 }
catch (TskCoreException | TskDataException | NotUserSIDException ex) {
753 logger.log(Level.WARNING, String.format(
"Failed to update Domain for existing OsAccount: %s, sid: %s", regFile.getId(), sid), ex);
759 for (
int j = 0; j < myartlist.getLength(); j++) {
760 Node artchild = myartlist.item(j);
762 if (artchild.hasAttributes()) {
763 Element artnode = (Element) artchild;
765 String value = artnode.getTextContent().trim();
766 Collection<BlackboardAttribute> bbattributes =
new ArrayList<>();
779 Long usbMtime = Long.valueOf(
"0");
780 if (!artnode.getAttribute(
"mtime").isEmpty()) {
781 usbMtime = Long.parseLong(artnode.getAttribute(
"mtime"));
783 usbMtime = Long.valueOf(usbMtime.toString());
785 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, usbMtime));
787 String dev = artnode.getAttribute(
"dev");
790 if (dev.toLowerCase().contains(
"vid")) {
791 USBInfo info = USB_MAPPER.parseAndLookup(dev);
792 if (info.getVendor() != null) {
793 make = info.getVendor();
795 if (info.getProduct() != null) {
796 model = info.getProduct();
799 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE, parentModuleName, make));
800 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL, parentModuleName, model));
801 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID, parentModuleName, value));
802 newArtifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_DEVICE_ATTACHED, regFile, bbattributes));
803 }
catch (TskCoreException ex) {
804 logger.log(Level.SEVERE, String.format(
"Error adding device_attached artifact to blackboard for file %d.", regFile.getId()), ex);
808 Long itemMtime = null;
810 String mTimeAttr = artnode.getAttribute(
"mtime");
811 if (mTimeAttr != null && !mTimeAttr.isEmpty()) {
812 itemMtime =
new SimpleDateFormat(
"EEE MMM d HH:mm:ss yyyy", US).parse(mTimeAttr).getTime();
813 itemMtime /= MS_IN_SEC;
815 }
catch (ParseException ex) {
816 logger.log(Level.SEVERE,
"Failed to parse epoch time for installed program artifact.", ex);
820 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
821 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
822 BlackboardArtifact bbart = regFile.newDataArtifact(
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_INSTALLED_PROG), bbattributes);
823 newArtifacts.add(bbart);
824 }
catch (TskCoreException ex) {
825 logger.log(Level.SEVERE,
"Error adding installed program artifact to blackboard.", ex);
829 String officeName = artnode.getAttribute(
"name");
834 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName, mtime));
836 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, officeName));
837 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value));
838 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName()));
839 BlackboardArtifact bbart = regFile.newDataArtifact(
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_RECENT_OBJECT), bbattributes);
841 newArtifacts.add(bbart);
842 }
catch (TskCoreException ex) {
843 logger.log(Level.SEVERE,
"Error adding recent object artifact to blackboard.", ex);
847 case "ProcessorArchitecture":
863 String homeDir = value;
864 String sid = artnode.getAttribute(
"sid");
865 String username = artnode.getAttribute(
"username");
866 String domName = domainName;
870 OsAccountRealm.RealmScope scope = OsAccountRealm.RealmScope.DOMAIN;
871 if (isDomainIdInSAMList(sid)) {
873 scope = OsAccountRealm.RealmScope.LOCAL;
877 createOrUpdateOsAccount(regFile, sid, username, homeDir, domName, scope);
878 }
catch (TskCoreException | TskDataException | NotUserSIDException ex) {
879 logger.log(Level.SEVERE, String.format(
"Failed to create OsAccount for file: %s, sid: %s", regFile.getId(), sid), ex);
883 case "NtuserNetwork":
885 String localPath = artnode.getAttribute(
"localPath");
886 String remoteName = value;
888 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH,
889 parentModuleName, localPath));
890 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH,
891 parentModuleName, remoteName));
892 BlackboardArtifact bbart = regFile.newDataArtifact(
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_REMOTE_DRIVE), bbattributes);
893 newArtifacts.add(bbart);
894 }
catch (TskCoreException ex) {
895 logger.log(Level.SEVERE,
"Error adding network artifact to blackboard.", ex);
899 String adapter = artnode.getAttribute(
"adapter");
901 Long lastWriteTime = Long.parseLong(artnode.getAttribute(
"writeTime"));
902 lastWriteTime = Long.valueOf(lastWriteTime.toString());
903 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SSID, parentModuleName, value));
904 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, lastWriteTime));
905 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID, parentModuleName, adapter));
906 BlackboardArtifact bbart = regFile.newDataArtifact(
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_WIFI_NETWORK), bbattributes);
907 newArtifacts.add(bbart);
908 }
catch (TskCoreException ex) {
909 logger.log(Level.SEVERE,
"Error adding SSID artifact to blackboard.", ex);
919 logger.log(Level.SEVERE,
"Unrecognized node name: {0}", dataType);
928 }
catch (FileNotFoundException ex) {
929 logger.log(Level.WARNING, String.format(
"Error finding the registry file: %s", regFilePath), ex);
930 }
catch (SAXException ex) {
931 logger.log(Level.WARNING, String.format(
"Error parsing the registry XML: %s", regFilePath), ex);
932 }
catch (IOException ex) {
933 logger.log(Level.WARNING, String.format(
"Error building the document parser: %s", regFilePath), ex);
934 }
catch (ParserConfigurationException ex) {
935 logger.log(Level.WARNING, String.format(
"Error configuring the registry parser: %s", regFilePath), ex);
938 if (fstream != null) {
941 }
catch (IOException ex) {
944 if (!context.dataSourceIngestIsCancelled()) {
945 postArtifacts(newArtifacts);
951 private boolean parseSystemPluginOutput(String regfilePath, AbstractFile regAbstractFile) {
952 File regfile =
new File(regfilePath);
953 try (BufferedReader reader =
new BufferedReader(
new FileReader(regfile))) {
954 String line = reader.readLine();
955 while (line != null) {
958 if (line.toLowerCase().matches(
"^bam v.*")) {
959 parseBamKey(regAbstractFile, reader, Bundle.Registry_System_Bam());
960 }
else if (line.toLowerCase().matches(
"^bthport v..*")) {
961 parseBlueToothDevices(regAbstractFile, reader);
963 line = reader.readLine();
966 }
catch (FileNotFoundException ex) {
967 logger.log(Level.WARNING,
"Error finding the registry file.", ex);
968 }
catch (IOException ex) {
969 logger.log(Level.WARNING,
"Error reading the system hive: {0}", ex);
988 private void parseBlueToothDevices(AbstractFile regFile, BufferedReader reader)
throws FileNotFoundException, IOException {
989 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
990 String line = reader.readLine();
991 while ((line != null) && (!line.contains(SECTION_DIVIDER))) {
992 line = reader.readLine();
998 if ((line != null) && (line.toLowerCase().contains(
"device unique id"))) {
1002 while (line != null && !line.contains(SECTION_DIVIDER) && !line.isEmpty() && !line.toLowerCase().contains(
"radio support not found")) {
1003 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1004 addBlueToothAttribute(line, attributes, TSK_DEVICE_ID);
1005 line = reader.readLine();
1007 if ((line != null) && (line.toLowerCase().contains(
"name"))) {
1008 addBlueToothAttribute(line, attributes, TSK_NAME);
1009 line = reader.readLine();
1011 addBlueToothAttribute(line, attributes, TSK_DATETIME);
1012 line = reader.readLine();
1013 addBlueToothAttribute(line, attributes, TSK_DATETIME_ACCESSED);
1016 bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_BLUETOOTH_PAIRING, regFile, attributes));
1017 }
catch (TskCoreException ex) {
1018 logger.log(Level.SEVERE, String.format(
"Failed to create bluetooth_pairing artifact for file %d", regFile.getId()), ex);
1022 line = reader.readLine();
1031 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1032 postArtifacts(bbartifacts);
1036 private void addBlueToothAttribute(String line, Collection<BlackboardAttribute> attributes, ATTRIBUTE_TYPE attributeType) {
1041 String tokens[] = line.split(
": ");
1042 if (tokens.length > 1 && !tokens[1].isEmpty()) {
1043 String tokenString = tokens[1];
1044 if (attributeType.getDisplayName().toLowerCase().contains(
"date")) {
1045 String dateString = tokenString.toLowerCase().replace(
" z",
"");
1047 SimpleDateFormat dateFormat =
new SimpleDateFormat(
"EEE MMM d HH:mm:ss yyyy", US);
1048 Long dateLong = Long.valueOf(0);
1050 Date newDate = dateFormat.parse(dateString);
1051 dateLong = newDate.getTime() / 1000;
1052 }
catch (ParseException ex) {
1055 logger.log(Level.WARNING, String.format(
"Failed to parse date/time %s for Bluetooth Last Seen attribute.", dateString), ex);
1057 attributes.add(
new BlackboardAttribute(attributeType, getDisplayName(), dateLong));
1059 attributes.add(
new BlackboardAttribute(attributeType, getDisplayName(), tokenString));
1074 private boolean parseSamPluginOutput(String regFilePath, AbstractFile regAbstractFile,
long ingestJobId) {
1076 File regfile =
new File(regFilePath);
1077 List<BlackboardArtifact> newArtifacts =
new ArrayList<>();
1078 try (BufferedReader bufferedReader =
new BufferedReader(
new InputStreamReader(
new FileInputStream(regfile), StandardCharsets.UTF_8))) {
1080 String userInfoSection =
"User Information";
1081 String previousLine = null;
1082 String line = bufferedReader.readLine();
1083 Set<Map<String, String>> userSet =
new HashSet<>();
1084 Map<String, List<String>> groupMap = null;
1085 while (line != null) {
1086 if (line.contains(SECTION_DIVIDER) && previousLine != null && previousLine.contains(userInfoSection)) {
1087 readUsers(bufferedReader, userSet);
1090 if (line.contains(SECTION_DIVIDER) && previousLine != null && previousLine.contains(
"Group Membership Information")) {
1091 groupMap = readGroups(bufferedReader);
1094 previousLine = line;
1095 line = bufferedReader.readLine();
1097 Map<String, Map<String, String>> userInfoMap =
new HashMap<>();
1099 for (Map<String, String> userInfo : userSet) {
1100 String sid = userInfo.get(SID_KEY);
1101 userInfoMap.put(sid, userInfo);
1102 addSIDToSAMList(sid);
1106 OsAccountManager accountMgr = tskCase.getOsAccountManager();
1107 HostManager hostMrg = tskCase.getHostManager();
1108 Host host = hostMrg.getHostByDataSource((DataSource) dataSource);
1110 List<OsAccount> existingAccounts = accountMgr.getOsAccounts(host);
1111 for (OsAccount osAccount : existingAccounts) {
1112 Optional<String> optional = osAccount.getAddr();
1113 if (!optional.isPresent()) {
1117 String sid = optional.get();
1118 Map<String, String> userInfo = userInfoMap.remove(sid);
1119 if (userInfo != null) {
1120 addAccountInstance(accountMgr, osAccount, (DataSource) dataSource);
1121 updateOsAccount(osAccount, userInfo, groupMap.get(sid), regAbstractFile, ingestJobId);
1126 for (Map<String, String> userInfo : userInfoMap.values()) {
1127 OsAccount osAccount = accountMgr.newWindowsOsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.LOCAL);
1128 accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
1129 updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile, ingestJobId);
1132 }
catch (FileNotFoundException ex) {
1133 logger.log(Level.WARNING,
"Error finding the registry file.", ex);
1134 }
catch (IOException ex) {
1135 logger.log(Level.WARNING,
"Error building the document parser: {0}", ex);
1136 }
catch (TskDataException | TskCoreException ex) {
1137 logger.log(Level.WARNING,
"Error updating TSK_OS_ACCOUNT artifacts to include newly parsed data.", ex);
1138 }
catch (OsAccountManager.NotUserSIDException ex) {
1139 logger.log(Level.WARNING,
"Error creating OS Account, input SID is not a user SID.", ex);
1141 if (!context.dataSourceIngestIsCancelled()) {
1142 postArtifacts(newArtifacts);
1159 private void readUsers(BufferedReader bufferedReader, Set<Map<String, String>> users) throws IOException {
1160 String line = bufferedReader.readLine();
1162 String userName =
"";
1163 String user_rid =
"";
1164 while (line != null && !line.contains(SECTION_DIVIDER)) {
1166 if (line.contains(USERNAME_KEY)) {
1167 String regx = USERNAME_KEY +
"\\s*?:";
1168 String userNameAndIdString = line.replaceAll(regx,
"");
1169 userName = userNameAndIdString.substring(0, userNameAndIdString.lastIndexOf(
'[')).trim();
1170 user_rid = userNameAndIdString.substring(userNameAndIdString.lastIndexOf(
'['), userNameAndIdString.lastIndexOf(
']'));
1171 }
else if (line.contains(SID_KEY) && !userName.isEmpty()) {
1172 Map.Entry<String, String> entry = getSAMKeyValue(line);
1174 HashMap<String, String> userInfo =
new HashMap<>();
1175 userInfo.put(USERNAME_KEY, userName);
1176 userInfo.put(RID_KEY, user_rid);
1177 userInfo.put(entry.getKey(), entry.getValue());
1180 line = bufferedReader.readLine();
1181 while (line != null && !line.isEmpty()) {
1182 entry = getSAMKeyValue(line);
1183 if (entry != null) {
1184 userInfo.put(entry.getKey(), entry.getValue());
1186 line = bufferedReader.readLine();
1188 users.add(userInfo);
1192 line = bufferedReader.readLine();
1205 private void createRecentlyUsedArtifacts(String regFileName, AbstractFile regFile)
throws FileNotFoundException, IOException {
1206 File regfile =
new File(regFileName);
1207 try (BufferedReader reader =
new BufferedReader(
new FileReader(regfile))) {
1208 String line = reader.readLine();
1209 while (line != null) {
1212 if (line.matches(
"^adoberdr v.*")) {
1213 parseAdobeMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Adobe());
1214 }
else if (line.matches(
"^mpmru v.*")) {
1215 parseMediaPlayerMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Mediaplayer());
1216 }
else if (line.matches(
"^trustrecords v.*")) {
1217 parseOfficeTrustRecords(regFile, reader, Bundle.Recently_Used_Artifacts_Office_Trustrecords());
1218 }
else if (line.matches(
"^ArcHistory:")) {
1219 parse7ZipMRU(regFile, reader, Bundle.Recently_Used_Artifacts_ArcHistory());
1220 }
else if (line.matches(
"^applets v.*")) {
1221 parseGenericMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Applets());
1222 }
else if (line.matches(
"^mmc v.*")) {
1223 parseGenericMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Mmc());
1224 }
else if (line.matches(
"^winrar v.*")) {
1225 parseWinRARMRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Winrar());
1226 }
else if (line.matches(
"^officedocs2010 v.*")) {
1227 parseOfficeDocs2010MRUList(regFile, reader, Bundle.Recently_Used_Artifacts_Officedocs());
1229 line = reader.readLine();
1245 private void parseBamKey(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1246 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1247 String line = reader.readLine();
1249 while (!line.contains(SECTION_DIVIDER)) {
1250 line = reader.readLine();
1253 line = reader.readLine();
1255 while (!line.contains(SECTION_DIVIDER)) {
1258 String tokens[] = line.split(
"\\|");
1259 Long progRunDateTime = Long.valueOf(tokens[0]);
1262 String fileNameSid[] = tokens[4].split(
"\\s+\\(S-");
1263 String userSid =
"S-" + fileNameSid[1].substring(0, fileNameSid[1].length() - 1);
1264 String userName = getUserNameMap().get(userSid);
1265 if (userName == null) {
1268 String fileName = fileNameSid[0];
1269 if (fileName.startsWith(
"\\Device\\HarddiskVolume")) {
1271 int fileNameStart = fileName.indexOf(
'\\', 16);
1272 fileName = fileName.substring(fileNameStart, fileName.length());
1275 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1276 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, getDisplayName(), fileName));
1277 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, getDisplayName(), userName));
1278 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, getDisplayName(), progRunDateTime));
1279 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, getDisplayName(), comment));
1282 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_PROG_RUN, regFile, attributes);
1283 bbartifacts.add(bba);
1284 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1286 bbartifacts.add(bba);
1288 }
catch (TskCoreException ex) {
1289 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_PROG_RUN artifact for file %d", regFile.getId()), ex);
1291 line = reader.readLine();
1293 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1294 postArtifacts(bbartifacts);
1309 private void parseAdobeMRUList(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1310 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1311 String line = reader.readLine();
1312 SimpleDateFormat adobePluginDateFormat =
new SimpleDateFormat(
"yyyyMMddHHmmssZ", US);
1313 Long adobeUsedTime = Long.valueOf(0);
1314 while (!line.contains(SECTION_DIVIDER)) {
1315 line = reader.readLine();
1317 if (line.matches(
"^Key name,file name,sDate,uFileSize,uPageCount")) {
1318 line = reader.readLine();
1321 while (!line.contains(SECTION_DIVIDER)) {
1324 String tokens[] = line.split(
",(?=([^\"]*\"[^\"]*\")*[^\"]*$)");
1325 String fileName = tokens[1].substring(0, tokens[1].length() - 1);
1326 fileName = fileName.replace(
"\"",
"");
1327 if (fileName.charAt(0) ==
'/') {
1328 fileName = fileName.substring(1, fileName.length() - 1);
1329 fileName = fileName.replaceFirst(
"/",
":/");
1332 if (tokens.length > 2) {
1335 String fileUsedTime = tokens[2].replaceAll(
"'",
"");
1336 Date usedDate = adobePluginDateFormat.parse(fileUsedTime);
1337 adobeUsedTime = usedDate.getTime() / 1000;
1338 }
catch (ParseException ex) {
1341 logger.log(Level.WARNING, String.format(
"Failed to parse date/time %s for adobe file artifact.", tokens[2]), ex);
1344 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1345 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
1346 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), adobeUsedTime));
1347 attributes.add(
new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
1349 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
1351 bbartifacts.add(bba);
1352 fileName = fileName.replace(
"\0",
"");
1353 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1355 bbartifacts.add(bba);
1358 }
catch (TskCoreException ex) {
1359 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
1361 line = reader.readLine();
1366 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1367 postArtifacts(bbartifacts);
1383 private void parseMediaPlayerMRUList(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1384 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1385 String line = reader.readLine();
1386 while (!line.contains(SECTION_DIVIDER)) {
1387 line = reader.readLine();
1389 if (line.contains(
"LastWrite")) {
1390 line = reader.readLine();
1393 while (!line.contains(SECTION_DIVIDER) && !line.contains(
"RecentFileList has no values.")) {
1395 String tokens[] = line.split(
"> ");
1396 String fileName = tokens[1];
1397 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1398 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
1399 attributes.add(
new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
1401 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
1403 bbartifacts.add(bba);
1404 bba = createAssociatedArtifact(fileName, bba);
1406 bbartifacts.add(bba);
1407 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1409 bbartifacts.add(bba);
1413 }
catch (TskCoreException ex) {
1414 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
1416 line = reader.readLine();
1421 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1422 postArtifacts(bbartifacts);
1438 private void parseGenericMRUList(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1439 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1440 String line = reader.readLine();
1441 while (!line.contains(SECTION_DIVIDER)) {
1442 line = reader.readLine();
1444 if (line.contains(
"LastWrite")) {
1445 line = reader.readLine();
1448 while (!line.contains(SECTION_DIVIDER) && !line.isEmpty() && !line.contains(
"Applets")
1449 && !line.contains((
"Recent File List"))) {
1451 String tokens[] = line.split(
"> ");
1452 if (tokens.length > 1) {
1453 String fileName = tokens[1];
1454 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1455 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
1456 attributes.add(
new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
1458 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
1460 bbartifacts.add(bba);
1461 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1463 bbartifacts.add(bba);
1466 }
catch (TskCoreException ex) {
1467 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
1470 line = reader.readLine();
1475 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1476 postArtifacts(bbartifacts);
1492 private void parseWinRARMRUList(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1493 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1494 String line = reader.readLine();
1495 while (!line.contains(SECTION_DIVIDER)) {
1496 line = reader.readLine();
1498 if (line.contains(
"LastWrite")) {
1499 line = reader.readLine();
1502 if (!line.isEmpty()) {
1503 while (!line.contains(SECTION_DIVIDER)) {
1505 String tokens[] = line.split(
"> ");
1506 String fileName = tokens[1];
1507 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1508 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
1509 attributes.add(
new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
1511 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
1512 bbartifacts.add(bba);
1513 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1515 bbartifacts.add(bba);
1517 }
catch (TskCoreException ex) {
1518 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
1520 line = reader.readLine();
1526 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1527 postArtifacts(bbartifacts);
1543 private void parse7ZipMRU(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1544 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1545 String line = reader.readLine();
1547 if (!line.contains(
"PathHistory:")) {
1548 while (!line.contains(
"PathHistory:") && !line.isEmpty()) {
1551 String fileName = line;
1552 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1553 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
1554 attributes.add(
new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
1556 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
1557 bbartifacts.add(bba);
1558 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1560 bbartifacts.add(bba);
1563 }
catch (TskCoreException ex) {
1564 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
1566 line = reader.readLine();
1570 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1571 postArtifacts(bbartifacts);
1587 private void parseOfficeDocs2010MRUList(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1588 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1589 String line = reader.readLine();
1593 while (!line.contains(SECTION_DIVIDER)) {
1594 line = reader.readLine();
1596 line = reader.readLine();
1597 while (!line.contains(SECTION_DIVIDER)) {
1600 String tokens[] = line.split(
"\\|");
1601 Long docDate = Long.valueOf(tokens[0]);
1602 String fileNameTokens[] = tokens[4].split(
" - ");
1603 String fileName = fileNameTokens[1];
1604 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1605 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
1606 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), docDate));
1607 attributes.add(
new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
1609 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
1610 bbartifacts.add(bba);
1611 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1613 bbartifacts.add(bba);
1615 }
catch (TskCoreException ex) {
1616 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
1618 line = reader.readLine();
1621 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1622 postArtifacts(bbartifacts);
1638 private void parseOfficeTrustRecords(AbstractFile regFile, BufferedReader reader, String comment)
throws FileNotFoundException, IOException {
1639 String userProfile = regFile.getParentPath();
1640 userProfile = userProfile.substring(0, userProfile.length() - 1);
1641 List<BlackboardArtifact> bbartifacts =
new ArrayList<>();
1642 SimpleDateFormat pluginDateFormat =
new SimpleDateFormat(
"EEE MMM dd HH:mm:ss yyyy", US);
1643 Long usedTime = Long.valueOf(0);
1644 String line = reader.readLine();
1645 while (!line.contains(SECTION_DIVIDER)) {
1646 line = reader.readLine();
1648 usedTime = Long.valueOf(0);
1649 if (!line.contains(
"**") && !line.contains(
"----------") && !line.contains(
"LastWrite")
1650 && !line.contains(SECTION_DIVIDER) && !line.isEmpty() && !line.contains(
"TrustRecords")
1651 && !line.contains(
"VBAWarnings =")) {
1655 String fileName = null;
1656 String tokens[] = line.split(
" : ");
1657 fileName = tokens[1];
1658 fileName = fileName.replace(
"%USERPROFILE%", userProfile);
1661 String fileUsedTime = tokens[0].replaceAll(
" Z",
"");
1662 Date usedDate = pluginDateFormat.parse(fileUsedTime);
1663 usedTime = usedDate.getTime() / 1000;
1664 }
catch (ParseException ex) {
1667 logger.log(Level.WARNING, String.format(
"Failed to parse date/time %s for TrustRecords artifact.", tokens[0]), ex);
1669 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1670 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), fileName));
1671 attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, getDisplayName(), usedTime));
1672 attributes.add(
new BlackboardAttribute(TSK_COMMENT, getDisplayName(), comment));
1674 BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, regFile, attributes);
1675 bbartifacts.add(bba);
1676 bba = createAssociatedArtifact(FilenameUtils.normalize(fileName,
true), bba);
1678 bbartifacts.add(bba);
1680 }
catch (TskCoreException ex) {
1681 logger.log(Level.SEVERE, String.format(
"Failed to create TSK_RECENT_OBJECT artifact for file %d", regFile.getId()), ex);
1686 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1687 postArtifacts(bbartifacts);
1701 private BlackboardArtifact createAssociatedArtifact(String filePathName, BlackboardArtifact bba) {
1702 String fileName = FilenameUtils.getName(filePathName);
1703 String filePath = FilenameUtils.getPath(filePathName);
1704 List<AbstractFile> sourceFiles;
1706 sourceFiles = currentCase.getSleuthkitCase().getFileManager().findFilesExactNameExactPath(dataSource, fileName, filePath);
1707 if (!sourceFiles.isEmpty()) {
1708 return createAssociatedArtifact(sourceFiles.get(0), bba);
1710 }
catch (TskCoreException ex) {
1713 logger.log(Level.WARNING, String.format(
"Error finding actual file %s. file may not exist", filePathName));
1729 private Map<String, String> makeUserNameMap(Content dataSource)
throws TskCoreException {
1730 Map<String, String> map =
new HashMap<>();
1732 for (OsAccount account : tskCase.getOsAccountManager().getOsAccounts(((DataSource) dataSource).getHost())) {
1733 Optional<String> userName = account.getLoginName();
1734 String address = account.getAddr().orElse(
"");
1735 if (!address.isEmpty()) {
1736 map.put(address, userName.isPresent() ? userName.get() :
"");
1762 private String stripRelativeIdentifierFromSID(String osAccountSID) {
1763 if (osAccountSID.split(
"-").length > 4) {
1764 int index = osAccountSID.lastIndexOf(
'-');
1765 return index > 1 ? osAccountSID.substring(0, index) :
"";
1770 private final List<String> machineSIDs =
new ArrayList<>();
1777 private Map<String, String> getUserNameMap() {
1778 if (userNameMap == null) {
1782 userNameMap = makeUserNameMap(dataSource);
1783 }
catch (TskCoreException ex) {
1784 logger.log(Level.WARNING,
"Unable to create OS Account user name map", ex);
1787 userNameMap =
new HashMap<>();
1804 private BlackboardAttribute getAttributeForArtifact(BlackboardArtifact artifact, BlackboardAttribute.ATTRIBUTE_TYPE type) throws TskCoreException {
1805 return artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.fromID(type.getTypeID())));
1816 void createShellBagArtifacts(AbstractFile regFile, List<ShellBag> shellbags)
throws TskCoreException {
1817 List<BlackboardArtifact> artifacts =
new ArrayList<>();
1819 for (ShellBag bag : shellbags) {
1820 Collection<BlackboardAttribute> attributes =
new ArrayList<>();
1821 attributes.add(
new BlackboardAttribute(TSK_PATH, getDisplayName(), bag.getResource()));
1822 attributes.add(
new BlackboardAttribute(getKeyAttribute(), getDisplayName(), bag.getKey()));
1825 time = bag.getLastWrite();
1827 attributes.add(
new BlackboardAttribute(getLastWriteAttribute(), getDisplayName(), time));
1830 time = bag.getModified();
1832 attributes.add(
new BlackboardAttribute(TSK_DATETIME_MODIFIED, getDisplayName(), time));
1835 time = bag.getCreated();
1837 attributes.add(
new BlackboardAttribute(TSK_DATETIME_CREATED, getDisplayName(), time));
1840 time = bag.getAccessed();
1842 attributes.add(
new BlackboardAttribute(TSK_DATETIME_ACCESSED, getDisplayName(), time));
1845 BlackboardArtifact artifact = createArtifactWithAttributes(getShellBagArtifact(), regFile, attributes);
1846 artifacts.add(artifact);
1849 if (!context.dataSourceIngestIsCancelled()) {
1850 postArtifacts(artifacts);
1863 private BlackboardArtifact.Type getShellBagArtifact() throws TskCoreException {
1864 if (shellBagArtifactType == null) {
1866 shellBagArtifactType = tskCase.getBlackboard().getOrAddArtifactType(SHELLBAG_ARTIFACT_NAME, Bundle.Shellbag_Artifact_Display_Name());
1867 }
catch (BlackboardException ex) {
1868 throw new TskCoreException(String.format(
"Failed to get shell bag artifact type", SHELLBAG_ARTIFACT_NAME), ex);
1872 return shellBagArtifactType;
1883 private BlackboardAttribute.Type getLastWriteAttribute() throws TskCoreException {
1884 if (shellBagLastWriteAttributeType == null) {
1886 shellBagLastWriteAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SHELLBAG_ATTRIBUTE_LAST_WRITE,
1887 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME,
1888 Bundle.Shellbag_Last_Write_Attribute_Display_Name());
1889 }
catch (BlackboardException ex) {
1891 throw new TskCoreException(String.format(
"Failed to get custom attribute %s", SHELLBAG_ATTRIBUTE_LAST_WRITE), ex);
1894 return shellBagLastWriteAttributeType;
1905 private BlackboardAttribute.Type getKeyAttribute() throws TskCoreException {
1906 if (shellBagKeyAttributeType == null) {
1908 shellBagKeyAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SHELLBAG_ATTRIBUTE_KEY,
1909 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
1910 Bundle.Shellbag_Key_Attribute_Display_Name());
1911 }
catch (BlackboardException ex) {
1912 throw new TskCoreException(String.format(
"Failed to get key attribute %s", SHELLBAG_ATTRIBUTE_KEY), ex);
1915 return shellBagKeyAttributeType;
1927 Map<String, List<String>> readGroups(BufferedReader bufferedReader)
throws IOException {
1928 Map<String, List<String>> groupMap =
new HashMap<>();
1930 String line = bufferedReader.readLine();
1933 String groupName = null;
1935 while (line != null && !line.contains(SECTION_DIVIDER)) {
1937 if (line.contains(
"Group Name")) {
1938 String value = line.replaceAll(
"Group Name\\s*?:",
"").trim();
1939 groupName = (value.replaceAll(
"\\[\\d*?\\]",
"")).trim();
1940 int startIndex = value.indexOf(
" [") + 1;
1941 int endIndex = value.indexOf(
']');
1943 if (startIndex != -1 && endIndex != -1) {
1944 String countStr = value.substring(startIndex + 1, endIndex);
1945 userCount = Integer.parseInt(countStr);
1947 }
else if (line.matches(
"Users\\s*?:")) {
1948 for (
int i = 0; i < userCount; i++) {
1949 line = bufferedReader.readLine();
1951 String sid = line.trim();
1952 List<String> groupList = groupMap.get(sid);
1953 if (groupList == null) {
1954 groupList =
new ArrayList<>();
1955 groupMap.put(sid, groupList);
1957 groupList.add(groupName);
1962 line = bufferedReader.readLine();
1975 private Map.Entry<String, String> getSAMKeyValue(String line) {
1976 int index = line.indexOf(
':');
1977 Map.Entry<String, String> returnValue = null;
1979 String value = null;
1982 key = line.substring(0, index).trim();
1983 if (index + 1 < line.length()) {
1984 value = line.substring(index + 1).trim();
1989 }
else if (line.contains(
"-->")) {
1990 key = line.replace(
"-->",
"").trim();
1995 returnValue =
new AbstractMap.SimpleEntry<>(key, value);
2002 public void process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
2003 this.dataSource = dataSource;
2005 progressBar.progress(Bundle.Progress_Message_Analyze_Registry());
2006 analyzeRegistryFiles(context.getJobId());
2014 public String autopsyPlugins =
"";
2015 public String fullPlugins =
"";
2030 private void createOrUpdateOsAccount(AbstractFile file, String sid, String userName, String homeDir, String domainName, OsAccountRealm.RealmScope realmScope) throws TskCoreException, TskDataException, NotUserSIDException {
2031 OsAccountManager accountMgr = tskCase.getOsAccountManager();
2032 HostManager hostMrg = tskCase.getHostManager();
2033 Host host = hostMrg.getHostByDataSource((DataSource) dataSource);
2035 Optional<OsAccount> optional = accountMgr.getWindowsOsAccount(sid, null, null, host);
2036 OsAccount osAccount;
2037 if (!optional.isPresent()) {
2038 osAccount = accountMgr.newWindowsOsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, realmScope);
2039 accountMgr.newOsAccountInstance(osAccount, (DataSource) dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
2041 osAccount = optional.get();
2042 addAccountInstance(accountMgr, osAccount, (DataSource) dataSource);
2043 if (userName != null && !userName.isEmpty()) {
2044 OsAccountUpdateResult updateResult = accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, userName, (domainName == null || domainName.isEmpty()) ? null : domainName, host);
2045 osAccount = updateResult.getUpdatedAccount().orElse(osAccount);
2049 if (homeDir != null && !homeDir.isEmpty()) {
2050 List<OsAccountAttribute> attributes =
new ArrayList<>();
2051 String dir = homeDir.replaceFirst(
"^(%\\w*%)",
"");
2052 dir = dir.replace(
"\\",
"/");
2053 attributes.add(createOsAccountAttribute(TSK_HOME_DIR, dir, osAccount, host, file));
2054 accountMgr.addExtendedOsAccountAttributes(osAccount, attributes);
2066 private void addEmailAccount(AbstractFile regFile, String emailAddress,
long ingestJobId) {
2068 currentCase.getSleuthkitCase()
2069 .getCommunicationsManager()
2070 .createAccountFileInstance(Account.Type.EMAIL,
2071 emailAddress, getRAModuleName(), regFile,
2072 Collections.emptyList(),
2074 }
catch (TskCoreException ex) {
2075 logger.log(Level.SEVERE,
2076 String.format(
"Error adding email account with value "
2077 +
"%s, to the case database for file %s [objId=%d]",
2078 emailAddress, regFile.getName(), regFile.getId()), ex);
2090 private Long parseRegRipTime(String value) {
2092 return REG_RIPPER_TIME_FORMAT.parse(value).getTime() / MS_IN_SEC;
2093 }
catch (ParseException ex) {
2094 logger.log(Level.SEVERE, String.format(
"Failed to parse reg rip time: %s", value));
2111 private void updateOsAccount(OsAccount osAccount, Map<String, String> userInfo, List<String> groupList, AbstractFile regFile,
long ingestJobId)
throws TskDataException, TskCoreException, NotUserSIDException {
2112 Host host = ((DataSource) dataSource).getHost();
2113 SimpleDateFormat regRipperTimeFormat =
new SimpleDateFormat(
"EEE MMM dd HH:mm:ss yyyy 'Z'", US);
2114 regRipperTimeFormat.setTimeZone(getTimeZone(
"GMT"));
2116 List<OsAccountAttribute> attributes =
new ArrayList<>();
2118 Long creationTime = null;
2120 String value = userInfo.get(ACCOUNT_CREATED_KEY);
2121 if (value != null && !value.isEmpty() && !value.equals(NEVER_DATE)) {
2122 creationTime = parseRegRipTime(value);
2125 value = userInfo.get(LAST_LOGIN_KEY);
2126 if (value != null && !value.isEmpty() && !value.equals(NEVER_DATE)) {
2127 Long time = parseRegRipTime(value);
2129 attributes.add(createOsAccountAttribute(TSK_DATETIME_ACCESSED,
2130 parseRegRipTime(value),
2131 osAccount, host, regFile));
2135 String loginName = null;
2136 value = userInfo.get(USERNAME_KEY);
2137 if (value != null && !value.isEmpty()) {
2141 value = userInfo.get(LOGIN_COUNT_KEY);
2142 if (value != null && !value.isEmpty()) {
2143 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_COUNT,
2144 Integer.parseInt(value),
2145 osAccount, host, regFile));
2151 value = userInfo.get(ACCOUNT_TYPE_KEY);
2152 if (value != null && !value.isEmpty() && value.toLowerCase().contains(
"admin")) {
2153 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_IS_ADMIN,
2154 1, osAccount, host, regFile));
2157 value = userInfo.get(USER_COMMENT_KEY);
2158 if (value != null && !value.isEmpty()) {
2159 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_DESCRIPTION,
2160 value, osAccount, host, regFile));
2163 value = userInfo.get(INTERNET_NAME_KEY);
2164 if (value != null && !value.isEmpty()) {
2165 addEmailAccount(regFile, value, ingestJobId);
2167 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_EMAIL,
2168 value, osAccount, host, regFile));
2172 String fullName = null;
2173 value = userInfo.get(FULL_NAME_KEY);
2174 if (value != null && !value.isEmpty()) {
2177 value = userInfo.get(NAME_KEY);
2178 if (value != null && !value.isEmpty()) {
2183 value = userInfo.get(PWD_RESET_KEY);
2184 if (value != null && !value.isEmpty() && !value.equals(NEVER_DATE)) {
2185 Long time = parseRegRipTime(value);
2187 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_PASSWORD_RESET,
2188 time, osAccount, host, regFile));
2192 value = userInfo.get(SECURITY_QUESTION_1);
2193 if (value != null && !value.isEmpty()) {
2194 BlackboardAttribute.Type securityQuestionAttributeType = null;
2196 securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_1,
2197 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
2198 Bundle.Sam_Security_Question_1_Attribute_Display_Name());
2199 }
catch (BlackboardException ex) {
2200 throw new TskCoreException(String.format(
"Failed to get key attribute %s", SAM_SECURITY_QUESTION_1), ex);
2202 attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
2205 value = userInfo.get(SECURITY_ANSWER_1);
2206 if (value != null && !value.isEmpty()) {
2207 BlackboardAttribute.Type securityAnswerAttributeType = null;
2209 securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_1,
2210 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
2211 Bundle.Sam_Security_Answer_1_Attribute_Display_Name());
2212 }
catch (BlackboardException ex) {
2213 throw new TskCoreException(String.format(
"Failed to get key attribute %s", SAM_SECURITY_ANSWER_1), ex);
2215 attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
2218 value = userInfo.get(SECURITY_QUESTION_2);
2219 if (value != null && !value.isEmpty()) {
2220 BlackboardAttribute.Type securityQuestionAttributeType = null;
2222 securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_2,
2223 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
2224 Bundle.Sam_Security_Question_2_Attribute_Display_Name());
2225 }
catch (BlackboardException ex) {
2226 throw new TskCoreException(String.format(
"Failed to get key attribute %s", SAM_SECURITY_QUESTION_2), ex);
2228 attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
2231 value = userInfo.get(SECURITY_ANSWER_2);
2232 if (value != null && !value.isEmpty()) {
2233 BlackboardAttribute.Type securityAnswerAttributeType = null;
2235 securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_2,
2236 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
2237 Bundle.Sam_Security_Answer_2_Attribute_Display_Name());
2238 }
catch (BlackboardException ex) {
2239 throw new TskCoreException(String.format(
"Failed to get key attribute %s", SAM_SECURITY_ANSWER_2), ex);
2241 attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
2244 value = userInfo.get(SECURITY_QUESTION_3);
2245 if (value != null && !value.isEmpty()) {
2246 BlackboardAttribute.Type securityQuestionAttributeType = null;
2248 securityQuestionAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_QUESTION_3,
2249 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
2250 Bundle.Sam_Security_Question_2_Attribute_Display_Name());
2251 }
catch (BlackboardException ex) {
2252 throw new TskCoreException(String.format(
"Failed to get key attribute %s", SAM_SECURITY_QUESTION_3), ex);
2254 attributes.add(createOsAccountAttribute(securityQuestionAttributeType, value, osAccount, host, regFile));
2257 value = userInfo.get(SECURITY_ANSWER_3);
2258 if (value != null && !value.isEmpty()) {
2259 BlackboardAttribute.Type securityAnswerAttributeType = null;
2261 securityAnswerAttributeType = tskCase.getBlackboard().getOrAddAttributeType(SAM_SECURITY_ANSWER_3,
2262 BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
2263 Bundle.Sam_Security_Answer_3_Attribute_Display_Name());
2264 }
catch (BlackboardException ex) {
2265 throw new TskCoreException(String.format(
"Failed to get key attribute %s", SAM_SECURITY_ANSWER_3), ex);
2267 attributes.add(createOsAccountAttribute(securityAnswerAttributeType, value, osAccount, host, regFile));
2270 value = userInfo.get(PASSWORD_HINT);
2271 if (value != null && !value.isEmpty()) {
2272 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_PASSWORD_HINT,
2273 value, osAccount, host, regFile));
2276 value = userInfo.get(PWD_FAILE_KEY);
2277 if (value != null && !value.isEmpty() && !value.equals(NEVER_DATE)) {
2278 Long time = parseRegRipTime(value);
2280 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_PASSWORD_FAIL,
2281 time, osAccount, host, regFile));
2285 String settingString = getSettingsFromMap(PASSWORD_SETTINGS_FLAGS, userInfo);
2286 if (!settingString.isEmpty()) {
2287 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_PASSWORD_SETTINGS,
2288 settingString, osAccount, host, regFile));
2291 settingString = getSettingsFromMap(ACCOUNT_SETTINGS_FLAGS, userInfo);
2292 if (!settingString.isEmpty()) {
2293 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_ACCOUNT_SETTINGS,
2294 settingString, osAccount, host, regFile));
2297 settingString = getSettingsFromMap(ACCOUNT_TYPE_FLAGS, userInfo);
2298 if (!settingString.isEmpty()) {
2299 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_FLAG,
2300 settingString, osAccount, host, regFile));
2303 if (groupList != null && groupList.isEmpty()) {
2304 String groups = groupList.stream()
2305 .map(String::valueOf)
2306 .collect(Collectors.joining(
", "));
2308 attributes.add(createOsAccountAttribute(ATTRIBUTE_TYPE.TSK_GROUPS,
2309 groups, osAccount, host, regFile));
2313 OsAccountManager accountMgr = tskCase.getOsAccountManager();
2314 accountMgr.addExtendedOsAccountAttributes(osAccount, attributes);
2317 accountMgr.updateCoreWindowsOsAccountAttributes(osAccount, null, loginName, null, host);
2320 accountMgr.updateStandardOsAccountAttributes(osAccount, fullName, null, null, creationTime);
2332 private String getSettingsFromMap(String[] keys, Map<String, String> map) {
2333 List<String> settingsList =
new ArrayList<>();
2334 for (String setting : keys) {
2335 if (map.containsKey(setting)) {
2336 settingsList.add(setting);
2340 if (!settingsList.isEmpty()) {
2341 return settingsList.stream()
2342 .map(String::valueOf)
2343 .collect(Collectors.joining(
", "));
2360 private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.Type type, String value, OsAccount osAccount, Host host, AbstractFile file) {
2361 return osAccount.new OsAccountAttribute(type, value, osAccount, host, file);
2375 private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.ATTRIBUTE_TYPE type, String value, OsAccount osAccount, Host host, AbstractFile file) {
2376 return osAccount.new OsAccountAttribute(
new BlackboardAttribute.Type(type), value, osAccount, host, file);
2390 private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.ATTRIBUTE_TYPE type, Long value, OsAccount osAccount, Host host, AbstractFile file) {
2391 return osAccount.new OsAccountAttribute(
new BlackboardAttribute.Type(type), value, osAccount, host, file);
2405 private OsAccountAttribute createOsAccountAttribute(BlackboardAttribute.ATTRIBUTE_TYPE type, Integer value, OsAccount osAccount, Host host, AbstractFile file) {
2406 return osAccount.new OsAccountAttribute(
new BlackboardAttribute.Type(type), value, osAccount, host, file);
2419 private void addAccountInstance(OsAccountManager accountMgr, OsAccount osAccount, DataSource dataSource)
throws TskCoreException {
2420 accountMgr.newOsAccountInstance(osAccount, dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED);
2428 private void addSIDToSAMList(String sid) {
2429 String relativeID = stripRelativeIdentifierFromSID(sid);
2430 if (!relativeID.isEmpty() && !samDomainIDsList.contains(relativeID)) {
2431 samDomainIDsList.add(relativeID);
2443 private boolean isDomainIdInSAMList(String osAccountSID) {
2444 String relativeID = stripRelativeIdentifierFromSID(osAccountSID);
2445 return samDomainIDsList.contains(relativeID);
2451 private String compName = null;
2452 private String progName =
"Windows";
2453 private String processorArchitecture = null;
2454 private String tempDir = null;
2455 private String domain = null;
2456 private Long installtime = null;
2457 private String systemRoot = null;
2458 private String productId = null;
2459 private String regOwner = null;
2460 private String regOrg = null;
2464 void createOSInfo() {
2467 ArrayList<BlackboardArtifact> results = tskCase.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, context.getDataSource().getId());
2469 if (results.isEmpty()) {
2470 Collection<BlackboardAttribute> bbattributes =
new ArrayList<>();
2471 if (compName != null && !compName.isEmpty()) {
2472 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, compName));
2474 if (domain != null && !domain.isEmpty()) {
2475 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain));
2477 if (progName != null && !progName.isEmpty()) {
2478 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, progName));
2480 if (processorArchitecture != null && !processorArchitecture.isEmpty()) {
2481 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE, parentModuleName, processorArchitecture));
2483 if (tempDir != null && !tempDir.isEmpty()) {
2484 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR, parentModuleName, tempDir));
2486 if (installtime != null) {
2487 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, installtime));
2489 if (systemRoot != null && !systemRoot.isEmpty()) {
2490 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, parentModuleName, systemRoot));
2492 if (productId != null && !productId.isEmpty()) {
2493 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID, parentModuleName, productId));
2495 if (regOwner != null && !regOwner.isEmpty()) {
2496 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER, parentModuleName, regOwner));
2498 if (regOrg != null && !regOrg.isEmpty()) {
2499 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION, parentModuleName, regOrg));
2502 postArtifact(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_OS_INFO, context.getDataSource(), bbattributes));
2504 }
catch (TskCoreException ex) {
2505 logger.log(Level.SEVERE,
"Failed to create default OS_INFO artifact", ex);
2509 void setCompName(String compName) {
2510 if(this.compName == null || this.compName.isEmpty()) {
2511 this.compName = compName;
2515 void setOsName(String progName) {
2516 if(progName != null && !progName.isEmpty()) {
2517 this.progName = progName;
2521 void setProcessorArchitecture(String processorArchitecture) {
2522 if(this.processorArchitecture == null || this.processorArchitecture.isEmpty()) {
2523 this.processorArchitecture = processorArchitecture;
2527 void setTempDir(String tempDir) {
2528 if(this.tempDir == null || this.tempDir.isEmpty()) {
2529 this.tempDir = tempDir;
2533 void setDomain(String domain) {
2534 if(this.domain == null || this.domain.isEmpty()) {
2535 this.domain = domain;
2539 void setInstalltime(Long installtime) {
2540 if(this.domain == null) {
2541 this.installtime = installtime;
2545 void setSystemRoot(String systemRoot) {
2546 if(this.systemRoot == null || this.systemRoot.isEmpty()) {
2547 this.systemRoot = systemRoot;
2551 void setProductId(String productId) {
2552 if(this.productId == null || this.productId.isEmpty()) {
2553 this.productId = productId;
2557 void setRegOwner(String regOwner) {
2558 if(this.regOwner == null || this.regOwner.isEmpty()) {
2559 this.regOwner = regOwner;
2563 void setRegOrg(String regOrg) {
2564 if(this.regOrg == null || this.regOrg.isEmpty()) {
2565 this.regOrg = regOrg;