19 package org.sleuthkit.autopsy.recentactivity;
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.HashMap;
25 import java.util.Collection;
26 import java.util.List;
27 import java.util.Objects;
28 import java.util.logging.Level;
29 import org.openide.util.NbBundle;
35 import org.
sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
43 class ExtractWebAccountType
extends Extract {
45 private static final Logger logger = Logger.getLogger(ExtractWebAccountType.class.getName());
46 private final IngestJobContext context;
/**
 * Creates the extractor. The localized module name and the ingest job context
 * are passed to the Extract superclass; the context is also kept in a field,
 * where it is later used for the cancellation check and to build the
 * RoleProcessor.
 *
 * @param context The ingest job context for the current ingest job.
 */
48 ExtractWebAccountType(IngestJobContext context) {
49 super(NbBundle.getMessage(ExtractWebAccountType.class,
"ExtractWebAccountType.moduleName.text"), context);
50 this.context = context;
// Artifact types used as input for role detection: web history entries and
// service account artifacts.
53 private static final List<BlackboardArtifact.Type> QUERY_ARTIFACTS = Arrays.asList(
54 new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY),
55 new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_SERVICE_ACCOUNT)
/**
 * Queries the blackboard for the QUERY_ARTIFACTS types that belong to the
 * given data source, runs role detection on each returned artifact and then
 * asks the RoleProcessor to create the result artifacts.
 *
 * @param dataSource The data source whose artifacts are examined.
 */
58 private void extractDomainRoles(Content dataSource) {
// The query is limited to this data source's object ID.
61 Collection<BlackboardArtifact> listArtifacts = currentCase.getSleuthkitCase().getBlackboard().getArtifacts(
62 QUERY_ARTIFACTS, Arrays.asList(dataSource.getId()));
64 logger.log(Level.INFO,
"Processing {0} blackboard artifacts.", listArtifacts.size());
// One processor collects the roles found across all artifacts of this run.
67 RoleProcessor roleProcessor =
new RoleProcessor(context);
70 for (BlackboardArtifact artifact : listArtifacts) {
// Cancellation is checked once per artifact; the statements inside this
// check are not visible in this listing.
71 if (context.dataSourceIngestIsCancelled()) {
75 findRolesForUrl(artifact, roleProcessor);
79 roleProcessor.createArtifacts();
81 }
// A blackboard error is logged at SEVERE; no rethrow is visible in this
// listing. NOTE(review): if the error is only logged, a failed query produces
// no web account results for the data source - confirm that this is surfaced
// to the examiner rather than read as "no accounts found".
catch (TskCoreException e) {
82 logger.log(Level.SEVERE,
"Encountered error retrieving artifacts for domain role analysis", e);
/**
 * Reads the TSK_URL and TSK_DOMAIN attributes of an artifact and runs every
 * platform-specific role check against their lower-cased values.
 *
 * @param artifact      The artifact to inspect.
 * @param roleProcessor Collector that receives any role that is detected.
 *
 * @throws TskCoreException Declared by the signature; presumably raised by
 *                          the attribute lookups - confirm.
 */
94 private void findRolesForUrl(BlackboardArtifact artifact, RoleProcessor roleProcessor)
throws TskCoreException {
96 BlackboardAttribute urlAttr = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL));
// Null check on the URL attribute; what happens inside it is not visible in
// this listing (presumably the artifact is skipped).
97 if (urlAttr == null) {
101 BlackboardAttribute domainAttr = artifact.getAttribute(
new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN));
// Same null check for the domain attribute.
102 if (domainAttr == null) {
// NOTE(review): toLowerCase() without a Locale argument uses the JVM default
// locale. Under a Turkish locale an upper-case 'I' becomes dotless i (U+0131),
// so a path such as /ADMIN/INDEX.PHP would not match the patterns used by the
// platform checks; toLowerCase(Locale.ROOT) would make the result independent
// of the examiner workstation's locale.
106 String url = urlAttr.getValueString().toLowerCase();
107 String domain = domainAttr.getValueString().toLowerCase();
109 boolean roleFound =
false;
// Each check is the left operand of ||, so all four platform checks run even
// after an earlier one has already matched.
110 roleFound = findMyBbRole(url, domain, artifact, roleProcessor) || roleFound;
111 roleFound = findPhpBbRole(url, domain, artifact, roleProcessor) || roleFound;
112 roleFound = findJoomlaRole(url, domain, artifact, roleProcessor) || roleFound;
113 roleFound = findWordPressRole(url, domain, artifact, roleProcessor) || roleFound;
// No platform matched: a service account artifact still gets a generic USER
// role, with the domain passed as the platform name as well.
116 if (!roleFound && artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_SERVICE_ACCOUNT.getTypeID()) {
117 roleProcessor.addRole(domain, domain, Role.USER, url, artifact);
/**
 * Looks for myBB control panel paths in the URL and records the matching
 * role: /admin/index.php as ADMIN, /modcp.php as MOD, /usercp.php as USER.
 * The first matching branch wins.
 *
 * NOTE(review): the test is a substring match on the whole URL, so the
 * pattern can also match inside a query string or on a site that is not myBB.
 * A hit shows that such a URL was recorded, not that the account holds the
 * role; treat the result as an investigative lead.
 *
 * @param url           The lower-cased URL of the artifact.
 * @param domain        The lower-cased domain of the artifact.
 * @param artifact      The artifact the URL came from.
 * @param roleProcessor Collector that receives the detected role.
 *
 * @return The return statements are not visible in this listing; the caller
 *         uses the result as "a role was found".
 */
131 private boolean findMyBbRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
132 String platformName =
"myBB platform";
134 if (url.contains(
"/admin/index.php")) {
135 roleProcessor.addRole(domain, platformName, Role.ADMIN, url, artifact);
137 }
else if (url.contains(
"/modcp.php")) {
138 roleProcessor.addRole(domain, platformName, Role.MOD, url, artifact);
140 }
else if (url.contains(
"/usercp.php")) {
141 roleProcessor.addRole(domain, platformName, Role.USER, url, artifact);
/**
 * Looks for phpBB control panel paths in the URL and records the matching
 * role: /adm/index.php as ADMIN, /mcp.php as MOD, /ucp.php as USER. The first
 * matching branch wins.
 *
 * NOTE(review): these are short substring patterns tested against the whole
 * URL, so unrelated URLs that merely contain them would also be classified as
 * phpBB. The result indicates a URL pattern, not a verified account role.
 *
 * @param url           The lower-cased URL of the artifact.
 * @param domain        The lower-cased domain of the artifact.
 * @param artifact      The artifact the URL came from.
 * @param roleProcessor Collector that receives the detected role.
 *
 * @return The return statements are not visible in this listing; the caller
 *         uses the result as "a role was found".
 */
158 private boolean findPhpBbRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
159 String platformName =
"phpBB platform";
161 if (url.contains(
"/adm/index.php")) {
162 roleProcessor.addRole(domain, platformName, Role.ADMIN, url, artifact);
164 }
else if (url.contains(
"/mcp.php")) {
165 roleProcessor.addRole(domain, platformName, Role.MOD, url, artifact);
167 }
else if (url.contains(
"/ucp.php")) {
168 roleProcessor.addRole(domain, platformName, Role.USER, url, artifact);
/**
 * Looks for the Joomla administrator path in the URL and records an ADMIN
 * role when /administrator/index.php is present. No other Joomla role is
 * detected in the lines visible here.
 *
 * NOTE(review): the match is a substring test on the whole URL, so it flags
 * that an administrator URL was recorded, not that an administrator session
 * existed.
 *
 * @param url           The lower-cased URL of the artifact.
 * @param domain        The lower-cased domain of the artifact.
 * @param artifact      The artifact the URL came from.
 * @param roleProcessor Collector that receives the detected role.
 *
 * @return The return statements are not visible in this listing; the caller
 *         uses the result as "a role was found".
 */
185 private boolean findJoomlaRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
186 String platformName =
"Joomla platform";
188 if (url.contains(
"/administrator/index.php")) {
189 roleProcessor.addRole(domain, platformName, Role.ADMIN, url, artifact);
/**
 * Looks for WordPress dashboard URLs and records a USER or ADMIN role
 * depending on which page under /wp-admin/ was recorded.
 *
 * NOTE(review): the match is a substring test on the whole URL; a hit shows
 * that a /wp-admin/ URL was recorded, not that the account holds the role.
 *
 * @param url           The lower-cased URL of the artifact.
 * @param domain        The lower-cased domain of the artifact.
 * @param artifact      The artifact the URL came from.
 * @param roleProcessor Collector that receives the detected role.
 *
 * @return The return statements are not visible in this listing; the caller
 *         uses the result as "a role was found".
 */
206 private boolean findWordPressRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
207 String platformName =
"WordPress platform";
// Only URLs that contain /wp-admin/ are considered at all.
211 if (url.contains(
"/wp-admin/")) {
// The dashboard root, index.php and profile.php are recorded as USER,
// presumably because those pages do not require administrator rights -
// confirm. The second addRole call records ADMIN; the branch line between the
// two calls is not visible in this listing (presumably an else).
213 if (url.endsWith(
"/wp-admin/")
214 || url.contains(
"/wp-admin/index.php")
215 || url.contains(
"/wp-admin/profile.php")) {
216 roleProcessor.addRole(domain, platformName, Role.USER, url, artifact);
219 roleProcessor.addRole(domain, platformName, Role.ADMIN, url, artifact);
/**
 * Runs domain role extraction for the given data source.
 *
 * @param dataSource  The data source to analyze.
 * @param progressBar Not used in the lines visible here.
 */
228 void process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
229 extractDomainRoles(dataSource);
// Role currently stored for each RoleKey; addRole replaces an entry only when
// a higher-ranked role is reported for the same key.
242 private final Map<RoleKey, DomainRole>
roles =
new HashMap<>();
/**
 * Records a role, keeping only the highest-ranked role seen for a key.
 *
 * @param domain   The domain the role was seen on.
 * @param platform The platform name reported by the detector.
 * @param role     The detected role.
 * @param url      The URL that triggered the detection.
 * @param artifact The artifact the URL came from.
 */
259 void addRole(String domain, String platform,
Role role, String url, BlackboardArtifact artifact) {
// `key` is declared on a line that is not visible in this listing;
// presumably a RoleKey built from domain and platform - confirm.
// The entry is written when the key is new or when the new role outranks the
// stored one (the second containsKey test is implied by the first failing).
// The stored URL and artifact are those of the winning role, so lower-ranked
// sightings for the same key are not retained in the result.
261 if ((!roles.containsKey(key))
262 || (roles.containsKey(key) && (role.
getRank() > roles.get(key).getRole().getRank()))) {
263 roles.put(key,
new DomainRole(domain, platform, role, url, artifact));
/**
 * Turns every stored role into a TSK_WEB_ACCOUNT_TYPE artifact that carries
 * the domain, a text of the form "role description (platform)" and the URL,
 * then passes the collected artifacts to postArtifacts.
 */
270 void createArtifacts() {
272 if (roles.isEmpty()) {
273 logger.log(Level.INFO,
"Didn't find any web accounts.");
276 logger.log(Level.INFO,
"Found {0} web accounts.", roles.keySet().size());
280 List<BlackboardArtifact> artifactList =
new ArrayList<>();
281 for (RoleKey key : roles.keySet()) {
286 DomainRole role = roles.get(key);
// The new artifact is attached to the file that the source artifact refers
// to, looked up by object ID. NOTE(review): the lines after this lookup are
// not visible in this listing - confirm that a missing file is handled before
// it is passed on.
288 AbstractFile file = tskCase.getAbstractFileById(role.getArtifact().getObjectID());
// Human-readable summary, e.g. role description followed by the platform
// name in parentheses.
293 String desc = role.getRole().
getDesc() +
" (" + role.getPlatform() +
")";
// Every attribute uses the parent module name from the resource bundle as its
// source string.
295 Collection<BlackboardAttribute> bbattributes =
new ArrayList<>();
296 bbattributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN,
297 NbBundle.getMessage(
this.getClass(),
298 "ExtractWebAccountType.parentModuleName"), role.getDomain()));
299 bbattributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT,
300 NbBundle.getMessage(
this.getClass(),
301 "ExtractWebAccountType.parentModuleName"), desc));
302 bbattributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL,
303 NbBundle.getMessage(
this.getClass(),
304 "ExtractWebAccountType.parentModuleName"), role.getUrl()));
306 artifactList.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_WEB_ACCOUNT_TYPE, file, bbattributes));
// The collected artifacts are handed over in a single postArtifacts call.
310 postArtifacts(artifactList);
312 }
// Failures are logged at SEVERE; where the try block begins is not visible in
// this listing, so which statements it covers should be confirmed.
catch (TskCoreException ex) {
313 logger.log(Level.SEVERE,
"Error creating web accounts", ex);
322 "ExtractWebAccountType.role.user=User role",
323 "ExtractWebAccountType.role.moderator=Moderator role",
324 "ExtractWebAccountType.role.admin=Administrator role"
// Each constant pairs a localized description with a numeric rank. The ranks
// order the roles USER (0) < MOD (1) < ADMIN (2); addRole compares them via
// getRank() to keep the highest-ranked role per key.
327 USER(Bundle.ExtractWebAccountType_role_user(), 0),
328 MOD(Bundle.ExtractWebAccountType_role_moderator(), 1),
329 ADMIN(Bundle.ExtractWebAccountType_role_admin(), 2);
356 RoleKey(String domain, String platform) {
// Equality test: the other object must be a RoleKey (what happens otherwise
// is not visible in this listing), and both domain and platform must match.
363 if (!(other instanceof
RoleKey)) {
367 RoleKey otherKey = (RoleKey) other;
368 return (domain.equals(otherKey.
domain)
369 && platform.equals(otherKey.
platform));
// The hash is built from the same two fields that the equality test compares,
// which keeps the two consistent for use as a HashMap key.
375 hash = 79 * hash + Objects.hashCode(this.domain);
376 hash = 79 * hash + Objects.hashCode(this.platform);
387 final String platform;
390 final BlackboardArtifact artifact;
392 DomainRole(String domain, String platform,
Role role, String url, BlackboardArtifact artifact) {
393 this.domain = domain;
395 this.platform = platform;
397 this.artifact = artifact;
404 String getPlatform() {
416 BlackboardArtifact getArtifact() {