ShellBagParser.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2019 Basis Technology Corp.
 *
 * Copyright 2012 42six Solutions.
 * Contact: aebadirad <at> 42six <dot> com
 * Project Contact/Architect: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.recentactivity;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.logging.Level;
import org.sleuthkit.autopsy.coreutils.Logger;

class ShellBagParser {
    private static final Logger logger = Logger.getLogger(ShellBagParser.class.getName());
    
    private static final SimpleDateFormat DATE_TIME_FORMATTER = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss", Locale.getDefault());
    // Last Write date\time format from itempos plugin
    private static final SimpleDateFormat DATE_TIME_FORMATTER2 = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyyy", Locale.getDefault());

    private ShellBagParser() {
    }

    static List<ShellBag> parseShellbagOutput(String regFilePath) throws FileNotFoundException, IOException {
        List<ShellBag> shellbags = new ArrayList<>();
        File regfile = new File(regFilePath);

        ShellBagParser sbparser = new ShellBagParser();

        try (BufferedReader reader = new BufferedReader(new InputStreamReader(new FileInputStream(regfile), StandardCharsets.UTF_8))) {
            String line = reader.readLine();
            while (line != null) {
                line = line.trim();

                if (line.matches("^shellbags_xp v.*")) {
                    shellbags.addAll(sbparser.parseShellBagsXP(reader));
                } else if (line.matches("^shellbags v.*")) {
                    shellbags.addAll(sbparser.parseShellBags(reader));
                } else if (line.matches("^itempos.*")) {
                    shellbags.addAll(sbparser.parseItempos(reader));
                }

                line = reader.readLine();
            }
        }

        return shellbags;
    }

    List<ShellBag> parseShellBagsXP(BufferedReader reader) throws IOException {
        List<ShellBag> shellbags = new ArrayList<>();
        String line = reader.readLine();

        while (line != null && !isSectionSeparator(line)) {

            if (isShellbagXPDataLine(line)) {
                String[] tokens = line.split("\\|");
                if (tokens.length >= 6) {
                    shellbags.add(new ShellBag(tokens[5].trim(), "Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU", tokens[0].trim(), tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
                }
            }

            line = reader.readLine();
        }

        return shellbags;
    }

    List<ShellBag> parseShellBags(BufferedReader reader) throws IOException {
        List<ShellBag> shellbags = new ArrayList<>();
        String line = reader.readLine();
        String regPath = "Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU";

        while (line != null && !isSectionSeparator(line)) {

            if (isShellbagDataLine(line)) {
                String[] tokens = line.split("\\|");
                String path = tokens[6].replaceAll("\\[.*?\\]", "").trim();
                int index = line.lastIndexOf('[');
                String endstuff = "";
                if (index != -1) {
                    endstuff = line.substring(index, line.length() - 1).replace("[Desktop", "");
                }
                if (tokens.length >= 7) {
                    shellbags.add(new ShellBag(path, regPath + endstuff, tokens[0].trim(), tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
                }
            }

            line = reader.readLine();
        }

        return shellbags;
    }

    List<ShellBag> parseItempos(BufferedReader reader) throws IOException {
        List<ShellBag> shellbags = new ArrayList<>();
        String bagpath = "";
        String lastWrite = "";
        String line = reader.readLine();

        while (line != null && !isSectionSeparator(line)) {

            if (isItemposDataLine(line)) {
                String[] tokens = line.split("\\|");
                if (tokens.length >= 5) {
                    shellbags.add(new ShellBag(tokens[4].trim(), bagpath, lastWrite, tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
                }
            } else if (line.contains("Software\\")) {
                bagpath = line.trim();
                lastWrite = "";
            } else if (line.contains("LastWrite:")) {
                lastWrite = line.replace("LastWrite:", "").trim();
            }

            line = reader.readLine();
        }

        return shellbags;
    }

    boolean isSectionSeparator(String line) {
        if (line == null || line.isEmpty()) {
            return false;
        }

        return line.trim().matches("^-+");
    }

    boolean isItemposDataLine(String line) {
        return line.matches("^\\d*?\\s*?\\|.*?\\|.*?\\|.*?\\|.*?");
    }

    boolean isShellbagXPDataLine(String line) {
        return line.matches("^(\\d+?.*?\\s*? | \\s*?)\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?");
    }

    boolean isShellbagDataLine(String line) {
        return line.matches("^(\\d+?.*?\\s*? | \\s*?)\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?");
    }
    
    class ShellBag {

        private final String resource;
        private final String key;
        private final String lastWrite;
        private final String modified;
        private final String accessed;
        private final String created;

        ShellBag(String resource, String key, String lastWrite, String modified, String accessed, String created) {
            this.resource = resource;
            this.key = key;
            this.lastWrite = lastWrite;
            this.accessed = accessed;
            this.modified = modified;
            this.created = created;
        }

        String getResource() {
            return resource == null ? "" : resource;
        }

        String getKey() {
            return key == null ? "" : key;
        }

        long getLastWrite() {
            return parseDateTime(lastWrite);
        }

        long getModified() {
            return parseDateTime(modified);
        }
        
        long getAccessed() {
            return parseDateTime(accessed);
        }

        long getCreated() {
            return parseDateTime(created);
        }

        long parseDateTime(String dateTimeString) {
            if (!dateTimeString.isEmpty()) {
                try {
                    return DATE_TIME_FORMATTER.parse(dateTimeString).getTime() / 1000;
                } catch (ParseException ex) {
                    // The parse of the string may fail because there are two possible formats.
                }

                try {
                    return DATE_TIME_FORMATTER2.parse(dateTimeString).getTime() / 1000;
                } catch (ParseException ex) {
                    logger.log(Level.WARNING, String.format("ShellBag parse failure.  %s is not formated as expected.", dateTimeString), ex);
                }
            }
            return 0;
        }
    }

}