Autopsy  4.21.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
RecentDocumentsByLnk.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2021 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.File;
26 import java.util.ArrayList;
27 import java.util.List;
28 import java.util.logging.Level;
29 import org.apache.commons.io.FilenameUtils;
30 import org.openide.util.NbBundle;
32 import java.util.Collection;
33 import java.util.HashMap;
34 import org.openide.util.NbBundle.Messages;
40 import org.sleuthkit.datamodel.BlackboardArtifact;
41 import org.sleuthkit.datamodel.BlackboardAttribute;
42 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
43 import org.sleuthkit.datamodel.Content;
44 import org.sleuthkit.datamodel.TskCoreException;
45 import org.sleuthkit.datamodel.AbstractFile;
46 import org.sleuthkit.datamodel.ReadContentInputStream;
47 import org.sleuthkit.datamodel.TskData;
48 
53 class RecentDocumentsByLnk extends Extract {
54 
55  private static final Logger logger = Logger.getLogger(RecentDocumentsByLnk.class.getName());
56  private Content dataSource;
57  private final IngestJobContext context;
58 
59  @Messages({
60  "Progress_Message_Extract_Resent_Docs=Recent Documents",
61  "RecentDocumentsByLnk_displayName=Recent Documents by Link Analyzer"
62  })
63  RecentDocumentsByLnk(IngestJobContext context) {
64  super(Bundle.RecentDocumentsByLnk_displayName(), context);
65  this.context = context;
66  }
67 
75  private void getRecentDocuments() {
76 
77  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
78  List<AbstractFile> recentFiles;
79  try {
80  recentFiles = fileManager.findFiles(dataSource, "%.lnk", "Recent"); //NON-NLS
81  } catch (TskCoreException ex) {
82  logger.log(Level.WARNING, "Error searching for .lnk files."); //NON-NLS
83  this.addErrorMessage(
84  NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.getRecDoc.errMsg.errGetLnkFiles",
85  this.getDisplayName()));
86  return;
87  }
88 
89  if (recentFiles.isEmpty()) {
90  logger.log(Level.INFO, "Didn't find any recent files."); //NON-NLS
91  return;
92  }
93 
94  dataFound = true;
95  List<BlackboardArtifact> bbartifacts = new ArrayList<>();
96  HashMap<String, String> recentFileMap = new HashMap<>();
97  for (AbstractFile recentFile : recentFiles) {
98  if (context.dataSourceIngestIsCancelled()) {
99  break;
100  }
101 
102  if (recentFile.getSize() == 0) {
103  continue;
104  }
105  JLNK lnk;
106  JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize());
107  try {
108  lnk = lnkParser.parse();
109  } catch (JLnkParserException e) {
110  //TODO should throw a specific checked exception
111  boolean unalloc = recentFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)
112  || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC);
113  if (unalloc == false) {
114  logger.log(Level.WARNING, "Error lnk parsing the file to get recent files {0}", recentFile); //NON-NLS
115  }
116  continue;
117  }
118 
119  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
120  String path = lnk.getBestPath();
121  if (recentFileMap.get(path + File.separator + recentFile.getName()) == null) {
122  recentFileMap.put(path + File.separator + recentFile.getName(), recentFile.getName());
123  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
124  NbBundle.getMessage(this.getClass(),
125  "RecentDocumentsByLnk.parentModuleName.noSpace"),
126  path));
127  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
128  NbBundle.getMessage(this.getClass(),
129  "RecentDocumentsByLnk.parentModuleName.noSpace"),
130  Util.findID(dataSource, path)));
131  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
132  NbBundle.getMessage(this.getClass(),
133  "RecentDocumentsByLnk.parentModuleName.noSpace"),
134  recentFile.getCrtime()));
135  try {
136  BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, recentFile, bbattributes);
137  if (bba != null) {
138  bbartifacts.add(bba);
139  bba = createAssociatedArtifact(path, bba);
140  if (bba != null) {
141  bbartifacts.add(bba);
142  }
143  }
144  } catch (TskCoreException ex) {
145  logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", recentFile.getId()), ex);
146  }
147  }
148  }
149 
150  if (!context.dataSourceIngestIsCancelled()) {
151  postArtifacts(bbartifacts);
152  }
153  }
154 
165  private BlackboardArtifact createAssociatedArtifact(String filePathName, BlackboardArtifact bba) {
166  String normalizePathName = FilenameUtils.normalize(filePathName, true);
167  String fileName = FilenameUtils.getName(normalizePathName);
168  String filePath = FilenameUtils.getPath(normalizePathName);
169  List<AbstractFile> sourceFiles;
170  if (filePath == null) {
171  return null;
172  }
173  try {
174  sourceFiles = currentCase.getSleuthkitCase().getFileManager().findFilesExactNameExactPath(dataSource, fileName, filePath);
175  for (AbstractFile sourceFile : sourceFiles) {
176  if (sourceFile.getParentPath().endsWith(filePath)) {
177  return createAssociatedArtifact(sourceFile, bba);
178  }
179  }
180  } catch (TskCoreException ex) {
181  logger.log(Level.WARNING, String.format("Error finding actual file %s. file may not exist", filePathName), ex); //NON-NLS
182  }
183 
184  return null;
185  }
186 
187  @Override
188  public void process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
189  this.dataSource = dataSource;
190  dataFound = false;
191 
192  progressBar.progress(Bundle.Progress_Message_Extract_Resent_Docs());
193  this.getRecentDocuments();
194  }
195 }
List< AbstractFile > findFiles(String fileName)

Copyright © 2012-2022 Basis Technology. Generated on: Tue Feb 6 2024
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.