Autopsy 4.23.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Chromium.java
Go to the documentation of this file.
1/*
2 *
3 * Autopsy Forensic Browser
4 *
5 * Copyright 2012-2021 Basis Technology Corp.
6 *
7 * Copyright 2012 42six Solutions.
8 *
9 * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10 *
11 * Licensed under the Apache License, Version 2.0 (the "License");
12 * you may not use this file except in compliance with the License.
13 * You may obtain a copy of the License at
14 *
15 * http://www.apache.org/licenses/LICENSE-2.0
16 *
17 * Unless required by applicable law or agreed to in writing, software
18 * distributed under the License is distributed on an "AS IS" BASIS,
19 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20 * See the License for the specific language governing permissions and
21 * limitations under the License.
22 */
23package org.sleuthkit.autopsy.recentactivity;
24
25import com.google.common.collect.ImmutableMap;
26import com.google.gson.JsonArray;
27import com.google.gson.JsonElement;
28import com.google.gson.JsonIOException;
29import com.google.gson.JsonObject;
30import com.google.gson.JsonParser;
31import com.google.gson.JsonSyntaxException;
32import java.io.BufferedReader;
33import org.openide.util.NbBundle;
34import org.sleuthkit.autopsy.datamodel.ContentUtils;
35import java.util.logging.Level;
36import java.io.File;
37import java.io.FileNotFoundException;
38import java.io.FileReader;
39import java.io.IOException;
40import java.util.Collection;
41import java.util.List;
42import java.util.Map;
43import java.util.HashMap;
44import java.util.ArrayList;
45import java.util.Arrays;
46import java.util.Set;
47import org.apache.commons.io.FilenameUtils;
48import org.apache.commons.lang3.StringUtils;
49import org.openide.util.NbBundle.Messages;
50import org.sleuthkit.autopsy.casemodule.Case;
51import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
52import org.sleuthkit.autopsy.casemodule.services.FileManager;
53import org.sleuthkit.autopsy.coreutils.Logger;
54import org.sleuthkit.autopsy.coreutils.NetworkUtils;
55import org.sleuthkit.autopsy.coreutils.PlatformUtil;
56import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
57import org.sleuthkit.autopsy.ingest.IngestJobContext;
58import org.sleuthkit.datamodel.AbstractFile;
59import org.sleuthkit.datamodel.Blackboard;
60import org.sleuthkit.datamodel.BlackboardArtifact;
61import org.sleuthkit.datamodel.BlackboardAttribute;
62import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
63import org.sleuthkit.datamodel.Content;
64import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
65import org.sleuthkit.datamodel.Score;
66import org.sleuthkit.datamodel.TskCoreException;
67import org.sleuthkit.datamodel.TskData;
68import org.sleuthkit.datamodel.blackboardutils.WebBrowserArtifactsHelper;
69
73class Chromium extends Extract {
74
75 private static final String HISTORY_QUERY = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS
76 + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS
77 private static final String COOKIE_QUERY = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS
78 private static final String DOWNLOAD_QUERY = "SELECT full_path, url, start_time, received_bytes FROM downloads"; //NON-NLS
79 private static final String DOWNLOAD_QUERY_V30 = "SELECT current_path AS full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS
80 private static final String LOGIN_QUERY = "SELECT origin_url, username_value, date_created, signon_realm from logins"; //NON-NLS
81 private static final String AUTOFILL_QUERY = "SELECT name, value, count, date_created "
82 + " FROM autofill, autofill_dates "
83 + " WHERE autofill.pair_id = autofill_dates.pair_id"; //NON-NLS
84 private static final String AUTOFILL_QUERY_V8X = "SELECT name, value, count, date_created, date_last_used from autofill"; //NON-NLS
85 private static final String WEBFORM_ADDRESS_QUERY = "SELECT first_name, middle_name, last_name, address_line_1, address_line_2, city, state, zipcode, country_code, number, email, date_modified "
86 + " FROM autofill_profiles, autofill_profile_names, autofill_profile_emails, autofill_profile_phones"
87 + " WHERE autofill_profiles.guid = autofill_profile_names.guid AND autofill_profiles.guid = autofill_profile_emails.guid AND autofill_profiles.guid = autofill_profile_phones.guid";
88
89 private static final String WEBFORM_ADDRESS_QUERY_V8X = "SELECT first_name, middle_name, last_name, full_name, street_address, city, state, zipcode, country_code, number, email, date_modified, use_date, use_count"
90 + " FROM autofill_profiles, autofill_profile_names, autofill_profile_emails, autofill_profile_phones"
91 + " WHERE autofill_profiles.guid = autofill_profile_names.guid AND autofill_profiles.guid = autofill_profile_emails.guid AND autofill_profiles.guid = autofill_profile_phones.guid";
92 private static final String FAVICON_QUERY = "SELECT page_url, last_updated, last_requested FROM icon_mapping, favicon_bitmaps "
93 + " WHERE icon_mapping.icon_id = favicon_bitmaps.icon_id";
94 private static final String LOCALSTATE_FILE_NAME = "Local State";
95 private static final String EXTENSIONS_FILE_NAME = "Secure Preferences";
96 private static final String HISTORY_FILE_NAME = "History";
97 private static final String BOOKMARK_FILE_NAME = "Bookmarks";
98 private static final String COOKIE_FILE_NAME = "Cookies";
99 private static final String LOGIN_DATA_FILE_NAME = "Login Data";
100 private static final String WEB_DATA_FILE_NAME = "Web Data";
101 private static final String FAVICON_DATA_FILE_NAME = "Favicons";
102 private static final String UC_BROWSER_NAME = "UC Browser";
103 private static final String OPERA_BROWSER_NAME = "Opera";
104 private static final String ENCRYPTED_FIELD_MESSAGE = "The data was encrypted.";
105 private static final String GOOGLE_PROFILE_NAME = "Profile";
106 private static final String GOOGLE_PROFILE = "Google Chrome ";
107 private static final String FAVICON_ARTIFACT_NAME = "TSK_FAVICON"; //NON-NLS
108 private static final String LOCAL_STATE_ARTIFACT_NAME = "TSK_LOCAL_STATE"; //NON-NLS
109 private static final String EXTENSIONS_ARTIFACT_NAME = "TSK_CHROME_EXTENSIONS"; //NON-NLS
110 private static final String MALICIOUS_EXTENSION_FOUND = "Malicious Extension Found - ";
111
112 private Boolean databaseEncrypted = false;
113 private Boolean fieldEncrypted = false;
114
115 private static final String MALICIOUS_CHROME_EXTENSION_LIST = "malicious_chrome_extensions.csv";
116 private Map<String, String> maliciousChromeExtensions;
117
118 private final Logger logger = Logger.getLogger(this.getClass().getName());
119 private Content dataSource;
120 private final IngestJobContext context;
121
122 private Map<String, String> userProfiles;
123 private Map<String, String> browserLocations;
124
125 private static final Map<String, String> BROWSERS_MAP = ImmutableMap.<String, String>builder()
126 .put("Microsoft Edge", "Microsoft/Edge/User Data")
127 .put("Yandex", "YandexBrowser/User Data")
128 .put("Opera", "Opera Software/Opera Stable")
129 .put("SalamWeb", "SalamWeb/User Data")
130 .put("UC Browser", "UCBrowser/User Data%")
131 .put("Brave", "BraveSoftware/Brave-Browser/User Data")
132 .put("Google Chrome", "Chrome/User Data")
133 .build();
134
135 @Messages({"# {0} - browserName",
136 "Progress_Message_Chrome_History=Chrome History Browser {0}",
137 "# {0} - browserName",
138 "Progress_Message_Chrome_Bookmarks=Chrome Bookmarks Browser {0}",
139 "# {0} - browserName",
140 "Progress_Message_Chrome_Cookies=Chrome Cookies Browser {0}",
141 "# {0} - browserName",
142 "Progress_Message_Chrome_Downloads=Chrome Downloads Browser {0}",
143 "# {0} - browserName",
144 "Progress_Message_Chrome_Profiles=Chrome Profiles {0}",
145 "# {0} - browserName",
146 "Progress_Message_Chrome_Extensions=Chrome Extensions {0}",
147 "# {0} - browserName",
148 "Progress_Message_Chrome_Favicons=Chrome Downloads Favicons {0}",
149 "Progress_Message_Chrome_FormHistory=Chrome Form History",
150 "# {0} - browserName",
151 "Progress_Message_Chrome_AutoFill=Chrome Auto Fill Browser {0}",
152 "# {0} - browserName",
153 "Progress_Message_Chrome_Logins=Chrome Logins Browser {0}",
154 "Progress_Message_Chrome_Cache=Chrome Cache",})
155
156 Chromium(IngestJobContext context) {
157 super(NbBundle.getMessage(Chromium.class, "Chrome.moduleName"), context);
158 this.context = context;
159 }
160
161 @Override
162 public void process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
163 this.dataSource = dataSource;
164 dataFound = false;
165 long ingestJobId = context.getJobId();
166 String now1 = "";
167 loadMaliciousChromeExetnsions();
168 userProfiles = new HashMap<>();
169 browserLocations = new HashMap<>();
170 for (Map.Entry<String, String> browser : BROWSERS_MAP.entrySet()) {
171 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Profiles", browser.getKey()));
172 getProfiles(browser.getKey(), browser.getValue(), ingestJobId);
173 if (context.dataSourceIngestIsCancelled()) {
174 return;
175 }
176 }
177 for (Map.Entry<String, String> profile : userProfiles.entrySet()) {
178 String browserLocation = profile.getKey();
179 String browserName = browserLocations.get(browserLocation);
180 String userName = profile.getValue();
181 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Extensions", browserName));
182 this.getExtensions(browserName, browserLocation, userName, ingestJobId);
183 if (context.dataSourceIngestIsCancelled()) {
184 return;
185 }
186 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_History", browserName));
187 this.getHistory(browserName, browserLocation, userName, ingestJobId);
188 if (context.dataSourceIngestIsCancelled()) {
189 return;
190 }
191
192 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Bookmarks", browserName));
193 this.getBookmark(browserName, browserLocation, userName, ingestJobId);
194 if (context.dataSourceIngestIsCancelled()) {
195 return;
196 }
197
198 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Cookies", browserName));
199 this.getCookie(browserName, browserLocation, userName, ingestJobId);
200 if (context.dataSourceIngestIsCancelled()) {
201 return;
202 }
203
204 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Logins", browserName));
205 this.getLogins(browserName, browserLocation, userName, ingestJobId);
206 if (context.dataSourceIngestIsCancelled()) {
207 return;
208 }
209
210 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_AutoFill", browserName));
211 this.getAutofill(browserName, browserLocation, userName, ingestJobId);
212 if (context.dataSourceIngestIsCancelled()) {
213 return;
214 }
215
216 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Downloads", browserName));
217 this.getDownload(browserName, browserLocation, userName, ingestJobId);
218 if (context.dataSourceIngestIsCancelled()) {
219 return;
220 }
221
222 progressBar.progress(NbBundle.getMessage(this.getClass(), "Progress_Message_Chrome_Favicons", browserName));
223 this.getFavicons(browserName, browserLocation, userName, ingestJobId);
224 if (context.dataSourceIngestIsCancelled()) {
225 return;
226 }
227 }
228
229 progressBar.progress(Bundle.Progress_Message_Chrome_Cache());
230 ChromeCacheExtractor chromeCacheExtractor = new ChromeCacheExtractor(dataSource, context, progressBar);
231 chromeCacheExtractor.processCaches();
232 }
233
241 private void getProfiles(String browser, String browserLocation, long ingestJobId) {
242 FileManager fileManager = currentCase.getServices().getFileManager();
243 String browserName = browser;
244 List<AbstractFile> localStateFiles;
245 String localStateName = LOCALSTATE_FILE_NAME;
246 if (browserName.equals(UC_BROWSER_NAME)) {
247 localStateName = LOCALSTATE_FILE_NAME + "%";
248 }
249 try {
250 localStateFiles = fileManager.findFiles(dataSource, localStateName, browserLocation); //NON-NLS
251 } catch (TskCoreException ex) {
252 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLocalState.errMsg.errGettingFiles");
253 logger.log(Level.SEVERE, msg, ex);
254 this.addErrorMessage(this.getDisplayName() + ": " + msg);
255 return;
256 }
257
258 // get only the allocated ones, for now
259 List<AbstractFile> allocatedLocalStateFiles = new ArrayList<>();
260 for (AbstractFile localStateFile : localStateFiles) {
261 if (localStateFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
262 allocatedLocalStateFiles.add(localStateFile);
263 }
264 }
265
266 // log a message if we don't have any allocated Local State files
267 if (allocatedLocalStateFiles.isEmpty()) {
268 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLocalState.errMsg.couldntFindAnyFiles");
269 logger.log(Level.INFO, msg);
270 return;
271 }
272
273 dataFound = true;
274 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
275 int j = 0;
276 while (j < allocatedLocalStateFiles.size()) {
277 if (browser.contains(GOOGLE_PROFILE_NAME)) {
278 String parentPath = FilenameUtils.normalizeNoEndSeparator(allocatedLocalStateFiles.get(j).getParentPath());
279 browserName = GOOGLE_PROFILE + " " + FilenameUtils.getBaseName(parentPath);
280 }
281 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + allocatedLocalStateFiles.get(j).getName() + j; //NON-NLS
282 final AbstractFile localStateFile = allocatedLocalStateFiles.get(j++);
283 if ((localStateFile.getSize() == 0) || (localStateFile.getName().toLowerCase().contains("-slack"))
284 || (localStateFile.getName().toLowerCase().contains("cache")) || (localStateFile.getName().toLowerCase().contains("media"))
285 || (localStateFile.getName().toLowerCase().contains("index"))) {
286 continue;
287 }
288 try {
289 ContentUtils.writeToFile(localStateFile, new File(temps), context::dataSourceIngestIsCancelled);
290 } catch (ReadContentInputStreamException ex) {
291 logger.log(Level.WARNING, String.format("Error reading Chrome web Local State artifacts file '%s' (id=%d).",
292 localStateFile.getName(), localStateFile.getId()), ex); //NON-NLS
293 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLocalState.errMsg.errAnalyzingFile",
294 this.getDisplayName(), localStateFile.getName()));
295 continue;
296 } catch (IOException ex) {
297 logger.log(Level.SEVERE, String.format("Error writing temp file '%s' for Chrome Local State artifacts file '%s' (id=%d).",
298 temps, localStateFile.getName(), localStateFile.getId()), ex); //NON-NLS
299 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLocalState.errMsg.errAnalyzingFile",
300 this.getDisplayName(), localStateFile.getName()));
301 continue;
302 }
303
304 if (context.dataSourceIngestIsCancelled()) {
305 break;
306 }
307
308 FileReader tempReader;
309 try {
310 tempReader = new FileReader(temps);
311 } catch (FileNotFoundException ex) {
312 logger.log(Level.WARNING, "Error while trying to read into the LocalState file.", ex); //NON-NLS
313 continue;
314 }
315
316 JsonElement jsonElement;
317 JsonObject jElement, jProfile, jInfoCache;
318
319 try {
320 jsonElement = JsonParser.parseReader(tempReader);
321 jElement = jsonElement.getAsJsonObject();
322 if (jElement.has("profile")) {
323 jProfile = jElement.get("profile").getAsJsonObject(); //NON-NLS
324 jInfoCache = jProfile.get("info_cache").getAsJsonObject();
325 } else {
326 userProfiles.put(browserLocation, "Default");
327 browserLocations.put(browserLocation, browser);
328 continue;
329 }
330 } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) {
331 logger.log(Level.WARNING, "Error parsing Json from LocalState.", ex); //NON-NLS
332 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getlocalState.errMsg.errAnalyzingFile",
333 this.getDisplayName(), localStateFile.getName()));
334 continue;
335 }
336
337 BlackboardArtifact.Type localStateArtifactType;
338
339 try {
340 localStateArtifactType = createArtifactType(LOCAL_STATE_ARTIFACT_NAME, NbBundle.getMessage(this.getClass(), "Chrome.getLocalState.displayName"));
341 } catch (TskCoreException ex) {
342 logger.log(Level.SEVERE, String.format("Error creating artifact type for LocalState."), ex); //NON-NLS
343 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getfavicon.errMsg.errCreateArtifact"));
344 continue;
345
346 }
347 Set<String> profileNames = jInfoCache.keySet();
348 for (String profileName : profileNames) {
349 JsonElement result = jInfoCache.get(profileName);
350 JsonObject profile = result.getAsJsonObject();
351 if (profile == null) {
352 continue;
353 }
354 JsonElement gaiaIdEl = profile.get("gaia_id"); //NON-NLS
355 String gaiaId;
356 if (gaiaIdEl != null) {
357 gaiaId = gaiaIdEl.getAsString();
358 } else {
359 gaiaId = "";
360 }
361 String hostedDomain;
362 JsonElement hostedDomainEl = profile.get("hosted_domain"); //NON-NLS
363 if (hostedDomainEl != null) {
364 hostedDomain = hostedDomainEl.getAsString();
365 } else {
366 hostedDomain= "";
367 }
368 String shortcutName;
369 JsonElement shortcutNameEl = profile.get("shortcut_name"); //NON-NLS
370 if (shortcutNameEl != null) {
371 shortcutName = shortcutNameEl.getAsString();
372 } else {
373 shortcutName = "";
374 }
375 String name;
376 JsonElement nameEl = profile.get("name"); //NON-NLS
377 if (nameEl != null) {
378 name = nameEl.getAsString();
379 } else {
380 name= "";
381 }
382 String userName;
383 JsonElement userNameEl = profile.get("user_name"); //NON-NLS
384 if (userNameEl != null) {
385 userName = userNameEl.getAsString();
386 } else {
387 userName = "";
388 }
389
390 if (userName.contains("")) {
391 userProfiles.put(browserLocation + "/" + profileName, name);
392 browserLocations.put(browserLocation + "/" + profileName, browser);
393 } else {
394 userProfiles.put(browserLocation + "/" + profileName, userName);
395 browserLocations.put(browserLocation + "/" + profileName, browser);
396 }
397
398 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
399 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
400 RecentActivityExtracterModuleFactory.getModuleName(), profileName));
401 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID,
402 RecentActivityExtracterModuleFactory.getModuleName(), gaiaId));
403 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
404 RecentActivityExtracterModuleFactory.getModuleName(), hostedDomain));
405 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SHORTCUT,
406 RecentActivityExtracterModuleFactory.getModuleName(), shortcutName));
407 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
408 RecentActivityExtracterModuleFactory.getModuleName(), name));
409 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
410 RecentActivityExtracterModuleFactory.getModuleName(), userName));
411 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
412 RecentActivityExtracterModuleFactory.getModuleName(), browserName));
413
414 try {
415 bbartifacts.add(createArtifactWithAttributes(localStateArtifactType, localStateFile, bbattributes));
416 } catch (TskCoreException ex) {
417 logger.log(Level.SEVERE, String.format("Failed to create bookmark artifact for file (%d)", localStateFile.getId()), ex);
418 }
419
420 }
421
422 if (!context.dataSourceIngestIsCancelled()) {
423 postArtifacts(bbartifacts);
424 }
425 bbartifacts.clear();
426
427 }
428 // Check if Default, Guest Profile and System Profile are in the usersProfiles, if they are not then add them
429 if (!userProfiles.containsKey("Default")) {
430 userProfiles.put(browserLocation + "/" + "Default", "Default");
431 browserLocations.put(browserLocation + "/" + "Default", browser);
432 }
433 if (!userProfiles.containsKey("Guest Profile")) {
434 userProfiles.put(browserLocation + "/" + "Guest Profile", "Guest");
435 browserLocations.put(browserLocation + "/" + "Guest Profile", browser);
436 }
437 if (!userProfiles.containsKey("System Profile")) {
438 userProfiles.put(browserLocation + "/" + "System Profile", "System");
439 browserLocations.put(browserLocation + "/" + "System Profile", browser);
440 }
441 }
442
450 private void getExtensions(String browser, String browserLocation, String userName, long ingestJobId) {
451 FileManager fileManager = currentCase.getServices().getFileManager();
452 String browserName = browser;
453 List<AbstractFile> extensionFiles;
454 String extensionsName = EXTENSIONS_FILE_NAME;
455 if (browserName.equals(UC_BROWSER_NAME)) {
456 extensionsName = EXTENSIONS_FILE_NAME + "%";
457 }
458 try {
459 // Local State file is found in the directory about the browserLocation, that is why it is being removed
460 extensionFiles = fileManager.findFiles(dataSource, extensionsName, browserLocation); //NON-NLS
461 } catch (TskCoreException ex) {
462 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getExtensions.errMsg.errGettingFiles");
463 logger.log(Level.SEVERE, msg, ex);
464 this.addErrorMessage(this.getDisplayName() + ": " + msg);
465 return;
466 }
467
468 // get only the allocated ones, for now
469 List<AbstractFile> allocatedExtensionsFiles = new ArrayList<>();
470 for (AbstractFile extensionFile : extensionFiles) {
471 if (extensionFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
472 allocatedExtensionsFiles.add(extensionFile);
473 }
474 }
475
476 // log a message if we don't have any allocated Local State files
477 if (allocatedExtensionsFiles.isEmpty()) {
478 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getExtensions.errMsg.couldntFindAnyFiles");
479 logger.log(Level.INFO, msg);
480 return;
481 }
482
483 dataFound = true;
484 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
485 int j = 0;
486 while (j < allocatedExtensionsFiles.size()) {
487 if (browser.contains(GOOGLE_PROFILE_NAME)) {
488 String parentPath = FilenameUtils.normalizeNoEndSeparator(allocatedExtensionsFiles.get(j).getParentPath());
489 browserName = GOOGLE_PROFILE + " " + FilenameUtils.getBaseName(parentPath);
490 }
491 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + allocatedExtensionsFiles.get(j).getName() + j; //NON-NLS
492 final AbstractFile extensionFile = allocatedExtensionsFiles.get(j++);
493 if ((extensionFile.getSize() == 0) || (extensionFile.getName().toLowerCase().contains("-slack"))
494 || (extensionFile.getName().toLowerCase().contains("cache")) || (extensionFile.getName().toLowerCase().contains("media"))
495 || (extensionFile.getName().toLowerCase().contains("index"))) {
496 continue;
497 }
498 try {
499 ContentUtils.writeToFile(extensionFile, new File(temps), context::dataSourceIngestIsCancelled);
500 } catch (ReadContentInputStreamException ex) {
501 logger.log(Level.WARNING, String.format("Error reading Chrome web extension artifacts file '%s' (id=%d).",
502 extensionFile.getName(), extensionFile.getId()), ex); //NON-NLS
503 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getExtensions.errMsg.errAnalyzingFile",
504 this.getDisplayName(), extensionFile.getName()));
505 continue;
506 } catch (IOException ex) {
507 logger.log(Level.SEVERE, String.format("Error writing temp file '%s' for Chrome Extensions artifacts file '%s' (id=%d).",
508 temps, extensionFile.getName(), extensionFile.getId()), ex); //NON-NLS
509 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getExtensions.errMsg.errAnalyzingFile",
510 this.getDisplayName(), extensionFile.getName()));
511 continue;
512 }
513
514 if (context.dataSourceIngestIsCancelled()) {
515 break;
516 }
517
518 FileReader tempReader;
519 try {
520 tempReader = new FileReader(temps);
521 } catch (FileNotFoundException ex) {
522 logger.log(Level.WARNING, "Error while trying to read into the Secure Preferences file.", ex); //NON-NLS
523 continue;
524 }
525
526 BlackboardArtifact.Type localStateArtifactType;
527
528 try {
529 localStateArtifactType = createArtifactType(EXTENSIONS_ARTIFACT_NAME, NbBundle.getMessage(this.getClass(), "Chrome.getExtensions.displayName"));
530 } catch (TskCoreException ex) {
531 logger.log(Level.SEVERE, String.format("Error creating artifact type for Secure Preferences."), ex); //NON-NLS
532 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getExtensions.errMsg.errCreateArtifact"));
533 continue;
534 }
535
536 String profileName = FilenameUtils.getBaseName(StringUtils.chop(extensionFile.getParentPath()));
537
538 JsonElement jsonElement;
539 JsonObject jElement, jExtensions, jSettings;
540
541 try {
542 jsonElement = JsonParser.parseReader(tempReader);
543 jElement = jsonElement.getAsJsonObject();
544 if (jElement.has("extensions")) {
545 logger.log(Level.WARNING, String.format("Processing Secure Preferences from %s", extensionFile.getParentPath()));
546 jExtensions = jElement.get("extensions").getAsJsonObject(); //NON-NLS
547 if (!browserName.equals(OPERA_BROWSER_NAME)) {
548 jSettings = jExtensions.get("settings").getAsJsonObject();
549 } else {
550 jSettings = jExtensions.get("opsettings").getAsJsonObject();
551 }
552 } else {
553 continue;
554 }
555 } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) {
556 logger.log(Level.WARNING, "Error parsing Json from Secure Preferences.", ex); //NON-NLS
557 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getExtensoins.errMsg.errAnalyzingFile",
558 this.getDisplayName(), extensionFile.getName()));
559 continue;
560 }
561
562 Set<String> extensions = jSettings.keySet();
563 for (String extension : extensions) {
564 JsonElement result = jSettings.get(extension);
565 JsonObject ext = result.getAsJsonObject();
566 if (ext == null) {
567 continue;
568 }
569 JsonElement flagEl = ext.get("state"); //NON-NLS
570 String flag;
571 if (flagEl != null) {
572 if (flagEl.getAsInt() == 1) {
573 flag = "Enabled";
574 } else {
575 flag = "Disabled";
576 }
577 } else {
578 flag = "";
579 }
580 String apiGrantedPermissions = "";
581 if (ext.has("active_permissions")) {
582 JsonObject permissions = ext.get("active_permissions").getAsJsonObject();
583 JsonArray apiPermissions = permissions.get("api").getAsJsonArray();
584 for (JsonElement apiPermission : apiPermissions) {
585 if (apiPermission.isJsonPrimitive()) {
586 String apigrantEl = apiPermission.getAsString();
587 if (apigrantEl != null) {
588 apiGrantedPermissions = apiGrantedPermissions + ", " + apigrantEl;
589 } else {
590 apiGrantedPermissions = apiGrantedPermissions + "";
591 }
592 }
593 }
594 }
595 String version;
596 String description;
597 String extName;
598 if (ext.has("manifest")) {
599 JsonObject manifest = ext.get("manifest").getAsJsonObject();
600 JsonElement descriptionEl = manifest.get("description");
601 if (descriptionEl != null) {
602 description = descriptionEl.getAsString();
603 } else {
604 description = "";
605 }
606 JsonElement versionEl = manifest.get("version");
607 if (versionEl != null) {
608 version = versionEl.getAsString();
609 } else {
610 version = "";
611 }
612 JsonElement extNameEl = manifest.get("name");
613 if (extNameEl != null) {
614 extName = extNameEl.getAsString();
615 } else {
616 extName = "";
617 }
618 } else {
619 version = "";
620 description = "";
621 extName = "";
622 }
623 BlackboardArtifact art = null;
624 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
625 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ID,
626 RecentActivityExtracterModuleFactory.getModuleName(), extension));
627 if (maliciousChromeExtensions.get(extension) != null) {
628 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
629 RecentActivityExtracterModuleFactory.getModuleName(),
630 MALICIOUS_EXTENSION_FOUND + maliciousChromeExtensions.getOrDefault(extension, "No Source Identified")));
631 }
632 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
633 RecentActivityExtracterModuleFactory.getModuleName(), extName));
634 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DESCRIPTION,
635 RecentActivityExtracterModuleFactory.getModuleName(), description));
636 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VERSION,
637 RecentActivityExtracterModuleFactory.getModuleName(), version));
638 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_FLAG,
639 RecentActivityExtracterModuleFactory.getModuleName(), flag));
640 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PERMISSIONS,
641 RecentActivityExtracterModuleFactory.getModuleName(), apiGrantedPermissions.replaceFirst(", ", "")));
642 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
643 RecentActivityExtracterModuleFactory.getModuleName(), userName));
644 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
645 RecentActivityExtracterModuleFactory.getModuleName(), browserName));
646
647 try {
648 art = createArtifactWithAttributes(localStateArtifactType, extensionFile, bbattributes);
649 bbartifacts.add(art);
650 } catch (TskCoreException ex) {
651 logger.log(Level.SEVERE, String.format("Failed to create Extension artifact for file (%d)", extensionFile.getId()), ex);
652 }
653 }
654
655 if (!context.dataSourceIngestIsCancelled()) {
656 postArtifacts(bbartifacts);
657 }
658 bbartifacts.clear();
659
660 }
661 }
662
670 private void getHistory(String browser, String browserLocation, String userName, long ingestJobId) {
671 FileManager fileManager = currentCase.getServices().getFileManager();
672 String browserName = browser;
673 List<AbstractFile> historyFiles;
674 String historyFileName = HISTORY_FILE_NAME;
675 if (browserName.equals(UC_BROWSER_NAME)) {
676 historyFileName = HISTORY_FILE_NAME + "%";
677 }
678 try {
679 historyFiles = fileManager.findFiles(dataSource, historyFileName, browserLocation); //NON-NLS
680 } catch (TskCoreException ex) {
681 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
682 logger.log(Level.SEVERE, msg, ex);
683 this.addErrorMessage(this.getDisplayName() + ": " + msg);
684 return;
685 }
686
687 // get only the allocated ones, for now
688 List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();
689 for (AbstractFile historyFile : historyFiles) {
690 if (historyFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
691 allocatedHistoryFiles.add(historyFile);
692 }
693 }
694
695 // log a message if we don't have any allocated history files
696 if (allocatedHistoryFiles.isEmpty()) {
697 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");
698 logger.log(Level.INFO, msg);
699 return;
700 }
701
702 dataFound = true;
703 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
704 int j = 0;
705 while (j < allocatedHistoryFiles.size()) {
706 if (browser.contains(GOOGLE_PROFILE_NAME)) {
707 String parentPath = FilenameUtils.normalizeNoEndSeparator(allocatedHistoryFiles.get(j).getParentPath());
708 browserName = GOOGLE_PROFILE + " " + FilenameUtils.getBaseName(parentPath);
709 }
710 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + allocatedHistoryFiles.get(j).getName() + j + ".db"; //NON-NLS
711 final AbstractFile historyFile = allocatedHistoryFiles.get(j++);
712 if ((historyFile.getSize() == 0) || (historyFile.getName().toLowerCase().contains("-slack"))
713 || (historyFile.getName().toLowerCase().contains("cache")) || (historyFile.getName().toLowerCase().contains("media"))
714 || (historyFile.getName().toLowerCase().contains("index"))) {
715 continue;
716 }
717 try {
718 ContentUtils.writeToFile(historyFile, new File(temps), context::dataSourceIngestIsCancelled);
719 } catch (ReadContentInputStreamException ex) {
720 logger.log(Level.WARNING, String.format("Error reading Chrome web history artifacts file '%s' (id=%d).",
721 historyFile.getName(), historyFile.getId()), ex); //NON-NLS
722 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",
723 this.getDisplayName(), historyFile.getName()));
724 continue;
725 } catch (IOException ex) {
726 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome web history artifacts file '%s' (id=%d).",
727 temps, historyFile.getName(), historyFile.getId()), ex); //NON-NLS
728 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",
729 this.getDisplayName(), historyFile.getName()));
730 continue;
731 }
732 File dbFile = new File(temps);
733 if (context.dataSourceIngestIsCancelled()) {
734 dbFile.delete();
735 break;
736 }
737 List<HashMap<String, Object>> tempList;
738 tempList = this.querySQLiteDb(temps, HISTORY_QUERY);
739 logger.log(Level.INFO, "{0}- Now getting history from {1} with {2} artifacts identified.", new Object[]{getDisplayName(), temps, tempList.size()}); //NON-NLS
740 for (HashMap<String, Object> result : tempList) {
741 String url = result.get("url") == null ? "" : result.get("url").toString();
742 String extractedDomain = NetworkUtils.extractDomain(url);
743
744 try {
745 Collection<BlackboardAttribute> bbattributes = createHistoryAttributes(
746 StringUtils.defaultString(url),
747 (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"),
748 result.get("from_visit") == null ? "" : result.get("from_visit").toString(),
749 result.get("title") == null ? "" : result.get("title").toString(),
750 browserName,
751 extractedDomain,
752 userName);
753
754 bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_WEB_HISTORY, historyFile, bbattributes));
755 } catch (TskCoreException ex) {
756 logger.log(Level.SEVERE, String.format("Failed to create history artifact for file (%d)", historyFile.getId()), ex);
757 }
758 }
759 dbFile.delete();
760 }
761
762 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
763 postArtifacts(bbartifacts);
764 }
765 }
766
774 private void getBookmark(String browser, String browserLocation, String userName, long ingestJobId) {
775 FileManager fileManager = currentCase.getServices().getFileManager();
776 List<AbstractFile> bookmarkFiles;
777 String browserName = browser;
778 String bookmarkFileName = BOOKMARK_FILE_NAME;
779 if (browserName.equals(UC_BROWSER_NAME)) {
780 bookmarkFileName = BOOKMARK_FILE_NAME + "%";
781 }
782 try {
783 bookmarkFiles = fileManager.findFiles(dataSource, bookmarkFileName, browserLocation); //NON-NLS
784 } catch (TskCoreException ex) {
785 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");
786 logger.log(Level.SEVERE, msg, ex);
787 this.addErrorMessage(this.getDisplayName() + ": " + msg);
788 return;
789 }
790
791 if (bookmarkFiles.isEmpty()) {
792 logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); //NON-NLS
793 return;
794 }
795
796 dataFound = true;
797 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
798 int j = 0;
799 while (j < bookmarkFiles.size()) {
800 if (browser.contains(GOOGLE_PROFILE_NAME)) {
801 String parentPath = FilenameUtils.normalizeNoEndSeparator(bookmarkFiles.get(j).getParentPath());
802 browserName = GOOGLE_PROFILE + " " + FilenameUtils.getBaseName(parentPath);
803 }
804
805 AbstractFile bookmarkFile = bookmarkFiles.get(j++);
806 if ((bookmarkFile.getSize() == 0) || (bookmarkFile.getName().toLowerCase().contains("-slack"))
807 || (bookmarkFile.getName().toLowerCase().contains("extras")) || (bookmarkFile.getName().toLowerCase().contains("log"))
808 || (bookmarkFile.getName().toLowerCase().contains("backup")) || (bookmarkFile.getName().toLowerCase().contains("visualized"))
809 || (bookmarkFile.getName().toLowerCase().contains("bak")) || (bookmarkFile.getParentPath().toLowerCase().contains("backup"))) {
810 continue;
811 }
812 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS
813 try {
814 ContentUtils.writeToFile(bookmarkFile, new File(temps), context::dataSourceIngestIsCancelled);
815 } catch (ReadContentInputStreamException ex) {
816 logger.log(Level.WARNING, String.format("Error reading Chrome bookmark artifacts file '%s' (id=%d).",
817 bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS
818 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",
819 this.getDisplayName(), bookmarkFile.getName()));
820 continue;
821 } catch (IOException ex) {
822 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome bookmark artifacts file '%s' (id=%d).",
823 temps, bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS
824 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",
825 this.getDisplayName(), bookmarkFile.getName()));
826 continue;
827 }
828
829 logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{getDisplayName(), temps}); //NON-NLS
830 File dbFile = new File(temps);
831 if (context.dataSourceIngestIsCancelled()) {
832 dbFile.delete();
833 break;
834 }
835
836 FileReader tempReader;
837 try {
838 tempReader = new FileReader(temps);
839 } catch (FileNotFoundException ex) {
840 logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS
841 continue;
842 }
843
844 JsonElement jsonElement;
845 JsonObject jElement, jRoot;
846
847 try {
848 jsonElement = JsonParser.parseReader(tempReader);
849 jElement = jsonElement.getAsJsonObject();
850 jRoot = jElement.get("roots").getAsJsonObject(); //NON-NLS
851 Set<String> bookmarkKeys = jRoot.keySet();
852 } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) {
853 logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS
854 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",
855 this.getDisplayName(), bookmarkFile.getName()));
856 continue;
857 }
858
859 Set<String> bookmarkKeys = jRoot.keySet();
860 for (String bookmarkKey : bookmarkKeys) {
861 JsonObject jBookmark = jRoot.get(bookmarkKey).getAsJsonObject(); //NON-NLS
862 if (jBookmark.has("children")) {
863 JsonArray jBookmarkArray = jBookmark.getAsJsonArray("children"); //NON-NLS
864 for (JsonElement result : jBookmarkArray) {
865 JsonObject address = result.getAsJsonObject();
866 if (address == null) {
867 continue;
868 }
869 JsonElement urlEl = address.get("url"); //NON-NLS
870 String url;
871 if (urlEl != null) {
872 url = urlEl.getAsString();
873 } else {
874 url = "";
875 }
876 String name;
877 JsonElement nameEl = address.get("name"); //NON-NLS
878 if (nameEl != null) {
879 name = nameEl.getAsString();
880 } else {
881 name = "";
882 }
883 Long date;
884 JsonElement dateEl = address.get("date_added"); //NON-NLS
885 if (dateEl != null) {
886 date = dateEl.getAsLong();
887 } else {
888 date = Long.valueOf(0);
889 }
890 String domain = NetworkUtils.extractDomain(url);
891 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
892 //TODO Revisit usage of deprecated constructor as per TSK-583
893 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
894 RecentActivityExtracterModuleFactory.getModuleName(), url));
895 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
896 RecentActivityExtracterModuleFactory.getModuleName(), name));
897 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
898 RecentActivityExtracterModuleFactory.getModuleName(), (date / 1000000) - Long.valueOf("11644473600")));
899 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
900 RecentActivityExtracterModuleFactory.getModuleName(), browserName));
901 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
902 RecentActivityExtracterModuleFactory.getModuleName(), domain));
903 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
904 RecentActivityExtracterModuleFactory.getModuleName(), userName));
905 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
906 RecentActivityExtracterModuleFactory.getModuleName(), bookmarkKey));
907
908
909 try {
910 bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_WEB_BOOKMARK, bookmarkFile, bbattributes));
911 } catch (TskCoreException ex) {
912 logger.log(Level.SEVERE, String.format("Failed to create bookmark artifact for file (%d)", bookmarkFile.getId()), ex);
913 }
914
915 }
916 }
917 }
918
919 if (!context.dataSourceIngestIsCancelled()) {
920 postArtifacts(bbartifacts);
921 }
922 bbartifacts.clear();
923 dbFile.delete();
924 }
925 }
926
934 private void getCookie(String browser, String browserLocation, String userName, long ingestJobId) {
935
936 FileManager fileManager = currentCase.getServices().getFileManager();
937 List<AbstractFile> cookiesFiles;
938 String browserName = browser;
939 String cookieFileName = COOKIE_FILE_NAME;
940 if (browserName.equals(UC_BROWSER_NAME)) {
941 // Wildcard on front and back of Cookies are there for Cookie files that start with something else
942 // ie: UC browser has "Extension Cookies.9" as well as Cookies.9
943 cookieFileName = "%" + COOKIE_FILE_NAME + "%";
944 }
945 try {
946 cookiesFiles = fileManager.findFiles(dataSource, cookieFileName, browserLocation); //NON-NLS
947 } catch (TskCoreException ex) {
948 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles");
949 logger.log(Level.SEVERE, msg, ex);
950 this.addErrorMessage(this.getDisplayName() + ": " + msg);
951 return;
952 }
953
954 if (cookiesFiles.isEmpty()) {
955 logger.log(Level.INFO, "Didn't find any Chrome cookies files."); //NON-NLS
956 return;
957 }
958
959 dataFound = true;
960 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
961 int j = 0;
962 while (j < cookiesFiles.size()) {
963 if (browser.contains(GOOGLE_PROFILE_NAME)) {
964 String parentPath = FilenameUtils.normalizeNoEndSeparator(cookiesFiles.get(j).getParentPath());
965 browserName = GOOGLE_PROFILE + FilenameUtils.getBaseName(parentPath);
966 }
967
968 AbstractFile cookiesFile = cookiesFiles.get(j++);
969 if ((cookiesFile.getSize() == 0) || (cookiesFile.getName().toLowerCase().contains("-slack"))) {
970 continue;
971 }
972 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS
973 try {
974 ContentUtils.writeToFile(cookiesFile, new File(temps), context::dataSourceIngestIsCancelled);
975 } catch (ReadContentInputStreamException ex) {
976 logger.log(Level.WARNING, String.format("Error reading Chrome cookie artifacts file '%s' (id=%d).",
977 cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS
978 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",
979 this.getDisplayName(), cookiesFile.getName()));
980 continue;
981 } catch (IOException ex) {
982 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome cookie artifacts file '%s' (id=%d).",
983 temps, cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS
984 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",
985 this.getDisplayName(), cookiesFile.getName()));
986 continue;
987 }
988 File dbFile = new File(temps);
989 if (context.dataSourceIngestIsCancelled()) {
990 dbFile.delete();
991 break;
992 }
993
994 List<HashMap<String, Object>> tempList = this.querySQLiteDb(temps, COOKIE_QUERY);
995 logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2} artifacts identified.", new Object[]{getDisplayName(), temps, tempList.size()}); //NON-NLS
996 for (HashMap<String, Object> result : tempList) {
997 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
998 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
999 RecentActivityExtracterModuleFactory.getModuleName(),
1000 ((result.get("host_key").toString() != null) ? result.get("host_key").toString() : ""))); //NON-NLS
1001 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
1002 RecentActivityExtracterModuleFactory.getModuleName(),
1003 (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS
1004
1005 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
1006 RecentActivityExtracterModuleFactory.getModuleName(),
1007 ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS
1008 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
1009 RecentActivityExtracterModuleFactory.getModuleName(),
1010 ((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS
1011 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
1012 RecentActivityExtracterModuleFactory.getModuleName(), browserName));
1013 String domain = result.get("host_key").toString(); //NON-NLS
1014 domain = domain.replaceFirst("^\\.+(?!$)", "");
1015 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
1016 RecentActivityExtracterModuleFactory.getModuleName(), domain));
1017 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
1018 RecentActivityExtracterModuleFactory.getModuleName(), userName));
1019
1020 try {
1021 bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_WEB_COOKIE, cookiesFile, bbattributes));
1022 } catch (TskCoreException ex) {
1023 logger.log(Level.SEVERE, String.format("Failed to create cookie artifact for file (%d)", cookiesFile.getId()), ex);
1024 }
1025 }
1026
1027 dbFile.delete();
1028 }
1029
1030 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1031 postArtifacts(bbartifacts);
1032 }
1033 }
1034
1042 private void getDownload(String browser, String browserLocation, String userName, long ingestJobId) {
1043 FileManager fileManager = currentCase.getServices().getFileManager();
1044 List<AbstractFile> downloadFiles;
1045 String browserName = browser;
1046 String historyFileName = HISTORY_FILE_NAME;
1047 if (browserName.equals(UC_BROWSER_NAME)) {
1048 historyFileName = HISTORY_FILE_NAME + "%";
1049 }
1050 try {
1051 downloadFiles = fileManager.findFiles(dataSource, historyFileName, browserLocation); //NON-NLS
1052 } catch (TskCoreException ex) {
1053 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles");
1054 logger.log(Level.SEVERE, msg, ex);
1055 this.addErrorMessage(this.getDisplayName() + ": " + msg);
1056 return;
1057 }
1058
1059 if (downloadFiles.isEmpty()) {
1060 logger.log(Level.INFO, "Didn't find any Chrome download files."); //NON-NLS
1061 return;
1062 }
1063
1064 dataFound = true;
1065 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
1066 int j = 0;
1067 while (j < downloadFiles.size()) {
1068 if (browser.contains(GOOGLE_PROFILE_NAME)) {
1069 String parentPath = FilenameUtils.normalizeNoEndSeparator(downloadFiles.get(j).getParentPath());
1070 browserName = GOOGLE_PROFILE + FilenameUtils.getBaseName(parentPath);
1071 }
1072
1073 AbstractFile downloadFile = downloadFiles.get(j++);
1074 if ((downloadFile.getSize() == 0) || (downloadFile.getName().toLowerCase().contains("-slack"))
1075 || (downloadFile.getName().toLowerCase().contains("cache")) || (downloadFile.getName().toLowerCase().contains("index"))) {
1076 continue;
1077 }
1078
1079 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS
1080 try {
1081 ContentUtils.writeToFile(downloadFile, new File(temps), context::dataSourceIngestIsCancelled);
1082 } catch (ReadContentInputStreamException ex) {
1083 logger.log(Level.WARNING, String.format("Error reading Chrome download artifacts file '%s' (id=%d).",
1084 downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS
1085 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",
1086 this.getDisplayName(), downloadFile.getName()));
1087 continue;
1088 } catch (IOException ex) {
1089 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome download artifacts file '%s' (id=%d).",
1090 temps, downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS
1091 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",
1092 this.getDisplayName(), downloadFile.getName()));
1093 continue;
1094 }
1095 File dbFile = new File(temps);
1096 if (context.dataSourceIngestIsCancelled()) {
1097 dbFile.delete();
1098 break;
1099 }
1100
1101 List<HashMap<String, Object>> tempList;
1102
1103 if (isChromePreVersion30(temps)) {
1104 tempList = this.querySQLiteDb(temps, DOWNLOAD_QUERY);
1105 } else {
1106 tempList = this.querySQLiteDb(temps, DOWNLOAD_QUERY_V30);
1107 }
1108
1109 logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2} artifacts identified.", new Object[]{getDisplayName(), temps, tempList.size()}); //NON-NLS
1110 for (HashMap<String, Object> result : tempList) {
1111 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
1112 String fullPath = result.get("full_path").toString(); //NON-NLS
1113 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
1114 RecentActivityExtracterModuleFactory.getModuleName(), fullPath));
1115 long pathID = Util.findID(dataSource, fullPath);
1116 if (pathID != -1) {
1117 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
1118 NbBundle.getMessage(this.getClass(),
1119 "Chrome.parentModuleName"), pathID));
1120 }
1121 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
1122 RecentActivityExtracterModuleFactory.getModuleName(),
1123 ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS
1124 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
1125 Long time = (Long.valueOf(result.get("start_time").toString()) / 1000000) - Long.valueOf("11644473600"); //NON-NLS
1126
1127 //TODO Revisit usage of deprecated constructor as per TSK-583
1128 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", time));
1129 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
1130 RecentActivityExtracterModuleFactory.getModuleName(), time));
1131 String domain = NetworkUtils.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); //NON-NLS
1132 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
1133 RecentActivityExtracterModuleFactory.getModuleName(), domain));
1134 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
1135 RecentActivityExtracterModuleFactory.getModuleName(), userName));
1136 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
1137 RecentActivityExtracterModuleFactory.getModuleName(), browserName));
1138
1139 // find the downloaded file and create a TSK_ASSOCIATED_OBJECT for it, associating it with the TSK_WEB_DOWNLOAD artifact.
1140 try {
1141 BlackboardArtifact webDownloadArtifact = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
1142 bbartifacts.add(webDownloadArtifact);
1143 String normalizedFullPath = FilenameUtils.normalize(fullPath, true);
1144 for (AbstractFile downloadedFile : currentCase.getSleuthkitCase().getFileManager().findFilesExactNameExactPath(dataSource, FilenameUtils.getName(normalizedFullPath), FilenameUtils.getPath(normalizedFullPath))) {
1145 bbartifacts.add(createAssociatedArtifact(downloadedFile, webDownloadArtifact));
1146 break;
1147 }
1148 } catch (TskCoreException ex) {
1149 logger.log(Level.SEVERE, String.format("Error creating associated object artifact for file '%s'", fullPath), ex); //NON-NLS
1150 }
1151 }
1152
1153 dbFile.delete();
1154 }
1155
1156 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1157 postArtifacts(bbartifacts);
1158 }
1159 }
1160
1168 private void getFavicons(String browser, String browserLocation, String userName, long ingestJobId) {
1169 FileManager fileManager = currentCase.getServices().getFileManager();
1170 List<AbstractFile> faviconFiles;
1171 String browserName = browser;
1172 try {
1173 faviconFiles = fileManager.findFiles(dataSource, FAVICON_DATA_FILE_NAME, browserLocation); //NON-NLS
1174 } catch (TskCoreException ex) {
1175 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getFavicon.errMsg.errGettingFiles");
1176 logger.log(Level.SEVERE, msg, ex);
1177 this.addErrorMessage(this.getDisplayName() + ": " + msg);
1178 return;
1179 }
1180
1181 if (faviconFiles.isEmpty()) {
1182 logger.log(Level.INFO, "Didn't find any Chrome favicon files."); //NON-NLS
1183 return;
1184 }
1185
1186 dataFound = true;
1187 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
1188 int j = 0;
1189 while (j < faviconFiles.size()) {
1190 if (browser.contains(GOOGLE_PROFILE_NAME)) {
1191 String parentPath = FilenameUtils.normalizeNoEndSeparator(faviconFiles.get(j).getParentPath());
1192 browserName = GOOGLE_PROFILE + FilenameUtils.getBaseName(parentPath);
1193 }
1194 AbstractFile faviconFile = faviconFiles.get(j++);
1195 if ((faviconFile.getSize() == 0) || (faviconFile.getName().toLowerCase().contains("-slack"))
1196 || (faviconFile.getName().toLowerCase().contains("cache")) || (faviconFile.getName().toLowerCase().contains("index"))) {
1197 continue;
1198 }
1199
1200 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + faviconFile.getName() + j + ".db"; //NON-NLS
1201 try {
1202 ContentUtils.writeToFile(faviconFile, new File(temps), context::dataSourceIngestIsCancelled);
1203 } catch (ReadContentInputStreamException ex) {
1204 logger.log(Level.WARNING, String.format("Error reading Chrome favicons artifacts file '%s' (id=%d).",
1205 faviconFile.getName(), faviconFile.getId()), ex); //NON-NLS
1206 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getFavicon.errMsg.errAnalyzeFiles1",
1207 this.getDisplayName(), faviconFile.getName()));
1208 continue;
1209 } catch (IOException ex) {
1210 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome favicon artifacts file '%s' (id=%d).",
1211 temps, faviconFile.getName(), faviconFile.getId()), ex); //NON-NLS
1212 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getfavicon.errMsg.errAnalyzeFiles1",
1213 this.getDisplayName(), faviconFile.getName()));
1214 continue;
1215 }
1216 File dbFile = new File(temps);
1217 if (context.dataSourceIngestIsCancelled()) {
1218 dbFile.delete();
1219 break;
1220 }
1221
1222 BlackboardArtifact.Type faviconArtifactType;
1223
1224 try {
1225 faviconArtifactType = createArtifactType(FAVICON_ARTIFACT_NAME, NbBundle.getMessage(this.getClass(), "Chrome.getFavicon.displayName"));
1226 } catch (TskCoreException ex) {
1227 logger.log(Level.SEVERE, String.format("Error creating artifact type for Chrome favicon."), ex); //NON-NLS
1228 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getfavicon.errMsg.errCreateArtifact"));
1229 continue;
1230
1231 }
1232
1233 List<HashMap<String, Object>> tempList;
1234
1235 tempList = this.querySQLiteDb(temps, FAVICON_QUERY);
1236
1237 logger.log(Level.INFO, "{0}- Now getting favicons from {1} with {2} artifacts identified.", new Object[]{getDisplayName(), temps, tempList.size()}); //NON-NLS
1238 for (HashMap<String, Object> result : tempList) {
1239 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
1240 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
1241 RecentActivityExtracterModuleFactory.getModuleName(),
1242 ((result.get("page_url").toString() != null) ? result.get("page_url").toString() : ""))); //NON-NLS
1243 Long updatedTime = (Long.valueOf(result.get("last_updated").toString()) / 1000000) - Long.valueOf("11644473600"); //NON-NLS
1244 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED,
1245 RecentActivityExtracterModuleFactory.getModuleName(), updatedTime));
1246 Long requestedTime = (Long.valueOf(result.get("last_requested").toString()) / 1000000) - Long.valueOf("11644473600"); //NON-NLS
1247 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
1248 RecentActivityExtracterModuleFactory.getModuleName(), requestedTime));
1249 String domain = NetworkUtils.extractDomain((result.get("page_url").toString() != null) ? result.get("page_url").toString() : ""); //NON-NLS
1250 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
1251 RecentActivityExtracterModuleFactory.getModuleName(), domain));
1252 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
1253 RecentActivityExtracterModuleFactory.getModuleName(), userName));
1254 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
1255 RecentActivityExtracterModuleFactory.getModuleName(), browserName));
1256
1257 try {
1258 bbartifacts.add(createArtifactWithAttributes(faviconArtifactType, faviconFile, bbattributes));
1259 } catch (TskCoreException ex) {
1260 logger.log(Level.SEVERE, String.format("Failed to create cookie artifact for file (%d)", faviconFile.getId()), ex);
1261 }
1262
1263 }
1264
1265 dbFile.delete();
1266 }
1267
1268 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1269 postArtifacts(bbartifacts);
1270 }
1271 }
1272
1280 private void getLogins(String browser, String browserLocation, String userName, long ingestJobId) {
1281
1282 FileManager fileManager = currentCase.getServices().getFileManager();
1283 List<AbstractFile> loginDataFiles;
1284 String browserName = browser;
1285 String loginDataFileName = LOGIN_DATA_FILE_NAME;
1286 if (browserName.equals(UC_BROWSER_NAME)) {
1287 loginDataFileName = LOGIN_DATA_FILE_NAME + "%";
1288 }
1289
1290 try {
1291 loginDataFiles = fileManager.findFiles(dataSource, loginDataFileName, browserLocation); //NON-NLS
1292 } catch (TskCoreException ex) {
1293 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");
1294 logger.log(Level.SEVERE, msg, ex);
1295 this.addErrorMessage(this.getDisplayName() + ": " + msg);
1296 return;
1297 }
1298
1299 if (loginDataFiles.isEmpty()) {
1300 logger.log(Level.INFO, "Didn't find any Chrome Login Data files."); //NON-NLS
1301 return;
1302 }
1303
1304 dataFound = true;
1305 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
1306 int j = 0;
1307 while (j < loginDataFiles.size()) {
1308 if (browser.contains(GOOGLE_PROFILE_NAME)) {
1309 String parentPath = FilenameUtils.normalizeNoEndSeparator(loginDataFiles.get(j).getParentPath());
1310 browserName = GOOGLE_PROFILE + FilenameUtils.getBaseName(parentPath);
1311 }
1312 AbstractFile loginDataFile = loginDataFiles.get(j++);
1313 if ((loginDataFile.getSize() == 0) || (loginDataFile.getName().toLowerCase().contains("-slack"))) {
1314 continue;
1315 }
1316 String temps = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + loginDataFile.getName() + j + ".db"; //NON-NLS
1317 try {
1318 ContentUtils.writeToFile(loginDataFile, new File(temps), context::dataSourceIngestIsCancelled);
1319 } catch (ReadContentInputStreamException ex) {
1320 logger.log(Level.WARNING, String.format("Error reading Chrome login artifacts file '%s' (id=%d).",
1321 loginDataFile.getName(), loginDataFile.getId()), ex); //NON-NLS
1322 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",
1323 this.getDisplayName(), loginDataFile.getName()));
1324 continue;
1325 } catch (IOException ex) {
1326 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome login artifacts file '%s' (id=%d).",
1327 temps, loginDataFile.getName(), loginDataFile.getId()), ex); //NON-NLS
1328 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",
1329 this.getDisplayName(), loginDataFile.getName()));
1330 continue;
1331 }
1332 File dbFile = new File(temps);
1333 if (context.dataSourceIngestIsCancelled()) {
1334 dbFile.delete();
1335 break;
1336 }
1337 List<HashMap<String, Object>> tempList = this.querySQLiteDb(temps, LOGIN_QUERY);
1338 logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2} artifacts identified.", new Object[]{getDisplayName(), temps, tempList.size()}); //NON-NLS
1339 for (HashMap<String, Object> result : tempList) {
1340 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
1341
1342 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
1343 RecentActivityExtracterModuleFactory.getModuleName(),
1344 ((result.get("origin_url").toString() != null) ? result.get("origin_url").toString() : ""))); //NON-NLS
1345
1346 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
1347 RecentActivityExtracterModuleFactory.getModuleName(),
1348 (Long.valueOf(result.get("date_created").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS
1349
1350 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED,
1351 RecentActivityExtracterModuleFactory.getModuleName(),
1352 (NetworkUtils.extractDomain((result.get("origin_url").toString() != null) ? result.get("origin_url").toString() : "")))); //NON-NLS
1353
1354 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
1355 RecentActivityExtracterModuleFactory.getModuleName(),
1356 ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS
1357
1358 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REALM,
1359 RecentActivityExtracterModuleFactory.getModuleName(),
1360 ((result.get("signon_realm") != null && result.get("signon_realm").toString() != null) ? result.get("signon_realm").toString() : ""))); //NON-NLS
1361
1362 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
1363 RecentActivityExtracterModuleFactory.getModuleName(),
1364 result.containsKey("signon_realm") ? NetworkUtils.extractDomain(result.get("signon_realm").toString()) : "")); //NON-NLS
1365
1366 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
1367 RecentActivityExtracterModuleFactory.getModuleName(), browserName));
1368
1369 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
1370 RecentActivityExtracterModuleFactory.getModuleName(), userName));
1371
1372 try {
1373 bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_SERVICE_ACCOUNT, loginDataFile, bbattributes));
1374 } catch (TskCoreException ex) {
1375 logger.log(Level.SEVERE, String.format("Failed to create service account artifact for file (%d)", loginDataFile.getId()), ex);
1376 }
1377 }
1378
1379 dbFile.delete();
1380 }
1381
1382 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1383 postArtifacts(bbartifacts);
1384 }
1385 }
1386
1395 private void getAutofill(String browser, String browserLocation, String userName, long ingestJobId) {
1396
1397 FileManager fileManager = currentCase.getServices().getFileManager();
1398 List<AbstractFile> webDataFiles;
1399 String browserName = browser;
1400 String webDataFileName = WEB_DATA_FILE_NAME;
1401 if (browserName.equals(UC_BROWSER_NAME)) {
1402 webDataFileName = WEB_DATA_FILE_NAME + "%";
1403 }
1404
1405 try {
1406 webDataFiles = fileManager.findFiles(dataSource, webDataFileName, browserLocation); //NON-NLS
1407 } catch (TskCoreException ex) {
1408 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getAutofills.errMsg.errGettingFiles");
1409 logger.log(Level.SEVERE, msg, ex);
1410 this.addErrorMessage(this.getDisplayName() + ": " + msg);
1411 return;
1412 }
1413
1414 if (webDataFiles.isEmpty()) {
1415 logger.log(Level.INFO, "Didn't find any Chrome Web Data files."); //NON-NLS
1416 return;
1417 }
1418
1419 dataFound = true;
1420 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
1421 int j = 0;
1422 while (j < webDataFiles.size()) {
1423 if (browser.contains(GOOGLE_PROFILE_NAME)) {
1424 String parentPath = FilenameUtils.normalizeNoEndSeparator(webDataFiles.get(j).getParentPath());
1425 browserName = GOOGLE_PROFILE + FilenameUtils.getBaseName(parentPath);
1426 }
1427 databaseEncrypted = false;
1428 AbstractFile webDataFile = webDataFiles.get(j++);
1429 if ((webDataFile.getSize() == 0) || (webDataFile.getName().toLowerCase().contains("-slack"))) {
1430 continue;
1431 }
1432 String tempFilePath = RAImageIngestModule.getRATempPath(currentCase, browserName, ingestJobId) + File.separator + webDataFile.getName() + j + ".db"; //NON-NLS
1433 try {
1434 ContentUtils.writeToFile(webDataFile, new File(tempFilePath), context::dataSourceIngestIsCancelled);
1435 } catch (ReadContentInputStreamException ex) {
1436 logger.log(Level.WARNING, String.format("Error reading Chrome Autofill artifacts file '%s' (id=%d).",
1437 webDataFile.getName(), webDataFile.getId()), ex); //NON-NLS
1438 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getAutofill.errMsg.errAnalyzingFiles",
1439 this.getDisplayName(), webDataFile.getName()));
1440 continue;
1441 } catch (IOException ex) {
1442 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome Web data file '%s' (id=%d).",
1443 tempFilePath, webDataFile.getName(), webDataFile.getId()), ex); //NON-NLS
1444 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",
1445 this.getDisplayName(), webDataFile.getName()));
1446 continue;
1447 }
1448 File dbFile = new File(tempFilePath);
1449 if (context.dataSourceIngestIsCancelled()) {
1450 dbFile.delete();
1451 break;
1452 }
1453
1454 // The DB schema is little different in schema version 8x vs older versions
1455 boolean isSchemaV8X = Util.checkColumn("date_created", "autofill", tempFilePath);
1456
1457 // get form autofill artifacts
1458 bbartifacts.addAll(getFormAutofillArtifacts(webDataFile, tempFilePath, isSchemaV8X, userName, browserName));
1459 try {
1460 // get form address atifacts
1461 getFormAddressArtifacts(webDataFile, tempFilePath, isSchemaV8X);
1462 if (databaseEncrypted) {
1463 String comment = String.format("%s Autofill Database Encryption Detected", browserName);
1464 Collection<BlackboardAttribute> bbattributes = Arrays.asList(
1465 new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
1466 RecentActivityExtracterModuleFactory.getModuleName(), comment));
1467
1468 bbartifacts.add(
1469 webDataFile.newAnalysisResult(
1470 BlackboardArtifact.Type.TSK_ENCRYPTION_DETECTED, Score.SCORE_NOTABLE,
1471 null, null, comment, bbattributes).getAnalysisResult());
1472 }
1473 } catch (NoCurrentCaseException | TskCoreException | Blackboard.BlackboardException ex) {
1474 logger.log(Level.SEVERE, String.format("Error adding artifacts to the case database "
1475 + "for chrome file %s [objId=%d]", webDataFile.getName(), webDataFile.getId()), ex);
1476 }
1477
1478 dbFile.delete();
1479 }
1480
1481 if (!bbartifacts.isEmpty() && !context.dataSourceIngestIsCancelled()) {
1482 postArtifacts(bbartifacts);
1483 }
1484 }
1485
1496 private Collection<BlackboardArtifact> getFormAutofillArtifacts(AbstractFile webDataFile, String dbFilePath, boolean isSchemaV8X, String userName, String browser) {
1497
1498 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
1499
1500 // The DB Schema is little different in version 8x vs older versions
1501 String autoFillquery = (isSchemaV8X) ? AUTOFILL_QUERY_V8X
1502 : AUTOFILL_QUERY;
1503
1504 List<HashMap<String, Object>> autofills = this.querySQLiteDb(dbFilePath, autoFillquery);
1505 logger.log(Level.INFO, "{0}- Now getting Autofill information from {1} with {2} artifacts identified.", new Object[]{getDisplayName(), dbFilePath, autofills.size()}); //NON-NLS
1506 for (HashMap<String, Object> result : autofills) {
1507 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
1508
1509 // extract all common attributes
1510 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
1511 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
1512 ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS
1513
1514 fieldEncrypted = false;
1515 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
1516 RecentActivityExtracterModuleFactory.getModuleName(),
1517 processFields(result.get("value")))); //NON-NLS
1518
1519 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COUNT,
1520 RecentActivityExtracterModuleFactory.getModuleName(),
1521 (Integer.valueOf(result.get("count").toString())))); //NON-NLS
1522
1523 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
1524 RecentActivityExtracterModuleFactory.getModuleName(),
1525 Long.valueOf(result.get("date_created").toString()))); //NON-NLS
1526
1527 // get schema version specific attributes
1528 if (isSchemaV8X) {
1529 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
1530 RecentActivityExtracterModuleFactory.getModuleName(),
1531 Long.valueOf(result.get("date_last_used").toString()))); //NON-NLS
1532 }
1533
1534 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
1535 RecentActivityExtracterModuleFactory.getModuleName(), userName));
1536 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
1537 RecentActivityExtracterModuleFactory.getModuleName(), browser));
1538 if (fieldEncrypted) {
1539 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
1540 RecentActivityExtracterModuleFactory.getModuleName(), ENCRYPTED_FIELD_MESSAGE));
1541 }
1542
1543 // Add an artifact
1544 try {
1545 bbartifacts.add(createArtifactWithAttributes(BlackboardArtifact.Type.TSK_WEB_FORM_AUTOFILL, webDataFile, bbattributes));
1546 } catch (TskCoreException ex) {
1547 logger.log(Level.SEVERE, String.format("Failed to create web form autopfill artifact for file (%d)", webDataFile.getId()), ex);
1548 }
1549 }
1550
1551 // return all extracted artifacts
1552 return bbartifacts;
1553 }
1554
1566 private void getFormAddressArtifacts(AbstractFile webDataFile, String dbFilePath, boolean isSchemaV8X) throws NoCurrentCaseException,
1567 TskCoreException, Blackboard.BlackboardException {
1568
1569 String webformAddressQuery = (isSchemaV8X) ? WEBFORM_ADDRESS_QUERY_V8X
1570 : WEBFORM_ADDRESS_QUERY;
1571
1572 // Helper to create web form address artifacts.
1573 WebBrowserArtifactsHelper helper = new WebBrowserArtifactsHelper(
1574 Case.getCurrentCaseThrows().getSleuthkitCase(),
1575 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
1576 webDataFile, context.getJobId()
1577 );
1578
1579 // Get Web form addresses
1580 List<HashMap<String, Object>> addresses = this.querySQLiteDb(dbFilePath, webformAddressQuery);
1581 logger.log(Level.INFO, "{0}- Now getting Web form addresses from {1} with {2} artifacts identified.", new Object[]{getDisplayName(), dbFilePath, addresses.size()}); //NON-NLS
1582 for (HashMap<String, Object> result : addresses) {
1583
1584 fieldEncrypted = false;
1585
1586 String first_name = processFields(result.get("first_name"));
1587 String middle_name = processFields(result.get("middle_name"));
1588 String last_name = processFields(result.get("last_name"));
1589
1590 // get email and phone
1591 String email_Addr = processFields(result.get("email"));
1592 String phone_number = processFields(result.get("number"));
1593
1594 // Get the address fields
1595 String city = processFields(result.get("city"));
1596 String state = processFields(result.get("state"));
1597 String zipcode = processFields(result.get("zipcode"));
1598 String country_code = processFields(result.get("country_code"));
1599
1600 // schema version specific fields
1601 String full_name = "";
1602 String street_address = "";
1603 long date_modified = 0;
1604 int use_count = 0;
1605 long use_date = 0;
1606
1607 if (isSchemaV8X) {
1608
1609 full_name = processFields(result.get("full_name"));
1610 street_address = processFields(result.get("street_address"));
1611 date_modified = result.get("date_modified").toString() != null ? Long.valueOf(result.get("date_modified").toString()) : 0;
1612 use_count = result.get("use_count").toString() != null ? Integer.valueOf(result.get("use_count").toString()) : 0;
1613 use_date = result.get("use_date").toString() != null ? Long.valueOf(result.get("use_date").toString()) : 0;
1614 } else {
1615 String address_line_1 = processFields(result.get("address_line_1"));
1616 String address_line_2 = processFields(result.get("address_line_2"));
1617 street_address = String.join(" ", address_line_1, address_line_2);
1618 }
1619
1620 // Create atrributes from extracted fields
1621 if (full_name == null || full_name.isEmpty()) {
1622 full_name = String.join(" ", first_name, middle_name, last_name);
1623 }
1624
1625 String locationAddress = String.join(", ", street_address, city, state, zipcode, country_code);
1626
1627 List<BlackboardAttribute> otherAttributes = new ArrayList<>();
1628 if (date_modified > 0) {
1629 otherAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED,
1630 RecentActivityExtracterModuleFactory.getModuleName(),
1631 date_modified)); //NON-NLS
1632 if (fieldEncrypted) {
1633 otherAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT,
1634 RecentActivityExtracterModuleFactory.getModuleName(), ENCRYPTED_FIELD_MESSAGE)); //NON-NLS
1635
1636 }
1637 }
1638
1639 helper.addWebFormAddress(
1640 full_name, email_Addr, phone_number,
1641 locationAddress, 0, use_date,
1642 use_count, otherAttributes);
1643 }
1644 }
1645
1655 private String processFields(Object dataValue) {
1656
1657 if (dataValue instanceof byte[]) {
1658 fieldEncrypted = true;
1659 databaseEncrypted = true;
1660 }
1661
1662 return dataValue.toString() != null ? dataValue.toString() : "";
1663
1664 }
1665
1666 private boolean isChromePreVersion30(String temps) {
1667 String query = "PRAGMA table_info(downloads)"; //NON-NLS
1668 List<HashMap<String, Object>> columns = this.querySQLiteDb(temps, query);
1669 for (HashMap<String, Object> col : columns) {
1670 if (col.get("name").equals("url")) { //NON-NLS
1671 return true;
1672 }
1673 }
1674
1675 return false;
1676 }
1677
1678 @Messages({
1679 "ExtractFavicon_Display_Name=Favicon"
1680 })
1687 private BlackboardArtifact.Type createArtifactType(String artifactName, String displayName) throws TskCoreException {
1688 BlackboardArtifact.Type faviconArtifactType;
1689 try {
1690 faviconArtifactType = tskCase.getBlackboard().getOrAddArtifactType(artifactName, displayName); //NON-NLS
1691 } catch (Blackboard.BlackboardException ex) {
1692 throw new TskCoreException(String.format("An exception was thrown while defining artifact type %s", artifactName), ex);
1693 }
1694 return faviconArtifactType;
1695 }
1696
1700 private void loadMaliciousChromeExetnsions() {
1701 maliciousChromeExtensions = new HashMap<>();
1702 try {
1703 configExtractor();
1704 String malChromeExtenList = PlatformUtil.getUserConfigDirectory() + File.separator + MALICIOUS_CHROME_EXTENSION_LIST;
1705 BufferedReader csvReader = new BufferedReader(new FileReader(malChromeExtenList));
1706 String row;
1707 while ((row = csvReader.readLine()) != null) {
1708 if (!row.startsWith("#", 0)) {
1709 String[] data = row.split(",");
1710 maliciousChromeExtensions.put(data[0], data[1]);
1711 }
1712 }
1713 } catch (IOException ex) {
1714 logger.log(Level.SEVERE, String.format("Failed to load Malicious Chrome Extension List file (%s)", MALICIOUS_CHROME_EXTENSION_LIST), ex);
1715 }
1716 }
1717
1723 private void configExtractor() throws IOException {
1724 PlatformUtil.extractResourceToUserConfigDir(Chromium.class,
1725 MALICIOUS_CHROME_EXTENSION_LIST, true);
1726 }
1727
1728}

Copyright © 2012-2024 Sleuth Kit Labs. Generated on:
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.