Sleuth Kit Java Bindings (JNI)  4.11.1
Java bindings for using The Sleuth Kit
WebBrowserArtifactsHelper.java
1 /*
2  * Sleuth Kit Data Model
3  *
4  * Copyright 2019-2021 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.datamodel.blackboardutils;
20 
21 import java.net.MalformedURLException;
22 import java.net.URL;
23 import java.util.ArrayList;
24 import java.util.Collection;
25 import java.util.Collections;
26 import java.util.Optional;
27 import java.util.StringTokenizer;
28 import java.util.logging.Level;
29 import java.util.logging.Logger;
30 import org.apache.commons.lang3.StringUtils;
40 
45 public final class WebBrowserArtifactsHelper extends ArtifactHelperBase {
46 
47  private static final Logger LOGGER = Logger.getLogger(WebBrowserArtifactsHelper.class.getName());
52  private static final BlackboardArtifact.Type WEB_FORM_AUTOFILL_TYPE = new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_FORM_AUTOFILL);
54 
/**
 * Creates a helper that adds web browser artifacts for one source content object.
 *
 * All four arguments are handed unchanged to the ArtifactHelperBase constructor;
 * this class adds no state of its own here.
 *
 * @param caseDb      Case database the artifacts are written to.
 * @param moduleName  Name of the calling module; the add* methods in this class
 *                    use getModuleName() as the source of every attribute they create.
 * @param srcContent  Content object the artifacts are attached to.
 * @param ingestJobId Ingest job id forwarded to the base class; the deprecated
 *                    three-argument constructor passes null for it.
 */
public WebBrowserArtifactsHelper(
        SleuthkitCase caseDb,
        String moduleName,
        Content srcContent,
        Long ingestJobId) {
    super(caseDb, moduleName, srcContent, ingestJobId);
}
69 
/**
 * Creates a helper without an ingest job id.
 *
 * Equivalent to calling the four-argument constructor with a null ingestJobId.
 *
 * @param caseDb     Case database the artifacts are written to.
 * @param moduleName Name of the calling module.
 * @param srcContent Content object the artifacts are attached to.
 *
 * @deprecated Use the constructor that also takes an ingest job id.
 */
@Deprecated
public WebBrowserArtifactsHelper(SleuthkitCase caseDb, String moduleName, Content srcContent) {
    // The cast only spells out which parameter the null stands for.
    this(caseDb, moduleName, srcContent, (Long) null);
}
86 
/**
 * Adds a web bookmark artifact that carries no caller-supplied extra attributes.
 *
 * Delegates to the five-argument overload with an empty attribute collection.
 *
 * @param url          Bookmarked URL.
 * @param title        Bookmark title.
 * @param creationTime Creation timestamp of the bookmark.
 * @param progName     Name of the browser the bookmark was read from.
 *
 * @return The artifact returned by the five-argument overload.
 *
 * @throws TskCoreException    Declared by the overload this method calls; not caught here.
 * @throws BlackboardException Declared by the overload this method calls; not caught here.
 */
public BlackboardArtifact addWebBookmark(String url, String title, long creationTime, String progName)
        throws TskCoreException, BlackboardException {
    final Collection<BlackboardAttribute> noExtraAttributes = Collections.emptyList();
    return addWebBookmark(url, title, creationTime, progName, noExtraAttributes);
}
105 
/**
 * Adds a web bookmark artifact, including caller-supplied extra attributes, and
 * posts it to the blackboard.
 *
 * The URL attribute is always created. Creation time, title, domain and program
 * name go through addAttributeIfNotZero / addAttributeIfNotNull (defined outside
 * this listing), which decide whether the value is recorded. The domain is
 * derived from the URL by extractDomain.
 *
 * All string values are stored exactly as passed in; this method performs no
 * validation or escaping. They normally originate from parsed browser data, so
 * anything that later renders these attributes should treat them as untrusted text.
 *
 * @param url                 Bookmarked URL.
 * @param title               Bookmark title.
 * @param creationTime        Creation timestamp of the bookmark.
 * @param progName            Name of the browser the bookmark was read from.
 * @param otherAttributesList Extra attributes appended after the standard ones;
 *                            must not be null because addAll is called on it.
 *
 * @return The newly created and posted bookmark artifact.
 *
 * @throws TskCoreException    Declared by the calls this method makes; not caught here.
 * @throws BlackboardException Declared by the calls this method makes; not caught here.
 */
public BlackboardArtifact addWebBookmark(String url, String title, long creationTime, String progName,
        Collection<BlackboardAttribute> otherAttributesList) throws TskCoreException, BlackboardException {

    final Collection<BlackboardAttribute> bookmarkAttrs = new ArrayList<>();

    // Standard attributes, in the same order the artifact has always carried them.
    bookmarkAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, getModuleName(), url));
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, creationTime, bookmarkAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE, title, bookmarkAttrs);
    final String domain = extractDomain(url);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, domain, bookmarkAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, progName, bookmarkAttrs);

    // Caller-supplied attributes come last.
    bookmarkAttrs.addAll(otherAttributesList);

    final BlackboardArtifact artifact = getContent().newDataArtifact(WEB_BOOKMARK_TYPE, bookmarkAttrs);

    // Post with the ingest job id when one is present, otherwise with null.
    final Long jobId = getIngestJobId().orElse(null);
    getSleuthkitCase().getBlackboard().postArtifact(artifact, getModuleName(), jobId);

    return artifact;
}
147 
/**
 * Adds a web cookie artifact that carries no caller-supplied extra attributes.
 *
 * Delegates to the six-argument overload with an empty attribute collection.
 *
 * @param url          URL the cookie belongs to.
 * @param creationTime Timestamp recorded for the cookie.
 * @param name         Cookie name.
 * @param value        Cookie value.
 * @param programName  Name of the browser the cookie was read from.
 *
 * @return The artifact returned by the six-argument overload.
 *
 * @throws TskCoreException    Declared by the overload this method calls; not caught here.
 * @throws BlackboardException Declared by the overload this method calls; not caught here.
 */
public BlackboardArtifact addWebCookie(String url, long creationTime,
        String name, String value, String programName) throws TskCoreException, BlackboardException {
    final Collection<BlackboardAttribute> noExtraAttributes = Collections.emptyList();
    return addWebCookie(url, creationTime, name, value, programName, noExtraAttributes);
}
169 
/**
 * Adds a web cookie artifact, including caller-supplied extra attributes, and
 * posts it to the blackboard.
 *
 * The URL attribute is always created. Time, name, value, domain and program
 * name go through addAttributeIfNotZero / addAttributeIfNotNull (defined outside
 * this listing), which decide whether the value is recorded. Note that the
 * timestamp is stored as TSK_DATETIME even though the parameter is called
 * creationTime.
 *
 * The cookie value is stored exactly as passed in. Cookie values recovered from
 * a browser profile can be session tokens or other credentials, so the resulting
 * case data should be handled with that in mind.
 *
 * @param url                 URL the cookie belongs to.
 * @param creationTime        Timestamp recorded for the cookie.
 * @param name                Cookie name.
 * @param value               Cookie value.
 * @param programName         Name of the browser the cookie was read from.
 * @param otherAttributesList Extra attributes appended after the standard ones;
 *                            must not be null because addAll is called on it.
 *
 * @return The newly created and posted cookie artifact.
 *
 * @throws TskCoreException    Declared by the calls this method makes; not caught here.
 * @throws BlackboardException Declared by the calls this method makes; not caught here.
 */
public BlackboardArtifact addWebCookie(String url,
        long creationTime, String name, String value, String programName,
        Collection<BlackboardAttribute> otherAttributesList) throws TskCoreException, BlackboardException {

    final Collection<BlackboardAttribute> cookieAttrs = new ArrayList<>();

    // Standard attributes, in the same order the artifact has always carried them.
    cookieAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, getModuleName(), url));
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, creationTime, cookieAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, name, cookieAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE, value, cookieAttrs);
    final String domain = extractDomain(url);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, domain, cookieAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, programName, cookieAttrs);

    // Caller-supplied attributes come last.
    cookieAttrs.addAll(otherAttributesList);

    final BlackboardArtifact artifact = getContent().newDataArtifact(WEB_COOKIE_TYPE, cookieAttrs);

    // Post with the ingest job id when one is present, otherwise with null.
    final Long jobId = getIngestJobId().orElse(null);
    getSleuthkitCase().getBlackboard().postArtifact(artifact, getModuleName(), jobId);

    return artifact;
}
217 
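/**
 * Adds a web download artifact that carries no caller-supplied extra attributes.
 *
 * Delegates to the five-argument overload with an empty attribute collection.
 *
 * @param url         URL the file was downloaded from.
 * @param startTime   Timestamp recorded for the download.
 * @param path        Path of the downloaded file.
 * @param programName Name of the browser the download record was read from.
 *
 * @return The artifact returned by the five-argument overload.
 *
 * @throws TskCoreException    Declared by the overload this method calls; not caught here.
 * @throws BlackboardException Declared by the overload this method calls; not caught here.
 */
public BlackboardArtifact addWebDownload(String url, long startTime, String path, String programName)
        throws TskCoreException, BlackboardException {
    // The arguments must be passed in the overload's own order (url, startTime, path, ...).
    // Both url and path are Strings, so the compiler cannot catch a swap; swapping them
    // would store the path as TSK_URL, the URL as TSK_PATH, and derive TSK_DOMAIN from
    // the file path instead of the download URL.
    return addWebDownload(url, startTime, path, programName, Collections.emptyList());
}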
235 
/**
 * Adds a web download artifact, including caller-supplied extra attributes, and
 * posts it to the blackboard.
 *
 * The path and URL attributes are always created. Start time, program name and
 * domain go through addAttributeIfNotZero / addAttributeIfNotNull (defined
 * outside this listing), which decide whether the value is recorded. The start
 * time is stored as TSK_DATETIME_ACCESSED, and the domain is derived from the
 * URL by extractDomain.
 *
 * The url and path parameters are both Strings and are stored as passed; a
 * caller that swaps them produces an artifact whose URL, path and domain are
 * all wrong without any error being raised.
 *
 * @param url                 URL the file was downloaded from.
 * @param startTime           Timestamp recorded for the download.
 * @param path                Path of the downloaded file.
 * @param programName         Name of the browser the download record was read from.
 * @param otherAttributesList Extra attributes appended after the standard ones;
 *                            must not be null because addAll is called on it.
 *
 * @return The newly created and posted download artifact.
 *
 * @throws TskCoreException    Declared by the calls this method makes; not caught here.
 * @throws BlackboardException Declared by the calls this method makes; not caught here.
 */
public BlackboardArtifact addWebDownload(String url, long startTime, String path, String programName,
        Collection<BlackboardAttribute> otherAttributesList) throws TskCoreException, BlackboardException {

    final Collection<BlackboardAttribute> downloadAttrs = new ArrayList<>();

    // Standard attributes, in the same order the artifact has always carried them.
    downloadAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, getModuleName(), path));
    downloadAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, getModuleName(), url));
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, startTime, downloadAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, programName, downloadAttrs);
    final String domain = extractDomain(url);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, domain, downloadAttrs);

    // Caller-supplied attributes come last.
    downloadAttrs.addAll(otherAttributesList);

    final BlackboardArtifact artifact = getContent().newDataArtifact(WEB_DOWNLOAD_TYPE, downloadAttrs);

    // Post with the ingest job id when one is present, otherwise with null.
    final Long jobId = getIngestJobId().orElse(null);
    getSleuthkitCase().getBlackboard().postArtifact(artifact, getModuleName(), jobId);

    return artifact;
}
277 
/**
 * Adds a web form address artifact that carries no caller-supplied extra attributes.
 *
 * Delegates to the eight-argument overload with an empty attribute collection.
 *
 * @param personName     Person name from the saved form entry.
 * @param email          Email address from the saved form entry.
 * @param phoneNumber    Phone number from the saved form entry.
 * @param mailingAddress Mailing address from the saved form entry.
 * @param creationTime   Creation timestamp of the entry.
 * @param accessTime     Last-access timestamp of the entry.
 * @param count          Use count of the entry.
 *
 * @return The artifact returned by the eight-argument overload.
 *
 * @throws TskCoreException    Declared by the overload this method calls; not caught here.
 * @throws BlackboardException Declared by the overload this method calls; not caught here.
 */
public BlackboardArtifact addWebFormAddress(String personName, String email,
        String phoneNumber, String mailingAddress,
        long creationTime, long accessTime, int count) throws TskCoreException, BlackboardException {
    final Collection<BlackboardAttribute> noExtraAttributes = Collections.emptyList();
    return addWebFormAddress(personName, email, phoneNumber, mailingAddress,
            creationTime, accessTime, count, noExtraAttributes);
}
301 
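/**
 * Adds a web form address artifact, including caller-supplied extra attributes,
 * and posts it to the blackboard.
 *
 * Before the artifact is built, a non-empty email and a non-empty phone number
 * are each registered as an account instance through the CommunicationsManager.
 * An identifier rejected with InvalidAccountIDException is logged at WARNING and
 * otherwise ignored: the artifact is still created and still carries the value
 * as an attribute.
 *
 * The name attribute is always created. Email, phone, address, timestamps and
 * count go through addAttributeIfNotNull / addAttributeIfNotZero (defined
 * outside this listing), which decide whether the value is recorded.
 *
 * @param personName          Person name from the saved form entry.
 * @param email               Email address from the saved form entry; may be null or empty.
 * @param phoneNumber         Phone number from the saved form entry; may be null or empty.
 * @param mailingAddress      Mailing address from the saved form entry.
 * @param creationTime        Creation timestamp of the entry.
 * @param accessTime          Last-access timestamp of the entry.
 * @param count               Use count of the entry.
 * @param otherAttributesList Extra attributes appended after the standard ones;
 *                            null is treated as "none".
 *
 * @return The newly created and posted form address artifact.
 *
 * @throws TskCoreException    Declared by the calls this method makes; not caught here.
 * @throws BlackboardException Declared by the calls this method makes; not caught here.
 */
public BlackboardArtifact addWebFormAddress(String personName, String email,
        String phoneNumber, String mailingAddress,
        long creationTime, long accessTime, int count,
        Collection<BlackboardAttribute> otherAttributesList) throws TskCoreException, BlackboardException {

    Collection<BlackboardAttribute> attributes = new ArrayList<>();

    CommunicationsManager commManager = this.getSleuthkitCase().getCommunicationsManager();

    Optional<Long> ingestJobId = getIngestJobId();
    if (StringUtils.isNotEmpty(email)) {
        try {
            commManager.createAccountFileInstance(Account.Type.EMAIL, email, this.getModuleName(), this.getContent(), null, ingestJobId.orElse(null));
        } catch (InvalidAccountIDException ex) {
            // Best effort: a malformed address must not stop the artifact from being recorded.
            // NOTE(review): the rejected value is evidence-derived and is written to the log
            // unmodified, so log viewers should treat it as untrusted text.
            LOGGER.log(Level.WARNING, String.format("Invalid account identifier %s", email), ex);
        }
    }

    if (StringUtils.isNotEmpty(phoneNumber)) {
        try {
            commManager.createAccountFileInstance(Account.Type.PHONE, phoneNumber, this.getModuleName(), this.getContent(), null, ingestJobId.orElse(null));
        } catch (InvalidAccountIDException ex) {
            // Same best-effort handling as for the email address above.
            LOGGER.log(Level.WARNING, String.format("Invalid account identifier %s", phoneNumber), ex);
        }
    }

    // construct attributes
    attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, getModuleName(), personName));

    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, email, attributes);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, phoneNumber, attributes);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION, mailingAddress, attributes);

    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, creationTime, attributes);
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, accessTime, attributes);
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COUNT, count, attributes);

    // Append the caller-supplied attributes last, as the other add* methods in this class do;
    // without this step they are silently dropped from the artifact. The null check keeps
    // callers that pass null working.
    if (otherAttributesList != null) {
        attributes.addAll(otherAttributesList);
    }

    // add artifact
    Content content = getContent();
    BlackboardArtifact webFormAddressArtifact = content.newDataArtifact(WEB_FORM_ADDRESS_TYPE, attributes);

    // post artifact
    getSleuthkitCase().getBlackboard().postArtifact(webFormAddressArtifact, getModuleName(), ingestJobId.orElse(null));

    // return the artifact
    return webFormAddressArtifact;
}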
366 
/**
 * Adds a web form autofill artifact that carries no caller-supplied extra attributes.
 *
 * Delegates to the six-argument overload with an empty attribute collection.
 *
 * @param name         Name of the autofill field.
 * @param value        Value saved for the field.
 * @param creationTime Creation timestamp of the entry.
 * @param accessTime   Last-access timestamp of the entry.
 * @param count        Use count of the entry.
 *
 * @return The artifact returned by the six-argument overload.
 *
 * @throws TskCoreException    Declared by the overload this method calls; not caught here.
 * @throws BlackboardException Declared by the overload this method calls; not caught here.
 */
public BlackboardArtifact addWebFormAutofill(String name, String value,
        long creationTime, long accessTime, int count) throws TskCoreException, BlackboardException {
    final Collection<BlackboardAttribute> noExtraAttributes = Collections.emptyList();
    return addWebFormAutofill(name, value, creationTime, accessTime, count, noExtraAttributes);
}
386 
/**
 * Adds a web form autofill artifact, including caller-supplied extra attributes,
 * and posts it to the blackboard.
 *
 * The name and value attributes are always created. The two timestamps and the
 * count go through addAttributeIfNotZero (defined outside this listing), which
 * decides whether the value is recorded.
 *
 * The field value is stored exactly as passed in. Saved form values can hold
 * personal data or credentials typed into a web page, so the resulting case
 * data should be handled with that in mind.
 *
 * @param name                Name of the autofill field.
 * @param value               Value saved for the field.
 * @param creationTime        Creation timestamp of the entry.
 * @param accessTime          Last-access timestamp of the entry.
 * @param count               Use count of the entry.
 * @param otherAttributesList Extra attributes appended after the standard ones;
 *                            must not be null because addAll is called on it.
 *
 * @return The newly created and posted autofill artifact.
 *
 * @throws TskCoreException    Declared by the calls this method makes; not caught here.
 * @throws BlackboardException Declared by the calls this method makes; not caught here.
 */
public BlackboardArtifact addWebFormAutofill(String name, String value,
        long creationTime, long accessTime, int count,
        Collection<BlackboardAttribute> otherAttributesList) throws TskCoreException, BlackboardException {

    final Collection<BlackboardAttribute> autofillAttrs = new ArrayList<>();

    // Standard attributes, in the same order the artifact has always carried them.
    autofillAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, getModuleName(), name));
    autofillAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE, getModuleName(), value));
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, creationTime, autofillAttrs);
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, accessTime, autofillAttrs);
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COUNT, count, autofillAttrs);

    // Caller-supplied attributes come last.
    autofillAttrs.addAll(otherAttributesList);

    final BlackboardArtifact artifact = getContent().newDataArtifact(WEB_FORM_AUTOFILL_TYPE, autofillAttrs);

    // Post with the ingest job id when one is present, otherwise with null.
    final Long jobId = getIngestJobId().orElse(null);
    getSleuthkitCase().getBlackboard().postArtifact(artifact, getModuleName(), jobId);

    return artifact;
}
431 
/**
 * Adds a web history artifact that carries no caller-supplied extra attributes.
 *
 * Delegates to the six-argument overload with an empty attribute collection.
 *
 * @param url         URL that was visited.
 * @param accessTime  Timestamp of the visit.
 * @param referrer    Referrer recorded for the visit.
 * @param title       Page title.
 * @param programName Name of the browser the history entry was read from.
 *
 * @return The artifact returned by the six-argument overload.
 *
 * @throws TskCoreException    Declared by the overload this method calls; not caught here.
 * @throws BlackboardException Declared by the overload this method calls; not caught here.
 */
public BlackboardArtifact addWebHistory(String url, long accessTime,
        String referrer, String title, String programName) throws TskCoreException, BlackboardException {
    final Collection<BlackboardAttribute> noExtraAttributes = Collections.emptyList();
    return addWebHistory(url, accessTime, referrer, title, programName, noExtraAttributes);
}
452 
/**
 * Adds a web history artifact, including caller-supplied extra attributes, and
 * posts it to the blackboard.
 *
 * The URL attribute is always created. Access time, title, referrer, program
 * name and domain go through addAttributeIfNotZero / addAttributeIfNotNull
 * (defined outside this listing), which decide whether the value is recorded.
 * The domain is derived from the URL by extractDomain.
 *
 * URL, referrer and title are stored exactly as passed in; this method performs
 * no validation or escaping. They normally originate from parsed browser data,
 * so anything that later renders these attributes should treat them as
 * untrusted text.
 *
 * @param url                 URL that was visited.
 * @param accessTime          Timestamp of the visit.
 * @param referrer            Referrer recorded for the visit.
 * @param title               Page title.
 * @param programName         Name of the browser the history entry was read from.
 * @param otherAttributesList Extra attributes appended after the standard ones;
 *                            must not be null because addAll is called on it.
 *
 * @return The newly created and posted history artifact.
 *
 * @throws TskCoreException    Declared by the calls this method makes; not caught here.
 * @throws BlackboardException Declared by the calls this method makes; not caught here.
 */
public BlackboardArtifact addWebHistory(String url, long accessTime,
        String referrer, String title, String programName,
        Collection<BlackboardAttribute> otherAttributesList) throws TskCoreException, BlackboardException {

    final Collection<BlackboardAttribute> historyAttrs = new ArrayList<>();

    // Standard attributes, in the same order the artifact has always carried them.
    historyAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, getModuleName(), url));
    addAttributeIfNotZero(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, accessTime, historyAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE, title, historyAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REFERRER, referrer, historyAttrs);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, programName, historyAttrs);
    final String domain = extractDomain(url);
    addAttributeIfNotNull(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, domain, historyAttrs);

    // Caller-supplied attributes come last.
    historyAttrs.addAll(otherAttributesList);

    final BlackboardArtifact artifact = getContent().newDataArtifact(WEB_HISTORY_TYPE, historyAttrs);

    // Post with the ingest job id when one is present, otherwise with null.
    final Long jobId = getIngestJobId().orElse(null);
    getSleuthkitCase().getBlackboard().postArtifact(artifact, getModuleName(), jobId);

    return artifact;
}
498 
499  // TBD: this is duplicated in Autopsy.
500  // We should move this to new Util class in TSK, and have Autopsy delegate to it.
/**
 * Derives the value stored as TSK_DOMAIN from a URL string.
 *
 * The string is first parsed with java.net.URL. When that succeeds and yields a
 * non-blank host, the host is returned as is (the full host name, not reduced
 * to a base domain). When parsing fails or the host is blank, the string is
 * handed to getBaseDomain, which returns at most the last two dot-separated
 * labels. The two paths can therefore produce differently shaped results for
 * similar input.
 *
 * @param urlString URL to examine; may be null.
 *
 * @return The host or base domain, or an empty string when urlString is null.
 */
private static String extractDomain(String urlString) {
    if (urlString == null) {
        return "";
    }

    String host = null;
    try {
        host = new URL(urlString).getHost();
    } catch (MalformedURLException ignored) {
        // Not something java.net.URL accepts; host stays null and the fallback below runs.
    }

    // StringUtils.isBlank is also true for null, so one check covers "parse failed"
    // and "parsed but no host".
    if (StringUtils.isBlank(host)) {
        return getBaseDomain(urlString);
    }
    return host;
}
529 
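/**
 * Extracts a base domain from a URL-like string without relying on java.net.URL.
 *
 * Steps: strip one leading "scheme://" prefix, take everything before the first
 * '/', keep the last two dot-separated labels, then reject the result if it
 * contains any character from a fixed list of punctuation (which includes ':'
 * and '@', so hosts with a port or user-info part are rejected).
 *
 * Limitations a reader of the resulting TSK_DOMAIN value should know: the
 * "last two labels" rule knows nothing about multi-label public suffixes or IP
 * addresses, so "www.example.co.uk" yields "co.uk" and a dotted IPv4 address
 * yields its last two octets.
 *
 * @param url URL-like string; must not be null.
 *
 * @return The last two labels of the host joined by '.', or an empty string
 *         when the host has fewer than two labels or contains a rejected character.
 */
private static String getBaseDomain(String url) {
    // Strip only a prefix that really is a scheme: it may not contain '/', '?' or '#'.
    // A greedy ".*://" would cut up to the LAST "://" in the string, so a URL embedded
    // in the path or query (for example a redirect target) would be reported as the
    // domain instead of the host that was actually contacted.
    String cleanUrl = url.replaceFirst("^[^/?#]*?://", "");

    // Everything before the first '/' is treated as the host. split() returns an empty
    // array when the string consists only of slashes; fall back to the whole string then.
    String[] dirToks = cleanUrl.split("/");
    String host = (dirToks.length > 0) ? dirToks[0] : cleanUrl;

    // Walk the dot-separated labels and remember the last two. StringTokenizer skips
    // empty labels, so "a..b" counts as two labels.
    StringTokenizer labels = new StringTokenizer(host, ".");
    String secondLast = null;
    String last = null;
    while (labels.hasMoreTokens()) {
        secondLast = last;
        last = labels.nextToken();
    }

    // A base domain must contain a '.', i.e. consist of two labels (details JIRA-4609).
    if (secondLast == null) {
        return "";
    }
    String base = secondLast + "." + last;

    // Verify there are no special characters in there. (?s) lets '.' match line
    // terminators too; without it String.matches cannot span an embedded newline and
    // a value containing a rejected character next to one would be accepted.
    if (base.matches("(?s).*[~`!@#$%^&\\*\\(\\)\\+={}\\[\\];:\\?<>,/ ].*")) {
        return "";
    }

    return base;
}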
580 }

Copyright © 2011-2021 Brian Carrier. (carrier -at- sleuthkit -dot- org)
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.