1  /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2014 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
import java.io.*;
import java.io.File;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.*;
import java.util.logging.Level;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.openide.modules.InstalledFileLocator;
import org.openide.util.NbBundle;
import org.sleuthkit.datamodel.*;
import org.sleuthkit.datamodel.OSUtility; // TEMP
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
54 
61 class ExtractRegistry extends Extract {
62 
    private Logger logger = Logger.getLogger(this.getClass().getName());
    // Launch command for the Autopsy-specific RegRipper ("rr"). On Windows this is
    // the path to rip.exe; elsewhere it is the single string "perl <rrHome>/rip.pl"
    // (one string containing a space -- see the constructor). Not a constant
    // despite the naming: it is assigned in the constructor.
    private String RR_PATH;
    // Same as RR_PATH, for the full RegRipper plugin set ("rr-full").
    private String RR_FULL_PATH;
    private String rrHome; // The current version of RegRipper needs to be run from its own directory (used as the working directory)
    private String rrFullHome; // Home of the full RegRipper; "" when it was not found
    private boolean rrFound = false; // true if we found the Autopsy-specific version of regripper
    private boolean rrFullFound = false; // true if we found the full version of regripper
    private Content dataSource; // data source of the current ingest job, set by process()
    private IngestJobContext context; // job context, used for cancellation checks, set by process()
    // Maps USB vendor/product ids from the registry to human-readable make/model.
    final private static UsbDeviceIdMapper usbMapper = new UsbDeviceIdMapper();
73 
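    /**
     * Locates the two bundled RegRipper installations ("rr", the
     * Autopsy-specific plugin set, and "rr-full", the complete plugin set)
     * and builds the command used to launch each one.
     *
     * On Windows the command is the path to rip.exe. On other platforms it is
     * the single string "perl <home>/rip.pl". NOTE(review): that string
     * contains a space; ProcessBuilder does not tokenize its arguments, so it
     * has to be split into "perl" and the script path before it is run.
     *
     * Missing installations are logged at SEVERE and recorded in rrFound /
     * rrFullFound; ripRegistryFile() checks those flags before running. If the
     * Autopsy-specific installation is missing, the full one is not looked for.
     */
    ExtractRegistry() {
        // The bundle key belongs to this class, so resolve it against this class
        // (ExtractIE lives in the same package, so the same Bundle was used before).
        moduleName = NbBundle.getMessage(ExtractRegistry.class, "ExtractRegistry.moduleName.text");

        final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
        rrFound = (rrRoot != null);
        if (!rrFound) {
            logger.log(Level.SEVERE, "RegRipper not found"); //NON-NLS
            return;
        }
        rrHome = rrRoot.getAbsolutePath();
        logger.log(Level.INFO, "RegRipper home: {0}", rrHome); //NON-NLS
        RR_PATH = buildRipCommand(rrHome);

        final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
        rrFullFound = (rrFullRoot != null);
        if (!rrFullFound) {
            logger.log(Level.SEVERE, "RegRipper Full not found"); //NON-NLS
        }
        rrFullHome = rrFullFound ? rrFullRoot.getAbsolutePath() : "";
        logger.log(Level.INFO, "RegRipper Full home: {0}", rrFullHome); //NON-NLS
        RR_FULL_PATH = buildRipCommand(rrFullHome);
    }

    /**
     * Builds the launch command for a RegRipper installation rooted at
     * {@code home}: the rip.exe path on Windows, otherwise the single string
     * "perl <home>/rip.pl".
     */
    private static String buildRipCommand(String home) {
        if (PlatformUtil.isWindowsOS()) {
            return home + File.separator + "rip.exe"; //NON-NLS
        }
        return "perl " + home + File.separator + "rip.pl"; //NON-NLS
    }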
115 
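    /**
     * Collects the registry hives to be ripped from the current data source:
     * every file named ntuser.dat (one per user profile, searched anywhere on
     * the data source) plus the system, software, security and sam hives
     * found under a /system32/config directory.
     *
     * Lookup failures are logged and reported through addErrorMessage(); the
     * hives that could be found are still returned, so the result may be
     * partial.
     *
     * @return the hives found, possibly empty, never null
     */
    private List<AbstractFile> findRegistryFiles() {
        List<AbstractFile> allRegistryFiles = new ArrayList<>();
        org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();

        // Per-user hives: NTUSER.DAT lives in each profile directory, so no
        // parent-path restriction is applied.
        try {
            allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); //NON-NLS
        } catch (TskCoreException ex) {
            // Report this the same way as the system hives below so the failure
            // shows up in the ingest messages, not only in the log.
            String msg = NbBundle.getMessage(this.getClass(),
                    "ExtractRegistry.findRegFiles.errMsg.errReadingFile", "ntuser.dat"); //NON-NLS
            logger.log(Level.WARNING, msg, ex);
            this.addErrorMessage(this.getName() + ": " + msg);
        }

        // System hives: restricted to the Windows config directory so that
        // unrelated files sharing these short names are not picked up.
        String[] regFileNames = new String[]{"system", "software", "security", "sam"}; //NON-NLS
        for (String regFileName : regFileNames) {
            try {
                allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS
            } catch (TskCoreException ex) {
                String msg = NbBundle.getMessage(this.getClass(),
                        "ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
                logger.log(Level.WARNING, msg, ex);
                this.addErrorMessage(this.getName() + ": " + msg);
            }
        }
        return allRegistryFiles;
    }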
144 
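    /**
     * Runs RegRipper over every hive returned by findRegistryFiles() and turns
     * the results into blackboard artifacts and case reports.
     *
     * Each hive is copied out of the image into the module's temp directory
     * (RegRipper needs a real file), ripped, and the copy is deleted again.
     * The copy is removed on every exit path -- including cancellation and a
     * failed write -- because the SAM and SECURITY hives carry credential
     * material that should not be left behind in the case's temp directory.
     *
     * A regripper-info.txt file in the module's output directory maps the
     * numbered output files back to each hive's path in the image. If that
     * file cannot be opened, processing continues without it.
     */
    private void analyzeRegistryFiles() {
        List<AbstractFile> allRegistryFiles = findRegistryFiles();

        // Index -> hive path log. Failure to open it is logged but not fatal.
        Writer logFile = null;
        try {
            logFile = new FileWriter(RAImageIngestModule.getRAOutputPath(currentCase, "reg") + File.separator + "regripper-info.txt"); //NON-NLS
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Unable to open regripper-info.txt", ex); //NON-NLS
        }

        try {
            int hiveIndex = 0;
            for (AbstractFile regFile : allRegistryFiles) {
                int index = hiveIndex++;
                String regFileName = regFile.getName();
                String regFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg") + File.separator + regFileName;
                String outputPathBase = RAImageIngestModule.getRAOutputPath(currentCase, "reg") + File.separator + regFileName + "-regripper-" + Integer.toString(index); //NON-NLS
                File regFileNameLocalFile = new File(regFileNameLocal);
                try {
                    if (!extractHive(regFile, regFileNameLocalFile)) {
                        continue; // the finally block still removes any partial copy
                    }
                    if (context.dataSourceIngestIsCancelled()) {
                        break;
                    }
                    recordHivePath(logFile, index, regFile);

                    logger.log(Level.INFO, "{0}- Now getting registry information from {1}", new Object[]{moduleName, regFileNameLocal}); //NON-NLS
                    RegOutputFiles regOutputFiles = ripRegistryFile(regFileNameLocal, outputPathBase);
                    if (context.dataSourceIngestIsCancelled()) {
                        break;
                    }
                    postResults(regOutputFiles, regFile);
                } finally {
                    // Previously skipped when the loop was left via break/continue.
                    deleteTempHive(regFileNameLocalFile);
                }
            }
        } finally {
            try {
                if (logFile != null) {
                    logFile.close();
                }
            } catch (IOException ex) {
                logger.log(Level.SEVERE, "Unable to close regripper-info.txt", ex); //NON-NLS
            }
        }
    }

    /**
     * Copies the hive out of the image to {@code localFile}.
     *
     * @return true on success; false after logging and reporting the failure
     */
    private boolean extractHive(AbstractFile regFile, File localFile) {
        try {
            ContentUtils.writeToFile(regFile, localFile);
            return true;
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Error writing the temp registry file.", ex); //NON-NLS
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
                            this.getName(), regFile.getName()));
            return false;
        }
    }

    /** Writes "index<TAB>path-in-image" to the info log, if the log could be opened. */
    private void recordHivePath(Writer logFile, int index, AbstractFile regFile) {
        if (logFile == null) {
            return;
        }
        try {
            logFile.write(Integer.toString(index) + "\t" + regFile.getUniquePath() + "\n");
        } catch (TskCoreException | IOException ex) {
            logger.log(Level.SEVERE, "Unable to record hive path in regripper-info.txt", ex); //NON-NLS
        }
    }

    /**
     * Turns the Autopsy-specific output into artifacts and attaches the full
     * output to the case as a report. Either may be absent (empty path).
     */
    private void postResults(RegOutputFiles regOutputFiles, AbstractFile regFile) {
        if (!regOutputFiles.autopsyPlugins.isEmpty()) {
            if (!parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile)) {
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
                                this.getName(), regFile.getName()));
            }
        }

        if (!regOutputFiles.fullPlugins.isEmpty()) {
            try {
                currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), "RegRipper " + regFile.getUniquePath()); //NON-NLS
            } catch (TskCoreException e) {
                this.addErrorMessage("Error adding regripper output as Autopsy report: " + e.getLocalizedMessage()); //NON-NLS
            }
        }
    }

    /** Removes the extracted hive copy; a failure is logged rather than ignored. */
    private void deleteTempHive(File localFile) {
        if (localFile.exists() && !localFile.delete()) {
            logger.log(Level.WARNING, "Unable to delete temporary registry file {0}", localFile.getAbsolutePath()); //NON-NLS
        }
    }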
224 
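    /**
     * Paths of the two RegRipper result files produced for one hive. A path
     * is the empty string when that plugin set was not run (RegRipper variant
     * not installed, hive type not handled, or job cancelled in between).
     *
     * Static: the holder does not use the enclosing ExtractRegistry instance,
     * so it should not keep a hidden reference to it.
     */
    private static class RegOutputFiles {

        /** Output of the Autopsy-specific plugin set ("rr"); parsed into artifacts. */
        public String autopsyPlugins = "";
        /** Output of the full plugin set ("rr-full"); attached to the case as a report. */
        public String fullPlugins = "";
    }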
230 
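    /**
     * Runs the Autopsy-specific and the full RegRipper plugin sets over one
     * extracted hive, choosing the plugin set from the hive's file name.
     *
     * system, software and ntuser hives are run through both RegRippers; sam
     * and security only through the full one. A hive with an unrecognised
     * name, or a RegRipper that was not found, leaves the corresponding output
     * path empty. The full run is skipped if the job was cancelled during the
     * first.
     *
     * @param regFilePath     path of the extracted hive copy
     * @param outFilePathBase prefix for the output files; "-autopsy.txt",
     *                        "-full.txt" and the matching ".err.txt" are appended
     * @return the output file paths, empty strings for runs that did not happen
     */
    private RegOutputFiles ripRegistryFile(String regFilePath, String outFilePathBase) {
        RegOutputFiles regOutputFiles = new RegOutputFiles();

        // Classify by the hive's file name only. regFilePath also contains the
        // case's temp directory, and a directory named e.g. ".../sam/..." or
        // ".../systems/..." would otherwise make every hive look like a SAM or
        // SYSTEM hive. Locale.ROOT keeps the comparison stable on JVMs whose
        // default locale lower-cases 'I' differently (Turkish).
        String hiveName = new File(regFilePath).getName().toLowerCase(Locale.ROOT);
        String autopsyType = ""; // -f argument for the Autopsy-specific RegRipper; "" = not run
        String fullType;         // -f argument for the full RegRipper
        if (hiveName.contains("system")) { //NON-NLS
            autopsyType = "autopsysystem"; //NON-NLS
            fullType = "system"; //NON-NLS
        } else if (hiveName.contains("software")) { //NON-NLS
            autopsyType = "autopsysoftware"; //NON-NLS
            fullType = "software"; //NON-NLS
        } else if (hiveName.contains("ntuser")) { //NON-NLS
            autopsyType = "autopsyntuser"; //NON-NLS
            fullType = "ntuser"; //NON-NLS
        } else if (hiveName.contains("sam")) { //NON-NLS
            fullType = "sam"; //NON-NLS
        } else if (hiveName.contains("security")) { //NON-NLS
            fullType = "security"; //NON-NLS
        } else {
            // Not a hive this module knows how to rip.
            return regOutputFiles;
        }

        // Autopsy-specific plugin set (parsed into artifacts by the caller).
        if (!autopsyType.isEmpty() && rrFound) {
            regOutputFiles.autopsyPlugins = outFilePathBase + "-autopsy.txt"; //NON-NLS
            String errFilePath = outFilePathBase + "-autopsy.err.txt"; //NON-NLS
            logger.log(Level.INFO, "Writing RegRipper results to: {0}", regOutputFiles.autopsyPlugins); //NON-NLS
            executeRegRipper(RR_PATH, rrHome, regFilePath, autopsyType, regOutputFiles.autopsyPlugins, errFilePath);
        }
        if (context.dataSourceIngestIsCancelled()) {
            return regOutputFiles;
        }

        // Full plugin set (attached to the case as a report by the caller).
        if (!fullType.isEmpty() && rrFullFound) {
            regOutputFiles.fullPlugins = outFilePathBase + "-full.txt"; //NON-NLS
            String errFilePath = outFilePathBase + "-full.err.txt"; //NON-NLS
            logger.log(Level.INFO, "Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins); //NON-NLS
            executeRegRipper(RR_FULL_PATH, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
        }
        return regOutputFiles;
    }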
281 
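    /**
     * Runs one RegRipper invocation, {@code <rip> -r <hive> -f <plugin set>},
     * with stdout and stderr redirected to the given files.
     *
     * The hive is evidence taken from the image, so RegRipper is parsing
     * untrusted input. It runs as a separate process with no shell in between
     * (ProcessBuilder is given an argument list, not a command string), and
     * is terminated if the ingest job is cancelled.
     *
     * @param regRipperPath    launch command as set up by the constructor: the
     *                         rip.exe path on Windows, or the single string
     *                         "perl <dir>/rip.pl" on other platforms
     * @param regRipperHomeDir working directory; RegRipper 2.8 has to be started
     *                         from its own directory
     * @param hiveFilePath     path of the extracted hive copy
     * @param hiveFileType     RegRipper plugin-set name passed to -f
     * @param outputFile       file that receives RegRipper's stdout
     * @param errFile          file that receives RegRipper's stderr
     */
    private void executeRegRipper(String regRipperPath, String regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
        try {
            logger.log(Level.INFO, "Writing RegRipper results to: {0}", outputFile); //NON-NLS
            List<String> commandLine = new ArrayList<>();

            // ProcessBuilder does not tokenize: handed "perl /x/rip.pl" as one
            // element it looks for a program of that name and fails with an
            // IOException, so the non-Windows form was never runnable. Split the
            // interpreter off the script path. Only the first space separates
            // them; the installation directory may itself contain spaces.
            final String perlPrefix = "perl "; //NON-NLS
            if (regRipperPath.startsWith(perlPrefix)) {
                commandLine.add("perl"); //NON-NLS
                commandLine.add(regRipperPath.substring(perlPrefix.length()));
            } else {
                commandLine.add(regRipperPath);
            }
            commandLine.add("-r"); //NON-NLS
            commandLine.add(hiveFilePath);
            commandLine.add("-f"); //NON-NLS
            commandLine.add(hiveFileType);

            ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
            processBuilder.directory(new File(regRipperHomeDir)); // RegRipper 2.8 has to be run from its own directory
            processBuilder.redirectOutput(new File(outputFile));
            processBuilder.redirectError(new File(errFile));
            // The terminator kills the process if the ingest job is cancelled.
            ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context));
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
        }
    }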
302 
303  // @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT
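    /**
     * Parses the output of the Autopsy-specific RegRipper plugins for one hive
     * and posts the results to the blackboard.
     *
     * RegRipper's text output is massaged into a single XML document (see
     * toXmlDocument). Each top-level element is one plugin result whose name
     * selects how its {@code <artifacts>} children are handled: WinVersion,
     * Profiler and CompName are merged into the hive's single TSK_OS_INFO
     * artifact; usb, uninstall, office, ProfileList and NtuserNetwork produce
     * one artifact per child; recentdocs and ProcessorArchitecture are
     * ignored; anything else is logged.
     *
     * The output is derived from hive contents, i.e. from evidence, and is
     * treated as untrusted: the parser runs with secure processing, no DTD
     * and no external entities. '<' in a registry value is not escaped here
     * (the plugin's own tags share the same text), so a value containing XML
     * markup can still make the parse fail; that is reported via the return
     * value, not thrown.
     *
     * @param regFilePath path of the RegRipper "-autopsy.txt" output file
     * @param regFile     the hive the output was produced from; artifacts are
     *                    attached to it
     * @return true if the output was parsed; false if it was empty, unreadable
     *         or malformed (failures on individual artifacts are logged and
     *         skipped, and do not affect the return value)
     */
    private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
        try (FileInputStream fstream = new FileInputStream(new File(regFilePath));
                Scanner scanner = new Scanner(fstream, "UTF-8")) { //NON-NLS
            SleuthkitCase tempDb = currentCase.getSleuthkitCase();

            // Slurp the whole file. An empty file (RegRipper wrote nothing,
            // usually because it failed -- see the matching .err.txt) used to
            // raise NoSuchElementException out of this method.
            scanner.useDelimiter("\\Z"); //NON-NLS
            if (!scanner.hasNext()) {
                logger.log(Level.WARNING, "RegRipper output file is empty: {0}", regFilePath); //NON-NLS
                return false;
            }
            Document doc = parseRegRipperXml(toXmlDocument(scanner.next()));

            String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace");
            NodeList children = doc.getDocumentElement().getChildNodes();
            for (int i = 0; i < children.getLength(); i++) {
                Node child = children.item(i);
                if (!(child instanceof Element)) {
                    continue; // stray text between plugin results
                }
                Element tempnode = (Element) child;
                String dataType = tempnode.getNodeName();

                // Key last-write time reported by the plugin, if any. Only the
                // "office" results record it.
                Long mtime = null;
                NodeList timenodes = tempnode.getElementsByTagName("mtime"); //NON-NLS
                if (timenodes.getLength() > 0) {
                    mtime = parseRegRipperTime(timenodes.item(0).getTextContent(),
                            "Failed to parse epoch time when parsing the registry."); //NON-NLS
                }

                NodeList artroots = tempnode.getElementsByTagName("artifacts"); //NON-NLS
                if (artroots.getLength() == 0) {
                    continue; // nothing to record for this plugin
                }
                List<Element> artnodes = artifactElements((Element) artroots.item(0));

                switch (dataType) {
                    case "WinVersion": //NON-NLS
                        addWinVersion(tempDb, regFile, artnodes, parentModuleName);
                        break;
                    case "Profiler": //NON-NLS
                        addProfiler(tempDb, regFile, artnodes, parentModuleName);
                        break;
                    case "CompName": //NON-NLS
                        addCompName(tempDb, regFile, artnodes, parentModuleName);
                        break;
                    default:
                        for (Element artnode : artnodes) {
                            addArtifact(dataType, artnode, mtime, regFile, parentModuleName);
                        }
                        break;
                }
            }
            return true;
        } catch (FileNotFoundException ex) {
            logger.log(Level.SEVERE, "Error finding the registry file.", ex); //NON-NLS
        } catch (SAXException ex) {
            logger.log(Level.SEVERE, "Error parsing the registry XML: {0}", ex); //NON-NLS
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Error building the document parser: {0}", ex); //NON-NLS
        } catch (ParserConfigurationException ex) {
            logger.log(Level.SEVERE, "Error configuring the registry parser: {0}", ex); //NON-NLS
        }
        return false;
    }

    /**
     * Turns RegRipper's plugin output into one well-formed XML document:
     * separator lines and line breaks are removed, '&' and then "'" are
     * escaped, NULs are replaced and a root element is wrapped around it.
     * '&' has to be escaped first -- escaping "'" first turned the resulting
     * "&apos;" into "&amp;apos;", so apostrophes in registry values were
     * stored as the literal text "&apos;". '<' and '>' cannot be escaped here
     * because the plugin's own tags share the same text.
     */
    private static String toXmlDocument(String regString) {
        String result = regString.replace("----------------------------------------", "");
        result = result.replace("\n", "").replace("\r", ""); //NON-NLS
        result = result.replace("&", "&amp;"); //NON-NLS
        result = result.replace("'", "&apos;"); //NON-NLS
        result = result.replace('\0', ' ');
        return "<?xml version=\"1.0\"?><document>" + result + "</document>"; //NON-NLS
    }

    /**
     * Parses the prepared XML with DTDs and external entities disabled. The
     * text comes from evidence and must not be able to reach the file system
     * or network, or blow up the parser, through entity declarations.
     */
    private static Document parseRegRipperXml(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //NON-NLS
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false); //NON-NLS
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //NON-NLS
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(xml)));
    }

    /**
     * The children of an {@code <artifacts>} element that carry attributes,
     * i.e. the individual artifact entries. Only elements can have attributes,
     * so the cast is safe.
     */
    private static List<Element> artifactElements(Element artroot) {
        List<Element> result = new ArrayList<>();
        NodeList myartlist = artroot.getChildNodes();
        for (int j = 0; j < myartlist.getLength(); j++) {
            Node artchild = myartlist.item(j);
            if (artchild.hasAttributes()) {
                result.add((Element) artchild);
            }
        }
        return result;
    }

    /**
     * Parses a RegRipper timestamp of the form "EEE MMM d HH:mm:ss yyyy" into
     * epoch seconds. Returns null, after logging failureMessage at WARNING, if
     * the text does not match.
     */
    private Long parseRegRipperTime(String text, String failureMessage) {
        try {
            // Fixed English locale: the day/month abbreviations in RegRipper's
            // output are English (Perl's gmtime string form), which the JVM's
            // default locale need not be.
            // NOTE(review): the pattern carries no zone, so the value is read in
            // the JVM's default time zone; if the plugins print gmtime() this is
            // off by the local UTC offset -- confirm against the rr plugin sources.
            SimpleDateFormat format = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy", Locale.US);
            return format.parse(text).getTime() / 1000;
        } catch (ParseException ex) {
            logger.log(Level.WARNING, failureMessage);
            return null;
        }
    }

    /**
     * Adds attributes to the hive's TSK_OS_INFO artifact, creating it if the
     * hive has none yet, so that WinVersion, Profiler and CompName all land on
     * the same artifact.
     */
    private void addToOsInfoArtifact(SleuthkitCase tempDb, AbstractFile regFile, Collection<BlackboardAttribute> bbattributes) {
        try {
            ArrayList<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
            if (results.isEmpty()) {
                regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO).addAttributes(bbattributes);
            } else {
                results.get(0).addAttributes(bbattributes);
            }
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding os info artifact to blackboard.", ex); //NON-NLS
        }
    }

    /**
     * WinVersion plugin: product name + service pack, install date, system
     * root, product id and registered owner/organisation -> TSK_OS_INFO.
     */
    private void addWinVersion(SleuthkitCase tempDb, AbstractFile regFile, List<Element> artnodes, String parentModuleName) {
        String version = "";
        String systemRoot = "";
        String productId = "";
        String regOwner = "";
        String regOrg = "";
        Long installtime = null;

        for (Element artnode : artnodes) {
            String value = artnode.getTextContent().trim();
            String name = artnode.getAttribute("name"); //NON-NLS
            switch (name) {
                case "ProductName": //NON-NLS
                    version = value;
                    break;
                case "CSDVersion": //NON-NLS
                    // Relies on ProductName appearing before CSDVersion in the plugin output.
                    version = version + " " + value;
                    break;
                case "SystemRoot": //NON-NLS
                    systemRoot = value;
                    break;
                case "ProductId": //NON-NLS
                    productId = value;
                    break;
                case "RegisteredOwner": //NON-NLS
                    regOwner = value;
                    break;
                case "RegisteredOrganization": //NON-NLS
                    regOrg = value;
                    break;
                case "InstallDate": //NON-NLS
                    installtime = parseRegRipperTime(value, "RegRipper::Conversion on DateTime -> InstallDate"); //NON-NLS
                    break;
                default:
                    break;
            }
        }

        Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, version));
        if (installtime != null) {
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, installtime));
        }
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), parentModuleName, systemRoot));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID.getTypeID(), parentModuleName, productId));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER.getTypeID(), parentModuleName, regOwner));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION.getTypeID(), parentModuleName, regOrg));
        addToOsInfoArtifact(tempDb, regFile, bbattributes);
    }

    /**
     * Profiler plugin: OS, processor architecture and TEMP directory ->
     * TSK_OS_INFO. PROCESSOR_IDENTIFIER is present in the output but is not
     * recorded.
     */
    private void addProfiler(SleuthkitCase tempDb, AbstractFile regFile, List<Element> artnodes, String parentModuleName) {
        String os = "";
        String procArch = "";
        String tempDir = "";

        for (Element artnode : artnodes) {
            String value = artnode.getTextContent().trim();
            String name = artnode.getAttribute("name"); //NON-NLS
            switch (name) {
                case "OS": //NON-NLS
                    os = value;
                    break;
                case "PROCESSOR_ARCHITECTURE": //NON-NLS
                    procArch = value;
                    break;
                case "TEMP": //NON-NLS
                    tempDir = value;
                    break;
                default:
                    break;
            }
        }

        Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VERSION.getTypeID(), parentModuleName, os));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE.getTypeID(), parentModuleName, procArch));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR.getTypeID(), parentModuleName, tempDir));
        addToOsInfoArtifact(tempDb, regFile, bbattributes);
    }

    /** CompName plugin: computer name and domain -> TSK_OS_INFO. */
    private void addCompName(SleuthkitCase tempDb, AbstractFile regFile, List<Element> artnodes, String parentModuleName) {
        String compName = "";
        String domain = "";

        for (Element artnode : artnodes) {
            String value = artnode.getTextContent().trim();
            String name = artnode.getAttribute("name"); //NON-NLS
            if (name.equals("ComputerName")) { //NON-NLS
                compName = value;
            } else if (name.equals("Domain")) { //NON-NLS
                domain = value;
            }
        }

        Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), parentModuleName, compName));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), parentModuleName, domain));
        addToOsInfoArtifact(tempDb, regFile, bbattributes);
    }

    /**
     * Creates one blackboard artifact for a single entry of the per-entry
     * plugin types. Failures are logged and the entry is skipped; they do not
     * abort the rest of the hive.
     *
     * @param mtime key last-write time of the enclosing plugin result, or null
     */
    private void addArtifact(String dataType, Element artnode, Long mtime, AbstractFile regFile, String parentModuleName) {
        String value = artnode.getTextContent().trim();
        switch (dataType) {
            case "recentdocs": //NON-NLS
                // @@@ BC: RecentDocs entries are not posted to the blackboard yet.
                break;
            case "usb": //NON-NLS
                addUsbDevice(artnode, value, regFile, parentModuleName);
                break;
            case "uninstall": //NON-NLS
                addInstalledProgram(artnode, value, regFile, parentModuleName);
                break;
            case "office": //NON-NLS
                addOfficeRecentObject(artnode, value, mtime, regFile, parentModuleName);
                break;
            case "ProcessorArchitecture": //NON-NLS
                // Architecture is now recorded from the Profiler result instead.
                break;
            case "ProfileList": //NON-NLS
                addOsAccount(artnode, value, regFile, parentModuleName);
                break;
            case "NtuserNetwork": //NON-NLS
                addRemoteDrive(artnode, value, regFile, parentModuleName);
                break;
            default:
                logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType); //NON-NLS
                break;
        }
    }

    /** usb entry -> TSK_DEVICE_ATTACHED: attach time, make/model from the USB id table, device id. */
    private void addUsbDevice(Element artnode, String value, AbstractFile regFile, String parentModuleName) {
        long usbMtime;
        try {
            usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS
        } catch (NumberFormatException ex) {
            // Was uncaught and aborted the whole hive; skip just this entry.
            logger.log(Level.WARNING, "Invalid mtime on usb artifact: {0}", artnode.getAttribute("mtime")); //NON-NLS
            return;
        }

        String dev = artnode.getAttribute("dev"); //NON-NLS
        String make = "";
        String model = dev;
        // Only device strings that mention a vendor id are looked up in the USB id table.
        if (dev.toLowerCase(Locale.ROOT).contains("vid")) { //NON-NLS
            USBInfo info = usbMapper.parseAndLookup(dev);
            if (info.getVendor() != null) {
                make = info.getVendor();
            }
            if (info.getProduct() != null) {
                model = info.getProduct();
            }
        }

        try {
            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, usbMtime));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE.getTypeID(), parentModuleName, make));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), parentModuleName, model));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), parentModuleName, value));
            regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED).addAttributes(bbattributes);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** uninstall entry -> TSK_INSTALLED_PROG: program name and, if it parsed, the key's last-write time. */
    private void addInstalledProgram(Element artnode, String value, AbstractFile regFile, String parentModuleName) {
        Long itemMtime = parseRegRipperTime(artnode.getAttribute("mtime"), //NON-NLS
                "Failed to parse epoch time for installed program artifact."); //NON-NLS
        try {
            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, value));
            // Mirrors the WinVersion handling of installtime: the original
            // passed a possibly-null Long through unconditionally.
            if (itemMtime != null) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), parentModuleName, itemMtime));
            }
            regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG).addAttributes(bbattributes);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** office entry -> TSK_RECENT_OBJECT: name, value, the entry's element name as program, and the key time if known. */
    private void addOfficeRecentObject(Element artnode, String value, Long mtime, AbstractFile regFile, String parentModuleName) {
        String officeName = artnode.getAttribute("name"); //NON-NLS
        try {
            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
            if (mtime != null) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), parentModuleName, mtime));
            }
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), parentModuleName, officeName));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), parentModuleName, value));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), parentModuleName, artnode.getNodeName()));
            regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT).addAttributes(bbattributes);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** ProfileList entry -> TSK_OS_ACCOUNT: user name, SID and profile directory. */
    private void addOsAccount(Element artnode, String value, AbstractFile regFile, String parentModuleName) {
        String homeDir = value;
        String sid = artnode.getAttribute("sid"); //NON-NLS
        String username = artnode.getAttribute("username"); //NON-NLS
        try {
            BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(), parentModuleName, username));
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID.getTypeID(), parentModuleName, sid));
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), parentModuleName, homeDir));
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding account artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** NtuserNetwork entry -> TSK_REMOTE_DRIVE: mapped local path and remote name. */
    private void addRemoteDrive(Element artnode, String value, AbstractFile regFile, String parentModuleName) {
        String localPath = artnode.getAttribute("localPath"); //NON-NLS
        String remoteName = value;
        try {
            BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE);
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH.getTypeID(), parentModuleName, localPath));
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH.getTypeID(), parentModuleName, remoteName));
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding network artifact to blackboard.", ex); //NON-NLS
        }
    }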
678 
    /**
     * Ingest entry point: remembers the data source and job context this run
     * works on, then rips and parses every registry hive found on it.
     *
     * @param dataSource data source whose hives are analysed
     * @param context    ingest job context, used for cancellation checks and
     *                   for terminating RegRipper when the job is cancelled
     */
    @Override
    public void process(Content dataSource, IngestJobContext context) {
        this.context = context;
        this.dataSource = dataSource;
        analyzeRegistryFiles();
    }
685 
686 }