Autopsy  4.16.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EncaseHashSetParser.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011 - 2017 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.hashdatabase;
20 
21 import java.io.InputStream;
22 import java.io.BufferedInputStream;
23 import java.io.FileInputStream;
24 import java.io.IOException;
25 import java.util.Arrays;
26 import java.util.logging.Level;
28 import org.sleuthkit.datamodel.TskCoreException;
29 
33 class EncaseHashSetParser implements HashSetParser {
34 
35  private final byte[] encaseHeader = {(byte) 0x48, (byte) 0x41, (byte) 0x53, (byte) 0x48, (byte) 0x0d, (byte) 0x0a, (byte) 0xff, (byte) 0x00,
36  (byte) 0x02, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x01, (byte) 0x00, (byte) 0x00, (byte) 0x00};
37  private final String filename; // Name of the input file (saved for logging)
38  private InputStream inputStream; // File stream for file being imported
39  private final long expectedHashCount; // Number of hashes we expect to read from the file
40  private int totalHashesRead = 0; // Number of hashes that have been read
41 
50  EncaseHashSetParser(String filename) throws TskCoreException {
51  try {
52  this.filename = filename;
53  inputStream = new BufferedInputStream(new FileInputStream(filename));
54 
55  // Read in and test the 16 byte header
56  byte[] header = new byte[16];
57  readBuffer(header, 16);
58  if (!Arrays.equals(header, encaseHeader)) {
59  close();
60  throw new TskCoreException("File " + filename + " does not have an Encase header");
61  }
62 
63  // Read in the expected number of hashes (little endian)
64  byte[] sizeBuffer = new byte[4];
65  readBuffer(sizeBuffer, 4);
66  expectedHashCount = ((sizeBuffer[3] & 0xff) << 24) | ((sizeBuffer[2] & 0xff) << 16)
67  | ((sizeBuffer[1] & 0xff) << 8) | (sizeBuffer[0] & 0xff);
68 
69  // Read in a bunch of nulls
70  byte[] filler = new byte[0x3f4];
71  readBuffer(filler, 0x3f4);
72 
73  // Read in the hash set name
74  byte[] nameBuffer = new byte[0x50];
75  readBuffer(nameBuffer, 0x50);
76 
77  // Read in the hash set type
78  byte[] typeBuffer = new byte[0x28];
79  readBuffer(typeBuffer, 0x28);
80 
81  // At this point we're past the header and ready to read in the hashes
82  } catch (IOException ex) {
83  close();
84  throw new TskCoreException("Error reading " + filename, ex);
85  } catch (TskCoreException ex) {
86  close();
87  throw ex;
88  }
89  }
90 
97  @Override
98  public long getExpectedHashCount() {
99  return expectedHashCount;
100  }
101 
107  @Override
108  public boolean doneReading() {
109  return (totalHashesRead >= expectedHashCount);
110  }
111 
119  @Override
120  public String getNextHash() throws TskCoreException {
121  if (inputStream == null) {
122  throw new TskCoreException("Attempting to read from null inputStream");
123  }
124 
125  byte[] hashBytes = new byte[16];
126  byte[] divider = new byte[2];
127  try {
128 
129  readBuffer(hashBytes, 16);
130  readBuffer(divider, 2);
131 
132  StringBuilder sb = new StringBuilder();
133  for (byte b : hashBytes) {
134  sb.append(String.format("%02x", b));
135  }
136 
137  totalHashesRead++;
138  return sb.toString();
139  } catch (IOException ex) {
140  throw new TskCoreException("Ran out of data while reading Encase hash set " + filename, ex);
141  }
142  }
143 
147  @Override
148  public final void close() {
149  if (inputStream != null) {
150  try {
151  inputStream.close();
152  } catch (IOException ex) {
153  Logger.getLogger(EncaseHashSetParser.class.getName()).log(Level.SEVERE, "Error closing Encase hash set " + filename, ex);
154  } finally {
155  inputStream = null;
156  }
157  }
158  }
159 
160  private void readBuffer(byte[] buffer, int length) throws TskCoreException, IOException {
161  if (inputStream == null) {
162  throw new TskCoreException("readBuffer called on null inputStream");
163  }
164  if (length != inputStream.read(buffer)) {
165  throw new TskCoreException("Ran out of data unexpectedly while parsing Encase file " + filename);
166  }
167  }
168 }

Copyright © 2012-2020 Basis Technology. Generated on: Tue Sep 22 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.