Autopsy  4.17.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExtractIE.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2020 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.BufferedReader;
26 import org.openide.util.NbBundle;
27 import org.sleuthkit.autopsy.coreutils.ExecUtil;
28 import org.sleuthkit.autopsy.coreutils.NetworkUtils;
29 import java.io.File;
30 import java.io.FileInputStream;
31 import java.io.FileNotFoundException;
32 import java.io.IOException;
33 import java.io.InputStreamReader;
34 import java.text.ParseException;
35 import java.text.SimpleDateFormat;
36 import java.util.ArrayList;
37 import java.util.List;
38 import java.util.logging.Level;
39 import org.sleuthkit.autopsy.coreutils.Logger;
40 import java.util.Collection;
41 import java.util.Scanner;
42 import java.util.stream.Collectors;
43 import org.openide.modules.InstalledFileLocator;
44 import org.openide.util.NbBundle.Messages;
45 import org.sleuthkit.autopsy.casemodule.Case;
46 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
47 import org.sleuthkit.autopsy.casemodule.services.FileManager;
48 import org.sleuthkit.autopsy.datamodel.ContentUtils;
49 import org.sleuthkit.datamodel.BlackboardArtifact;
50 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
51 import org.sleuthkit.datamodel.BlackboardAttribute;
52 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
53 import org.sleuthkit.datamodel.Content;
54 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
55 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator;
56 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
57 import org.sleuthkit.autopsy.ingest.IngestJobContext;
58 import org.sleuthkit.datamodel.AbstractFile;
59 import org.sleuthkit.datamodel.ReadContentInputStream;
60 import org.sleuthkit.datamodel.TskCoreException;
61 
66 class ExtractIE extends Extract {
67 
68  private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
69  private final String moduleTempResultsDir;
70  private String PASCO_LIB_PATH;
71  private final String JAVA_PATH;
72  private static final String RESOURCE_URL_PREFIX = "res://";
73  private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
74  private Content dataSource;
75  private IngestJobContext context;
76 
77  @Messages({
78  "Progress_Message_IE_History=IE History",
79  "Progress_Message_IE_Bookmarks=IE Bookmarks",
80  "Progress_Message_IE_Cookies=IE Cookies",
81  "Progress_Message_IE_Downloads=IE Downloads",
82  "Progress_Message_IE_FormHistory=IE Form History",
83  "Progress_Message_IE_AutoFill=IE Auto Fill",
84  "Progress_Message_IE_Logins=IE Logins",})
85 
86  ExtractIE() throws NoCurrentCaseException {
87  moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractIE.moduleName.text");
88  moduleTempResultsDir = RAImageIngestModule.getRATempPath(Case.getCurrentCaseThrows(), "IE") + File.separator + "results"; //NON-NLS
89  JAVA_PATH = PlatformUtil.getJavaPath();
90  }
91 
92  @Override
93  public void process(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar) {
94  this.dataSource = dataSource;
95  this.context = context;
96  dataFound = false;
97 
98  progressBar.progress(Bundle.Progress_Message_IE_Bookmarks());
99  this.getBookmark();
100 
101  progressBar.progress(Bundle.Progress_Message_IE_Cookies());
102  this.getCookie();
103 
104  progressBar.progress(Bundle.Progress_Message_IE_History());
105  this.getHistory();
106  }
107 
111  private void getBookmark() {
112  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
113  List<AbstractFile> favoritesFiles;
114  try {
115  favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); //NON-NLS
116  } catch (TskCoreException ex) {
117  logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
118  this.addErrorMessage(
119  NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
120  this.getName()));
121  return;
122  }
123 
124  if (favoritesFiles.isEmpty()) {
125  logger.log(Level.INFO, "Didn't find any IE bookmark files."); //NON-NLS
126  return;
127  }
128 
129  dataFound = true;
130  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
131  for (AbstractFile fav : favoritesFiles) {
132  if (fav.getSize() == 0) {
133  continue;
134  }
135 
136  if (context.dataSourceIngestIsCancelled()) {
137  break;
138  }
139 
140  String url = getURLFromIEBookmarkFile(fav);
141 
142  String name = fav.getName();
143  Long datetime = fav.getCrtime();
144  String Tempdate = datetime.toString();
145  datetime = Long.valueOf(Tempdate);
146  String domain = extractDomain(url);
147 
148  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
149  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
150  RecentActivityExtracterModuleFactory.getModuleName(), url));
151  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
152  RecentActivityExtracterModuleFactory.getModuleName(), name));
153  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
154  RecentActivityExtracterModuleFactory.getModuleName(), datetime));
155  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
156  RecentActivityExtracterModuleFactory.getModuleName(),
157  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
158  if (domain != null && domain.isEmpty() == false) {
159  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
160  RecentActivityExtracterModuleFactory.getModuleName(), domain));
161  }
162 
163  BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
164  if (bbart != null) {
165  bbartifacts.add(bbart);
166  }
167  }
168 
169  postArtifacts(bbartifacts);
170  }
171 
172  private String getURLFromIEBookmarkFile(AbstractFile fav) {
173  BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));
174  String line, url = "";
175  try {
176  line = reader.readLine();
177  while (null != line) {
178  // The actual shortcut line we are interested in is of the
179  // form URL=http://path/to/website
180  if (line.startsWith("URL")) { //NON-NLS
181  url = line.substring(line.indexOf("=") + 1);
182  break;
183  }
184  line = reader.readLine();
185  }
186  } catch (IOException ex) {
187  logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
188  this.addErrorMessage(
189  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
190  fav.getName()));
191  } catch (IndexOutOfBoundsException ex) {
192  logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
193  this.addErrorMessage(
194  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
195  fav.getName()));
196  } finally {
197  try {
198  reader.close();
199  } catch (IOException ex) {
200  logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS
201  }
202  }
203 
204  return url;
205  }
206 
210  private void getCookie() {
211  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
212  List<AbstractFile> cookiesFiles;
213  try {
214  cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); //NON-NLS
215  } catch (TskCoreException ex) {
216  logger.log(Level.WARNING, "Error getting cookie files for IE"); //NON-NLS
217  this.addErrorMessage(
218  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errGettingFile", this.getName()));
219  return;
220  }
221 
222  if (cookiesFiles.isEmpty()) {
223  logger.log(Level.INFO, "Didn't find any IE cookies files."); //NON-NLS
224  return;
225  }
226 
227  dataFound = true;
228  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
229  for (AbstractFile cookiesFile : cookiesFiles) {
230  if (context.dataSourceIngestIsCancelled()) {
231  break;
232  }
233  if (cookiesFile.getSize() == 0) {
234  continue;
235  }
236 
237  byte[] t = new byte[(int) cookiesFile.getSize()];
238  try {
239  final int bytesRead = cookiesFile.read(t, 0, cookiesFile.getSize());
240  } catch (TskCoreException ex) {
241  logger.log(Level.WARNING, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
242  this.addErrorMessage(
243  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
244  this.getName(), cookiesFile.getName()));
245  continue;
246  }
247  String cookieString = new String(t);
248  String[] values = cookieString.split("\n");
249  String url = values.length > 2 ? values[2] : "";
250  String value = values.length > 1 ? values[1] : "";
251  String name = values.length > 0 ? values[0] : "";
252  Long datetime = cookiesFile.getCrtime();
253  String tempDate = datetime.toString();
254  datetime = Long.valueOf(tempDate);
255  String domain = extractDomain(url);
256 
257  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
258  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
259  RecentActivityExtracterModuleFactory.getModuleName(), url));
260  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,
261  RecentActivityExtracterModuleFactory.getModuleName(), datetime));
262  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
263  RecentActivityExtracterModuleFactory.getModuleName(), (name != null) ? name : ""));
264  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
265  RecentActivityExtracterModuleFactory.getModuleName(), value));
266  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
267  RecentActivityExtracterModuleFactory.getModuleName(),
268  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
269  if (domain != null && domain.isEmpty() == false) {
270  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
271  RecentActivityExtracterModuleFactory.getModuleName(), domain));
272  }
273  BlackboardArtifact bbart = createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
274  if (bbart != null) {
275  bbartifacts.add(bbart);
276  }
277  }
278 
279  postArtifacts(bbartifacts);
280  }
281 
285  private void getHistory() {
286  logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS
287  boolean foundHistory = false;
288 
289  final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); //NON-NLS
290  if (pascoRoot == null) {
291  this.addErrorMessage(
292  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName()));
293  logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS
294  return;
295  }
296 
297  final String pascoHome = pascoRoot.getAbsolutePath();
298  logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS
299 
300  PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS
301  + pascoHome + File.separator + "*";
302 
303  File resultsDir = new File(moduleTempResultsDir);
304  resultsDir.mkdirs();
305 
306  // get index.dat files
307  FileManager fileManager = currentCase.getServices().getFileManager();
308  List<AbstractFile> indexFiles;
309  try {
310  indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
311  } catch (TskCoreException ex) {
312  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
313  this.getName()));
314  logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS
315  return;
316  }
317 
318  if (indexFiles.isEmpty()) {
319  String msg = NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.noHistFiles");
320  logger.log(Level.INFO, msg);
321  return;
322  }
323 
324  dataFound = true;
325  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
326  String temps;
327  String indexFileName;
328  for (AbstractFile indexFile : indexFiles) {
329  // Since each result represent an index.dat file,
330  // just create these files with the following notation:
331  // index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
332  // where <Number> is the obj_id of the file.
333  // Write each index.dat file to a temp directory.
334  //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
335  indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat"; //NON-NLS
336  //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
337  temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; //NON-NLS
338  File datFile = new File(temps);
339  if (context.dataSourceIngestIsCancelled()) {
340  break;
341  }
342  try {
343  ContentUtils.writeToFile(indexFile, datFile, context::dataSourceIngestIsCancelled);
344  } catch (IOException e) {
345  logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
346  this.addErrorMessage(
347  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
348  datFile.getAbsolutePath()));
349  continue;
350  }
351 
352  String filename = "pasco2Result." + indexFile.getId() + ".txt"; //NON-NLS
353  boolean bPascProcSuccess = executePasco(temps, filename);
354  if (context.dataSourceIngestIsCancelled()) {
355  return;
356  }
357 
358  //At this point pasco2 proccessed the index files.
359  //Now fetch the results, parse them and the delete the files.
360  if (bPascProcSuccess) {
361  // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
362  bbartifacts.addAll(parsePascoOutput(indexFile, filename).stream()
363  .filter(bbart -> bbart.getArtifactTypeID() == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID())
364  .collect(Collectors.toList()));
365  if (context.dataSourceIngestIsCancelled()) {
366  return;
367  }
368  foundHistory = true;
369 
370  //Delete index<n>.dat file since it was succcessfully by Pasco
371  datFile.delete();
372  } else {
373  logger.log(Level.WARNING, "pasco execution failed on: {0}", filename); //NON-NLS
374  this.addErrorMessage(
375  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName()));
376  }
377  }
378 
379  postArtifacts(bbartifacts);
380  }
381 
390  @Messages({
391  "# {0} - sub module name",
392  "ExtractIE_executePasco_errMsg_errorRunningPasco={0}: Error analyzing Internet Explorer web history",
393  })
394  private boolean executePasco(String indexFilePath, String outputFileName) {
395  boolean success = true;
396  try {
397  final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName;
398  final String errFileFullPath = moduleTempResultsDir + File.separator + outputFileName + ".err"; //NON-NLS
399  logger.log(Level.INFO, "Writing pasco results to: {0}", outputFileFullPath); //NON-NLS
400  List<String> commandLine = new ArrayList<>();
401  commandLine.add(JAVA_PATH);
402  commandLine.add("-cp"); //NON-NLS
403  commandLine.add(PASCO_LIB_PATH);
404  commandLine.add("isi.pasco2.Main"); //NON-NLS
405  commandLine.add("-T"); //NON-NLS
406  commandLine.add("history"); //NON-NLS
407  commandLine.add(indexFilePath);
408  ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
409  processBuilder.redirectOutput(new File(outputFileFullPath));
410  processBuilder.redirectError(new File(errFileFullPath));
411  /*
412  * NOTE on Pasco return codes: There is no documentation for Pasco.
413  * Looking at the Pasco source code I see that when something goes
414  * wrong Pasco returns a negative number as a return code. However,
415  * we should still attempt to parse the Pasco output even if that
416  * happens. I have seen many situations where Pasco output file
417  * contains a lot of useful data and only the last entry is
418  * corrupted.
419  */
420  ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context, true));
421  // @@@ Investigate use of history versus cache as type.
422  } catch (IOException ex) {
423  logger.log(Level.SEVERE, "Error executing Pasco to process Internet Explorer web history", ex); //NON-NLS
424  addErrorMessage(Bundle.ExtractIE_executePasco_errMsg_errorRunningPasco(getName()));
425  success = false;
426  }
427  return success;
428  }
429 
439  private Collection<BlackboardArtifact> parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
440 
441  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
442  String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
443 
444  File file = new File(fnAbs);
445  if (file.exists() == false) {
446  this.addErrorMessage(
447  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
448  file.getName()));
449  logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
450  return bbartifacts;
451  }
452 
453  // Make sure the file the is not empty or the Scanner will
454  // throw a "No Line found" Exception
455  if (file.length() == 0) {
456  return bbartifacts;
457  }
458 
459  Scanner fileScanner;
460  try {
461  fileScanner = new Scanner(new FileInputStream(file.toString()));
462  } catch (FileNotFoundException ex) {
463  this.addErrorMessage(
464  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
465  file.getName()));
466  logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
467  return bbartifacts;
468  }
469  while (fileScanner.hasNext()) {
470 
471  if (context.dataSourceIngestIsCancelled()) {
472  return bbartifacts;
473  }
474 
475  String line = fileScanner.nextLine();
476  if (!line.startsWith("URL")) { //NON-NLS
477  continue;
478  }
479 
480  String[] lineBuff = line.split("\\t"); //NON-NLS
481 
482  if (lineBuff.length < 4) {
483  logger.log(Level.INFO, "Found unrecognized IE history format."); //NON-NLS
484  continue;
485  }
486 
487  String actime = lineBuff[3];
488  Long ftime = (long) 0;
489  String user = "";
490  String realurl = null;
491  String domain;
492 
493  /*
494  * We've seen two types of lines: URL http://XYZ.com .... URL
495  * Visited: Joe@http://XYZ.com ....
496  */
497  if (lineBuff[1].contains("@")) {
498  String url[] = lineBuff[1].split("@", 2);
499 
500  /*
501  * Verify the left portion of the URL is valid.
502  */
503  domain = extractDomain(url[0]);
504 
505  if (domain != null && domain.isEmpty() == false) {
506  /*
507  * Use the entire input for the URL.
508  */
509  realurl = lineBuff[1].trim();
510  } else {
511  /*
512  * Use the left portion of the input for the user, and the
513  * right portion for the host.
514  */
515  user = url[0];
516  user = user.replace("Visited:", ""); //NON-NLS
517  user = user.replace(":Host:", ""); //NON-NLS
518  user = user.replaceAll("(:)(.*?)(:)", "");
519  user = user.trim();
520  realurl = url[1];
521  realurl = realurl.replace("Visited:", ""); //NON-NLS
522  realurl = realurl.replaceAll(":(.*?):", "");
523  realurl = realurl.replace(":Host:", ""); //NON-NLS
524  realurl = realurl.trim();
525  domain = extractDomain(realurl);
526  }
527  } else {
528  /*
529  * Use the entire input for the URL.
530  */
531  realurl = lineBuff[1].trim();
532  domain = extractDomain(realurl);
533  }
534 
535  if (!actime.isEmpty()) {
536  try {
537  Long epochtime = dateFormatter.parse(actime).getTime();
538  ftime = epochtime / 1000;
539  } catch (ParseException e) {
540  this.addErrorMessage(
541  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
542  this.getName()));
543  logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS
544  }
545  }
546 
547  try {
548  BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
549  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
550  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
551  RecentActivityExtracterModuleFactory.getModuleName(), realurl));
552  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
553 
554  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
555  RecentActivityExtracterModuleFactory.getModuleName(), ftime));
556  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
557  RecentActivityExtracterModuleFactory.getModuleName(), ""));
558  // @@@ NOte that other browser modules are adding TITLE in hre for the title
559  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
560  RecentActivityExtracterModuleFactory.getModuleName(),
561  NbBundle.getMessage(this.getClass(),
562  "ExtractIE.moduleName.text")));
563  if (domain != null && domain.isEmpty() == false) {
564  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
565  RecentActivityExtracterModuleFactory.getModuleName(), domain));
566  }
567  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
568  RecentActivityExtracterModuleFactory.getModuleName(), user));
569  bbart.addAttributes(bbattributes);
570 
571  bbartifacts.add(bbart);
572  } catch (TskCoreException ex) {
573  logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard. Pasco results will be incomplete", ex); //NON-NLS
574  }
575  }
576  fileScanner.close();
577  return bbartifacts;
578  }
579 
588  private String extractDomain(String url) {
589  if (url == null || url.isEmpty()) {
590  return url;
591  }
592 
593  if (url.toLowerCase().startsWith(RESOURCE_URL_PREFIX)) {
594  /*
595  * Ignore URLs that begin with the matched text.
596  */
597  return null;
598  }
599 
600  return NetworkUtils.extractDomain(url);
601  }
602 }
org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:55
org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
synchronized List< AbstractFile > findFiles(String fileName)
Definition: FileManager.java:185

Copyright © 2012-2021 Basis Technology. Generated on: Tue Jan 19 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.