Autopsy  4.19.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExtractIE.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2021 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.BufferedReader;
26 import org.openide.util.NbBundle;
27 import org.sleuthkit.autopsy.coreutils.ExecUtil;
28 import org.sleuthkit.autopsy.coreutils.NetworkUtils;
29 import java.io.File;
30 import java.io.FileInputStream;
31 import java.io.FileNotFoundException;
32 import java.io.IOException;
33 import java.io.InputStreamReader;
34 import java.nio.file.Paths;
35 import java.text.ParseException;
36 import java.text.SimpleDateFormat;
37 import java.util.ArrayList;
38 import java.util.List;
39 import java.util.logging.Level;
40 import org.sleuthkit.autopsy.coreutils.Logger;
41 import java.util.Collection;
42 import java.util.Scanner;
43 import java.util.stream.Collectors;
44 import org.openide.modules.InstalledFileLocator;
45 import org.openide.util.NbBundle.Messages;
46 import org.sleuthkit.autopsy.casemodule.Case;
47 import org.sleuthkit.autopsy.casemodule.services.FileManager;
48 import org.sleuthkit.autopsy.datamodel.ContentUtils;
49 import org.sleuthkit.datamodel.BlackboardArtifact;
50 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
51 import org.sleuthkit.datamodel.BlackboardAttribute;
52 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
53 import org.sleuthkit.datamodel.Content;
54 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
55 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator;
56 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
57 import org.sleuthkit.autopsy.ingest.IngestJobContext;
58 import org.sleuthkit.datamodel.AbstractFile;
59 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY;
60 import org.sleuthkit.datamodel.ReadContentInputStream;
61 import org.sleuthkit.datamodel.TskCoreException;
62 
67 class ExtractIE extends Extract {
68 
69  private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
70  private String PASCO_LIB_PATH;
71  private final String JAVA_PATH;
72  private static final String RESOURCE_URL_PREFIX = "res://";
73  private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
74  private Content dataSource;
75  private IngestJobContext context;
76 
77  @Messages({
78  "Progress_Message_IE_History=IE History",
79  "Progress_Message_IE_Bookmarks=IE Bookmarks",
80  "Progress_Message_IE_Cookies=IE Cookies",
81  "Progress_Message_IE_Downloads=IE Downloads",
82  "Progress_Message_IE_FormHistory=IE Form History",
83  "Progress_Message_IE_AutoFill=IE Auto Fill",
84  "Progress_Message_IE_Logins=IE Logins",})
85 
86  ExtractIE() {
87  super(NbBundle.getMessage(ExtractIE.class, "ExtractIE.moduleName.text"));
88  JAVA_PATH = PlatformUtil.getJavaPath();
89  }
90 
91  @Override
92  public void process(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar) {
93  String moduleTempDir = RAImageIngestModule.getRATempPath(getCurrentCase(), "IE", context.getJobId());
94  String moduleTempResultsDir = Paths.get(moduleTempDir, "results").toString();
95 
96  this.dataSource = dataSource;
97  this.context = context;
98  dataFound = false;
99 
100  progressBar.progress(Bundle.Progress_Message_IE_Bookmarks());
101  this.getBookmark();
102 
103  if (context.dataSourceIngestIsCancelled()) {
104  return;
105  }
106 
107  progressBar.progress(Bundle.Progress_Message_IE_Cookies());
108  this.getCookie();
109 
110  if (context.dataSourceIngestIsCancelled()) {
111  return;
112  }
113 
114  progressBar.progress(Bundle.Progress_Message_IE_History());
115  this.getHistory(moduleTempDir, moduleTempResultsDir);
116  }
117 
121  private void getBookmark() {
122  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
123  List<AbstractFile> favoritesFiles;
124  try {
125  favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); //NON-NLS
126  } catch (TskCoreException ex) {
127  logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
128  this.addErrorMessage(
129  NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
130  this.getName()));
131  return;
132  }
133 
134  if (favoritesFiles.isEmpty()) {
135  logger.log(Level.INFO, "Didn't find any IE bookmark files."); //NON-NLS
136  return;
137  }
138 
139  dataFound = true;
140  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
141  for (AbstractFile fav : favoritesFiles) {
142  if (fav.getSize() == 0) {
143  continue;
144  }
145 
146  if (context.dataSourceIngestIsCancelled()) {
147  break;
148  }
149 
150  String url = getURLFromIEBookmarkFile(fav);
151 
152  String name = fav.getName();
153  Long datetime = fav.getCrtime();
154  String Tempdate = datetime.toString();
155  datetime = Long.valueOf(Tempdate);
156  String domain = extractDomain(url);
157 
158  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
159  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
160  RecentActivityExtracterModuleFactory.getModuleName(), url));
161  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
162  RecentActivityExtracterModuleFactory.getModuleName(), name));
163  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
164  RecentActivityExtracterModuleFactory.getModuleName(), datetime));
165  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
166  RecentActivityExtracterModuleFactory.getModuleName(),
167  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
168  if (domain != null && domain.isEmpty() == false) {
169  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
170  RecentActivityExtracterModuleFactory.getModuleName(), domain));
171  }
172 
173  try {
174  bbartifacts.add(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes));
175  } catch (TskCoreException ex) {
176  logger.log(Level.SEVERE, String.format("Failed to create %s for file %d",ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName(), fav.getId() ), ex);
177  }
178  }
179 
180  if(!context.dataSourceIngestIsCancelled()) {
181  postArtifacts(bbartifacts);
182  }
183  }
184 
185  private String getURLFromIEBookmarkFile(AbstractFile fav) {
186  BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));
187  String line, url = "";
188  try {
189  line = reader.readLine();
190  while (null != line) {
191  // The actual shortcut line we are interested in is of the
192  // form URL=http://path/to/website
193  if (line.startsWith("URL")) { //NON-NLS
194  url = line.substring(line.indexOf("=") + 1);
195  break;
196  }
197  line = reader.readLine();
198  }
199  } catch (IOException ex) {
200  logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
201  this.addErrorMessage(
202  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
203  fav.getName()));
204  } catch (IndexOutOfBoundsException ex) {
205  logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
206  this.addErrorMessage(
207  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
208  fav.getName()));
209  } finally {
210  try {
211  reader.close();
212  } catch (IOException ex) {
213  logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS
214  }
215  }
216 
217  return url;
218  }
219 
223  private void getCookie() {
224  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
225  List<AbstractFile> cookiesFiles;
226  try {
227  cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); //NON-NLS
228  } catch (TskCoreException ex) {
229  logger.log(Level.WARNING, "Error getting cookie files for IE"); //NON-NLS
230  this.addErrorMessage(
231  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errGettingFile", this.getName()));
232  return;
233  }
234 
235  if (cookiesFiles.isEmpty()) {
236  logger.log(Level.INFO, "Didn't find any IE cookies files."); //NON-NLS
237  return;
238  }
239 
240  dataFound = true;
241  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
242  for (AbstractFile cookiesFile : cookiesFiles) {
243  if (context.dataSourceIngestIsCancelled()) {
244  break;
245  }
246  if (cookiesFile.getSize() == 0) {
247  continue;
248  }
249 
250  byte[] t = new byte[(int) cookiesFile.getSize()];
251  try {
252  final int bytesRead = cookiesFile.read(t, 0, cookiesFile.getSize());
253  } catch (TskCoreException ex) {
254  logger.log(Level.WARNING, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
255  this.addErrorMessage(
256  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
257  this.getName(), cookiesFile.getName()));
258  continue;
259  }
260  String cookieString = new String(t);
261  String[] values = cookieString.split("\n");
262  String url = values.length > 2 ? values[2] : "";
263  String value = values.length > 1 ? values[1] : "";
264  String name = values.length > 0 ? values[0] : "";
265  Long datetime = cookiesFile.getCrtime();
266  String tempDate = datetime.toString();
267  datetime = Long.valueOf(tempDate);
268  String domain = extractDomain(url);
269 
270  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
271  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
272  RecentActivityExtracterModuleFactory.getModuleName(), url));
273  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
274  RecentActivityExtracterModuleFactory.getModuleName(), datetime));
275  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
276  RecentActivityExtracterModuleFactory.getModuleName(), (name != null) ? name : ""));
277  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
278  RecentActivityExtracterModuleFactory.getModuleName(), value));
279  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
280  RecentActivityExtracterModuleFactory.getModuleName(),
281  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
282  if (domain != null && domain.isEmpty() == false) {
283  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
284  RecentActivityExtracterModuleFactory.getModuleName(), domain));
285  }
286 
287  try {
288  bbartifacts.add(createArtifactWithAttributes(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes));
289  } catch (TskCoreException ex) {
290  logger.log(Level.SEVERE, String.format("Failed to create %s for file %d",ARTIFACT_TYPE.TSK_WEB_COOKIE.getDisplayName(), cookiesFile.getId() ), ex);
291  }
292  }
293 
294  if(!context.dataSourceIngestIsCancelled()) {
295  postArtifacts(bbartifacts);
296  }
297  }
298 
304  private void getHistory(String moduleTempDir, String moduleTempResultsDir) {
305  logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS
306  boolean foundHistory = false;
307 
308  final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); //NON-NLS
309  if (pascoRoot == null) {
310  this.addErrorMessage(
311  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName()));
312  logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS
313  return;
314  }
315 
316  final String pascoHome = pascoRoot.getAbsolutePath();
317  logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS
318 
319  PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS
320  + pascoHome + File.separator + "*";
321 
322  File resultsDir = new File(moduleTempResultsDir);
323  resultsDir.mkdirs();
324 
325  // get index.dat files
326  FileManager fileManager = currentCase.getServices().getFileManager();
327  List<AbstractFile> indexFiles;
328  try {
329  indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
330  } catch (TskCoreException ex) {
331  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
332  this.getName()));
333  logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS
334  return;
335  }
336 
337  if (indexFiles.isEmpty()) {
338  String msg = NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.noHistFiles");
339  logger.log(Level.INFO, msg);
340  return;
341  }
342 
343  dataFound = true;
344  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
345  String temps;
346  String indexFileName;
347  for (AbstractFile indexFile : indexFiles) {
348  // Since each result represent an index.dat file,
349  // just create these files with the following notation:
350  // index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
351  // where <Number> is the obj_id of the file.
352  // Write each index.dat file to a temp directory.
353  //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
354  indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat"; //NON-NLS
355  //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
356  temps = moduleTempDir + File.separator + indexFileName; //NON-NLS
357  File datFile = new File(temps);
358  if (context.dataSourceIngestIsCancelled()) {
359  break;
360  }
361  try {
362  ContentUtils.writeToFile(indexFile, datFile, context::dataSourceIngestIsCancelled);
363  } catch (IOException e) {
364  logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
365  this.addErrorMessage(
366  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
367  datFile.getAbsolutePath()));
368  continue;
369  }
370 
371  String filename = "pasco2Result." + indexFile.getId() + ".txt"; //NON-NLS
372  boolean bPascProcSuccess = executePasco(temps, filename, moduleTempResultsDir);
373  if (context.dataSourceIngestIsCancelled()) {
374  return;
375  }
376 
377  //At this point pasco2 proccessed the index files.
378  //Now fetch the results, parse them and the delete the files.
379  if (bPascProcSuccess) {
380  // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
381  bbartifacts.addAll(parsePascoOutput(indexFile, filename, moduleTempResultsDir).stream()
382  .filter(bbart -> bbart.getArtifactTypeID() == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID())
383  .collect(Collectors.toList()));
384  if (context.dataSourceIngestIsCancelled()) {
385  return;
386  }
387  foundHistory = true;
388 
389  //Delete index<n>.dat file since it was succcessfully by Pasco
390  datFile.delete();
391  } else {
392  logger.log(Level.WARNING, "pasco execution failed on: {0}", filename); //NON-NLS
393  this.addErrorMessage(
394  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName()));
395  }
396  }
397 
398  if(!context.dataSourceIngestIsCancelled()) {
399  postArtifacts(bbartifacts);
400  }
401  }
402 
412  @Messages({
413  "# {0} - sub module name",
414  "ExtractIE_executePasco_errMsg_errorRunningPasco={0}: Error analyzing Internet Explorer web history",
415  })
416  private boolean executePasco(String indexFilePath, String outputFileName, String moduleTempResultsDir) {
417  boolean success = true;
418  try {
419  final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName;
420  final String errFileFullPath = moduleTempResultsDir + File.separator + outputFileName + ".err"; //NON-NLS
421  logger.log(Level.INFO, "Writing pasco results to: {0}", outputFileFullPath); //NON-NLS
422  List<String> commandLine = new ArrayList<>();
423  commandLine.add(JAVA_PATH);
424  commandLine.add("-cp"); //NON-NLS
425  commandLine.add(PASCO_LIB_PATH);
426  commandLine.add("isi.pasco2.Main"); //NON-NLS
427  commandLine.add("-T"); //NON-NLS
428  commandLine.add("history"); //NON-NLS
429  commandLine.add(indexFilePath);
430  ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
431  processBuilder.redirectOutput(new File(outputFileFullPath));
432  processBuilder.redirectError(new File(errFileFullPath));
433  /*
434  * NOTE on Pasco return codes: There is no documentation for Pasco.
435  * Looking at the Pasco source code I see that when something goes
436  * wrong Pasco returns a negative number as a return code. However,
437  * we should still attempt to parse the Pasco output even if that
438  * happens. I have seen many situations where Pasco output file
439  * contains a lot of useful data and only the last entry is
440  * corrupted.
441  */
442  ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context, true));
443  // @@@ Investigate use of history versus cache as type.
444  } catch (IOException ex) {
445  logger.log(Level.SEVERE, "Error executing Pasco to process Internet Explorer web history", ex); //NON-NLS
446  addErrorMessage(Bundle.ExtractIE_executePasco_errMsg_errorRunningPasco(getName()));
447  success = false;
448  }
449  return success;
450  }
451 
462  private Collection<BlackboardArtifact> parsePascoOutput(AbstractFile origFile, String pascoOutputFileName, String moduleTempResultsDir) {
463 
464  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
465  String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
466 
467  File file = new File(fnAbs);
468  if (file.exists() == false) {
469  this.addErrorMessage(
470  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
471  file.getName()));
472  logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
473  return bbartifacts;
474  }
475 
476  // Make sure the file the is not empty or the Scanner will
477  // throw a "No Line found" Exception
478  if (file.length() == 0) {
479  return bbartifacts;
480  }
481 
482  Scanner fileScanner;
483  try {
484  fileScanner = new Scanner(new FileInputStream(file.toString()));
485  } catch (FileNotFoundException ex) {
486  this.addErrorMessage(
487  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
488  file.getName()));
489  logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
490  return bbartifacts;
491  }
492  while (fileScanner.hasNext()) {
493 
494  if (context.dataSourceIngestIsCancelled()) {
495  return bbartifacts;
496  }
497 
498  String line = fileScanner.nextLine();
499  if (!line.startsWith("URL")) { //NON-NLS
500  continue;
501  }
502 
503  String[] lineBuff = line.split("\\t"); //NON-NLS
504 
505  if (lineBuff.length < 4) {
506  logger.log(Level.INFO, "Found unrecognized IE history format."); //NON-NLS
507  continue;
508  }
509 
510  String actime = lineBuff[3];
511  Long ftime = (long) 0;
512  String user = "";
513  String realurl = null;
514  String domain;
515 
516  /*
517  * We've seen two types of lines: URL http://XYZ.com .... URL
518  * Visited: Joe@http://XYZ.com ....
519  */
520  if (lineBuff[1].contains("@")) {
521  String url[] = lineBuff[1].split("@", 2);
522 
523  /*
524  * Verify the left portion of the URL is valid.
525  */
526  domain = extractDomain(url[0]);
527 
528  if (domain != null && domain.isEmpty() == false) {
529  /*
530  * Use the entire input for the URL.
531  */
532  realurl = lineBuff[1].trim();
533  } else {
534  /*
535  * Use the left portion of the input for the user, and the
536  * right portion for the host.
537  */
538  user = url[0];
539  user = user.replace("Visited:", ""); //NON-NLS
540  user = user.replace(":Host:", ""); //NON-NLS
541  user = user.replaceAll("(:)(.*?)(:)", "");
542  user = user.trim();
543  realurl = url[1];
544  realurl = realurl.replace("Visited:", ""); //NON-NLS
545  realurl = realurl.replaceAll(":(.*?):", "");
546  realurl = realurl.replace(":Host:", ""); //NON-NLS
547  realurl = realurl.trim();
548  domain = extractDomain(realurl);
549  }
550  } else {
551  /*
552  * Use the entire input for the URL.
553  */
554  realurl = lineBuff[1].trim();
555  domain = extractDomain(realurl);
556  }
557 
558  if (!actime.isEmpty()) {
559  try {
560  Long epochtime = dateFormatter.parse(actime).getTime();
561  ftime = epochtime / 1000;
562  } catch (ParseException e) {
563  this.addErrorMessage(
564  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
565  this.getName()));
566  logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS
567  }
568  }
569 
570  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
571  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
572  RecentActivityExtracterModuleFactory.getModuleName(), realurl));
573  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
574 
575  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
576  RecentActivityExtracterModuleFactory.getModuleName(), ftime));
577  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
578  RecentActivityExtracterModuleFactory.getModuleName(), ""));
579  // @@@ NOte that other browser modules are adding TITLE in here for the title
580  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
581  RecentActivityExtracterModuleFactory.getModuleName(),
582  NbBundle.getMessage(this.getClass(),
583  "ExtractIE.moduleName.text")));
584  if (domain != null && domain.isEmpty() == false) {
585  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
586  RecentActivityExtracterModuleFactory.getModuleName(), domain));
587  }
588  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
589  RecentActivityExtracterModuleFactory.getModuleName(), user));
590 
591  try {
592  bbartifacts.add(createArtifactWithAttributes(TSK_WEB_HISTORY, origFile, bbattributes));
593  } catch (TskCoreException ex) {
594  logger.log(Level.SEVERE, String.format("Failed to create %s for file %d",ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName(), origFile.getId() ), ex);
595  }
596  }
597  fileScanner.close();
598  return bbartifacts;
599  }
600 
609  private String extractDomain(String url) {
610  if (url == null || url.isEmpty()) {
611  return url;
612  }
613 
614  if (url.toLowerCase().startsWith(RESOURCE_URL_PREFIX)) {
615  /*
616  * Ignore URLs that begin with the matched text.
617  */
618  return null;
619  }
620 
621  return NetworkUtils.extractDomain(url);
622  }
623 }
org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
List< AbstractFile > findFiles(String fileName)
Definition: FileManager.java:173
org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:52

Copyright © 2012-2021 Basis Technology. Generated on: Thu Sep 30 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.