1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019 Basis Technology Corp.
5  *
6  * Copyright 2012 42six Solutions.
7  * Contact: aebadirad <at> 42six <dot> com
8  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License");
11  * you may not use this file except in compliance with the License.
12  * You may obtain a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS,
18  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  * See the License for the specific language governing permissions and
20  * limitations under the License.
21  */
22 package org.sleuthkit.autopsy.recentactivity;
23 
24 import java.io.BufferedReader;
25 import java.io.File;
26 import java.io.FileInputStream;
27 import java.io.FileNotFoundException;
28 import java.io.IOException;
29 import java.io.InputStreamReader;
30 import java.nio.charset.StandardCharsets;
31 import java.text.ParseException;
32 import java.text.SimpleDateFormat;
33 import java.util.ArrayList;
34 import java.util.List;
35 import java.util.Locale;
36 import java.util.logging.Level;
38 
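class ShellBagParser {
    private static final Logger logger = Logger.getLogger(ShellBagParser.class.getName());

    /** Date/time format written in the shellbags and shellbags_xp sections. */
    private static final SimpleDateFormat DATE_TIME_FORMATTER = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss", Locale.getDefault());
    // Last Write date\time format from itempos plugin. The five-letter "yyyyy"
    // is harmless for parsing: SimpleDateFormat reads any year pattern longer
    // than two letters as a full year, so ordinary four-digit years are accepted.
    private static final SimpleDateFormat DATE_TIME_FORMATTER2 = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyyy", Locale.getDefault());

    /** Registry key recorded for every entry of a shellbags_xp section. */
    private static final String XP_BAGMRU_KEY = "Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU";
    /** Registry key prefix for entries of a shellbags section; the bag sub-path from the line is appended. */
    private static final String BAGMRU_KEY = "Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU";
    /** Regex for the column separator used by all three section formats. */
    private static final String COLUMN_SEPARATOR = "\\|";

    private ShellBagParser() {
    }

    /**
     * Parses a plugin output file and collects the shellbag entries from every
     * shellbags_xp, shellbags and itempos section it contains.
     *
     * A section starts at a line beginning with "shellbags_xp v", "shellbags v"
     * or "itempos" and runs until a separator line made only of dashes (or end
     * of file). Lines outside a recognised section are ignored.
     *
     * @param regFilePath path of the output file to read; it is decoded as UTF-8
     * @return the entries found, in file order; empty when none were recognised
     * @throws FileNotFoundException if the file cannot be opened
     * @throws IOException if reading the file fails
     */
    static List<ShellBag> parseShellbagOutput(String regFilePath) throws FileNotFoundException, IOException {
        List<ShellBag> shellbags = new ArrayList<>();
        File regfile = new File(regFilePath);
        ShellBagParser sbparser = new ShellBagParser();

        try (BufferedReader reader = new BufferedReader(new InputStreamReader(new FileInputStream(regfile), StandardCharsets.UTF_8))) {
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                String header = line.trim();
                // Each section parser consumes lines up to and including the
                // separator, so the next readLine() here starts the next section.
                if (header.matches("^shellbags_xp v.*")) {
                    shellbags.addAll(sbparser.parseShellBagsXP(reader));
                } else if (header.matches("^shellbags v.*")) {
                    shellbags.addAll(sbparser.parseShellBags(reader));
                } else if (header.matches("^itempos.*")) {
                    shellbags.addAll(sbparser.parseItempos(reader));
                }
            }
        }

        return shellbags;
    }

    /**
     * Parses the body of a shellbags_xp section.
     *
     * Each data line has at least six '|'-separated columns: last write,
     * modified, accessed and created timestamps, then an unused column, then
     * the resource name. Reading stops at the first separator line or at end
     * of file; the separator itself is consumed.
     *
     * @param reader positioned just after the section header line
     * @return the entries of this section, possibly empty
     * @throws IOException if reading fails
     */
    List<ShellBag> parseShellBagsXP(BufferedReader reader) throws IOException {
        List<ShellBag> shellbags = new ArrayList<>();

        for (String line = reader.readLine(); line != null && !isSectionSeparator(line); line = reader.readLine()) {
            if (!isShellbagXPDataLine(line)) {
                continue;
            }
            String[] tokens = line.split(COLUMN_SEPARATOR);
            // split() drops trailing empty columns, so a matching line may still
            // be short; the length check guards every index used below.
            if (tokens.length >= 6) {
                shellbags.add(new ShellBag(tokens[5].trim(), XP_BAGMRU_KEY,
                        tokens[0].trim(), tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
            }
        }

        return shellbags;
    }

    /**
     * Parses the body of a shellbags section.
     *
     * Each data line has at least seven '|'-separated columns: last write,
     * modified, accessed and created timestamps, two unused columns, then the
     * resource name followed by a bracketed bag sub-path such as
     * "[Desktop\1\2]". The bracketed part is stripped from the resource and,
     * with the "[Desktop" prefix and the trailing character removed, appended
     * to the BagMRU key. Reading stops at the first separator line or at end of
     * file; the separator itself is consumed.
     *
     * @param reader positioned just after the section header line
     * @return the entries of this section, possibly empty
     * @throws IOException if reading fails
     */
    List<ShellBag> parseShellBags(BufferedReader reader) throws IOException {
        List<ShellBag> shellbags = new ArrayList<>();

        for (String line = reader.readLine(); line != null && !isSectionSeparator(line); line = reader.readLine()) {
            if (!isShellbagDataLine(line)) {
                continue;
            }
            String[] tokens = line.split(COLUMN_SEPARATOR);
            // split() drops trailing empty columns, so a line with a blank
            // resource column matches the data-line pattern yet has only six
            // tokens; the length check must precede the tokens[6] access or a
            // single malformed line aborts the whole file.
            if (tokens.length < 7) {
                continue;
            }
            String path = tokens[6].replaceAll("\\[.*?\\]", "").trim();
            int bracketIndex = line.lastIndexOf('[');
            String bagSubPath = "";
            if (bracketIndex != -1) {
                // Drop the final character (the closing bracket) and the
                // "[Desktop" prefix, leaving the sub-key path to append.
                bagSubPath = line.substring(bracketIndex, line.length() - 1).replace("[Desktop", "");
            }
            shellbags.add(new ShellBag(path, BAGMRU_KEY + bagSubPath,
                    tokens[0].trim(), tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
        }

        return shellbags;
    }

    /**
     * Parses the body of an itempos section.
     *
     * The section interleaves three kinds of lines: a line containing
     * "Software\" names the registry key of the bag that follows (and resets
     * the last-write time); a line containing "LastWrite:" gives that bag's
     * last-write time; and data lines have at least five '|'-separated columns
     * whose second to fourth are the modified, accessed and created timestamps
     * and whose fifth is the resource name. Reading stops at the first
     * separator line or at end of file; the separator itself is consumed.
     *
     * @param reader positioned just after the section header line
     * @return the entries of this section, possibly empty
     * @throws IOException if reading fails
     */
    List<ShellBag> parseItempos(BufferedReader reader) throws IOException {
        List<ShellBag> shellbags = new ArrayList<>();
        String bagpath = "";
        String lastWrite = "";

        for (String line = reader.readLine(); line != null && !isSectionSeparator(line); line = reader.readLine()) {
            if (isItemposDataLine(line)) {
                String[] tokens = line.split(COLUMN_SEPARATOR);
                // split() drops trailing empty columns; guard every index used.
                if (tokens.length >= 5) {
                    shellbags.add(new ShellBag(tokens[4].trim(), bagpath, lastWrite,
                            tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
                }
            } else if (line.contains("Software\\")) {
                bagpath = line.trim();
                lastWrite = "";
            } else if (line.contains("LastWrite:")) {
                lastWrite = line.replace("LastWrite:", "").trim();
            }
        }

        return shellbags;
    }

    /**
     * Returns whether the line ends a section: after trimming it consists of
     * one or more dashes and nothing else. Null and empty lines are not
     * separators.
     *
     * @param line the line to test, may be null
     * @return true for a dash-only line
     */
    boolean isSectionSeparator(String line) {
        if (line == null || line.isEmpty()) {
            return false;
        }

        return line.trim().matches("^-+");
    }

    /**
     * Returns whether the line is an itempos data line: optional leading
     * digits and whitespace, then at least four '|' separators.
     *
     * @param line the line to test, must not be null
     * @return true when the line has the itempos column layout
     */
    boolean isItemposDataLine(String line) {
        return line.matches("^\\d*?\\s*?\\|.*?\\|.*?\\|.*?\\|.*?");
    }

    /**
     * Returns whether the line is a shellbags_xp data line: either a leading
     * digit followed by anything and a space, or a leading space, then at
     * least five '|' separators.
     *
     * @param line the line to test, must not be null
     * @return true when the line has the shellbags_xp column layout
     */
    boolean isShellbagXPDataLine(String line) {
        return line.matches("^(\\d+?.*?\\s*? | \\s*?)\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?");
    }

    /**
     * Returns whether the line is a shellbags data line: the same leading
     * group as {@link #isShellbagXPDataLine(String)}, then at least six '|'
     * separators.
     *
     * @param line the line to test, must not be null
     * @return true when the line has the shellbags column layout
     */
    boolean isShellbagDataLine(String line) {
        return line.matches("^(\\d+?.*?\\s*? | \\s*?)\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?");
    }

    /**
     * One shellbag entry: a resource name, the registry key it was found
     * under, and four timestamps kept as the raw strings read from the
     * output file and converted to epoch seconds on demand.
     *
     * Instances are immutable. Missing strings are tolerated: text getters
     * return "" and time getters return 0.
     */
    static class ShellBag {

        private final String resource;
        private final String key;
        private final String lastWrite;
        private final String modified;
        private final String accessed;
        private final String created;

        /**
         * Creates an entry from the raw strings of one data line.
         *
         * @param resource resource name, may be null
         * @param key registry key the entry belongs to, may be null
         * @param lastWrite last-write time as written in the file, may be null or empty
         * @param modified modified time as written in the file, may be null or empty
         * @param accessed accessed time as written in the file, may be null or empty
         * @param created created time as written in the file, may be null or empty
         */
        ShellBag(String resource, String key, String lastWrite, String modified, String accessed, String created) {
            this.resource = resource;
            this.key = key;
            this.lastWrite = lastWrite;
            this.accessed = accessed;
            this.modified = modified;
            this.created = created;
        }

        /**
         * @return the resource name, or "" when none was recorded
         */
        String getResource() {
            return resource == null ? "" : resource;
        }

        /**
         * @return the registry key, or "" when none was recorded
         */
        String getKey() {
            return key == null ? "" : key;
        }

        /**
         * @return the last-write time in seconds since the epoch, or 0 when
         * absent or unparseable
         */
        long getLastWrite() {
            return parseDateTime(lastWrite);
        }

        /**
         * @return the modified time in seconds since the epoch, or 0 when
         * absent or unparseable
         */
        long getModified() {
            return parseDateTime(modified);
        }

        /**
         * @return the accessed time in seconds since the epoch, or 0 when
         * absent or unparseable
         */
        long getAccessed() {
            return parseDateTime(accessed);
        }

        /**
         * @return the created time in seconds since the epoch, or 0 when
         * absent or unparseable
         */
        long getCreated() {
            return parseDateTime(created);
        }

        /**
         * Converts a timestamp string to seconds since the epoch, trying the
         * shellbags format first and the itempos format second. Both formats
         * use the default locale and default time zone.
         *
         * @param dateTimeString the raw timestamp, may be null or empty
         * @return epoch seconds, or 0 when the string is null, empty, or
         * matches neither format (the last case is logged at WARNING)
         */
        long parseDateTime(String dateTimeString) {
            if (dateTimeString == null || dateTimeString.isEmpty()) {
                return 0;
            }

            try {
                return toEpochSeconds(DATE_TIME_FORMATTER, dateTimeString);
            } catch (ParseException ignored) {
                // Not in the shellbags format; fall through to the itempos format.
            }

            try {
                return toEpochSeconds(DATE_TIME_FORMATTER2, dateTimeString);
            } catch (ParseException ex) {
                logger.log(Level.WARNING, String.format("ShellBag parse failure. %s is not formated as expected.", dateTimeString), ex);
            }
            return 0;
        }

        /**
         * Parses {@code value} with a shared formatter under a lock.
         * SimpleDateFormat keeps parse state in the instance and is not
         * thread-safe, and the formatters here are static, so access to each
         * one is serialised.
         *
         * @param format the shared formatter to use
         * @param value the string to parse
         * @return seconds since the epoch
         * @throws ParseException if the string does not match the format
         */
        private static long toEpochSeconds(SimpleDateFormat format, String value) throws ParseException {
            synchronized (format) {
                return format.parse(value).getTime() / 1000;
            }
        }
    }

}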