Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2016 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.fileextmismatch;
21 import java.util.Collections;
22 import java.util.HashMap;
23 import java.util.Set;
24 import java.util.logging.Level;
25 import org.openide.util.NbBundle;
26 import org.openide.util.NbBundle.Messages;
50 @NbBundle.Messages({
51  "CannotRunFileTypeDetection=Unable to run file type detection.",
52  "FileExtMismatchIngestModule.readError.message=Could not read settings."
53 })
56  private static final Logger logger = Logger.getLogger(FileExtMismatchIngestModule.class.getName());
57  private final IngestServices services = IngestServices.getInstance();
58  private final FileExtMismatchDetectorModuleSettings settings;
59  private HashMap<String, Set<String>> mimeTypeToExtsMap = new HashMap<>();
60  private long jobId;
61  private static final HashMap<Long, IngestJobTotals> totalsForIngestJobs = new HashMap<>();
62  private static final IngestModuleReferenceCounter refCounter = new IngestModuleReferenceCounter();
63  private static Blackboard blackboard;
66  private static class IngestJobTotals {
68  private long processTime = 0;
69  private long numFiles = 0;
70  }
78  private static synchronized void addToTotals(long ingestJobId, long processTimeInc) {
79  IngestJobTotals ingestJobTotals = totalsForIngestJobs.get(ingestJobId);
80  if (ingestJobTotals == null) {
81  ingestJobTotals = new IngestJobTotals();
82  totalsForIngestJobs.put(ingestJobId, ingestJobTotals);
83  }
85  ingestJobTotals.processTime += processTimeInc;
86  ingestJobTotals.numFiles++;
87  totalsForIngestJobs.put(ingestJobId, ingestJobTotals);
88  }
90  FileExtMismatchIngestModule(FileExtMismatchDetectorModuleSettings settings) {
91  this.settings = settings;
92  }
94  @Override
95  public void startUp(IngestJobContext context) throws IngestModuleException {
96  jobId = context.getJobId();
97  refCounter.incrementAndGet(jobId);
99  try {
100  mimeTypeToExtsMap = FileExtMismatchSettings.readSettings().getMimeTypeToExtsMap();
101  this.detector = new FileTypeDetector();
102  } catch (FileExtMismatchSettings.FileExtMismatchSettingsException ex) {
103  throw new IngestModuleException(Bundle.FileExtMismatchIngestModule_readError_message(), ex);
105  throw new IngestModuleException(Bundle.CannotRunFileTypeDetection(), ex);
106  }
107  }
109  @Override
110  @Messages({"FileExtMismatchIngestModule.indexError.message=Failed to index file extension mismatch artifact for keyword search."})
111  public ProcessResult process(AbstractFile abstractFile) {
112  blackboard = Case.getCurrentCase().getServices().getBlackboard();
113  if (this.settings.skipKnownFiles() && (abstractFile.getKnown() == FileKnown.KNOWN)) {
114  return ProcessResult.OK;
115  }
117  // skip non-files
118  if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
119  || (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
120  || (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.SLACK)
121  || (abstractFile.isFile() == false)) {
122  return ProcessResult.OK;
123  }
125  // deleted files often have content that was not theirs and therefor causes mismatch
128  return ProcessResult.OK;
129  }
131  try {
132  long startTime = System.currentTimeMillis();
134  boolean mismatchDetected = compareSigTypeToExt(abstractFile);
136  addToTotals(jobId, System.currentTimeMillis() - startTime);
138  if (mismatchDetected) {
139  // add artifact
142  try {
143  // index the artifact for keyword search
144  blackboard.indexArtifact(bart);
145  } catch (Blackboard.BlackboardException ex) {
146  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + bart.getArtifactID(), ex); //NON-NLS
148  Bundle.FileExtMismatchIngestModule_indexError_message(), bart.getDisplayName());
149  }
151  services.fireModuleDataEvent(new ModuleDataEvent(FileExtMismatchDetectorModuleFactory.getModuleName(), ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED, Collections.singletonList(bart)));
152  }
153  return ProcessResult.OK;
154  } catch (TskException ex) {
155  logger.log(Level.WARNING, "Error matching file signature", ex); //NON-NLS
156  return ProcessResult.ERROR;
157  }
158  }
167  private boolean compareSigTypeToExt(AbstractFile abstractFile) throws TskCoreException {
168  String currActualExt = abstractFile.getNameExtension();
170  // If we are skipping names with no extension
171  if (settings.skipFilesWithNoExtension() && currActualExt.isEmpty()) {
172  return false;
173  }
174  String currActualSigType = detector.getFileType(abstractFile);
175  if (currActualSigType == null) {
176  return false;
177  }
178  if (settings.getCheckType() != CHECK_TYPE.ALL) {
179  if (settings.getCheckType() == CHECK_TYPE.NO_TEXT_FILES) {
180  if (!currActualExt.isEmpty() && currActualSigType.equals("text/plain")) { //NON-NLS
181  return false;
182  }
183  }
184  if (settings.getCheckType() == CHECK_TYPE.ONLY_MEDIA_AND_EXE) {
185  if (!FileExtMismatchDetectorModuleSettings.MEDIA_AND_EXE_MIME_TYPES.contains(currActualSigType)) {
186  return false;
187  }
188  }
189  }
191  //get known allowed values from the map for this type
192  Set<String> allowedExtSet = mimeTypeToExtsMap.get(currActualSigType);
193  if (allowedExtSet != null) {
194  // see if the filename ext is in the allowed list
195  for (String e : allowedExtSet) {
196  if (e.equals(currActualExt)) {
197  return false;
198  }
199  }
200  return true; //potential mismatch
201  }
203  return false;
204  }
206  @Override
207  public void shutDown() {
208  // We only need to post the summary msg from the last module per job
209  if (refCounter.decrementAndGet(jobId) == 0) {
210  IngestJobTotals jobTotals;
211  synchronized (this) {
212  jobTotals = totalsForIngestJobs.remove(jobId);
213  }
214  if (jobTotals != null) {
215  StringBuilder detailsSb = new StringBuilder();
216  detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
217  detailsSb.append("<tr><td>").append(FileExtMismatchDetectorModuleFactory.getModuleName()).append("</td></tr>"); //NON-NLS
218  detailsSb.append("<tr><td>").append( //NON-NLS
219  NbBundle.getMessage(this.getClass(), "FileExtMismatchIngestModule.complete.totalProcTime"))
220  .append("</td><td>").append(jobTotals.processTime).append("</td></tr>\n"); //NON-NLS
221  detailsSb.append("<tr><td>").append( //NON-NLS
222  NbBundle.getMessage(this.getClass(), "FileExtMismatchIngestModule.complete.totalFiles"))
223  .append("</td><td>").append(jobTotals.numFiles).append("</td></tr>\n"); //NON-NLS
224  detailsSb.append("</table>"); //NON-NLS
227  NbBundle.getMessage(this.getClass(),
228  "FileExtMismatchIngestModule.complete.svcMsg.text"),
229  detailsSb.toString()));
230  }
231  }
232  }
233 }
boolean isDirNameFlagSet(TSK_FS_NAME_FLAG_ENUM flag)
static IngestMessage createMessage(MessageType messageType, String source, String subject, String detailsHtml)
boolean isMetaFlagSet(TSK_FS_META_FLAG_ENUM metaFlag)
void postMessage(final IngestMessage message)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
BlackboardArtifact newArtifact(int artifactTypeID)
synchronized void indexArtifact(BlackboardArtifact artifact)
synchronized static Logger getLogger(String name)
static synchronized void addToTotals(long ingestJobId, long processTimeInc)
static synchronized IngestServices getInstance()

Copyright © 2012-2016 Basis Technology. Generated on: Mon Apr 24 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.