ExtractRegistry.java
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2014 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.*;
26 import java.io.File;
27 import java.text.ParseException;
28 import java.text.SimpleDateFormat;
29 import java.util.*;
30 import java.util.logging.Level;
31 import javax.xml.parsers.DocumentBuilder;
32 import javax.xml.parsers.DocumentBuilderFactory;
33 import javax.xml.parsers.ParserConfigurationException;
34 import org.openide.modules.InstalledFileLocator;
35 import org.openide.util.NbBundle;
43 import org.sleuthkit.datamodel.*;
44 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
45 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
46 import org.w3c.dom.Document;
47 import org.w3c.dom.Element;
48 import org.w3c.dom.Node;
49 import org.w3c.dom.NodeList;
50 import org.xml.sax.InputSource;
51 import org.xml.sax.SAXException;
52 import java.nio.file.Path;
56 
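/**
 * Recent Activity extractor that runs RegRipper over the registry hives of a data source.
 *
 * For every hive found by {@link #findRegistryFiles()} the hive is copied out of the image, ripped
 * twice (once with the Autopsy-specific plugin set, once with the full set), the Autopsy-specific
 * output is turned into blackboard artifacts and the full output is attached to the case as a
 * report. Everything parsed here originates from the evidence image and is treated as untrusted.
 */
@NbBundle.Messages({
    "RegRipperNotFound=Autopsy RegRipper executable not found.",
    "RegRipperFullNotFound=Full version RegRipper executable not found."
})
class ExtractRegistry extends Extract {

    private final Logger logger = Logger.getLogger(this.getClass().getName());
    /** argv prefix that launches the Autopsy-plugin RegRipper: [rip.exe] on Windows, [perl, rip.pl] elsewhere. */
    private final List<String> rrCommand;
    /** argv prefix that launches the full-plugin RegRipper, built the same way. */
    private final List<String> rrFullCommand;
    private final Path rrHome; // Path to the Autopsy version of RegRipper
    private final Path rrFullHome; // Path to the full version of RegRipper
    private Content dataSource;
    private IngestJobContext context;
    private static final UsbDeviceIdMapper USB_MAPPER = new UsbDeviceIdMapper();
    private static final String RIP_EXE = "rip.exe";
    private static final String RIP_PL = "rip.pl";
    private static final String PERL = "perl";
    /** Timestamp layout used by the RegRipper Autopsy plugins, e.g. "Fri Sep 29 12:34:56 2017". */
    private static final String RR_TIME_FORMAT = "EEE MMM d HH:mm:ss yyyy";
    /** Separator line RegRipper prints between plugin sections; it is stripped before the output is parsed as XML. */
    private static final String RR_SEPARATOR = "----------------------------------------";

    /**
     * Locates both RegRipper installations and builds the command lines used to launch them.
     *
     * @throws IngestModuleException if either RegRipper directory or its rip executable is missing
     */
    ExtractRegistry() throws IngestModuleException {
        moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text");
        final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
        if (rrRoot == null) {
            throw new IngestModuleException(Bundle.RegRipperNotFound());
        }

        final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
        if (rrFullRoot == null) {
            throw new IngestModuleException(Bundle.RegRipperFullNotFound());
        }

        final String executableToRun = PlatformUtil.isWindowsOS() ? RIP_EXE : RIP_PL;
        rrHome = rrRoot.toPath();
        rrFullHome = rrFullRoot.toPath();
        final Path rrExecutable = rrHome.resolve(executableToRun);
        final Path rrFullExecutable = rrFullHome.resolve(executableToRun);

        if (!rrExecutable.toFile().exists()) {
            throw new IngestModuleException(Bundle.RegRipperNotFound());
        }
        if (!rrFullExecutable.toFile().exists()) {
            throw new IngestModuleException(Bundle.RegRipperFullNotFound());
        }

        rrCommand = buildRegRipperCommand(rrExecutable);
        rrFullCommand = buildRegRipperCommand(rrFullExecutable);
    }

    /**
     * Builds the argv prefix for one RegRipper executable.
     *
     * Off Windows the Perl script has to be run through the interpreter, and the interpreter and
     * the script path must be separate argv elements: ProcessBuilder does not split a single
     * "perl /path/rip.pl" string, it tries to execute a program of that literal name and fails.
     *
     * @param executable rip.exe or rip.pl inside a RegRipper directory
     * @return an unmodifiable list to copy into each command line
     */
    private static List<String> buildRegRipperCommand(Path executable) {
        final List<String> command = new ArrayList<>();
        if (!PlatformUtil.isWindowsOS()) {
            command.add(PERL);
        }
        command.add(executable.toString());
        return Collections.unmodifiableList(command);
    }

    /**
     * Finds the registry hives to analyze in the current data source: every ntuser.dat, plus the
     * system, software, security and sam hives under a /system32/config directory.
     *
     * @return the hives found; a failed lookup is logged and simply leaves the list shorter
     */
    private List<AbstractFile> findRegistryFiles() {
        final List<AbstractFile> allRegistryFiles = new ArrayList<>();
        final org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();

        // find the user-specific ntuser.dat files
        try {
            allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); //NON-NLS
        } catch (TskCoreException ex) {
            logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file.", ex); //NON-NLS
        }

        // find the system hives
        final String[] regFileNames = new String[]{"system", "software", "security", "sam"}; //NON-NLS
        for (String regFileName : regFileNames) {
            try {
                allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS
            } catch (TskCoreException ex) {
                final String msg = NbBundle.getMessage(this.getClass(),
                        "ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
                logger.log(Level.WARNING, msg, ex);
                this.addErrorMessage(this.getName() + ": " + msg);
            }
        }
        return allRegistryFiles;
    }

    /**
     * Copies each registry hive out of the image, runs both RegRipper configurations on it, files
     * the Autopsy-plugin results as blackboard artifacts and the full results as a case report.
     *
     * A "regripper-info.txt" index mapping output number to hive path is kept best-effort: if it
     * cannot be opened the hives are still processed, just without the index.
     */
    private void analyzeRegistryFiles() {
        final List<AbstractFile> allRegistryFiles = findRegistryFiles();
        final String outputDir = RAImageIngestModule.getRAOutputPath(currentCase, "reg"); //NON-NLS
        final String tempDir = RAImageIngestModule.getRATempPath(currentCase, "reg"); //NON-NLS

        Writer logFile = null;
        try {
            // Hive paths may contain non-ASCII characters; pin the encoding instead of relying on the platform default.
            logFile = new OutputStreamWriter(new FileOutputStream(outputDir + File.separator + "regripper-info.txt"), "UTF-8"); //NON-NLS
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Unable to open regripper-info.txt; continuing without it.", ex); //NON-NLS
        }

        try {
            int index = 0;
            for (AbstractFile regFile : allRegistryFiles) {
                if (!processRegistryFile(regFile, index, tempDir, outputDir, logFile)) {
                    break; // ingest was cancelled
                }
                index++;
            }
        } finally {
            if (logFile != null) {
                try {
                    logFile.close();
                } catch (IOException ex) {
                    logger.log(Level.SEVERE, "Error closing regripper-info.txt", ex); //NON-NLS
                }
            }
        }
    }

    /**
     * Extracts one hive to the temp directory, rips it and files the results.
     *
     * @param regFile   the hive inside the image
     * @param index     running number that keeps output files of same-named hives (several ntuser.dat) apart
     * @param tempDir   directory the hive is copied to
     * @param outputDir directory RegRipper output is written to
     * @param logFile   index writer, or null if it could not be opened
     * @return false if ingest was cancelled and the caller should stop; true otherwise, including
     *         when this hive was skipped because it could not be copied out of the image
     */
    private boolean processRegistryFile(AbstractFile regFile, int index, String tempDir, String outputDir, Writer logFile) {
        // The name comes from the image, but findRegistryFiles() only returns files matching a fixed
        // set of hive names, so it cannot smuggle path separators into the temp or output paths.
        final String regFileName = regFile.getName();
        final String regFileNameLocal = tempDir + File.separator + regFileName;
        final String outputPathBase = outputDir + File.separator + regFileName + "-regripper-" + Integer.toString(index); //NON-NLS
        final File regFileNameLocalFile = new File(regFileNameLocal);

        try {
            try {
                ContentUtils.writeToFile(regFile, regFileNameLocalFile, context::dataSourceIngestIsCancelled);
            } catch (IOException ex) {
                logger.log(Level.SEVERE, "Error writing the temp registry file.", ex); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
                                this.getName(), regFileName));
                return true;
            }

            if (context.dataSourceIngestIsCancelled()) {
                return false;
            }

            if (logFile != null) {
                try {
                    logFile.write(Integer.toString(index) + "\t" + regFile.getUniquePath() + "\n");
                } catch (TskCoreException | IOException ex) {
                    logger.log(Level.SEVERE, "Error writing to regripper-info.txt", ex); //NON-NLS
                }
            }

            logger.log(Level.INFO, "{0}- Now getting registry information from {1}", new Object[]{moduleName, regFileNameLocal}); //NON-NLS
            final RegOutputFiles regOutputFiles = ripRegistryFile(regFileNameLocal, outputPathBase);
            if (context.dataSourceIngestIsCancelled()) {
                return false;
            }

            // parse the autopsy-specific output
            if (!regOutputFiles.autopsyPlugins.isEmpty()
                    && !parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile)) {
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
                                this.getName(), regFileName));
            }

            // create a report for the full output
            if (!regOutputFiles.fullPlugins.isEmpty()) {
                try {
                    currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), "RegRipper " + regFile.getUniquePath()); //NON-NLS
                } catch (TskCoreException e) {
                    this.addErrorMessage("Error adding regripper output as Autopsy report: " + e.getLocalizedMessage()); //NON-NLS
                }
            }
            return true;
        } finally {
            // Remove the extracted hive on every path (skip, cancel, success): it is a copy of
            // evidence and previously stayed behind in the temp directory on cancellation.
            if (regFileNameLocalFile.exists() && !regFileNameLocalFile.delete()) {
                logger.log(Level.WARNING, "Unable to delete temp registry file {0}", regFileNameLocal); //NON-NLS
            }
        }
    }

    /** Paths of the two RegRipper result files for one hive; an empty string means that run was not made. */
    private static final class RegOutputFiles {

        String autopsyPlugins = "";
        String fullPlugins = "";
    }

    /**
     * Runs RegRipper on an extracted hive, choosing the plugin profile from the hive's file name.
     *
     * Only the file name is inspected, not the whole path: the temp path contains the case
     * directory, so matching on the full path classified every hive as e.g. "system" or
     * "software" whenever the case folder had one of those words in its name.
     *
     * @param regFilePath     path of the extracted hive in the temp directory
     * @param outFilePathBase prefix for the output and error files
     * @return the result file paths; both empty if the hive name is not recognised
     */
    private RegOutputFiles ripRegistryFile(String regFilePath, String outFilePathBase) {
        final RegOutputFiles regOutputFiles = new RegOutputFiles();
        final String hiveName = new File(regFilePath).getName().toLowerCase(Locale.ROOT);

        String autopsyType = ""; // Type argument for rr for autopsy-specific modules
        final String fullType; // Type argument for rr for full set of modules
        if (hiveName.contains("system")) { //NON-NLS
            autopsyType = "autopsysystem"; //NON-NLS
            fullType = "system"; //NON-NLS
        } else if (hiveName.contains("software")) { //NON-NLS
            autopsyType = "autopsysoftware"; //NON-NLS
            fullType = "software"; //NON-NLS
        } else if (hiveName.contains("ntuser")) { //NON-NLS
            autopsyType = "autopsyntuser"; //NON-NLS
            fullType = "ntuser"; //NON-NLS
        } else if (hiveName.contains("sam")) { //NON-NLS
            fullType = "sam"; //NON-NLS
        } else if (hiveName.contains("security")) { //NON-NLS
            fullType = "security"; //NON-NLS
        } else {
            return regOutputFiles;
        }

        // run the autopsy-specific set of modules (only some hive types have one)
        if (!autopsyType.isEmpty()) {
            regOutputFiles.autopsyPlugins = outFilePathBase + "-autopsy.txt"; //NON-NLS
            final String errFilePath = outFilePathBase + "-autopsy.err.txt"; //NON-NLS
            logger.log(Level.INFO, "Writing RegRipper results to: {0}", regOutputFiles.autopsyPlugins); //NON-NLS
            executeRegRipper(rrCommand, rrHome, regFilePath, autopsyType, regOutputFiles.autopsyPlugins, errFilePath);
        }
        if (context.dataSourceIngestIsCancelled()) {
            return regOutputFiles;
        }

        // run the full set of rr modules; fullType is set for every recognised hive
        regOutputFiles.fullPlugins = outFilePathBase + "-full.txt"; //NON-NLS
        final String errFilePath = outFilePathBase + "-full.err.txt"; //NON-NLS
        logger.log(Level.INFO, "Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins); //NON-NLS
        executeRegRipper(rrFullCommand, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
        return regOutputFiles;
    }

    /**
     * Runs one RegRipper invocation, capturing stdout and stderr to files and terminating the
     * process if ingest is cancelled.
     *
     * @param regRipperCommand argv prefix (rip.exe, or perl + rip.pl)
     * @param regRipperHomeDir working directory; RegRipper 2.8 has to be run from its own directory
     * @param hiveFilePath     extracted hive to rip
     * @param hiveFileType     RegRipper profile name passed to -f
     * @param outputFile       file stdout is redirected to
     * @param errFile          file stderr is redirected to
     */
    private void executeRegRipper(List<String> regRipperCommand, Path regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
        try {
            // Every argument is its own argv element; nothing here goes through a shell.
            final List<String> commandLine = new ArrayList<>(regRipperCommand);
            commandLine.add("-r"); //NON-NLS
            commandLine.add(hiveFilePath);
            commandLine.add("-f"); //NON-NLS
            commandLine.add(hiveFileType);

            final ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
            processBuilder.directory(regRipperHomeDir.toFile()); // RegRipper 2.8 has to be run from its own directory
            processBuilder.redirectOutput(new File(outputFile));
            processBuilder.redirectError(new File(errFile));
            ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context));
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
        }
    }

    // @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT
    /**
     * Parses the Autopsy-plugin RegRipper output for one hive and files blackboard artifacts from it.
     *
     * The output is RegRipper's XML-like text wrapped into a synthetic root document (see
     * {@link #wrapAsXmlDocument}). The data inside it comes from the evidence hive, so the parser
     * is configured to reject DOCTYPEs and never resolve external entities.
     *
     * @param regFilePath the "-autopsy.txt" output file
     * @param regFile     the hive the artifacts are attached to
     * @return true if the output was parsed (individual artifacts that fail to post are logged),
     *         false if the file was missing, empty or not well-formed
     */
    private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
        final String regString;
        try (Scanner scanner = new Scanner(new FileInputStream(regFilePath), "UTF-8")) { //NON-NLS
            // \Z consumes the whole file as one token; hasNext() guards the empty-file case,
            // where next() would throw NoSuchElementException out of the module.
            scanner.useDelimiter("\\Z"); //NON-NLS
            regString = scanner.hasNext() ? scanner.next() : "";
        } catch (FileNotFoundException ex) {
            logger.log(Level.SEVERE, "Error finding the registry file.", ex); //NON-NLS
            return false;
        }
        if (regString.trim().isEmpty()) {
            logger.log(Level.WARNING, "RegRipper produced no output in {0}", regFilePath); //NON-NLS
            return false;
        }

        final Document doc;
        try {
            final DocumentBuilder builder = newHardenedDocumentBuilder();
            doc = builder.parse(new InputSource(new StringReader(wrapAsXmlDocument(regString))));
        } catch (SAXException ex) {
            // The plugin output does not escape '<' in registry data, so one such value makes the
            // whole hive's output unparseable; the failure is for the hive, not a single entry.
            logger.log(Level.SEVERE, "Error parsing the registry XML", ex); //NON-NLS
            return false;
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Error building the document parser", ex); //NON-NLS
            return false;
        } catch (ParserConfigurationException ex) {
            logger.log(Level.SEVERE, "Error configuring the registry parser", ex); //NON-NLS
            return false;
        }

        final String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace");
        // Add all "usb" dataType nodes to collection of BlackboardArtifacts
        // that we will submit in a ModuleDataEvent for additional processing.
        final Collection<BlackboardArtifact> usbBBartifacts = new ArrayList<>();

        // cycle through the plugin sections directly under the synthetic root
        final NodeList children = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            final Node child = children.item(i);
            if (!(child instanceof Element)) {
                continue; // stray text between sections; a blind cast here threw ClassCastException
            }
            final Element tempnode = (Element) child;
            final String dataType = tempnode.getNodeName();

            final NodeList artroots = tempnode.getElementsByTagName("artifacts"); //NON-NLS
            if (artroots.getLength() == 0) {
                // If there isn't an artifact node, skip this entry
                continue;
            }
            final NodeList myartlist = ((Element) artroots.item(0)).getChildNodes();

            // Sections whose entries all describe the one OS_INFO artifact are merged; the rest
            // produce one artifact per entry.
            switch (dataType) {
                case "WinVersion": //NON-NLS
                    addWinVersionInfo(myartlist, regFile, parentModuleName);
                    break;
                case "Profiler": //NON-NLS
                    addProfilerInfo(myartlist, regFile, parentModuleName);
                    break;
                case "CompName": //NON-NLS
                    addCompNameInfo(myartlist, regFile, parentModuleName);
                    break;
                default:
                    addIndividualArtifacts(dataType, myartlist, readKeyMtime(tempnode), regFile, parentModuleName, usbBBartifacts);
                    break;
            }
        }

        if (!usbBBartifacts.isEmpty()) {
            IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, usbBBartifacts));
        }
        return true;
    }

    /**
     * Creates a DocumentBuilder that cannot be steered by the content it parses.
     *
     * The fixed prolog prepended by {@link #wrapAsXmlDocument} already keeps a DOCTYPE out of the
     * document and '&' is escaped, so this is defence in depth rather than a fix for a known
     * bypass; it costs nothing because RegRipper output uses no DTDs, entities or XInclude.
     *
     * @throws ParserConfigurationException if no DocumentBuilder can be created at all
     */
    private DocumentBuilder newHardenedDocumentBuilder() throws ParserConfigurationException {
        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        setFeatureIfSupported(factory, "http://apache.org/xml/features/disallow-doctype-decl", true); //NON-NLS
        setFeatureIfSupported(factory, "http://xml.org/sax/features/external-general-entities", false); //NON-NLS
        setFeatureIfSupported(factory, "http://xml.org/sax/features/external-parameter-entities", false); //NON-NLS
        setFeatureIfSupported(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //NON-NLS
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Applies a parser feature, logging instead of failing if the installed XML provider does not know it. */
    private void setFeatureIfSupported(DocumentBuilderFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
        } catch (ParserConfigurationException ex) {
            logger.log(Level.WARNING, "XML parser does not support feature {0}", feature); //NON-NLS
        }
    }

    /**
     * Turns RegRipper's Autopsy-plugin output into one well-formed XML document string.
     *
     * RegRipper prints tags for its sections but also separator lines, raw newlines and NULs,
     * and does not escape the registry data it embeds. '&' must be escaped before the apostrophe
     * replacement: the previous order rewrote every "'" to "&apos;" and then to "&amp;apos;",
     * so the parser handed the literal text "&apos;" back into attribute and element values.
     *
     * @param regRipperOutput raw contents of the "-autopsy.txt" file
     * @return the output wrapped in {@code <document>} with a fixed XML prolog
     */
    private static String wrapAsXmlDocument(String regRipperOutput) {
        String body = regRipperOutput.replace(RR_SEPARATOR, "");
        body = body.replace("\n", ""); //NON-NLS
        body = body.replace("\r", ""); //NON-NLS
        body = body.replace("&", "&amp;"); //NON-NLS
        body = body.replace("'", "&apos;"); //NON-NLS
        body = body.replace('\0', ' ');
        return "<?xml version=\"1.0\"?><document>" + body + "</document>"; //NON-NLS
    }

    /**
     * Reads the first {@code <mtime>} element under a plugin section.
     *
     * @return epoch seconds, or null if the section has no mtime or it does not parse
     */
    private Long readKeyMtime(Element sectionNode) {
        final NodeList timenodes = sectionNode.getElementsByTagName("mtime"); //NON-NLS
        if (timenodes.getLength() == 0) {
            return null;
        }
        return parseRegRipperTime(timenodes.item(0).getTextContent());
    }

    /**
     * Parses a RegRipper timestamp in the "EEE MMM d HH:mm:ss yyyy" layout into epoch seconds.
     *
     * The locale is pinned to US because the day and month names in this layout are English;
     * with the JVM default locale the parse failed on every non-English machine.
     * NOTE(review): the text is still interpreted in the JVM's default time zone, as before;
     * if RegRipper prints these times in UTC the stored values are offset by the local zone — confirm.
     *
     * @param text the timestamp text, may be null or blank
     * @return epoch seconds, or null (logged) if the text is blank or does not match the layout
     */
    private Long parseRegRipperTime(String text) {
        if (text == null || text.trim().isEmpty()) {
            return null;
        }
        try {
            return new SimpleDateFormat(RR_TIME_FORMAT, Locale.US).parse(text.trim()).getTime() / 1000;
        } catch (ParseException ex) {
            logger.log(Level.WARNING, "Failed to parse RegRipper time \"{0}\"", text); //NON-NLS
            return null;
        }
    }

    /**
     * Returns the data elements of an artifacts node.
     *
     * The plugin output marks data elements by giving them attributes; nodes without attributes
     * (text, or tags carrying nothing) are skipped, exactly as before.
     */
    private static List<Element> artifactElements(NodeList nodes) {
        final List<Element> elements = new ArrayList<>();
        for (int j = 0; j < nodes.getLength(); j++) {
            final Node artchild = nodes.item(j);
            // If it has attributes, then it is an Element (based off API)
            if (artchild.hasAttributes()) {
                elements.add((Element) artchild);
            }
        }
        return elements;
    }

    /**
     * Adds attributes to the hive's TSK_OS_INFO artifact, creating it if the hive has none yet.
     *
     * Several plugin sections (WinVersion, Profiler, CompName) each contribute to the same
     * artifact, so the first one creates it and the others append.
     *
     * @throws TskCoreException if the blackboard query or update fails
     */
    private void addToOsInfoArtifact(AbstractFile regFile, Collection<BlackboardAttribute> bbattributes) throws TskCoreException {
        final SleuthkitCase tempDb = currentCase.getSleuthkitCase();
        final List<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
        if (results.isEmpty()) {
            final BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
            bbart.addAttributes(bbattributes);
            // index the artifact for keyword search
            this.indexArtifact(bbart);
        } else {
            results.get(0).addAttributes(bbattributes);
        }
    }

    /** Collects the WinVersion section (product name, install date, owner, ...) onto the OS_INFO artifact. */
    private void addWinVersionInfo(NodeList artifactNodes, AbstractFile regFile, String parentModuleName) {
        String version = "";
        String systemRoot = "";
        String productId = "";
        String regOwner = "";
        String regOrg = "";
        Long installtime = null;
        for (Element artnode : artifactElements(artifactNodes)) {
            final String value = artnode.getTextContent().trim();
            switch (artnode.getAttribute("name")) { //NON-NLS
                case "ProductName": // NON-NLS
                    version = value;
                    break;
                case "CSDVersion": // NON-NLS
                    // This is dependant on the fact that ProductName shows up first in the module output
                    version = version + " " + value;
                    break;
                case "SystemRoot": //NON-NLS
                    systemRoot = value;
                    break;
                case "ProductId": //NON-NLS
                    productId = value;
                    break;
                case "RegisteredOwner": //NON-NLS
                    regOwner = value;
                    break;
                case "RegisteredOrganization": //NON-NLS
                    regOrg = value;
                    break;
                case "InstallDate": //NON-NLS
                    installtime = parseRegRipperTime(value);
                    break;
                default:
                    break;
            }
        }

        final Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, version));
        if (installtime != null) {
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, installtime));
        }
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, parentModuleName, systemRoot));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID, parentModuleName, productId));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER, parentModuleName, regOwner));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION, parentModuleName, regOrg));
        try {
            addToOsInfoArtifact(regFile, bbattributes);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding OS info (WinVersion) artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** Collects the Profiler section (OS, processor architecture, temp dir) onto the OS_INFO artifact. */
    private void addProfilerInfo(NodeList artifactNodes, AbstractFile regFile, String parentModuleName) {
        String os = "";
        String procArch = "";
        String tempDir = "";
        for (Element artnode : artifactElements(artifactNodes)) {
            final String value = artnode.getTextContent().trim();
            switch (artnode.getAttribute("name")) { //NON-NLS
                case "OS": // NON-NLS
                    os = value;
                    break;
                case "PROCESSOR_ARCHITECTURE": // NON-NLS
                    procArch = value;
                    break;
                case "PROCESSOR_IDENTIFIER": //NON-NLS
                    // emitted by the plugin but not stored on the artifact
                    break;
                case "TEMP": //NON-NLS
                    tempDir = value;
                    break;
                default:
                    break;
            }
        }

        final Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VERSION, parentModuleName, os));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE, parentModuleName, procArch));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR, parentModuleName, tempDir));
        try {
            addToOsInfoArtifact(regFile, bbattributes);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding os info artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** Collects the CompName section (computer name, domain) onto the OS_INFO artifact. */
    private void addCompNameInfo(NodeList artifactNodes, AbstractFile regFile, String parentModuleName) {
        String compName = "";
        String domain = "";
        for (Element artnode : artifactElements(artifactNodes)) {
            final String value = artnode.getTextContent().trim();
            final String name = artnode.getAttribute("name"); //NON-NLS
            if (name.equals("ComputerName")) { // NON-NLS
                compName = value;
            } else if (name.equals("Domain")) { // NON-NLS
                domain = value;
            }
        }

        final Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, compName));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain));
        try {
            addToOsInfoArtifact(regFile, bbattributes);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding os info artifact to blackboard.", ex); //NON-NLS
        }
    }

    /**
     * Files one artifact per entry of a plugin section that is not merged into OS_INFO.
     *
     * @param dataType        the section (plugin) name
     * @param artifactNodes   children of the section's artifacts node
     * @param keyMtime        the section's mtime in epoch seconds, or null; only "office" uses it
     * @param regFile         hive the artifacts are attached to
     * @param usbBBartifacts  receives every TSK_DEVICE_ATTACHED artifact created, for the ModuleDataEvent
     */
    private void addIndividualArtifacts(String dataType, NodeList artifactNodes, Long keyMtime, AbstractFile regFile,
            String parentModuleName, Collection<BlackboardArtifact> usbBBartifacts) {
        for (Element artnode : artifactElements(artifactNodes)) {
            final String value = artnode.getTextContent().trim();
            switch (dataType) {
                case "recentdocs": //NON-NLS
                    // @@@ BC: Why are we ignoring this... (never turned into TSK_RECENT_OBJECT artifacts)
                    break;
                case "usb": //NON-NLS
                    addUsbDevice(artnode, value, regFile, parentModuleName, usbBBartifacts);
                    break;
                case "uninstall": //NON-NLS
                    addInstalledProgram(artnode, value, regFile, parentModuleName);
                    break;
                case "office": //NON-NLS
                    addOfficeRecentObject(artnode, value, keyMtime, regFile, parentModuleName);
                    break;
                case "ProcessorArchitecture": //NON-NLS
                    // Architecture is now included under Profiler
                    break;
                case "ProfileList": //NON-NLS
                    addOsAccount(artnode, value, regFile, parentModuleName);
                    break;
                case "NtuserNetwork": // NON-NLS
                    addRemoteDrive(artnode, value, regFile, parentModuleName);
                    break;
                case "shellfolders": // NON-NLS
                    // The User Shell Folders subkey stores the paths to Windows Explorer folders for the current user of the computer
                    // (https://technet.microsoft.com/en-us/library/Cc962613.aspx).
                    // No useful information. Skip.
                    break;
                default:
                    logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType); //NON-NLS
                    break;
            }
        }
    }

    /** Files a TSK_DEVICE_ATTACHED artifact for one "usb" entry and queues it for the ModuleDataEvent. */
    private void addUsbDevice(Element artnode, String deviceId, AbstractFile regFile, String parentModuleName,
            Collection<BlackboardArtifact> usbBBartifacts) {
        // This plugin's mtime attribute is already a number (stored directly as the datetime), not date text.
        final String mtimeText = artnode.getAttribute("mtime"); //NON-NLS
        Long usbMtime = null;
        try {
            usbMtime = Long.parseLong(mtimeText);
        } catch (NumberFormatException ex) {
            // Previously this exception escaped the module and aborted the whole hive; record the device without a time instead.
            logger.log(Level.WARNING, "Unparseable usb mtime \"{0}\" for device {1}; recording it without a time", new Object[]{mtimeText, deviceId}); //NON-NLS
        }

        try {
            final Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            if (usbMtime != null) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, usbMtime));
            }
            final String dev = artnode.getAttribute("dev"); //NON-NLS
            String make = "";
            String model = dev;
            // Only device strings carrying a vendor id ("vid") can be resolved through the mapper.
            if (dev.toLowerCase(Locale.ROOT).contains("vid")) { //NON-NLS
                final USBInfo info = USB_MAPPER.parseAndLookup(dev);
                if (info.getVendor() != null) {
                    make = info.getVendor();
                }
                if (info.getProduct() != null) {
                    model = info.getProduct();
                }
            }
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE, parentModuleName, make));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL, parentModuleName, model));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID, parentModuleName, deviceId));

            final BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
            bbart.addAttributes(bbattributes);
            // index the artifact for keyword search
            this.indexArtifact(bbart);
            // add to collection for ModuleDataEvent
            usbBBartifacts.add(bbart);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** Files a TSK_INSTALLED_PROG artifact for one "uninstall" entry. */
    private void addInstalledProgram(Element artnode, String programName, AbstractFile regFile, String parentModuleName) {
        final Long itemMtime = parseRegRipperTime(artnode.getAttribute("mtime")); //NON-NLS
        try {
            final Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, programName));
            // Only add the time when it parsed: the long-valued attribute constructor unboxes the
            // argument, so a null here threw NullPointerException and aborted the whole hive.
            if (itemMtime != null) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
            }
            final BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
            bbart.addAttributes(bbattributes);
            // index the artifact for keyword search
            this.indexArtifact(bbart);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** Files a TSK_RECENT_OBJECT artifact for one "office" entry. */
    private void addOfficeRecentObject(Element artnode, String value, Long keyMtime, AbstractFile regFile, String parentModuleName) {
        final String officeName = artnode.getAttribute("name"); //NON-NLS
        try {
            final Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
            if (keyMtime != null) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName, keyMtime));
            }
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, officeName));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName()));

            final BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
            bbart.addAttributes(bbattributes);
            // index the artifact for keyword search
            this.indexArtifact(bbart);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** Files a TSK_OS_ACCOUNT artifact for one "ProfileList" entry (SID, user name, profile directory). */
    private void addOsAccount(Element artnode, String homeDir, AbstractFile regFile, String parentModuleName) {
        final String sid = artnode.getAttribute("sid"); //NON-NLS
        final String username = artnode.getAttribute("username"); //NON-NLS
        try {
            final BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, parentModuleName, username));
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID, parentModuleName, sid));
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, parentModuleName, homeDir));
            // index the artifact for keyword search
            this.indexArtifact(bbart);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding account artifact to blackboard.", ex); //NON-NLS
        }
    }

    /** Files a TSK_REMOTE_DRIVE artifact for one "NtuserNetwork" entry (mapped drive letter and remote path). */
    private void addRemoteDrive(Element artnode, String remoteName, AbstractFile regFile, String parentModuleName) {
        final String localPath = artnode.getAttribute("localPath"); //NON-NLS
        try {
            final BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE);
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH, parentModuleName, localPath));
            bbart.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH, parentModuleName, remoteName));
            // index the artifact for keyword search
            this.indexArtifact(bbart);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding network artifact to blackboard.", ex); //NON-NLS
        }
    }

    /**
     * Ingest entry point: records the data source and job context, then analyzes every hive found.
     *
     * @param dataSource the data source being ingested
     * @param context    job context used for cancellation checks and process termination
     */
    @Override
    public void process(Content dataSource, IngestJobContext context) {
        this.dataSource = dataSource;
        this.context = context;
        analyzeRegistryFiles();
    }
}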
