Autopsy  4.4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
VMExtractorIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2012-2016 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.vmextractor;
20 
21 import java.io.File;
22 import java.io.IOException;
23 import java.nio.file.Files;
24 import java.nio.file.Path;
25 import java.nio.file.Paths;
26 import java.text.SimpleDateFormat;
27 import java.util.ArrayList;
28 import java.util.Calendar;
29 import java.util.HashMap;
30 import java.util.List;
31 import java.util.UUID;
32 import java.util.logging.Level;
33 import org.openide.util.NbBundle;
34 import org.openide.util.NbBundle.Messages;
51 import org.sleuthkit.datamodel.AbstractFile;
52 import org.sleuthkit.datamodel.Content;
53 import org.sleuthkit.datamodel.DataSource;
54 import org.sleuthkit.datamodel.SleuthkitCase;
55 import org.sleuthkit.datamodel.TskCoreException;
56 import org.sleuthkit.datamodel.TskDataException;
57 
62 @NbBundle.Messages({"# {0} - output directory name", "VMExtractorIngestModule.cannotCreateOutputDir.message=Unable to create output directory: {0}."
63 })
64 final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter {
65 
66  private static final Logger logger = Logger.getLogger(VMExtractorIngestModule.class.getName());
67  private IngestJobContext context;
68  private Path ingestJobOutputDir;
69  private String parentDeviceId;
70  private String parentTimeZone;
71 
72  private final HashMap<String, String> imageFolderToOutputFolder = new HashMap<>();
73  private int folderId = 0;
74 
75  @Messages({"# {0} - data source name", "deviceIdQueryErrMsg=Data source {0} missing Device ID"})
76  @Override
77  public void startUp(IngestJobContext context) throws IngestModuleException {
78  this.context = context;
79  long dataSourceObjId = context.getDataSource().getId();
80  try {
81  Case currentCase = Case.getCurrentCase();
82  SleuthkitCase caseDb = currentCase.getSleuthkitCase();
83  DataSource dataSource = caseDb.getDataSource(dataSourceObjId);
84  parentDeviceId = dataSource.getDeviceId();
85  parentTimeZone = dataSource.getTimeZone();
86  SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy_MM_dd_HH_mm_ss");
87  String timeStamp = dateFormat.format(Calendar.getInstance().getTime());
88  String ingestJobOutputDirName = context.getDataSource().getName() + "_" + context.getDataSource().getId() + "_" + timeStamp;
89  ingestJobOutputDirName = ingestJobOutputDirName.replace(':', '_');
90  ingestJobOutputDir = Paths.get(Case.getCurrentCase().getModuleDirectory(), VMExtractorIngestModuleFactory.getModuleName(), ingestJobOutputDirName);
91  // create module output folder to write extracted virtual machine files to
92  Files.createDirectories(ingestJobOutputDir);
93  } catch (IOException | SecurityException | UnsupportedOperationException ex) {
94  throw new IngestModule.IngestModuleException(Bundle.VMExtractorIngestModule_cannotCreateOutputDir_message(ex.getLocalizedMessage()), ex);
95  } catch (TskDataException | TskCoreException ex) {
96  throw new IngestModule.IngestModuleException(Bundle.deviceIdQueryErrMsg(context.getDataSource().getName()), ex);
97  }
98  }
99 
100  @Override
101  public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
102 
103  String outputFolderForThisVM;
104  List<AbstractFile> vmFiles;
105 
106  // Configure and start progress bar - looking for VM files
107  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.searchingImage.message"));
108  // Not sure how long it will take for search to complete.
109  progressBar.switchToIndeterminate();
110 
111  logger.log(Level.INFO, "Looking for virtual machine files in data source {0}", dataSource.getName()); //NON-NLS
112 
113  try {
114  // look for all VM files
115  vmFiles = findVirtualMachineFiles(dataSource);
116  } catch (TskCoreException ex) {
117  logger.log(Level.SEVERE, "Error querying case database", ex); //NON-NLS
118  return ProcessResult.ERROR;
119  }
120 
121  if (vmFiles.isEmpty()) {
122  // no VM files found
123  logger.log(Level.INFO, "No virtual machine files found in data source {0}", dataSource.getName()); //NON-NLS
124  return ProcessResult.OK;
125  }
126  // display progress for saving each VM file to disk
127  progressBar.switchToDeterminate(vmFiles.size());
128  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.exportingToDisk.message"));
129 
130  int numFilesSaved = 0;
131  for (AbstractFile vmFile : vmFiles) {
132  if (context.dataSourceIngestIsCancelled()) {
133  break;
134  }
135 
136  logger.log(Level.INFO, "Saving virtual machine file {0} to disk", vmFile.getName()); //NON-NLS
137 
138  // get vmFolderPathInsideTheImage to the folder where VM is located
139  String vmFolderPathInsideTheImage = vmFile.getParentPath();
140 
141  // check if the vmFolderPathInsideTheImage is already in hashmap
142  if (imageFolderToOutputFolder.containsKey(vmFolderPathInsideTheImage)) {
143  // if it is then we have already created output folder to write out all VM files in this parent folder
144  outputFolderForThisVM = imageFolderToOutputFolder.get(vmFolderPathInsideTheImage);
145  } else {
146  // if not - create output folder to write out VM files (can use any unique ID or number for folder name)
147  folderId++;
148  outputFolderForThisVM = Paths.get(ingestJobOutputDir.toString(), Integer.toString(folderId)).toString();
149 
150  // add vmFolderPathInsideTheImage to hashmap
151  imageFolderToOutputFolder.put(vmFolderPathInsideTheImage, outputFolderForThisVM);
152  }
153 
154  // write the vm file to output folder
155  try {
156  writeVirtualMachineToDisk(vmFile, outputFolderForThisVM);
157  } catch (Exception ex) {
158  logger.log(Level.SEVERE, "Failed to write virtual machine file " + vmFile.getName() + " to folder " + outputFolderForThisVM, ex); //NON-NLS
159  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedExtractVM.title.txt"),
160  NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedExtractVM.msg.txt", vmFile.getName()));
161  }
162 
163  // Update progress bar
164  numFilesSaved++;
165  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.exportingToDisk.message"), numFilesSaved);
166  }
167  logger.log(Level.INFO, "Finished saving virtual machine files to disk"); //NON-NLS
168 
169  // update progress bar
170  progressBar.switchToDeterminate(imageFolderToOutputFolder.size());
171  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.queuingIngestJobs.message"));
172  // this is for progress bar purposes because at this point we only know in advance how many job folders to ingest, not how many data sources.
173  int numJobsQueued = 0;
174  // start processing output folders after we are done writing out all vm files
175  for (String folder : imageFolderToOutputFolder.values()) {
176  if (context.dataSourceIngestIsCancelled()) {
177  break;
178  }
179  List<String> vmFilesToIngest = VirtualMachineFinder.identifyVirtualMachines(Paths.get(folder));
180  for (String file : vmFilesToIngest) {
181  try {
182  logger.log(Level.INFO, "Ingesting virtual machine file {0} in folder {1}", new Object[]{file, folder}); //NON-NLS
183 
184  // for extracted virtual machines there is no manifest XML file to read data source ID from so use parent data source ID.
185  // ingest the data sources
186  ingestVirtualMachineImage(Paths.get(folder, file));
187  logger.log(Level.INFO, "Ingest complete for virtual machine file {0} in folder {1}", new Object[]{file, folder}); //NON-NLS
188  } catch (InterruptedException ex) {
189  logger.log(Level.INFO, "Interrupted while ingesting virtual machine file " + file + " in folder " + folder, ex); //NON-NLS
190  } catch (IOException ex) {
191  logger.log(Level.SEVERE, "Failed to ingest virtual machine file " + file + " in folder " + folder, ex); //NON-NLS
192  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedIngestVM.title.txt"),
193  NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedIngestVM.msg.txt", file));
194  }
195  }
196  // Update progress bar
197  numJobsQueued++;
198  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.queuingIngestJobs.message"), numJobsQueued);
199  }
200  logger.log(Level.INFO, "VMExtractorIngestModule completed processing of data source {0}", dataSource.getName()); //NON-NLS
201  return ProcessResult.OK;
202  }
203 
215  private static List<AbstractFile> findVirtualMachineFiles(Content dataSource) throws TskCoreException {
216  List<AbstractFile> vmFiles = new ArrayList<>();
217  for (String vmExtension : GeneralFilter.VIRTUAL_MACHINE_EXTS) {
218  String searchString = "%" + vmExtension; // want a search string that looks like this "%.vmdk"
219  vmFiles.addAll(Case.getCurrentCase().getServices().getFileManager().findFiles(dataSource, searchString));
220  }
221  return vmFiles;
222  }
223 
232  private void writeVirtualMachineToDisk(AbstractFile vmFile, String outputFolderForThisVM) throws IOException {
233 
234  // TODO: check available disk space first? See IngestMonitor.getFreeSpace()
235  // check if output folder exists
236  File destinationFolder = Paths.get(outputFolderForThisVM).toFile();
237  if (!destinationFolder.exists()) {
238  destinationFolder.mkdirs();
239  }
240  /*
241  * Write the virtual machine file to disk.
242  */
243  File localFile = Paths.get(outputFolderForThisVM, vmFile.getName()).toFile();
244  ContentUtils.writeToFile(vmFile, localFile, context::dataSourceIngestIsCancelled);
245  }
246 
253  private void ingestVirtualMachineImage(Path vmFile) throws InterruptedException, IOException {
254 
255  /*
256  * Try to add the virtual machine file to the case as a data source.
257  */
258  UUID taskId = UUID.randomUUID();
259  Case.getCurrentCase().notifyAddingDataSource(taskId);
260  ImageDSProcessor dataSourceProcessor = new ImageDSProcessor();
261  AddDataSourceCallback dspCallback = new AddDataSourceCallback(vmFile);
262  synchronized (this) {
263  dataSourceProcessor.run(parentDeviceId, vmFile.toString(), parentTimeZone, false, new AddDataSourceProgressMonitor(), dspCallback);
264  /*
265  * Block the ingest thread until the data source processor finishes.
266  */
267  this.wait();
268  }
269 
270  /*
271  * If the image was added, analyze it with the ingest modules for this
272  * ingest context.
273  */
274  if (!dspCallback.vmDataSources.isEmpty()) {
275  Case.getCurrentCase().notifyDataSourceAdded(dspCallback.vmDataSources.get(0), taskId);
276  List<Content> dataSourceContent = new ArrayList<>(dspCallback.vmDataSources);
277  IngestJobSettings ingestJobSettings = new IngestJobSettings(context.getExecutionContext());
278  for (String warning : ingestJobSettings.getWarnings()) {
279  logger.log(Level.WARNING, String.format("Ingest job settings warning for virtual machine file %s : %s", vmFile.toString(), warning)); //NON-NLS
280  }
281  IngestServices.getInstance().postMessage(IngestMessage.createMessage(IngestMessage.MessageType.INFO,
282  VMExtractorIngestModuleFactory.getModuleName(),
283  NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.addedVirtualMachineImage.message", vmFile.toString())));
284  IngestManager.getInstance().queueIngestJob(dataSourceContent, ingestJobSettings);
285  } else {
286  Case.getCurrentCase().notifyFailedAddingDataSource(taskId);
287  }
288  }
289 
293  private static final class AddDataSourceProgressMonitor implements DataSourceProcessorProgressMonitor {
294 
295  @Override
296  public void setIndeterminate(final boolean indeterminate) {
297  }
298 
299  @Override
300  public void setProgress(final int progress) {
301  }
302 
303  @Override
304  public void setProgressText(final String text) {
305  }
306 
307  }
308 
314 
315  private final Path vmFile;
316  private final List<Content> vmDataSources;
317 
323  private AddDataSourceCallback(Path vmFile) {
324  this.vmFile = vmFile;
325  vmDataSources = new ArrayList<>();
326  }
327 
328  @Override
329  public void done(DataSourceProcessorCallback.DataSourceProcessorResult result, List<String> errList, List<Content> content) {
330  for (String error : errList) {
331  String logMessage = String.format("Data source processor error for virtual machine file %s: %s", vmFile.toString(), error); //NON-NLS
333  logger.log(Level.SEVERE, logMessage);
334  } else {
335  logger.log(Level.WARNING, logMessage);
336  }
337  }
338 
339  /*
340  * Save a reference to the content object so it can be used to
341  * create a new ingest job.
342  */
343  if (!content.isEmpty()) {
344  vmDataSources.add(content.get(0));
345  }
346 
347  /*
348  * Unblock the ingest thread.
349  */
350  synchronized (VMExtractorIngestModule.this) {
351  VMExtractorIngestModule.this.notify();
352  }
353  }
354 
355  @Override
356  public void doneEDT(DataSourceProcessorResult result, List<String> errList, List<Content> newContents) {
357  done(result, errList, newContents);
358  }
359 
360  }
361 
362 }
void doneEDT(DataSourceProcessorResult result, List< String > errList, List< Content > newContents)
void done(DataSourceProcessorCallback.DataSourceProcessorResult result, List< String > errList, List< Content > content)

Copyright © 2012-2016 Basis Technology. Generated on: Fri Sep 29 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.