Autopsy  4.7.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Chrome.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2018 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  *
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import com.google.gson.JsonArray;
26 import com.google.gson.JsonElement;
27 import com.google.gson.JsonIOException;
28 import com.google.gson.JsonObject;
29 import com.google.gson.JsonParser;
30 import com.google.gson.JsonSyntaxException;
31 import org.openide.util.NbBundle;
32 import org.sleuthkit.autopsy.ingest.IngestServices;
33 import org.sleuthkit.autopsy.datamodel.ContentUtils;
34 import java.util.logging.Level;
35 import java.util.*;
36 import java.io.File;
37 import java.io.FileNotFoundException;
38 import java.io.FileReader;
39 import java.io.IOException;
40 import org.sleuthkit.autopsy.casemodule.services.FileManager;
41 import org.sleuthkit.autopsy.coreutils.Logger;
42 import org.sleuthkit.autopsy.ingest.IngestJobContext;
43 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
44 import org.sleuthkit.datamodel.AbstractFile;
45 import org.sleuthkit.datamodel.BlackboardArtifact;
46 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
47 import org.sleuthkit.datamodel.BlackboardAttribute;
48 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
49 import org.sleuthkit.datamodel.Content;
50 import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
51 import org.sleuthkit.datamodel.TskCoreException;
52 import org.sleuthkit.datamodel.TskData;
53 
57 class Chrome extends Extract {
58 
59  private static final String HISTORY_QUERY = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS
60  + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS
61  private static final String COOKIE_QUERY = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS
62  private static final String DOWNLOAD_QUERY = "SELECT full_path, url, start_time, received_bytes FROM downloads"; //NON-NLS
63  private static final String DOWNLOAD_QUERY_V30 = "SELECT current_path AS full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS
64  private static final String LOGIN_QUERY = "SELECT origin_url, username_value, signon_realm from logins"; //NON-NLS
65  private final Logger logger = Logger.getLogger(this.getClass().getName());
66  private Content dataSource;
67  private IngestJobContext context;
68 
69  Chrome() {
70  moduleName = NbBundle.getMessage(Chrome.class, "Chrome.moduleName");
71  }
72 
73  @Override
74  public void process(Content dataSource, IngestJobContext context) {
75  this.dataSource = dataSource;
76  this.context = context;
77  dataFound = false;
78  this.getHistory();
79  this.getBookmark();
80  this.getCookie();
81  this.getLogin();
82  this.getDownload();
83  }
84 
88  private void getHistory() {
89  FileManager fileManager = currentCase.getServices().getFileManager();
90  List<AbstractFile> historyFiles;
91  try {
92  historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS
93  } catch (TskCoreException ex) {
94  String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
95  logger.log(Level.SEVERE, msg, ex);
96  this.addErrorMessage(this.getName() + ": " + msg);
97  return;
98  }
99 
100  // get only the allocated ones, for now
101  List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();
102  for (AbstractFile historyFile : historyFiles) {
103  if (historyFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
104  allocatedHistoryFiles.add(historyFile);
105  }
106  }
107 
108  // log a message if we don't have any allocated history files
109  if (allocatedHistoryFiles.isEmpty()) {
110  String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");
111  logger.log(Level.INFO, msg);
112  return;
113  }
114 
115  dataFound = true;
116  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
117  int j = 0;
118  while (j < historyFiles.size()) {
119  String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFiles.get(j).getName() + j + ".db"; //NON-NLS
120  final AbstractFile historyFile = historyFiles.get(j++);
121  if (historyFile.getSize() == 0) {
122  continue;
123  }
124  try {
125  ContentUtils.writeToFile(historyFile, new File(temps), context::dataSourceIngestIsCancelled);
126  } catch (ReadContentInputStreamException ex) {
127  logger.log(Level.WARNING, String.format("Error reading Chrome web history artifacts file '%s' (id=%d).",
128  historyFile.getName(), historyFile.getId()), ex); //NON-NLS
129  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",
130  this.getName(), historyFile.getName()));
131  continue;
132  } catch (IOException ex) {
133  logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome web history artifacts file '%s' (id=%d).",
134  temps, historyFile.getName(), historyFile.getId()), ex); //NON-NLS
135  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",
136  this.getName(), historyFile.getName()));
137  continue;
138  }
139  File dbFile = new File(temps);
140  if (context.dataSourceIngestIsCancelled()) {
141  dbFile.delete();
142  break;
143  }
144  List<HashMap<String, Object>> tempList;
145  tempList = this.dbConnect(temps, HISTORY_QUERY);
146  logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
147  for (HashMap<String, Object> result : tempList) {
148  Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
149  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
150  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
151  ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS
152  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
153  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
154  (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS
155  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
156  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
157  ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS
158  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
159  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
160  ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS
161  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
162  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
163  NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
164  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
165  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
166  (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS
167 
168  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
169  if (bbart != null) {
170  bbartifacts.add(bbart);
171  }
172  }
173  dbFile.delete();
174  }
175 
176  IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
177  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
178  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
179  }
180 
184  private void getBookmark() {
185  FileManager fileManager = currentCase.getServices().getFileManager();
186  List<AbstractFile> bookmarkFiles;
187  try {
188  bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS
189  } catch (TskCoreException ex) {
190  String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");
191  logger.log(Level.SEVERE, msg, ex);
192  this.addErrorMessage(this.getName() + ": " + msg);
193  return;
194  }
195 
196  if (bookmarkFiles.isEmpty()) {
197  logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); //NON-NLS
198  return;
199  }
200 
201  dataFound = true;
202  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
203  int j = 0;
204 
205  while (j < bookmarkFiles.size()) {
206  AbstractFile bookmarkFile = bookmarkFiles.get(j++);
207  if (bookmarkFile.getSize() == 0) {
208  continue;
209  }
210  String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS
211  try {
212  ContentUtils.writeToFile(bookmarkFile, new File(temps), context::dataSourceIngestIsCancelled);
213  } catch (ReadContentInputStreamException ex) {
214  logger.log(Level.WARNING, String.format("Error reading Chrome bookmark artifacts file '%s' (id=%d).",
215  bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS
216  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",
217  this.getName(), bookmarkFile.getName()));
218  continue;
219  } catch (IOException ex) {
220  logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome bookmark artifacts file '%s' (id=%d).",
221  temps, bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS
222  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",
223  this.getName(), bookmarkFile.getName()));
224  continue;
225  }
226 
227  logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{moduleName, temps}); //NON-NLS
228  File dbFile = new File(temps);
229  if (context.dataSourceIngestIsCancelled()) {
230  dbFile.delete();
231  break;
232  }
233 
234  FileReader tempReader;
235  try {
236  tempReader = new FileReader(temps);
237  } catch (FileNotFoundException ex) {
238  logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS
239  this.addErrorMessage(
240  NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getName(),
241  bookmarkFile.getName()));
242  continue;
243  }
244 
245  final JsonParser parser = new JsonParser();
246  JsonElement jsonElement;
247  JsonObject jElement, jRoot, jBookmark;
248  JsonArray jBookmarkArray;
249 
250  try {
251  jsonElement = parser.parse(tempReader);
252  jElement = jsonElement.getAsJsonObject();
253  jRoot = jElement.get("roots").getAsJsonObject(); //NON-NLS
254  jBookmark = jRoot.get("bookmark_bar").getAsJsonObject(); //NON-NLS
255  jBookmarkArray = jBookmark.getAsJsonArray("children"); //NON-NLS
256  } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) {
257  logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS
258  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",
259  this.getName(), bookmarkFile.getName()));
260  continue;
261  }
262 
263  for (JsonElement result : jBookmarkArray) {
264  JsonObject address = result.getAsJsonObject();
265  if (address == null) {
266  continue;
267  }
268  JsonElement urlEl = address.get("url"); //NON-NLS
269  String url;
270  if (urlEl != null) {
271  url = urlEl.getAsString();
272  } else {
273  url = "";
274  }
275  String name;
276  JsonElement nameEl = address.get("name"); //NON-NLS
277  if (nameEl != null) {
278  name = nameEl.getAsString();
279  } else {
280  name = "";
281  }
282  Long date;
283  JsonElement dateEl = address.get("date_added"); //NON-NLS
284  if (dateEl != null) {
285  date = dateEl.getAsLong();
286  } else {
287  date = Long.valueOf(0);
288  }
289  String domain = Util.extractDomain(url);
290  try {
291  BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
292  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
293  //TODO Revisit usage of deprecated constructor as per TSK-583
294  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
295  NbBundle.getMessage(this.getClass(),
296  "Chrome.parentModuleName"), url));
297  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
298  NbBundle.getMessage(this.getClass(),
299  "Chrome.parentModuleName"), name));
300  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
301  NbBundle.getMessage(this.getClass(),
302  "Chrome.parentModuleName"), (date / 1000000) - Long.valueOf("11644473600")));
303  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
304  NbBundle.getMessage(this.getClass(),
305  "Chrome.parentModuleName"),
306  NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
307  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
308  NbBundle.getMessage(this.getClass(),
309  "Chrome.parentModuleName"), domain));
310  bbart.addAttributes(bbattributes);
311 
312  // index the artifact for keyword search
313  this.indexArtifact(bbart);
314  bbartifacts.add(bbart);
315  } catch (TskCoreException ex) {
316  logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS
317  this.addErrorMessage(
318  NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4",
319  this.getName(), bookmarkFile.getName()));
320  }
321  }
322  dbFile.delete();
323  }
324 
325  IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
326  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
327  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));
328  }
329 
333  private void getCookie() {
334 
335  FileManager fileManager = currentCase.getServices().getFileManager();
336  List<AbstractFile> cookiesFiles;
337  try {
338  cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS
339  } catch (TskCoreException ex) {
340  String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles");
341  logger.log(Level.SEVERE, msg, ex);
342  this.addErrorMessage(this.getName() + ": " + msg);
343  return;
344  }
345 
346  if (cookiesFiles.isEmpty()) {
347  logger.log(Level.INFO, "Didn't find any Chrome cookies files."); //NON-NLS
348  return;
349  }
350 
351  dataFound = true;
352  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
353  int j = 0;
354  while (j < cookiesFiles.size()) {
355  AbstractFile cookiesFile = cookiesFiles.get(j++);
356  if (cookiesFile.getSize() == 0) {
357  continue;
358  }
359  String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS
360  try {
361  ContentUtils.writeToFile(cookiesFile, new File(temps), context::dataSourceIngestIsCancelled);
362  } catch (ReadContentInputStreamException ex) {
363  logger.log(Level.WARNING, String.format("Error reading Chrome cookie artifacts file '%s' (id=%d).",
364  cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS
365  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",
366  this.getName(), cookiesFile.getName()));
367  continue;
368  } catch (IOException ex) {
369  logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome cookie artifacts file '%s' (id=%d).",
370  temps, cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS
371  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",
372  this.getName(), cookiesFile.getName()));
373  continue;
374  }
375  File dbFile = new File(temps);
376  if (context.dataSourceIngestIsCancelled()) {
377  dbFile.delete();
378  break;
379  }
380 
381  List<HashMap<String, Object>> tempList = this.dbConnect(temps, COOKIE_QUERY);
382  logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
383  for (HashMap<String, Object> result : tempList) {
384  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
385  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
386  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
387  ((result.get("host_key").toString() != null) ? result.get("host_key").toString() : ""))); //NON-NLS
388  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,
389  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
390  (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS
391 
392  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
393  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
394  ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS
395  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
396  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
397  ((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS
398  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
399  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
400  NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
401  String domain = result.get("host_key").toString(); //NON-NLS
402  domain = domain.replaceFirst("^\\.+(?!$)", "");
403  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
404  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain));
405 
406  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
407  if (bbart != null) {
408  bbartifacts.add(bbart);
409  }
410  }
411 
412  dbFile.delete();
413  }
414 
415  IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
416  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
417  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));
418  }
419 
423  private void getDownload() {
424  FileManager fileManager = currentCase.getServices().getFileManager();
425  List<AbstractFile> downloadFiles;
426  try {
427  downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS
428  } catch (TskCoreException ex) {
429  String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles");
430  logger.log(Level.SEVERE, msg, ex);
431  this.addErrorMessage(this.getName() + ": " + msg);
432  return;
433  }
434 
435  if (downloadFiles.isEmpty()) {
436  logger.log(Level.INFO, "Didn't find any Chrome download files."); //NON-NLS
437  return;
438  }
439 
440  dataFound = true;
441  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
442  int j = 0;
443  while (j < downloadFiles.size()) {
444  AbstractFile downloadFile = downloadFiles.get(j++);
445  if (downloadFile.getSize() == 0) {
446  continue;
447  }
448  String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS
449  try {
450  ContentUtils.writeToFile(downloadFile, new File(temps), context::dataSourceIngestIsCancelled);
451  } catch (ReadContentInputStreamException ex) {
452  logger.log(Level.WARNING, String.format("Error reading Chrome download artifacts file '%s' (id=%d).",
453  downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS
454  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",
455  this.getName(), downloadFile.getName()));
456  continue;
457  } catch (IOException ex) {
458  logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome download artifacts file '%s' (id=%d).",
459  temps, downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS
460  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",
461  this.getName(), downloadFile.getName()));
462  continue;
463  }
464  File dbFile = new File(temps);
465  if (context.dataSourceIngestIsCancelled()) {
466  dbFile.delete();
467  break;
468  }
469 
470  List<HashMap<String, Object>> tempList;
471 
472  if (isChromePreVersion30(temps)) {
473  tempList = this.dbConnect(temps, DOWNLOAD_QUERY);
474  } else {
475  tempList = this.dbConnect(temps, DOWNLOAD_QUERY_V30);
476  }
477 
478  logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
479  for (HashMap<String, Object> result : tempList) {
480  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
481  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
482  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), (result.get("full_path").toString()))); //NON-NLS
483  long pathID = Util.findID(dataSource, (result.get("full_path").toString())); //NON-NLS
484  if (pathID != -1) {
485  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,
486  NbBundle.getMessage(this.getClass(),
487  "Chrome.parentModuleName"), pathID));
488  }
489  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
490  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
491  ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS
492  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));
493  Long time = (Long.valueOf(result.get("start_time").toString()) / 1000000) - Long.valueOf("11644473600"); //NON-NLS
494 
495  //TODO Revisit usage of deprecated constructor as per TSK-583
496  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", time));
497  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
498  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), time));
499  String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); //NON-NLS
500  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
501  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain));
502  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
503  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
504  NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
505 
506  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
507  if (bbart != null) {
508  bbartifacts.add(bbart);
509  }
510  }
511 
512  dbFile.delete();
513  }
514 
515  IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
516  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
517  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts));
518  }
519 
523  private void getLogin() {
524  FileManager fileManager = currentCase.getServices().getFileManager();
525  List<AbstractFile> signonFiles;
526  try {
527  signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); //NON-NLS
528  } catch (TskCoreException ex) {
529  String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");
530  logger.log(Level.SEVERE, msg, ex);
531  this.addErrorMessage(this.getName() + ": " + msg);
532  return;
533  }
534 
535  if (signonFiles.isEmpty()) {
536  logger.log(Level.INFO, "Didn't find any Chrome signon files."); //NON-NLS
537  return;
538  }
539 
540  dataFound = true;
541  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
542  int j = 0;
543  while (j < signonFiles.size()) {
544  AbstractFile signonFile = signonFiles.get(j++);
545  if (signonFile.getSize() == 0) {
546  continue;
547  }
548  String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName() + j + ".db"; //NON-NLS
549  try {
550  ContentUtils.writeToFile(signonFile, new File(temps), context::dataSourceIngestIsCancelled);
551  } catch (ReadContentInputStreamException ex) {
552  logger.log(Level.WARNING, String.format("Error reading Chrome login artifacts file '%s' (id=%d).",
553  signonFile.getName(), signonFile.getId()), ex); //NON-NLS
554  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",
555  this.getName(), signonFile.getName()));
556  continue;
557  } catch (IOException ex) {
558  logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome login artifacts file '%s' (id=%d).",
559  temps, signonFile.getName(), signonFile.getId()), ex); //NON-NLS
560  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",
561  this.getName(), signonFile.getName()));
562  continue;
563  }
564  File dbFile = new File(temps);
565  if (context.dataSourceIngestIsCancelled()) {
566  dbFile.delete();
567  break;
568  }
569  List<HashMap<String, Object>> tempList = this.dbConnect(temps, LOGIN_QUERY);
570  logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
571  for (HashMap<String, Object> result : tempList) {
572  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
573  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
574  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
575  ((result.get("origin_url").toString() != null) ? result.get("origin_url").toString() : ""))); //NON-NLS
576  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("origin_url").toString() != null) ? EscapeUtil.decodeURL(result.get("origin_url").toString()) : "")));
577  //TODO Revisit usage of deprecated constructor as per TSK-583
578  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", ((Long.valueOf(result.get("last_visit_time").toString())) / 1000000)));
579  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
580  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
581  (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS
582  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
583  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
584  ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS
585  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
586  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
587  ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS
588  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
589  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
590  NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
591  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED,
592  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
593  (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS
594  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
595  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
596  ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS
597  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
598  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
599  result.get("signon_realm").toString())); //NON-NLS
600 
601  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);
602  if (bbart != null) {
603  bbartifacts.add(bbart);
604  }
605 
606  // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
607  Collection<BlackboardAttribute> osAcctAttributes = new ArrayList<>();
608  osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
609  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
610  ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS
611  this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes);
612  }
613 
614  dbFile.delete();
615  }
616 
617  IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
618  NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
619  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
620  }
621 
622  private boolean isChromePreVersion30(String temps) {
623  String query = "PRAGMA table_info(downloads)"; //NON-NLS
624  List<HashMap<String, Object>> columns = this.dbConnect(temps, query);
625  for (HashMap<String, Object> col : columns) {
626  if (col.get("name").equals("url")) { //NON-NLS
627  return true;
628  }
629  }
630 
631  return false;
632  }
633 }
org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:55
org.sleuthkit.autopsy.datamodel.ContentUtils.writeToFile
static< T > long writeToFile(Content content, java.io.File outputFile, ProgressHandle progress, Future< T > worker, boolean source)
Definition: ContentUtils.java:210
org.sleuthkit.autopsy.ingest.IngestServices.fireModuleDataEvent
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
Definition: IngestServices.java:108
org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
synchronized List< AbstractFile > findFiles(String fileName)
Definition: FileManager.java:165
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124
org.sleuthkit.autopsy.ingest.IngestServices.getInstance
static synchronized IngestServices getInstance()
Definition: IngestServices.java:51

Copyright © 2012-2016 Basis Technology. Generated on: Mon Jun 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.