Autopsy  4.7.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExtractIE.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2011-2018 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.BufferedReader;
26 
27 import org.openide.util.NbBundle;
28 import org.sleuthkit.autopsy.coreutils.ExecUtil;
29 import java.io.File;
30 import java.io.FileInputStream;
31 import java.io.FileNotFoundException;
32 import java.io.IOException;
33 import java.io.InputStreamReader;
34 import java.text.ParseException;
35 import java.text.SimpleDateFormat;
36 import java.util.ArrayList;
37 import java.util.List;
38 import java.util.Set;
39 import java.util.HashSet;
40 import java.util.logging.Level;
41 import org.sleuthkit.autopsy.coreutils.Logger;
42 import java.util.Collection;
43 import java.util.Scanner;
44 import java.util.stream.Collectors;
45 import org.openide.modules.InstalledFileLocator;
46 import org.sleuthkit.autopsy.casemodule.Case;
47 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
48 import org.sleuthkit.autopsy.datamodel.ContentUtils;
49 import org.sleuthkit.autopsy.ingest.IngestServices;
50 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
51 import org.sleuthkit.datamodel.BlackboardArtifact;
52 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
53 import org.sleuthkit.datamodel.BlackboardAttribute;
54 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
55 import org.sleuthkit.datamodel.Content;
56 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
57 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator;
58 import org.sleuthkit.autopsy.ingest.IngestJobContext;
59 import org.sleuthkit.datamodel.*;
60 
65 class ExtractIE extends Extract {
66 
67  private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
68  private final IngestServices services = IngestServices.getInstance();
69  private final String moduleTempResultsDir;
70  private String PASCO_LIB_PATH;
71  private final String JAVA_PATH;
72  private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
73  private Content dataSource;
74  private IngestJobContext context;
75 
76  ExtractIE() throws NoCurrentCaseException {
77  moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractIE.moduleName.text");
78  moduleTempResultsDir = RAImageIngestModule.getRATempPath(Case.getCurrentCaseThrows(), "IE") + File.separator + "results"; //NON-NLS
79  JAVA_PATH = PlatformUtil.getJavaPath();
80  }
81 
82  @Override
83  public void process(Content dataSource, IngestJobContext context) {
84  this.dataSource = dataSource;
85  this.context = context;
86  dataFound = false;
87  this.getBookmark();
88  this.getCookie();
89  this.getHistory();
90  }
91 
95  private void getBookmark() {
96  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
97  List<AbstractFile> favoritesFiles;
98  try {
99  favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); //NON-NLS
100  } catch (TskCoreException ex) {
101  logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
102  this.addErrorMessage(
103  NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
104  this.getName()));
105  return;
106  }
107 
108  if (favoritesFiles.isEmpty()) {
109  logger.log(Level.INFO, "Didn't find any IE bookmark files."); //NON-NLS
110  return;
111  }
112 
113  dataFound = true;
114  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
115  for (AbstractFile fav : favoritesFiles) {
116  if (fav.getSize() == 0) {
117  continue;
118  }
119 
120  if (context.dataSourceIngestIsCancelled()) {
121  break;
122  }
123 
124  String url = getURLFromIEBookmarkFile(fav);
125 
126  String name = fav.getName();
127  Long datetime = fav.getCrtime();
128  String Tempdate = datetime.toString();
129  datetime = Long.valueOf(Tempdate);
130  String domain = Util.extractDomain(url);
131 
132  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
133  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
134  NbBundle.getMessage(this.getClass(),
135  "ExtractIE.parentModuleName.noSpace"), url));
136  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
137  NbBundle.getMessage(this.getClass(),
138  "ExtractIE.parentModuleName.noSpace"), name));
139  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
140  NbBundle.getMessage(this.getClass(),
141  "ExtractIE.parentModuleName.noSpace"), datetime));
142  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
143  NbBundle.getMessage(this.getClass(),
144  "ExtractIE.parentModuleName.noSpace"),
145  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
146  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
147  NbBundle.getMessage(this.getClass(),
148  "ExtractIE.parentModuleName.noSpace"), domain));
149 
150  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
151  if (bbart != null) {
152  bbartifacts.add(bbart);
153  }
154  }
155  services.fireModuleDataEvent(new ModuleDataEvent(
156  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
157  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));
158  }
159 
160  private String getURLFromIEBookmarkFile(AbstractFile fav) {
161  BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));
162  String line, url = "";
163  try {
164  line = reader.readLine();
165  while (null != line) {
166  // The actual shortcut line we are interested in is of the
167  // form URL=http://path/to/website
168  if (line.startsWith("URL")) { //NON-NLS
169  url = line.substring(line.indexOf("=") + 1);
170  break;
171  }
172  line = reader.readLine();
173  }
174  } catch (IOException ex) {
175  logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
176  this.addErrorMessage(
177  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
178  fav.getName()));
179  } catch (IndexOutOfBoundsException ex) {
180  logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
181  this.addErrorMessage(
182  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
183  fav.getName()));
184  } finally {
185  try {
186  reader.close();
187  } catch (IOException ex) {
188  logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS
189  }
190  }
191 
192  return url;
193  }
194 
198  private void getCookie() {
199  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
200  List<AbstractFile> cookiesFiles;
201  try {
202  cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); //NON-NLS
203  } catch (TskCoreException ex) {
204  logger.log(Level.WARNING, "Error getting cookie files for IE"); //NON-NLS
205  this.addErrorMessage(
206  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errGettingFile", this.getName()));
207  return;
208  }
209 
210  if (cookiesFiles.isEmpty()) {
211  logger.log(Level.INFO, "Didn't find any IE cookies files."); //NON-NLS
212  return;
213  }
214 
215  dataFound = true;
216  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
217  for (AbstractFile cookiesFile : cookiesFiles) {
218  if (context.dataSourceIngestIsCancelled()) {
219  break;
220  }
221  if (cookiesFile.getSize() == 0) {
222  continue;
223  }
224 
225  byte[] t = new byte[(int) cookiesFile.getSize()];
226  try {
227  final int bytesRead = cookiesFile.read(t, 0, cookiesFile.getSize());
228  } catch (TskCoreException ex) {
229  logger.log(Level.WARNING, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
230  this.addErrorMessage(
231  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
232  this.getName(), cookiesFile.getName()));
233  continue;
234  }
235  String cookieString = new String(t);
236  String[] values = cookieString.split("\n");
237  String url = values.length > 2 ? values[2] : "";
238  String value = values.length > 1 ? values[1] : "";
239  String name = values.length > 0 ? values[0] : "";
240  Long datetime = cookiesFile.getCrtime();
241  String tempDate = datetime.toString();
242  datetime = Long.valueOf(tempDate);
243  String domain = Util.extractDomain(url);
244 
245  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
246  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
247  NbBundle.getMessage(this.getClass(),
248  "ExtractIE.parentModuleName.noSpace"), url));
249  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,
250  NbBundle.getMessage(this.getClass(),
251  "ExtractIE.parentModuleName.noSpace"), datetime));
252  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
253  NbBundle.getMessage(this.getClass(),
254  "ExtractIE.parentModuleName.noSpace"), (name != null) ? name : ""));
255  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
256  NbBundle.getMessage(this.getClass(),
257  "ExtractIE.parentModuleName.noSpace"), value));
258  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
259  NbBundle.getMessage(this.getClass(),
260  "ExtractIE.parentModuleName.noSpace"),
261  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
262  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
263  NbBundle.getMessage(this.getClass(),
264  "ExtractIE.parentModuleName.noSpace"), domain));
265  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
266  if (bbart != null) {
267  bbartifacts.add(bbart);
268  }
269  }
270  services.fireModuleDataEvent(new ModuleDataEvent(
271  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
272  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));
273  }
274 
278  private void getHistory() {
279  logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS
280  boolean foundHistory = false;
281 
282  final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); //NON-NLS
283  if (pascoRoot == null) {
284  this.addErrorMessage(
285  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName()));
286  logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS
287  return;
288  }
289 
290  final String pascoHome = pascoRoot.getAbsolutePath();
291  logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS
292 
293  PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS
294  + pascoHome + File.separator + "*";
295 
296  File resultsDir = new File(moduleTempResultsDir);
297  resultsDir.mkdirs();
298 
299  // get index.dat files
300  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
301  List<AbstractFile> indexFiles;
302  try {
303  indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
304  } catch (TskCoreException ex) {
305  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
306  this.getName()));
307  logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS
308  return;
309  }
310 
311  if (indexFiles.isEmpty()) {
312  String msg = NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.noHistFiles");
313  logger.log(Level.INFO, msg);
314  return;
315  }
316 
317  dataFound = true;
318  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
319  String temps;
320  String indexFileName;
321  for (AbstractFile indexFile : indexFiles) {
322  // Since each result represent an index.dat file,
323  // just create these files with the following notation:
324  // index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
325  // Write each index.dat file to a temp directory.
326  //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
327  indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat"; //NON-NLS
328  //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
329  temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; //NON-NLS
330  File datFile = new File(temps);
331  if (context.dataSourceIngestIsCancelled()) {
332  break;
333  }
334  try {
335  ContentUtils.writeToFile(indexFile, datFile, context::dataSourceIngestIsCancelled);
336  } catch (IOException e) {
337  logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
338  this.addErrorMessage(
339  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
340  datFile.getAbsolutePath()));
341  continue;
342  }
343 
344  String filename = "pasco2Result." + indexFile.getId() + ".txt"; //NON-NLS
345  boolean bPascProcSuccess = executePasco(temps, filename);
346  if (context.dataSourceIngestIsCancelled()) {
347  return;
348  }
349 
350  //At this point pasco2 proccessed the index files.
351  //Now fetch the results, parse them and the delete the files.
352  if (bPascProcSuccess) {
353  // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
354  bbartifacts.addAll(parsePascoOutput(indexFile, filename).stream()
355  .filter(bbart -> bbart.getArtifactTypeID() == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID())
356  .collect(Collectors.toList()));
357  foundHistory = true;
358 
359  //Delete index<n>.dat file since it was succcessfully by Pasco
360  datFile.delete();
361  } else {
362  logger.log(Level.WARNING, "pasco execution failed on: {0}", this.getName()); //NON-NLS
363  this.addErrorMessage(
364  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName()));
365  }
366  }
367 
368  if (foundHistory) {
369  services.fireModuleDataEvent(new ModuleDataEvent(
370  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
371  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
372  }
373  }
374 
383  private boolean executePasco(String indexFilePath, String outputFileName) {
384  boolean success = true;
385  try {
386  final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName;
387  final String errFileFullPath = moduleTempResultsDir + File.separator + outputFileName + ".err"; //NON-NLS
388  logger.log(Level.INFO, "Writing pasco results to: {0}", outputFileFullPath); //NON-NLS
389  List<String> commandLine = new ArrayList<>();
390  commandLine.add(JAVA_PATH);
391  commandLine.add("-cp"); //NON-NLS
392  commandLine.add(PASCO_LIB_PATH);
393  commandLine.add("isi.pasco2.Main"); //NON-NLS
394  commandLine.add("-T"); //NON-NLS
395  commandLine.add("history"); //NON-NLS
396  commandLine.add(indexFilePath);
397  ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
398  processBuilder.redirectOutput(new File(outputFileFullPath));
399  processBuilder.redirectError(new File(errFileFullPath));
400  /*
401  * NOTE on Pasco return codes: There is no documentation for Pasco.
402  * Looking at the Pasco source code I see that when something goes
403  * wrong Pasco returns a negative number as a return code. However,
404  * we should still attempt to parse the Pasco output even if that
405  * happens. I have seen many situations where Pasco output file
406  * contains a lot of useful data and only the last entry is
407  * corrupted.
408  */
409  ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context));
410  // @@@ Investigate use of history versus cache as type.
411  } catch (IOException ex) {
412  success = false;
413  logger.log(Level.SEVERE, "Unable to execute Pasco to process Internet Explorer web history.", ex); //NON-NLS
414  }
415  return success;
416  }
417 
427  private Collection<BlackboardArtifact> parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
428 
429  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
430  String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
431 
432  File file = new File(fnAbs);
433  if (file.exists() == false) {
434  this.addErrorMessage(
435  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
436  file.getName()));
437  logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
438  return bbartifacts;
439  }
440 
441  // Make sure the file the is not empty or the Scanner will
442  // throw a "No Line found" Exception
443  if (file.length() == 0) {
444  return bbartifacts;
445  }
446 
447  Scanner fileScanner;
448  try {
449  fileScanner = new Scanner(new FileInputStream(file.toString()));
450  } catch (FileNotFoundException ex) {
451  this.addErrorMessage(
452  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
453  file.getName()));
454  logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
455  return bbartifacts;
456  }
457 
458  // Keep a list of reported user accounts to avoid repeats
459  Set<String> reportedUserAccounts = new HashSet<>();
460 
461  while (fileScanner.hasNext()) {
462  String line = fileScanner.nextLine();
463  if (!line.startsWith("URL")) { //NON-NLS
464  continue;
465  }
466 
467  String[] lineBuff = line.split("\\t"); //NON-NLS
468 
469  if (lineBuff.length < 4) {
470  logger.log(Level.INFO, "Found unrecognized IE history format."); //NON-NLS
471  continue;
472  }
473 
474  String actime = lineBuff[3];
475  Long ftime = (long) 0;
476  String user;
477  String realurl;
478  String domain;
479 
480  /*
481  * We've seen two types of lines: URL http://XYZ.com .... URL
482  * Visited: Joe@http://XYZ.com ....
483  */
484  if (lineBuff[1].contains("@")) {
485  String url[] = lineBuff[1].split("@", 2);
486  user = url[0];
487  user = user.replace("Visited:", ""); //NON-NLS
488  user = user.replace(":Host:", ""); //NON-NLS
489  user = user.replaceAll("(:)(.*?)(:)", "");
490  user = user.trim();
491  realurl = url[1];
492  realurl = realurl.replace("Visited:", ""); //NON-NLS
493  realurl = realurl.replaceAll(":(.*?):", "");
494  realurl = realurl.replace(":Host:", ""); //NON-NLS
495  realurl = realurl.trim();
496  } else {
497  user = "";
498  realurl = lineBuff[1].trim();
499  }
500 
501  domain = Util.extractDomain(realurl);
502 
503  if (!actime.isEmpty()) {
504  try {
505  Long epochtime = dateFormatter.parse(actime).getTime();
506  ftime = epochtime / 1000;
507  } catch (ParseException e) {
508  this.addErrorMessage(
509  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
510  this.getName()));
511  logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS
512  }
513  }
514 
515  try {
516  BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
517  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
518  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
519  NbBundle.getMessage(this.getClass(),
520  "ExtractIE.parentModuleName.noSpace"), realurl));
521  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
522 
523  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
524  NbBundle.getMessage(this.getClass(),
525  "ExtractIE.parentModuleName.noSpace"), ftime));
526  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
527  NbBundle.getMessage(this.getClass(),
528  "ExtractIE.parentModuleName.noSpace"), ""));
529  // @@@ NOte that other browser modules are adding TITLE in hre for the title
530  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
531  NbBundle.getMessage(this.getClass(),
532  "ExtractIE.parentModuleName.noSpace"),
533  NbBundle.getMessage(this.getClass(),
534  "ExtractIE.moduleName.text")));
535  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
536  NbBundle.getMessage(this.getClass(),
537  "ExtractIE.parentModuleName.noSpace"), domain));
538  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
539  NbBundle.getMessage(this.getClass(),
540  "ExtractIE.parentModuleName.noSpace"), user));
541  bbart.addAttributes(bbattributes);
542 
543  // index the artifact for keyword search
544  this.indexArtifact(bbart);
545  bbartifacts.add(bbart);
546 
547  if ((!user.isEmpty()) && (!reportedUserAccounts.contains(user))) {
548  BlackboardArtifact osAttr = origFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
549  osAttr.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
550  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user));
551 
552  // index the artifact for keyword search
553  this.indexArtifact(osAttr);
554  bbartifacts.add(osAttr);
555 
556  reportedUserAccounts.add(user);
557  }
558  } catch (TskCoreException ex) {
559  logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS
560  }
561  }
562  fileScanner.close();
563  return bbartifacts;
564  }
565 }
org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:55
org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
synchronized List< AbstractFile > findFiles(String fileName)
Definition: FileManager.java:165

Copyright © 2012-2016 Basis Technology. Generated on: Mon Jun 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.