Autopsy  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
Chrome.java
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2018 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  *
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import com.google.gson.JsonArray;
26 import com.google.gson.JsonElement;
27 import com.google.gson.JsonIOException;
28 import com.google.gson.JsonObject;
29 import com.google.gson.JsonParser;
30 import com.google.gson.JsonSyntaxException;
31 import org.openide.util.NbBundle;
34 import java.util.logging.Level;
35 import java.util.*;
36 import java.io.File;
37 import java.io.FileNotFoundException;
38 import java.io.FileReader;
39 import java.io.IOException;
45 import org.sleuthkit.datamodel.AbstractFile;
46 import org.sleuthkit.datamodel.BlackboardArtifact;
47 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
48 import org.sleuthkit.datamodel.BlackboardAttribute;
49 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
50 import org.sleuthkit.datamodel.Content;
51 import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
52 import org.sleuthkit.datamodel.TskCoreException;
53 import org.sleuthkit.datamodel.TskData;
54 
58 class Chrome extends Extract {
59 
/**
 * One row per visit, joined to its URL record in the History database.
 * NOTE(review): the from_visit subquery keys on visits.url, so it yields the
 * visited URL itself rather than a referring page. Confirm whether the
 * referrer was meant to be resolved through visits.from_visit.
 */
private static final String HISTORY_QUERY = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS
        + "last_visit_time, urls.hidden, visits.visit_time, " //NON-NLS
        + "(SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, " //NON-NLS
        + "visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS

/**
 * Cookie rows from the Cookies database.
 * NOTE(review): only the plain-text value column is selected. Chrome builds
 * that store cookie values in a separate encrypted column will show an empty
 * value here. Confirm against the schema of the database being examined.
 */
private static final String COOKIE_QUERY = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS

/** Download rows for the schema in which the downloads table itself carries a url column. */
private static final String DOWNLOAD_QUERY = "SELECT full_path, url, start_time, received_bytes FROM downloads"; //NON-NLS

/**
 * Download rows for the schema that keeps URLs in downloads_url_chains.
 * NOTE(review): the join does not restrict the chain position, so a download
 * reached through redirects presumably produces one row per hop. Confirm.
 */
private static final String DOWNLOAD_QUERY_V30 = "SELECT current_path AS full_path, url, start_time, received_bytes " //NON-NLS
        + "FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS

/** Saved-login rows. No password column is selected. */
private static final String LOGIN_QUERY = "SELECT origin_url, username_value, signon_realm from logins"; //NON-NLS

// Per-instance logger named after the runtime class.
private final Logger logger = Logger.getLogger(this.getClass().getName());

// Inputs of the current process() call, read by the get*() extractors.
private Content dataSource;
private IngestJobContext context;
69 
/**
 * Creates the extractor and sets its display name from the bundle key
 * "Chrome.moduleName".
 */
Chrome() {
    this.moduleName = NbBundle.getMessage(Chrome.class, "Chrome.moduleName");
}
73 
/**
 * Runs every Chrome extractor against one data source.
 *
 * @param dataSource the data source whose Chrome files are searched
 * @param context    the ingest job context, polled for cancellation by the extractors
 */
@Override
public void process(Content dataSource, IngestJobContext context) {
    // The extractors take no arguments; they read these two fields.
    this.dataSource = dataSource;
    this.context = context;

    // Reset before the run; each extractor sets it once it finds files to analyse.
    dataFound = false;

    getHistory();
    getBookmark();
    getCookie();
    getLogin();
    getDownload();
}
85 
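/**
 * Extracts Chrome web history: copies each allocated "History" database out
 * of the data source into the module's temp directory, runs HISTORY_QUERY
 * against the copy, and posts one TSK_WEB_HISTORY artifact per returned row.
 *
 * The database is evidence and therefore untrusted input: column values may
 * be missing or malformed, so every value is read defensively and a bad row
 * degrades to a warning instead of aborting the extractor.
 */
private void getHistory() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> historyFiles;
    try {
        historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    // get only the allocated ones, for now
    List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();
    for (AbstractFile candidate : historyFiles) {
        if (candidate.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
            allocatedHistoryFiles.add(candidate);
        }
    }

    // log a message if we don't have any allocated history files
    if (allocatedHistoryFiles.isEmpty()) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");
        logger.log(Level.INFO, msg);
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    final String programName = NbBundle.getMessage(this.getClass(), "Chrome.moduleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

    // Iterate the filtered list. The previous loop walked historyFiles, which
    // silently re-included the unallocated files that were just filtered out.
    for (int j = 0; j < allocatedHistoryFiles.size(); j++) {
        final AbstractFile historyFile = allocatedHistoryFiles.get(j);
        if (historyFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            ContentUtils.writeToFile(historyFile, dbFile, context::dataSourceIngestIsCancelled);
        } catch (ReadContentInputStreamException ex) {
            logger.log(Level.WARNING, String.format("Error reading Chrome web history artifacts file '%s' (id=%d).",
                    historyFile.getName(), historyFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",
                    this.getName(), historyFile.getName()));
            continue;
        } catch (IOException ex) {
            logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome web history artifacts file '%s' (id=%d).",
                    temps, historyFile.getName(), historyFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",
                    this.getName(), historyFile.getName()));
            continue;
        }
        if (context.dataSourceIngestIsCancelled()) {
            dbFile.delete();
            break;
        }

        List<HashMap<String, Object>> tempList = this.dbConnect(temps, HISTORY_QUERY);
        logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
        for (HashMap<String, Object> result : tempList) {
            // Null-check the map value itself. The old "x.toString() != null"
            // test could never be false and threw on a null value.
            String url = Objects.toString(result.get("url"), ""); //NON-NLS

            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, url));

            // Chrome timestamps are microseconds since 1601-01-01 UTC; 11644473600
            // is the offset in seconds to the Unix epoch. A stored 0 therefore
            // converts to a date in 1601, not to "unknown".
            // NOTE(review): the query returns one row per visit, but this reads
            // urls.last_visit_time, so every visit of a URL gets the same time;
            // visits.visit_time is selected and unused. Confirm which is intended.
            Object lastVisit = result.get("last_visit_time"); //NON-NLS
            try {
                long micros = Long.parseLong(Objects.toString(lastVisit, ""));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
                        parentModuleName, (micros / 1000000) - 11644473600L));
            } catch (NumberFormatException ex) {
                logger.log(Level.WARNING, String.format("Skipping unparseable last_visit_time in Chrome history file '%s' (id=%d).",
                        historyFile.getName(), historyFile.getId()), ex); //NON-NLS
            }

            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
                    parentModuleName, Objects.toString(result.get("from_visit"), ""))); //NON-NLS
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
                    parentModuleName, Objects.toString(result.get("title"), ""))); //NON-NLS
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
                    parentModuleName, programName));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
                    parentModuleName, NetworkUtils.extractDomain(url)));

            BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
            if (bbart != null) {
                bbartifacts.add(bbart);
            }
        }
        // The temp copy holds the user's browsing history; remove it once parsed.
        dbFile.delete();
    }

    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
}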
181 
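/**
 * Extracts Chrome bookmarks: copies each "Bookmarks" file out of the data
 * source, parses it as JSON, and posts one TSK_WEB_BOOKMARK artifact per
 * direct child of roots.bookmark_bar.
 *
 * The file is evidence and therefore untrusted: a missing key, a value of
 * the wrong JSON type or a non-numeric date is reported and skipped rather
 * than allowed to throw out of the extractor.
 *
 * NOTE(review): only the top level of "bookmark_bar" is read. Entries inside
 * folders, and any other root the file may contain, are not visited. Confirm
 * whether that coverage is intended.
 */
private void getBookmark() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> bookmarkFiles;
    try {
        bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (bookmarkFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;

    while (j < bookmarkFiles.size()) {
        AbstractFile bookmarkFile = bookmarkFiles.get(j++);
        if (bookmarkFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            ContentUtils.writeToFile(bookmarkFile, dbFile, context::dataSourceIngestIsCancelled);
        } catch (ReadContentInputStreamException ex) {
            logger.log(Level.WARNING, String.format("Error reading Chrome bookmark artifacts file '%s' (id=%d).",
                    bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",
                    this.getName(), bookmarkFile.getName()));
            continue;
        } catch (IOException ex) {
            logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome bookmark artifacts file '%s' (id=%d).",
                    temps, bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",
                    this.getName(), bookmarkFile.getName()));
            continue;
        }

        logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{moduleName, temps}); //NON-NLS
        if (context.dataSourceIngestIsCancelled()) {
            dbFile.delete();
            break;
        }

        // try-with-resources: the reader used to be left open, which leaks a
        // handle per file and can make the delete below fail while it is held.
        // The charset is explicit so the result does not depend on the
        // examiner workstation's default encoding.
        JsonArray jBookmarkArray = null;
        try (java.io.Reader tempReader = new java.io.InputStreamReader(
                new java.io.FileInputStream(dbFile), java.nio.charset.StandardCharsets.UTF_8)) {
            JsonElement parsed = new JsonParser().parse(tempReader);
            // Walk roots -> bookmark_bar -> children with a type check at each
            // step; a missing or mistyped level leaves jBookmarkArray null.
            JsonElement roots = (parsed != null && parsed.isJsonObject())
                    ? parsed.getAsJsonObject().get("roots") : null; //NON-NLS
            JsonElement bookmarkBar = (roots != null && roots.isJsonObject())
                    ? roots.getAsJsonObject().get("bookmark_bar") : null; //NON-NLS
            JsonElement children = (bookmarkBar != null && bookmarkBar.isJsonObject())
                    ? bookmarkBar.getAsJsonObject().get("children") : null; //NON-NLS
            if (children != null && children.isJsonArray()) {
                jBookmarkArray = children.getAsJsonArray();
            }
        } catch (FileNotFoundException ex) {
            logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS
            this.addErrorMessage(
                    NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getName(),
                            bookmarkFile.getName()));
            continue;
        } catch (IOException | JsonIOException | JsonSyntaxException | IllegalStateException ex) {
            logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",
                    this.getName(), bookmarkFile.getName()));
            dbFile.delete();
            continue;
        }

        if (jBookmarkArray == null) {
            // Well-formed JSON that lacks the expected structure.
            logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark."); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",
                    this.getName(), bookmarkFile.getName()));
            dbFile.delete();
            continue;
        }

        for (JsonElement result : jBookmarkArray) {
            if (result == null || !result.isJsonObject()) {
                continue;
            }
            JsonObject address = result.getAsJsonObject();

            JsonElement urlEl = address.get("url"); //NON-NLS
            String url = (urlEl != null && urlEl.isJsonPrimitive()) ? urlEl.getAsString() : "";

            JsonElement nameEl = address.get("name"); //NON-NLS
            String name = (nameEl != null && nameEl.isJsonPrimitive()) ? nameEl.getAsString() : "";

            // Microseconds since 1601-01-01 UTC. A missing or malformed value
            // stays 0, which converts to a date in 1601 rather than "unknown".
            long date = 0;
            JsonElement dateEl = address.get("date_added"); //NON-NLS
            if (dateEl != null && dateEl.isJsonPrimitive()) {
                try {
                    date = dateEl.getAsLong();
                } catch (NumberFormatException ex) {
                    logger.log(Level.WARNING, String.format("Unparseable date_added in Chrome bookmark file '%s' (id=%d).",
                            bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS
                }
            }

            String domain = NetworkUtils.extractDomain(url);
            try {
                BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                //TODO Revisit usage of deprecated constructor as per TSK-583
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, url));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, parentModuleName, name));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
                        parentModuleName, (date / 1000000) - 11644473600L));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
                        parentModuleName,
                        NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain));
                bbart.addAttributes(bbattributes);

                // index the artifact for keyword search
                this.indexArtifact(bbart);
                bbartifacts.add(bbart);
            } catch (TskCoreException ex) {
                logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4",
                                this.getName(), bookmarkFile.getName()));
            }
        }
        dbFile.delete();
    }

    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));
}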
330 
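/**
 * Extracts Chrome cookies: copies each "Cookies" database out of the data
 * source, runs COOKIE_QUERY against the copy, and posts one TSK_WEB_COOKIE
 * artifact per returned row.
 *
 * The database is evidence and therefore untrusted: values are read
 * null-safely and an unparseable timestamp is reported and skipped.
 */
private void getCookie() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> cookiesFiles;
    try {
        cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (cookiesFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome cookies files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    final String programName = NbBundle.getMessage(this.getClass(), "Chrome.moduleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;
    while (j < cookiesFiles.size()) {
        AbstractFile cookiesFile = cookiesFiles.get(j++);
        if (cookiesFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            ContentUtils.writeToFile(cookiesFile, dbFile, context::dataSourceIngestIsCancelled);
        } catch (ReadContentInputStreamException ex) {
            logger.log(Level.WARNING, String.format("Error reading Chrome cookie artifacts file '%s' (id=%d).",
                    cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",
                    this.getName(), cookiesFile.getName()));
            continue;
        } catch (IOException ex) {
            logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome cookie artifacts file '%s' (id=%d).",
                    temps, cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",
                    this.getName(), cookiesFile.getName()));
            continue;
        }
        if (context.dataSourceIngestIsCancelled()) {
            dbFile.delete();
            break;
        }

        List<HashMap<String, Object>> tempList = this.dbConnect(temps, COOKIE_QUERY);
        logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
        for (HashMap<String, Object> result : tempList) {
            // Null-check the map value itself. The old "x.toString() != null"
            // test could never be false and threw on a null value.
            String hostKey = Objects.toString(result.get("host_key"), ""); //NON-NLS

            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, hostKey));

            // Microseconds since 1601-01-01 UTC, converted to Unix seconds. A
            // stored 0 converts to a date in 1601, not to "unknown".
            try {
                long micros = Long.parseLong(Objects.toString(result.get("last_access_utc"), "")); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,
                        parentModuleName, (micros / 1000000) - 11644473600L));
            } catch (NumberFormatException ex) {
                logger.log(Level.WARNING, String.format("Skipping unparseable last_access_utc in Chrome cookie file '%s' (id=%d).",
                        cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS
            }

            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
                    parentModuleName, Objects.toString(result.get("name"), ""))); //NON-NLS
            // NOTE(review): this is the plain-text value column only. It may
            // be empty where the browser keeps the cookie value encrypted in
            // another column. Confirm before reading "empty" as "no value".
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
                    parentModuleName, Objects.toString(result.get("value"), ""))); //NON-NLS
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
                    parentModuleName, programName));

            // Strip leading dots from the host key, unless it is only dots.
            String domain = hostKey.replaceFirst("^\\.+(?!$)", "");
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain));

            BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
            if (bbart != null) {
                bbartifacts.add(bbart);
            }
        }

        // The temp copy holds session cookies; remove it once parsed.
        dbFile.delete();
    }

    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));
}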
420 
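/**
 * Extracts Chrome downloads: copies each "History" database out of the data
 * source, picks the download query that matches the schema of the copy, and
 * posts one TSK_WEB_DOWNLOAD artifact per returned row.
 *
 * The database is evidence and therefore untrusted: values are read
 * null-safely and an unparseable timestamp is reported and skipped.
 */
private void getDownload() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> downloadFiles;
    try {
        downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (downloadFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome download files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    final String programName = NbBundle.getMessage(this.getClass(), "Chrome.moduleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;
    while (j < downloadFiles.size()) {
        AbstractFile downloadFile = downloadFiles.get(j++);
        if (downloadFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            ContentUtils.writeToFile(downloadFile, dbFile, context::dataSourceIngestIsCancelled);
        } catch (ReadContentInputStreamException ex) {
            logger.log(Level.WARNING, String.format("Error reading Chrome download artifacts file '%s' (id=%d).",
                    downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",
                    this.getName(), downloadFile.getName()));
            continue;
        } catch (IOException ex) {
            logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome download artifacts file '%s' (id=%d).",
                    temps, downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",
                    this.getName(), downloadFile.getName()));
            continue;
        }
        if (context.dataSourceIngestIsCancelled()) {
            dbFile.delete();
            break;
        }

        // The downloads table changed shape between Chrome versions; choose
        // the query from the columns actually present in this copy.
        String downloadQuery = isChromePreVersion30(temps) ? DOWNLOAD_QUERY : DOWNLOAD_QUERY_V30;
        List<HashMap<String, Object>> tempList = this.dbConnect(temps, downloadQuery);

        logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
        for (HashMap<String, Object> result : tempList) {
            // Null-check the map values themselves. The old
            // "x.toString() != null" test could never be false and threw on
            // a null value.
            String fullPath = Objects.toString(result.get("full_path"), ""); //NON-NLS
            String url = Objects.toString(result.get("url"), ""); //NON-NLS

            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, parentModuleName, fullPath));
            // Link the recorded path to a file in the data source when one matches.
            long pathID = Util.findID(dataSource, fullPath);
            if (pathID != -1) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, parentModuleName, pathID));
            }
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, url));

            // Microseconds since 1601-01-01 UTC, converted to Unix seconds. A
            // stored 0 converts to a date in 1601, not to "unknown".
            try {
                long micros = Long.parseLong(Objects.toString(result.get("start_time"), "")); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
                        parentModuleName, (micros / 1000000) - 11644473600L));
            } catch (NumberFormatException ex) {
                logger.log(Level.WARNING, String.format("Skipping unparseable start_time in Chrome download file '%s' (id=%d).",
                        downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS
            }

            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
                    parentModuleName, NetworkUtils.extractDomain(url)));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
                    parentModuleName, programName));

            BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
            if (bbart != null) {
                bbartifacts.add(bbart);
            }
        }

        dbFile.delete();
    }

    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts));
}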
520 
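/**
 * Extracts saved-login records: copies each matching database out of the
 * data source, runs LOGIN_QUERY against the copy, and posts a
 * TSK_WEB_HISTORY artifact plus a TSK_OS_ACCOUNT artifact per returned row.
 *
 * LOGIN_QUERY selects only origin_url, username_value and signon_realm. The
 * previous body also dereferenced last_visit_time, from_visit, title and url,
 * none of which the query returns, so it threw on the first row. Those
 * values are now added only when present.
 *
 * NOTE(review): the lookup name "signons.sqlite" should be confirmed against
 * the file name Chrome actually uses for its credential store; if it does
 * not match, this extractor never finds anything.
 */
private void getLogin() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> signonFiles;
    try {
        signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (signonFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome signon files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    final String programName = NbBundle.getMessage(this.getClass(), "Chrome.moduleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;
    while (j < signonFiles.size()) {
        AbstractFile signonFile = signonFiles.get(j++);
        if (signonFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            ContentUtils.writeToFile(signonFile, dbFile, context::dataSourceIngestIsCancelled);
        } catch (ReadContentInputStreamException ex) {
            logger.log(Level.WARNING, String.format("Error reading Chrome login artifacts file '%s' (id=%d).",
                    signonFile.getName(), signonFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",
                    this.getName(), signonFile.getName()));
            continue;
        } catch (IOException ex) {
            logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome login artifacts file '%s' (id=%d).",
                    temps, signonFile.getName(), signonFile.getId()), ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",
                    this.getName(), signonFile.getName()));
            continue;
        }
        if (context.dataSourceIngestIsCancelled()) {
            dbFile.delete();
            break;
        }

        List<HashMap<String, Object>> tempList = this.dbConnect(temps, LOGIN_QUERY);
        logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
        for (HashMap<String, Object> result : tempList) {
            String originUrl = Objects.toString(result.get("origin_url"), ""); //NON-NLS
            // NOTE(review): doubling single quotes alters the recorded user
            // name. Kept to preserve existing output; confirm whether any
            // consumer still depends on this escaping.
            String userName = Objects.toString(result.get("username_value"), "").replaceAll("'", "''"); //NON-NLS

            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, originUrl));

            // Not selected by LOGIN_QUERY; only added if a row supplies it.
            Object lastVisit = result.get("last_visit_time"); //NON-NLS
            if (lastVisit != null) {
                try {
                    long micros = Long.parseLong(lastVisit.toString());
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
                            parentModuleName, (micros / 1000000) - 11644473600L));
                } catch (NumberFormatException ex) {
                    logger.log(Level.WARNING, String.format("Skipping unparseable last_visit_time in Chrome login file '%s' (id=%d).",
                            signonFile.getName(), signonFile.getId()), ex); //NON-NLS
                }
            }
            Object referrer = result.get("from_visit"); //NON-NLS
            if (referrer != null) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, parentModuleName, referrer.toString()));
            }
            Object title = result.get("title"); //NON-NLS
            if (title != null) {
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, title.toString()));
            }

            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, programName));
            // The old code tested origin_url but then read a "url" column the
            // query never returns; use origin_url for both.
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED,
                    parentModuleName, NetworkUtils.extractDomain(originUrl)));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, parentModuleName, userName));
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
                    parentModuleName, Objects.toString(result.get("signon_realm"), ""))); //NON-NLS

            BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);
            if (bbart != null) {
                bbartifacts.add(bbart);
            }

            // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
            Collection<BlackboardAttribute> osAcctAttributes = new ArrayList<>();
            osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, parentModuleName, userName));
            this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes);
        }

        // The temp copy holds account names; remove it once parsed.
        dbFile.delete();
    }

    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
}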
622 
/**
 * Reports whether the downloads table in the given database has a column
 * named "url", which the caller treats as the pre-version-30 schema.
 *
 * @param temps path of the temporary copy of the database to inspect
 * @return true if a "url" column is listed for the downloads table
 */
private boolean isChromePreVersion30(String temps) {
    final String tableInfoQuery = "PRAGMA table_info(downloads)"; //NON-NLS
    // One result row per column of the table; stop at the first match.
    return this.dbConnect(temps, tableInfoQuery).stream()
            .anyMatch(column -> column.get("name").equals("url")); //NON-NLS
}
634 }

Copyright © 2012-2018 Basis Technology. Generated on: Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.