Autopsy  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
EncryptionDetectionDataSourceIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.encryptiondetection;
20 
21 import java.io.IOException;
22 import java.util.Collections;
23 import java.util.List;
24 import java.util.logging.Level;
25 import org.openide.util.NbBundle.Messages;
26 import org.sleuthkit.autopsy.casemodule.Case;
27 import org.sleuthkit.autopsy.casemodule.services.Blackboard;
28 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
29 import org.sleuthkit.autopsy.ingest.IngestModule;
30 import org.sleuthkit.datamodel.Content;
31 import org.sleuthkit.datamodel.TskCoreException;
32 import org.sleuthkit.autopsy.coreutils.Logger;
33 import org.sleuthkit.autopsy.ingest.DataSourceIngestModule;
34 import org.sleuthkit.autopsy.ingest.IngestJobContext;
35 import org.sleuthkit.autopsy.ingest.IngestMessage;
36 import org.sleuthkit.autopsy.ingest.IngestServices;
37 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
38 import org.sleuthkit.datamodel.BlackboardArtifact;
39 import org.sleuthkit.datamodel.BlackboardAttribute;
40 import org.sleuthkit.datamodel.Image;
41 import org.sleuthkit.datamodel.ReadContentInputStream;
42 import org.sleuthkit.datamodel.Volume;
43 import org.sleuthkit.datamodel.VolumeSystem;
44 
48 final class EncryptionDetectionDataSourceIngestModule implements DataSourceIngestModule {
49 
50  private final IngestServices services = IngestServices.getInstance();
51  private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
52  private Blackboard blackboard;
53  private double calculatedEntropy;
54  private final double minimumEntropy;
55 
62  EncryptionDetectionDataSourceIngestModule(EncryptionDetectionIngestJobSettings settings) {
63  minimumEntropy = settings.getMinimumEntropy();
64  }
65 
66  @Override
67  public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
68  validateSettings();
69  blackboard = Case.getCurrentCase().getServices().getBlackboard();
70  }
71 
72  @Messages({
73  "EncryptionDetectionDataSourceIngestModule.artifactComment.bitlocker=Bitlocker encryption detected.",
74  "EncryptionDetectionDataSourceIngestModule.artifactComment.suspected=Suspected encryption due to high entropy (%f)."
75  })
76  @Override
77  public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
78 
79  try {
80  if (dataSource instanceof Image) {
81  List<VolumeSystem> volumeSystems = ((Image) dataSource).getVolumeSystems();
82  for (VolumeSystem volumeSystem : volumeSystems) {
83  for (Volume volume : volumeSystem.getVolumes()) {
84  if (BitlockerDetection.isBitlockerVolume(volume)) {
85  return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_bitlocker());
86  }
87  if (isVolumeEncrypted(volume)) {
88  return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED, String.format(Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_suspected(), calculatedEntropy));
89  }
90  }
91  }
92  }
93  } catch (ReadContentInputStream.ReadContentInputStreamException ex) {
94  logger.log(Level.WARNING, String.format("Unable to read data source '%s'", dataSource.getName()), ex);
95  return IngestModule.ProcessResult.ERROR;
96  } catch (IOException | TskCoreException ex) {
97  logger.log(Level.SEVERE, String.format("Unable to process data source '%s'", dataSource.getName()), ex);
98  return IngestModule.ProcessResult.ERROR;
99  }
100 
101  return IngestModule.ProcessResult.OK;
102  }
103 
112  private void validateSettings() throws IngestModule.IngestModuleException {
113  EncryptionDetectionTools.validateMinEntropyValue(minimumEntropy);
114  }
115 
126  private IngestModule.ProcessResult flagVolume(Volume volume, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) {
127  try {
128  BlackboardArtifact artifact = volume.newArtifact(artifactType);
129  artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment));
130 
131  try {
132  /*
133  * Index the artifact for keyword search.
134  */
135  blackboard.indexArtifact(artifact);
136  } catch (Blackboard.BlackboardException ex) {
137  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
138  }
139 
140  /*
141  * Send an event to update the view with the new result.
142  */
143  services.fireModuleDataEvent(new ModuleDataEvent(EncryptionDetectionModuleFactory.getModuleName(), artifactType, Collections.singletonList(artifact)));
144 
145  /*
146  * Make an ingest inbox message.
147  */
148  StringBuilder detailsSb = new StringBuilder("");
149  detailsSb.append("File: ");
150  Content parentFile = volume.getParent();
151  if (parentFile != null) {
152  detailsSb.append(volume.getParent().getUniquePath());
153  }
154  detailsSb.append(volume.getName());
155  if (artifactType.equals(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED)) {
156  detailsSb.append("<br/>\nEntropy: ").append(calculatedEntropy);
157  }
158 
159  services.postMessage(IngestMessage.createDataMessage(EncryptionDetectionModuleFactory.getModuleName(),
160  artifactType.getDisplayName() + " Match: " + volume.getName(),
161  detailsSb.toString(),
162  volume.getName(),
163  artifact));
164 
165  return IngestModule.ProcessResult.OK;
166  } catch (TskCoreException ex) {
167  logger.log(Level.SEVERE, String.format("Failed to create blackboard artifact for '%s'.", volume.getName()), ex); //NON-NLS
168  return IngestModule.ProcessResult.ERROR;
169  }
170  }
171 
180  private boolean isVolumeEncrypted(Volume volume) throws ReadContentInputStream.ReadContentInputStreamException, IOException, TskCoreException {
181  /*
182  * Criteria for the checks in this method are partially based on
183  * http://www.forensicswiki.org/wiki/TrueCrypt#Detection
184  */
185  if (volume.getFileSystems().isEmpty()) {
186  calculatedEntropy = EncryptionDetectionTools.calculateEntropy(volume);
187  if (calculatedEntropy >= minimumEntropy) {
188  return true;
189  }
190  }
191  return false;
192  }
193 }

Copyright © 2012-2018 Basis Technology. Generated on: Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.