Autopsy  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExtractIE.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2011-2018 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.BufferedReader;
26 
27 import org.openide.util.NbBundle;
28 import org.sleuthkit.autopsy.coreutils.ExecUtil;
29 import org.sleuthkit.autopsy.coreutils.NetworkUtils;
30 import java.io.File;
31 import java.io.FileInputStream;
32 import java.io.FileNotFoundException;
33 import java.io.IOException;
34 import java.io.InputStreamReader;
35 import java.text.ParseException;
36 import java.text.SimpleDateFormat;
37 import java.util.ArrayList;
38 import java.util.List;
39 import java.util.Set;
40 import java.util.HashSet;
41 import java.util.logging.Level;
42 import org.sleuthkit.autopsy.coreutils.Logger;
43 import java.util.Collection;
44 import java.util.Scanner;
45 import java.util.stream.Collectors;
46 import org.openide.modules.InstalledFileLocator;
47 import org.sleuthkit.autopsy.casemodule.Case;
48 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
49 import org.sleuthkit.autopsy.datamodel.ContentUtils;
50 import org.sleuthkit.autopsy.ingest.IngestServices;
51 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
52 import org.sleuthkit.datamodel.BlackboardArtifact;
53 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
54 import org.sleuthkit.datamodel.BlackboardAttribute;
55 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
56 import org.sleuthkit.datamodel.Content;
57 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
58 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProcessTerminator;
59 import org.sleuthkit.autopsy.ingest.IngestJobContext;
60 import org.sleuthkit.datamodel.*;
61 
66 class ExtractIE extends Extract {
67 
68  private static final Logger logger = Logger.getLogger(ExtractIE.class.getName());
69  private final IngestServices services = IngestServices.getInstance();
70  private final String moduleTempResultsDir;
71  private String PASCO_LIB_PATH;
72  private final String JAVA_PATH;
73  private static final String RESOURCE_URL_PREFIX = "res://";
74  private static final SimpleDateFormat dateFormatter = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'");
75  private Content dataSource;
76  private IngestJobContext context;
77 
78  ExtractIE() throws NoCurrentCaseException {
79  moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractIE.moduleName.text");
80  moduleTempResultsDir = RAImageIngestModule.getRATempPath(Case.getCurrentCaseThrows(), "IE") + File.separator + "results"; //NON-NLS
81  JAVA_PATH = PlatformUtil.getJavaPath();
82  }
83 
84  @Override
85  public void process(Content dataSource, IngestJobContext context) {
86  this.dataSource = dataSource;
87  this.context = context;
88  dataFound = false;
89  this.getBookmark();
90  this.getCookie();
91  this.getHistory();
92  }
93 
97  private void getBookmark() {
98  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
99  List<AbstractFile> favoritesFiles;
100  try {
101  favoritesFiles = fileManager.findFiles(dataSource, "%.url", "Favorites"); //NON-NLS
102  } catch (TskCoreException ex) {
103  logger.log(Level.WARNING, "Error fetching 'url' files for Internet Explorer bookmarks.", ex); //NON-NLS
104  this.addErrorMessage(
105  NbBundle.getMessage(this.getClass(), "ExtractIE.getBookmark.errMsg.errGettingBookmarks",
106  this.getName()));
107  return;
108  }
109 
110  if (favoritesFiles.isEmpty()) {
111  logger.log(Level.INFO, "Didn't find any IE bookmark files."); //NON-NLS
112  return;
113  }
114 
115  dataFound = true;
116  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
117  for (AbstractFile fav : favoritesFiles) {
118  if (fav.getSize() == 0) {
119  continue;
120  }
121 
122  if (context.dataSourceIngestIsCancelled()) {
123  break;
124  }
125 
126  String url = getURLFromIEBookmarkFile(fav);
127 
128  String name = fav.getName();
129  Long datetime = fav.getCrtime();
130  String Tempdate = datetime.toString();
131  datetime = Long.valueOf(Tempdate);
132  String domain = extractDomain(url);
133 
134  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
135  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
136  NbBundle.getMessage(this.getClass(),
137  "ExtractIE.parentModuleName.noSpace"), url));
138  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,
139  NbBundle.getMessage(this.getClass(),
140  "ExtractIE.parentModuleName.noSpace"), name));
141  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,
142  NbBundle.getMessage(this.getClass(),
143  "ExtractIE.parentModuleName.noSpace"), datetime));
144  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
145  NbBundle.getMessage(this.getClass(),
146  "ExtractIE.parentModuleName.noSpace"),
147  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
148  if (domain != null && domain.isEmpty() == false) {
149  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
150  NbBundle.getMessage(this.getClass(),
151  "ExtractIE.parentModuleName.noSpace"), domain));
152  }
153 
154  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK, fav, bbattributes);
155  if (bbart != null) {
156  bbartifacts.add(bbart);
157  }
158  }
159  services.fireModuleDataEvent(new ModuleDataEvent(
160  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
161  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));
162  }
163 
164  private String getURLFromIEBookmarkFile(AbstractFile fav) {
165  BufferedReader reader = new BufferedReader(new InputStreamReader(new ReadContentInputStream(fav)));
166  String line, url = "";
167  try {
168  line = reader.readLine();
169  while (null != line) {
170  // The actual shortcut line we are interested in is of the
171  // form URL=http://path/to/website
172  if (line.startsWith("URL")) { //NON-NLS
173  url = line.substring(line.indexOf("=") + 1);
174  break;
175  }
176  line = reader.readLine();
177  }
178  } catch (IOException ex) {
179  logger.log(Level.WARNING, "Failed to read from content: " + fav.getName(), ex); //NON-NLS
180  this.addErrorMessage(
181  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg", this.getName(),
182  fav.getName()));
183  } catch (IndexOutOfBoundsException ex) {
184  logger.log(Level.WARNING, "Failed while getting URL of IE bookmark. Unexpected format of the bookmark file: " + fav.getName(), ex); //NON-NLS
185  this.addErrorMessage(
186  NbBundle.getMessage(this.getClass(), "ExtractIE.getURLFromIEBmkFile.errMsg2", this.getName(),
187  fav.getName()));
188  } finally {
189  try {
190  reader.close();
191  } catch (IOException ex) {
192  logger.log(Level.WARNING, "Failed to close reader.", ex); //NON-NLS
193  }
194  }
195 
196  return url;
197  }
198 
202  private void getCookie() {
203  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
204  List<AbstractFile> cookiesFiles;
205  try {
206  cookiesFiles = fileManager.findFiles(dataSource, "%.txt", "Cookies"); //NON-NLS
207  } catch (TskCoreException ex) {
208  logger.log(Level.WARNING, "Error getting cookie files for IE"); //NON-NLS
209  this.addErrorMessage(
210  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errGettingFile", this.getName()));
211  return;
212  }
213 
214  if (cookiesFiles.isEmpty()) {
215  logger.log(Level.INFO, "Didn't find any IE cookies files."); //NON-NLS
216  return;
217  }
218 
219  dataFound = true;
220  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
221  for (AbstractFile cookiesFile : cookiesFiles) {
222  if (context.dataSourceIngestIsCancelled()) {
223  break;
224  }
225  if (cookiesFile.getSize() == 0) {
226  continue;
227  }
228 
229  byte[] t = new byte[(int) cookiesFile.getSize()];
230  try {
231  final int bytesRead = cookiesFile.read(t, 0, cookiesFile.getSize());
232  } catch (TskCoreException ex) {
233  logger.log(Level.WARNING, "Error reading bytes of Internet Explorer cookie.", ex); //NON-NLS
234  this.addErrorMessage(
235  NbBundle.getMessage(this.getClass(), "ExtractIE.getCookie.errMsg.errReadingIECookie",
236  this.getName(), cookiesFile.getName()));
237  continue;
238  }
239  String cookieString = new String(t);
240  String[] values = cookieString.split("\n");
241  String url = values.length > 2 ? values[2] : "";
242  String value = values.length > 1 ? values[1] : "";
243  String name = values.length > 0 ? values[0] : "";
244  Long datetime = cookiesFile.getCrtime();
245  String tempDate = datetime.toString();
246  datetime = Long.valueOf(tempDate);
247  String domain = extractDomain(url);
248 
249  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
250  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
251  NbBundle.getMessage(this.getClass(),
252  "ExtractIE.parentModuleName.noSpace"), url));
253  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,
254  NbBundle.getMessage(this.getClass(),
255  "ExtractIE.parentModuleName.noSpace"), datetime));
256  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
257  NbBundle.getMessage(this.getClass(),
258  "ExtractIE.parentModuleName.noSpace"), (name != null) ? name : ""));
259  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,
260  NbBundle.getMessage(this.getClass(),
261  "ExtractIE.parentModuleName.noSpace"), value));
262  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
263  NbBundle.getMessage(this.getClass(),
264  "ExtractIE.parentModuleName.noSpace"),
265  NbBundle.getMessage(this.getClass(), "ExtractIE.moduleName.text")));
266  if (domain != null && domain.isEmpty() == false) {
267  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
268  NbBundle.getMessage(this.getClass(),
269  "ExtractIE.parentModuleName.noSpace"), domain));
270  }
271  BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
272  if (bbart != null) {
273  bbartifacts.add(bbart);
274  }
275  }
276  services.fireModuleDataEvent(new ModuleDataEvent(
277  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
278  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));
279  }
280 
284  private void getHistory() {
285  logger.log(Level.INFO, "Pasco results path: {0}", moduleTempResultsDir); //NON-NLS
286  boolean foundHistory = false;
287 
288  final File pascoRoot = InstalledFileLocator.getDefault().locate("pasco2", ExtractIE.class.getPackage().getName(), false); //NON-NLS
289  if (pascoRoot == null) {
290  this.addErrorMessage(
291  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.unableToGetHist", this.getName()));
292  logger.log(Level.SEVERE, "Error finding pasco program "); //NON-NLS
293  return;
294  }
295 
296  final String pascoHome = pascoRoot.getAbsolutePath();
297  logger.log(Level.INFO, "Pasco2 home: {0}", pascoHome); //NON-NLS
298 
299  PASCO_LIB_PATH = pascoHome + File.separator + "pasco2.jar" + File.pathSeparator //NON-NLS
300  + pascoHome + File.separator + "*";
301 
302  File resultsDir = new File(moduleTempResultsDir);
303  resultsDir.mkdirs();
304 
305  // get index.dat files
306  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();
307  List<AbstractFile> indexFiles;
308  try {
309  indexFiles = fileManager.findFiles(dataSource, "index.dat"); //NON-NLS
310  } catch (TskCoreException ex) {
311  this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errGettingHistFiles",
312  this.getName()));
313  logger.log(Level.WARNING, "Error fetching 'index.data' files for Internet Explorer history."); //NON-NLS
314  return;
315  }
316 
317  if (indexFiles.isEmpty()) {
318  String msg = NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.noHistFiles");
319  logger.log(Level.INFO, msg);
320  return;
321  }
322 
323  dataFound = true;
324  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
325  String temps;
326  String indexFileName;
327  for (AbstractFile indexFile : indexFiles) {
328  // Since each result represent an index.dat file,
329  // just create these files with the following notation:
330  // index<Number>.dat (i.e. index0.dat, index1.dat,..., indexN.dat)
331  // Write each index.dat file to a temp directory.
332  //BlackboardArtifact bbart = fsc.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
333  indexFileName = "index" + Integer.toString((int) indexFile.getId()) + ".dat"; //NON-NLS
334  //indexFileName = "index" + Long.toString(bbart.getArtifactID()) + ".dat";
335  temps = RAImageIngestModule.getRATempPath(currentCase, "IE") + File.separator + indexFileName; //NON-NLS
336  File datFile = new File(temps);
337  if (context.dataSourceIngestIsCancelled()) {
338  break;
339  }
340  try {
341  ContentUtils.writeToFile(indexFile, datFile, context::dataSourceIngestIsCancelled);
342  } catch (IOException e) {
343  logger.log(Level.WARNING, "Error while trying to write index.dat file " + datFile.getAbsolutePath(), e); //NON-NLS
344  this.addErrorMessage(
345  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errWriteFile", this.getName(),
346  datFile.getAbsolutePath()));
347  continue;
348  }
349 
350  String filename = "pasco2Result." + indexFile.getId() + ".txt"; //NON-NLS
351  boolean bPascProcSuccess = executePasco(temps, filename);
352  if (context.dataSourceIngestIsCancelled()) {
353  return;
354  }
355 
356  //At this point pasco2 proccessed the index files.
357  //Now fetch the results, parse them and the delete the files.
358  if (bPascProcSuccess) {
359  // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
360  bbartifacts.addAll(parsePascoOutput(indexFile, filename).stream()
361  .filter(bbart -> bbart.getArtifactTypeID() == ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID())
362  .collect(Collectors.toList()));
363  foundHistory = true;
364 
365  //Delete index<n>.dat file since it was succcessfully by Pasco
366  datFile.delete();
367  } else {
368  logger.log(Level.WARNING, "pasco execution failed on: {0}", this.getName()); //NON-NLS
369  this.addErrorMessage(
370  NbBundle.getMessage(this.getClass(), "ExtractIE.getHistory.errMsg.errProcHist", this.getName()));
371  }
372  }
373 
374  if (foundHistory) {
375  services.fireModuleDataEvent(new ModuleDataEvent(
376  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName"),
377  BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
378  }
379  }
380 
389  private boolean executePasco(String indexFilePath, String outputFileName) {
390  boolean success = true;
391  try {
392  final String outputFileFullPath = moduleTempResultsDir + File.separator + outputFileName;
393  final String errFileFullPath = moduleTempResultsDir + File.separator + outputFileName + ".err"; //NON-NLS
394  logger.log(Level.INFO, "Writing pasco results to: {0}", outputFileFullPath); //NON-NLS
395  List<String> commandLine = new ArrayList<>();
396  commandLine.add(JAVA_PATH);
397  commandLine.add("-cp"); //NON-NLS
398  commandLine.add(PASCO_LIB_PATH);
399  commandLine.add("isi.pasco2.Main"); //NON-NLS
400  commandLine.add("-T"); //NON-NLS
401  commandLine.add("history"); //NON-NLS
402  commandLine.add(indexFilePath);
403  ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
404  processBuilder.redirectOutput(new File(outputFileFullPath));
405  processBuilder.redirectError(new File(errFileFullPath));
406  /*
407  * NOTE on Pasco return codes: There is no documentation for Pasco.
408  * Looking at the Pasco source code I see that when something goes
409  * wrong Pasco returns a negative number as a return code. However,
410  * we should still attempt to parse the Pasco output even if that
411  * happens. I have seen many situations where Pasco output file
412  * contains a lot of useful data and only the last entry is
413  * corrupted.
414  */
415  ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context));
416  // @@@ Investigate use of history versus cache as type.
417  } catch (IOException ex) {
418  success = false;
419  logger.log(Level.SEVERE, "Unable to execute Pasco to process Internet Explorer web history.", ex); //NON-NLS
420  }
421  return success;
422  }
423 
433  private Collection<BlackboardArtifact> parsePascoOutput(AbstractFile origFile, String pascoOutputFileName) {
434 
435  Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
436  String fnAbs = moduleTempResultsDir + File.separator + pascoOutputFileName;
437 
438  File file = new File(fnAbs);
439  if (file.exists() == false) {
440  this.addErrorMessage(
441  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.notFound", this.getName(),
442  file.getName()));
443  logger.log(Level.WARNING, "Pasco Output not found: {0}", file.getPath()); //NON-NLS
444  return bbartifacts;
445  }
446 
447  // Make sure the file the is not empty or the Scanner will
448  // throw a "No Line found" Exception
449  if (file.length() == 0) {
450  return bbartifacts;
451  }
452 
453  Scanner fileScanner;
454  try {
455  fileScanner = new Scanner(new FileInputStream(file.toString()));
456  } catch (FileNotFoundException ex) {
457  this.addErrorMessage(
458  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsing", this.getName(),
459  file.getName()));
460  logger.log(Level.WARNING, "Unable to find the Pasco file at " + file.getPath(), ex); //NON-NLS
461  return bbartifacts;
462  }
463 
464  // Keep a list of reported user accounts to avoid repeats
465  Set<String> reportedUserAccounts = new HashSet<>();
466 
467  while (fileScanner.hasNext()) {
468  String line = fileScanner.nextLine();
469  if (!line.startsWith("URL")) { //NON-NLS
470  continue;
471  }
472 
473  String[] lineBuff = line.split("\\t"); //NON-NLS
474 
475  if (lineBuff.length < 4) {
476  logger.log(Level.INFO, "Found unrecognized IE history format."); //NON-NLS
477  continue;
478  }
479 
480  String actime = lineBuff[3];
481  Long ftime = (long) 0;
482  String user = "";
483  String realurl = null;
484  String domain;
485 
486  /*
487  * We've seen two types of lines: URL http://XYZ.com .... URL
488  * Visited: Joe@http://XYZ.com ....
489  */
490  if (lineBuff[1].contains("@")) {
491  String url[] = lineBuff[1].split("@", 2);
492 
493  /*
494  * Verify the left portion of the URL is valid.
495  */
496  domain = extractDomain(url[0]);
497 
498  if (domain != null && domain.isEmpty() == false) {
499  /*
500  * Use the entire input for the URL.
501  */
502  realurl = lineBuff[1].trim();
503  } else {
504  /*
505  * Use the left portion of the input for the user, and the
506  * right portion for the host.
507  */
508  user = url[0];
509  user = user.replace("Visited:", ""); //NON-NLS
510  user = user.replace(":Host:", ""); //NON-NLS
511  user = user.replaceAll("(:)(.*?)(:)", "");
512  user = user.trim();
513  realurl = url[1];
514  realurl = realurl.replace("Visited:", ""); //NON-NLS
515  realurl = realurl.replaceAll(":(.*?):", "");
516  realurl = realurl.replace(":Host:", ""); //NON-NLS
517  realurl = realurl.trim();
518  domain = extractDomain(realurl);
519  }
520  } else {
521  /*
522  * Use the entire input for the URL.
523  */
524  realurl = lineBuff[1].trim();
525  domain = extractDomain(realurl);
526  }
527 
528  if (!actime.isEmpty()) {
529  try {
530  Long epochtime = dateFormatter.parse(actime).getTime();
531  ftime = epochtime / 1000;
532  } catch (ParseException e) {
533  this.addErrorMessage(
534  NbBundle.getMessage(this.getClass(), "ExtractIE.parsePascoOutput.errMsg.errParsingEntry",
535  this.getName()));
536  logger.log(Level.WARNING, String.format("Error parsing Pasco results, may have partial processing of corrupt file (id=%d)", origFile.getId()), e); //NON-NLS
537  }
538  }
539 
540  try {
541  BlackboardArtifact bbart = origFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY);
542  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
543  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,
544  NbBundle.getMessage(this.getClass(),
545  "ExtractIE.parentModuleName.noSpace"), realurl));
546  //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "RecentActivity", EscapeUtil.decodeURL(realurl)));
547 
548  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,
549  NbBundle.getMessage(this.getClass(),
550  "ExtractIE.parentModuleName.noSpace"), ftime));
551  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,
552  NbBundle.getMessage(this.getClass(),
553  "ExtractIE.parentModuleName.noSpace"), ""));
554  // @@@ NOte that other browser modules are adding TITLE in hre for the title
555  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,
556  NbBundle.getMessage(this.getClass(),
557  "ExtractIE.parentModuleName.noSpace"),
558  NbBundle.getMessage(this.getClass(),
559  "ExtractIE.moduleName.text")));
560  if (domain != null && domain.isEmpty() == false) {
561  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,
562  NbBundle.getMessage(this.getClass(),
563  "ExtractIE.parentModuleName.noSpace"), domain));
564  }
565  bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
566  NbBundle.getMessage(this.getClass(),
567  "ExtractIE.parentModuleName.noSpace"), user));
568  bbart.addAttributes(bbattributes);
569 
570  // index the artifact for keyword search
571  this.indexArtifact(bbart);
572  bbartifacts.add(bbart);
573 
574  if ((!user.isEmpty()) && (!reportedUserAccounts.contains(user))) {
575  BlackboardArtifact osAttr = origFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
576  osAttr.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
577  NbBundle.getMessage(this.getClass(), "ExtractIE.parentModuleName.noSpace"), user));
578 
579  // index the artifact for keyword search
580  this.indexArtifact(osAttr);
581  bbartifacts.add(osAttr);
582 
583  reportedUserAccounts.add(user);
584  }
585  } catch (TskCoreException ex) {
586  logger.log(Level.SEVERE, "Error writing Internet Explorer web history artifact to the blackboard.", ex); //NON-NLS
587  }
588  }
589  fileScanner.close();
590  return bbartifacts;
591  }
592 
601  private String extractDomain(String url) {
602  if (url == null || url.isEmpty()) {
603  return url;
604  }
605 
606  if (url.toLowerCase().startsWith(RESOURCE_URL_PREFIX)) {
607  /*
608  * Ignore URLs that begin with the matched text.
609  */
610  return null;
611  }
612 
613  return NetworkUtils.extractDomain(url);
614  }
615 }
org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:55
org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
synchronized List< AbstractFile > findFiles(String fileName)
Definition: FileManager.java:165

Copyright © 2012-2018 Basis Technology. Generated on: Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.