Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
TangoMessageAnalyzer.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.android;
20 
21 import java.io.File;
22 import java.sql.Connection;
23 import java.sql.DriverManager;
24 import java.sql.ResultSet;
25 import java.sql.SQLException;
26 import java.sql.Statement;
27 import java.util.List;
28 import java.util.logging.Level;
29 import org.apache.commons.codec.binary.Base64;
30 import org.openide.util.NbBundle;
31 import org.openide.util.NbBundle.Messages;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.BlackboardArtifact;
41 import org.sleuthkit.datamodel.BlackboardAttribute;
42 import org.sleuthkit.datamodel.Content;
43 import org.sleuthkit.datamodel.TskCoreException;
44 
48 class TangoMessageAnalyzer {
49 
50  private static final String moduleName = AndroidModuleFactory.getModuleName();
51  private static final Logger logger = Logger.getLogger(TangoMessageAnalyzer.class.getName());
52  private static Blackboard blackboard;
53 
54  public static void findTangoMessages(Content dataSource, FileManager fileManager,
55  IngestJobContext context) {
56  blackboard = Case.getCurrentCase().getServices().getBlackboard();
57  List<AbstractFile> absFiles;
58  try {
59  absFiles = fileManager.findFiles(dataSource, "tc.db"); //NON-NLS
60  for (AbstractFile abstractFile : absFiles) {
61  try {
62  File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
63  ContentUtils.writeToFile(abstractFile, jFile, context::dataSourceIngestIsCancelled);
64  findTangoMessagesInDB(jFile.toString(), abstractFile);
65  } catch (Exception e) {
66  logger.log(Level.SEVERE, "Error parsing Tango messages", e); //NON-NLS
67  }
68  }
69  } catch (TskCoreException e) {
70  logger.log(Level.SEVERE, "Error finding Tango messages", e); //NON-NLS
71  }
72  }
73 
74  @Messages({"TangoMessageAnalyzer.indexError.message=Failed to index Tango message artifact for keyword search."})
75  private static void findTangoMessagesInDB(String DatabasePath, AbstractFile f) {
76  Connection connection = null;
77  ResultSet resultSet = null;
78  Statement statement = null;
79 
80  if (DatabasePath == null || DatabasePath.isEmpty()) {
81  return;
82  }
83  try {
84  Class.forName("org.sqlite.JDBC"); //NON-NLS //load JDBC driver
85  connection = DriverManager.getConnection("jdbc:sqlite:" + DatabasePath); //NON-NLS
86  statement = connection.createStatement();
87  } catch (ClassNotFoundException | SQLException e) {
88  logger.log(Level.SEVERE, "Error opening database", e); //NON-NLS
89  return;
90  }
91 
92  try {
93  resultSet = statement.executeQuery(
94  "SELECT conv_id, create_time,direction,payload FROM messages ORDER BY create_time DESC;"); //NON-NLS
95 
96  String conv_id; // seems to wrap around the message found in payload after decoding from base-64
97  String direction; // 1 incoming, 2 outgoing
98  String payload; // seems to be a base64 message wrapped by the conv_id
99 
100  while (resultSet.next()) {
101  conv_id = resultSet.getString("conv_id"); //NON-NLS
102  Long create_time = Long.valueOf(resultSet.getString("create_time")) / 1000; //NON-NLS
103  if (resultSet.getString("direction").equals("1")) { //NON-NLS
104  direction = "Incoming"; //NON-NLS
105  } else {
106  direction = "Outgoing"; //NON-NLS
107  }
108  payload = resultSet.getString("payload"); //NON-NLS
109 
110  BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE); //create a call log and then add attributes from result set.
111  bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, moduleName, create_time));
112  bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, moduleName, direction));
113  bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, moduleName, decodeMessage(conv_id, payload)));
114  bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, moduleName,
115  NbBundle.getMessage(TangoMessageAnalyzer.class,
116  "TangoMessageAnalyzer.bbAttribute.tangoMessage")));
117 
118  try {
119  // index the artifact for keyword search
120  blackboard.indexArtifact(bba);
121  } catch (Blackboard.BlackboardException ex) {
122  MessageNotifyUtil.Notify.error(
123  Bundle.TangoMessageAnalyzer_indexError_message(), bba.getDisplayName());
124  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + bba.getArtifactID(), ex); //NON-NLS
125  }
126  }
127  } catch (Exception e) {
128  logger.log(Level.SEVERE, "Error parsing Tango messages to the Blackboard", e); //NON-NLS
129  } finally {
130  try {
131  if (resultSet != null) {
132  resultSet.close();
133  }
134  statement.close();
135  connection.close();
136  } catch (Exception e) {
137  logger.log(Level.SEVERE, "Error closing database", e); //NON-NLS
138  }
139  }
140  }
141 
142  //take the message string which is wrapped by a certain string, and return the text enclosed.
143  private static String decodeMessage(String wrapper, String message) {
144  String result = "";
145  byte[] decoded = Base64.decodeBase64(message);
146  try {
147  String Z = new String(decoded, "UTF-8");
148  result = Z.split(wrapper)[1];
149  } catch (Exception e) {
150  logger.log(Level.SEVERE, "Error decoding a Tango message", e); //NON-NLS
151  }
152  return result;
153  }
154 }

Copyright © 2012-2016 Basis Technology. Generated on: Mon Jan 2 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.