LocalFilesDSProcessor.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2011-2021 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.casemodule;
 
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;
import java.util.logging.Level;
import javax.swing.JPanel;
import javax.swing.filechooser.FileFilter;
import org.apache.commons.io.FilenameUtils;
import org.openide.modules.InstalledFileLocator;
import org.openide.util.NbBundle;
import org.openide.util.NbBundle.Messages;
import org.openide.util.lookup.ServiceProvider;
import org.openide.util.lookup.ServiceProviders;
import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorCallback;
import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor;
import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessor;
import org.sleuthkit.autopsy.coreutils.ExecUtil;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.PlatformUtil;
import org.sleuthkit.autopsy.datasourceprocessors.AutoIngestDataSourceProcessor;
import org.sleuthkit.datamodel.Host;
import org.sleuthkit.datamodel.TskCoreException;

@ServiceProviders(value = {
    @ServiceProvider(service = DataSourceProcessor.class),
    @ServiceProvider(service = AutoIngestDataSourceProcessor.class)
})
@Messages({
    "LocalFilesDSProcessor.logicalEvidenceFilter.desc=Logical Evidence Files (L01)"
})
public class LocalFilesDSProcessor implements DataSourceProcessor, AutoIngestDataSourceProcessor {
 
    private static final String DATA_SOURCE_TYPE = NbBundle.getMessage(LocalFilesDSProcessor.class, "LocalFilesDSProcessor.dsType");
    private static final Logger logger = Logger.getLogger(LocalFilesDSProcessor.class.getName());
    private final LogicalFilesDspPanel configPanel;
    private static final String L01_EXTRACTION_DIR = "L01";
    private static final String UNIQUENESS_CONSTRAINT_SEPERATOR = "_";
    private static final String EWFEXPORT_DIR = "ewfexport_exec"; // NON-NLS
    private static final String EWFEXPORT_32_BIT_DIR = "32-bit"; // NON-NLS
    private static final String EWFEXPORT_64_BIT_DIR = "64-bit"; // NON-NLS
    private static final String EWFEXPORT_WINDOWS_EXE = "ewfexport.exe"; // NON-NLS
    private static final String LOG_FILE_EXTENSION = ".txt";
    private static final List<String> LOGICAL_EVIDENCE_EXTENSIONS = Arrays.asList(".l01");
    private static final String LOGICAL_EVIDENCE_DESC = Bundle.LocalFilesDSProcessor_logicalEvidenceFilter_desc();
    private static final GeneralFilter LOGICAL_EVIDENCE_FILTER = new GeneralFilter(LOGICAL_EVIDENCE_EXTENSIONS, LOGICAL_EVIDENCE_DESC);
    /*
     * TODO: Remove the setDataSourceOptionsCalled flag and the settings fields
     * when the deprecated method setDataSourceOptions is removed.
     */
    private List<String> localFilePaths;

    public LocalFilesDSProcessor() {
        configPanel = LogicalFilesDspPanel.getDefault();
    }

    public static String getType() {
        return DATA_SOURCE_TYPE;
    }

    @Override
    public String getDataSourceType() {
        return DATA_SOURCE_TYPE;
    }

    @Override
    public JPanel getPanel() {
        configPanel.select();
        return configPanel;
    }

    @Override
    public boolean isPanelValid() {
        return configPanel.validatePanel();
    }

    @Override
    public void run(DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
        run(null, progressMonitor, callback);
    }

    @Override
    public void run(Host host, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
 
        localFilePaths = configPanel.getContentPaths();
        boolean createTimestamp = configPanel.getCreateTimestamp();
        boolean modifiedTimestamp = configPanel.getModifiedTimestamp();
        boolean accessTimestamp = configPanel.getAccessTimestamp();
        if (configPanel.subTypeIsLogicalEvidencePanel()) {
            try {
                //if the L01 option was chosen
                localFilePaths = extractLogicalEvidenceFileContents(localFilePaths);
            } catch (L01Exception ex) {
                //contents of l01 could not be extracted don't add data source or run ingest
                final List<String> errors = new ArrayList<>();
                errors.add(ex.getMessage());
                callback.done(DataSourceProcessorCallback.DataSourceProcessorResult.CRITICAL_ERRORS, errors, new ArrayList<>());
                return;
            } catch (NoCurrentCaseException ex) {
                logger.log(Level.WARNING, "Exception while getting open case.", ex);
                return;
            }
        }
        run(UUID.randomUUID().toString(), configPanel.getFileSetName(), localFilePaths, host, createTimestamp, 
              accessTimestamp, modifiedTimestamp, progressMonitor, callback);
    }

    private List<String> extractLogicalEvidenceFileContents(final List<String> logicalEvidenceFilePaths) throws L01Exception, NoCurrentCaseException {
        final List<String> extractedPaths = new ArrayList<>();
        Path ewfexportPath;
        ewfexportPath = locateEwfexportExecutable();
        List<String> command = new ArrayList<>();
        for (final String l01Path : logicalEvidenceFilePaths) {
            command.clear();
            command.add(ewfexportPath.toAbsolutePath().toString());
            command.add("-f");
            command.add("files");
            command.add("-t");
            File l01Dir = new File(Case.getCurrentCaseThrows().getModuleDirectory(), L01_EXTRACTION_DIR);
            if (!l01Dir.exists()) {
                l01Dir.mkdirs();
            }
            Path dirPath = Paths.get(FilenameUtils.getBaseName(l01Path) + UNIQUENESS_CONSTRAINT_SEPERATOR + System.currentTimeMillis());
 
            command.add(dirPath.toString());
            command.add(l01Path);
            ProcessBuilder processBuilder = new ProcessBuilder(command);
            processBuilder.directory(l01Dir);
            try {
                //redirect  ewfexport stdout and stderr to txt file
                Path logFileName = Paths.get(l01Dir.toString(), dirPath.toString() + LOG_FILE_EXTENSION);
                File logFile = new File(logFileName.toString());
                Path errFileName = Paths.get(l01Dir.toString(), dirPath.toString() + LOG_FILE_EXTENSION);
                File errFile = new File(errFileName.toString());
                processBuilder.redirectError(ProcessBuilder.Redirect.appendTo(errFile));
                processBuilder.redirectOutput(ProcessBuilder.Redirect.appendTo(logFile));
                // open the file with ewfexport to extract its contents
                ExecUtil.execute(processBuilder, new ExecUtil.TimedProcessTerminator());
                if (l01Dir.toPath().resolve(dirPath).toFile().exists()) {
                    extractedPaths.add(l01Dir.toPath().resolve(dirPath).toString());
                } else { //if we failed to extract anything let the user know the L01 file was unable to be processed
                    throw new L01Exception("Can not process the selected L01 file, ewfExport was unable to extract any files from it.");
                }
 
            } catch (SecurityException ex) {
                throw new L01Exception("Security exception occcured while trying to extract l01 contents", ex);
            } catch (IOException ex) {
                throw new L01Exception("IOException occcured while trying to extract l01 contents", ex);
            }
        }
        return extractedPaths;
    }

    static FileFilter getLogicalEvidenceFilter() {
        return LOGICAL_EVIDENCE_FILTER;
    }

    private Path locateEwfexportExecutable() throws L01Exception {
        // Must be running under a Windows operating system.
        if (!PlatformUtil.isWindowsOS()) {
            throw new L01Exception("L01 files are only supported on windows currently");
        }
 
        // Build the expected path to either the 32-bit or 64-bit version of the 
        // ewfexport executable.
        final File ewfRoot = InstalledFileLocator.getDefault().locate(EWFEXPORT_DIR, LocalFilesDSProcessor.class.getPackage().getName(), false);
 
        Path executablePath;
        if (PlatformUtil.is64BitOS()) {
            executablePath = Paths.get(
                    ewfRoot.getAbsolutePath(),
                    EWFEXPORT_64_BIT_DIR,
                    EWFEXPORT_WINDOWS_EXE);
        } else {
            executablePath = Paths.get(
                    ewfRoot.getAbsolutePath(),
                    EWFEXPORT_32_BIT_DIR,
                    EWFEXPORT_WINDOWS_EXE);
        }
 
        // Make sure the executable exists at the expected location and that it  
        // can be run.
        final File ewfexport = executablePath.toFile();
        if (null == ewfexport || !ewfexport.exists()) {
            throw new LocalFilesDSProcessor.L01Exception("EWF export executable was not found");
        }
        if (!ewfexport.canExecute()) {
            throw new LocalFilesDSProcessor.L01Exception("EWF export executable can not be executed");
        }
 
        return executablePath;
    }

    public void run(String deviceId, String rootVirtualDirectoryName, List<String> localFilePaths, Host host, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
        new Thread(new AddLocalFilesTask(deviceId, rootVirtualDirectoryName, localFilePaths, host, false, false, false,progressMonitor, callback)).start();
    }

    public void run(String deviceId, String rootVirtualDirectoryName, List<String> localFilePaths, Host host, boolean createTimestamp, boolean accessTimestamp,
                      boolean modifiedTimestamp, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
        new Thread(new AddLocalFilesTask(deviceId, rootVirtualDirectoryName, localFilePaths, host, createTimestamp, accessTimestamp, modifiedTimestamp, 
                      progressMonitor, callback)).start();
    }

    public void run(String deviceId, String rootVirtualDirectoryName, List<String> localFilePaths,  DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callback) {
        run(deviceId, rootVirtualDirectoryName, localFilePaths, null, progressMonitor, callback);
    }

    @Override
    public void cancel() {
    }

    @Override
    public void reset() {
        configPanel.select();
        localFilePaths = null;
    }
 
    @Override
    public int canProcess(Path dataSourcePath) throws AutoIngestDataSourceProcessorException {
        // Local files DSP can process any file by simply adding it as a logical file.
        // It should return lowest possible non-zero confidence level and be treated 
        // as the "option of last resort" for auto ingest purposes
 
        List<String> filePaths = Arrays.asList(new String[]{dataSourcePath.toString()});
        //If there is only 1 file check if it is an L01 file and if it is extract the 
        //contents and replace the paths, if the contents can't be extracted return 0
        if (filePaths.size() == 1) {
            for (final String path : filePaths) {
                if (new File(path).isFile() && LOGICAL_EVIDENCE_FILTER.accept(new File(path))) {
                    try {
                        //if the L01 option was chosen
                        filePaths = extractLogicalEvidenceFileContents(filePaths);
                    } catch (L01Exception ex) {
                        logger.log(Level.WARNING, "File extension was .l01 but contents of logical evidence file were unable to be extracted", ex);
                        //contents of l01 could not be extracted don't add data source or run ingest
                        return 0;
                    } catch (NoCurrentCaseException ex) {
                        logger.log(Level.WARNING, "Exception while getting open case.", ex);
                        return 0;
                    }
                }
            }
        }
        return 1;
    }
 
    @Override
    public void process(String deviceId, Path dataSourcePath, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callBack) {
        process(deviceId, dataSourcePath, null, progressMonitor, callBack);
    }
 
    @Override
    public void process(String deviceId, Path dataSourcePath, Host host, DataSourceProcessorProgressMonitor progressMonitor, DataSourceProcessorCallback callBack) {
        List<String> filePaths = Arrays.asList(new String[]{dataSourcePath.toString()});
        run(deviceId, "", filePaths, host, progressMonitor, callBack);
    }

    private final class L01Exception extends Exception {
 
        private static final long serialVersionUID = 1L;
 
        L01Exception(final String message) {
            super(message);
        }
 
        L01Exception(final String message, final Throwable cause) {
            super(message, cause);
        }
    }
 
}