api-docs/4.22.1/_recent_documents_by_lnk_8java_source.html

/*

 *

 * Autopsy Forensic Browser

 *

 * Copyright 2012-2021 Basis Technology Corp.

 *

 * Copyright 2012 42six Solutions.

 * Contact: aebadirad <at> 42six <dot> com

 * Project Contact/Architect: carrier <at> sleuthkit <dot> org

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package org.sleuthkit.autopsy.recentactivity;


import java.io.File;

import java.util.ArrayList;

import java.util.List;

import java.util.logging.Level;

import org.apache.commons.io.FilenameUtils;

import org.openide.util.NbBundle;

import org.sleuthkit.autopsy.coreutils.Logger;

import java.util.Collection;

import java.util.HashMap;

import org.openide.util.NbBundle.Messages;

import org.sleuthkit.autopsy.coreutils.JLNK;

import org.sleuthkit.autopsy.coreutils.JLnkParser;

import org.sleuthkit.autopsy.coreutils.JLnkParserException;

import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;

import org.sleuthkit.autopsy.ingest.IngestJobContext;

import org.sleuthkit.datamodel.BlackboardArtifact;

import org.sleuthkit.datamodel.BlackboardAttribute;

import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;

import org.sleuthkit.datamodel.Content;

import org.sleuthkit.datamodel.TskCoreException;

import org.sleuthkit.datamodel.AbstractFile;

import org.sleuthkit.datamodel.ReadContentInputStream;

import org.sleuthkit.datamodel.TskData;


class RecentDocumentsByLnk extends Extract {


    private static final Logger logger = Logger.getLogger(RecentDocumentsByLnk.class.getName());

    private Content dataSource;

    private final IngestJobContext context;


    @Messages({

        "Progress_Message_Extract_Resent_Docs=Recent Documents",

        "RecentDocumentsByLnk_displayName=Recent Documents by Link Analyzer"

    })

    RecentDocumentsByLnk(IngestJobContext context) {

        super(Bundle.RecentDocumentsByLnk_displayName(), context);

        this.context = context;

    }


    private void getRecentDocuments() {


        org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();

        List<AbstractFile> recentFiles;

        try {

            recentFiles = fileManager.findFiles(dataSource, "%.lnk", "Recent"); //NON-NLS

        } catch (TskCoreException ex) {

            logger.log(Level.WARNING, "Error searching for .lnk files."); //NON-NLS

            this.addErrorMessage(

                    NbBundle.getMessage(this.getClass(), "RecentDocumentsByLnk.getRecDoc.errMsg.errGetLnkFiles",

                            this.getDisplayName()));

            return;

        }


        if (recentFiles.isEmpty()) {

            logger.log(Level.INFO, "Didn't find any recent files."); //NON-NLS

            return;

        }


        dataFound = true;

        List<BlackboardArtifact> bbartifacts = new ArrayList<>();

        HashMap<String, String> recentFileMap = new HashMap<>();

        for (AbstractFile recentFile : recentFiles) {

            if (context.dataSourceIngestIsCancelled()) {

                break;

            }


            if (recentFile.getSize() == 0) {

                continue;

            }

            JLNK lnk;

            JLnkParser lnkParser = new JLnkParser(new ReadContentInputStream(recentFile), (int) recentFile.getSize());

            try {

                lnk = lnkParser.parse();

            } catch (JLnkParserException e) {

                //TODO should throw a specific checked exception

                boolean unalloc = recentFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)

                        || recentFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC);

                if (unalloc == false) {

                    logger.log(Level.WARNING, "Error lnk parsing the file to get recent files {0}", recentFile); //NON-NLS

                }

                continue;

            }


            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

            String path = lnk.getBestPath();

            if (recentFileMap.get(path + File.separator + recentFile.getName()) == null) {

                recentFileMap.put(path + File.separator + recentFile.getName(), recentFile.getName());

                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,

                        NbBundle.getMessage(this.getClass(),

                                "RecentDocumentsByLnk.parentModuleName.noSpace"),

                        path));

                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,

                        NbBundle.getMessage(this.getClass(),

                                "RecentDocumentsByLnk.parentModuleName.noSpace"),

                        Util.findID(dataSource, path)));

                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,

                        NbBundle.getMessage(this.getClass(),

                                "RecentDocumentsByLnk.parentModuleName.noSpace"),

                        recentFile.getCrtime()));

                try {

                    BlackboardArtifact bba = createArtifactWithAttributes(BlackboardArtifact.Type.TSK_RECENT_OBJECT, recentFile, bbattributes);

                    if (bba != null) {

                        bbartifacts.add(bba);

                        bba = createAssociatedArtifact(path, bba);

                        if (bba != null) {

                            bbartifacts.add(bba);

                        }

                    }

                } catch (TskCoreException ex) {

                    logger.log(Level.SEVERE, String.format("Failed to create TSK_RECENT_OBJECT artifact for file %d", recentFile.getId()), ex);

                }

            }

        }


        if (!context.dataSourceIngestIsCancelled()) {

            postArtifacts(bbartifacts);

        }

    }


    private BlackboardArtifact createAssociatedArtifact(String filePathName, BlackboardArtifact bba) {

        String normalizePathName = FilenameUtils.normalize(filePathName, true);

        String fileName = FilenameUtils.getName(normalizePathName);

        String filePath = FilenameUtils.getPath(normalizePathName);

        List<AbstractFile> sourceFiles;

        if (filePath == null) {

            return null;

        }

        try {

            sourceFiles = currentCase.getSleuthkitCase().getFileManager().findFilesExactNameExactPath(dataSource, fileName, filePath);

            for (AbstractFile sourceFile : sourceFiles) {

                if (sourceFile.getParentPath().endsWith(filePath)) {

                    return createAssociatedArtifact(sourceFile, bba);

                }

            }

        } catch (TskCoreException ex) {

            logger.log(Level.WARNING, String.format("Error finding actual file %s. file may not exist", filePathName), ex); //NON-NLS

        }


        return null;

    }


    @Override

    public void process(Content dataSource, DataSourceIngestModuleProgress progressBar) {

        this.dataSource = dataSource;

        dataFound = false;


        progressBar.progress(Bundle.Progress_Message_Extract_Resent_Docs());

        this.getRecentDocuments();

    }

}

org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
List< AbstractFile > findFiles(String fileName)
Definition FileManager.java:175