1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2014 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  * Contact: aebadirad <at> 42six <dot> com
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import java.io.*;
26 import java.io.File;
27 import java.text.ParseException;
28 import java.text.SimpleDateFormat;
29 import java.util.*;
30 import java.util.logging.Level;
31 import javax.xml.parsers.DocumentBuilder;
32 import javax.xml.parsers.DocumentBuilderFactory;
33 import javax.xml.parsers.ParserConfigurationException;
34 import org.openide.modules.InstalledFileLocator;
35 import org.openide.util.NbBundle;
43 import org.sleuthkit.datamodel.*;
44 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
45 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
46 import org.w3c.dom.Document;
47 import org.w3c.dom.Element;
48 import org.w3c.dom.Node;
49 import org.w3c.dom.NodeList;
50 import org.xml.sax.InputSource;
51 import org.xml.sax.SAXException;
52 import java.nio.file.Path;
56 
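/**
 * Extracts artifacts from Windows registry hives by running RegRipper twice
 * per hive: once with the Autopsy-specific plugin set, whose XML-like output
 * is parsed into blackboard artifacts, and once with the full plugin set,
 * whose output is attached to the case as a report.
 *
 * RegRipper output is derived from evidence content and is treated as
 * untrusted text: it is escaped before parsing, parsed with DTD processing
 * disabled, and every per-node failure is logged and skipped rather than
 * allowed to abort the hive.
 */
@NbBundle.Messages({
    "RegRipperNotFound=Autopsy RegRipper executable not found.",
    "RegRipperFullNotFound=Full version RegRipper executable not found."
})
class ExtractRegistry extends Extract {

    private final Logger logger = Logger.getLogger(this.getClass().getName());
    private final String RR_PATH; // executable/script of the Autopsy version of RegRipper
    private final String RR_FULL_PATH; // executable/script of the full version of RegRipper
    private final Path rrHome; // Path to the Autopsy version of RegRipper
    private final Path rrFullHome; // Path to the full version of RegRipper
    private Content dataSource;
    private IngestJobContext context;
    final private static UsbDeviceIdMapper USB_MAPPER = new UsbDeviceIdMapper();
    final private static String RIP_EXE = "rip.exe"; //NON-NLS
    final private static String RIP_PL = "rip.pl"; //NON-NLS
    // Timestamp layout RegRipper prints: English weekday and month names, day, time, year
    private static final String RR_TIME_FORMAT = "EEE MMM d HH:mm:ss yyyy"; //NON-NLS
    // Leading command-line tokens (interpreter + script, or the exe alone) of each RegRipper flavour
    private final List<String> rrCmd = new ArrayList<>();
    private final List<String> rrFullCmd = new ArrayList<>();

    /**
     * Locates both RegRipper installations and builds the command prefixes.
     *
     * @throws IngestModuleException if either RegRipper directory or its
     *                               rip.exe/rip.pl is missing, or (off Windows)
     *                               no perl interpreter is found
     */
    ExtractRegistry() throws IngestModuleException {
        moduleName = NbBundle.getMessage(ExtractIE.class, "ExtractRegistry.moduleName.text");

        final File rrRoot = InstalledFileLocator.getDefault().locate("rr", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
        if (rrRoot == null) {
            throw new IngestModuleException(Bundle.RegRipperNotFound());
        }
        final File rrFullRoot = InstalledFileLocator.getDefault().locate("rr-full", ExtractRegistry.class.getPackage().getName(), false); //NON-NLS
        if (rrFullRoot == null) {
            throw new IngestModuleException(Bundle.RegRipperFullNotFound());
        }

        // The bundled rip.exe is Windows-only; elsewhere the perl script is run through an interpreter.
        final boolean onWindows = PlatformUtil.isWindowsOS();
        final String executableToRun = onWindows ? RIP_EXE : RIP_PL;
        rrHome = rrRoot.toPath();
        RR_PATH = rrHome.resolve(executableToRun).toString();
        rrFullHome = rrFullRoot.toPath();
        RR_FULL_PATH = rrFullHome.resolve(executableToRun).toString();

        if (!(new File(RR_PATH).exists())) {
            throw new IngestModuleException(Bundle.RegRipperNotFound());
        }
        if (!(new File(RR_FULL_PATH).exists())) {
            throw new IngestModuleException(Bundle.RegRipperFullNotFound());
        }

        if (!onWindows) {
            final String perl = findPerl();
            rrCmd.add(perl);
            rrFullCmd.add(perl);
        }
        rrCmd.add(RR_PATH);
        rrFullCmd.add(RR_FULL_PATH);
    }

    /**
     * Finds a perl interpreter at one of two fixed, absolute locations; the
     * PATH environment variable is deliberately not consulted.
     *
     * @return the interpreter path
     * @throws IngestModuleException if neither candidate is an executable file
     */
    private static String findPerl() throws IngestModuleException {
        for (String candidate : new String[]{"/usr/bin/perl", "/usr/local/bin/perl"}) { //NON-NLS
            File perl = new File(candidate);
            if (perl.canExecute() && perl.exists() && !perl.isDirectory()) {
                return candidate;
            }
        }
        throw new IngestModuleException("perl not found in your system"); //NON-NLS
    }

    /**
     * Finds the registry hives of the data source: every ntuser.dat plus the
     * system, software, security and sam hives under /system32/config.
     * Lookup failures are logged (and, for the system hives, reported as
     * module errors); the hives that were found are still returned.
     *
     * @return the hive files found, possibly empty
     */
    private List<AbstractFile> findRegistryFiles() {
        List<AbstractFile> allRegistryFiles = new ArrayList<>();
        org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager();

        // find the user-specific ntuser-dat files
        try {
            allRegistryFiles.addAll(fileManager.findFiles(dataSource, "ntuser.dat")); //NON-NLS
        } catch (TskCoreException ex) {
            logger.log(Level.WARNING, "Error fetching 'ntuser.dat' file.", ex); //NON-NLS
        }

        // find the system hives
        String[] regFileNames = new String[]{"system", "software", "security", "sam"}; //NON-NLS
        for (String regFileName : regFileNames) {
            try {
                allRegistryFiles.addAll(fileManager.findFiles(dataSource, regFileName, "/system32/config")); //NON-NLS
            } catch (TskCoreException ex) {
                String msg = NbBundle.getMessage(this.getClass(),
                        "ExtractRegistry.findRegFiles.errMsg.errReadingFile", regFileName);
                logger.log(Level.WARNING, msg, ex);
                this.addErrorMessage(this.getName() + ": " + msg);
            }
        }
        return allRegistryFiles;
    }

    /**
     * Copies each hive to the module temp directory, runs both RegRipper
     * flavours on the copy, parses the Autopsy-plugin output into artifacts
     * and attaches the full output as a case report. An index of hive number
     * to hive path is written to regripper-info.txt in the module output
     * directory. Stops early when the ingest job is cancelled; the temp copy
     * of the hive is deleted on every path out of an iteration.
     */
    private void analyzeRegistryFiles() {
        List<AbstractFile> allRegistryFiles = findRegistryFiles();
        String tempDirPath = RAImageIngestModule.getRATempPath(currentCase, "reg"); //NON-NLS
        String outputDirPath = RAImageIngestModule.getRAOutputPath(currentCase, "reg"); //NON-NLS

        // A null resource is legal in try-with-resources: if the index file cannot be
        // opened the hives are still processed, just without the index.
        try (FileWriter logFile = openIndexFile(outputDirPath)) {
            int j = 0;
            for (AbstractFile regFile : allRegistryFiles) {
                String regFileName = regFile.getName();
                String regFileNameLocal = tempDirPath + File.separator + regFileName;
                String outputPathBase = outputDirPath + File.separator + regFileName + "-regripper-" + Integer.toString(j++); //NON-NLS
                File regFileNameLocalFile = new File(regFileNameLocal);
                try {
                    try {
                        ContentUtils.writeToFile(regFile, regFileNameLocalFile, context::dataSourceIngestIsCancelled);
                    } catch (IOException ex) {
                        logger.log(Level.SEVERE, "Error writing the temp registry file. {0}", ex); //NON-NLS
                        this.addErrorMessage(
                                NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp",
                                        this.getName(), regFileName));
                        continue;
                    }
                    if (context.dataSourceIngestIsCancelled()) {
                        break;
                    }

                    if (logFile != null) {
                        try {
                            logFile.write(Integer.toString(j - 1) + "\t" + regFile.getUniquePath() + "\n");
                        } catch (TskCoreException | IOException ex) {
                            logger.log(Level.SEVERE, null, ex);
                        }
                    }

                    logger.log(Level.INFO, "{0}- Now getting registry information from {1}", new Object[]{moduleName, regFileNameLocal}); //NON-NLS
                    RegOutputFiles regOutputFiles = ripRegistryFile(regFileNameLocal, outputPathBase);
                    if (context.dataSourceIngestIsCancelled()) {
                        break;
                    }

                    // parse the autopsy-specific output
                    if (!regOutputFiles.autopsyPlugins.isEmpty()
                            && !parseAutopsyPluginOutput(regOutputFiles.autopsyPlugins, regFile)) {
                        this.addErrorMessage(
                                NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.failedParsingResults",
                                        this.getName(), regFileName));
                    }

                    // create a report for the full output
                    if (!regOutputFiles.fullPlugins.isEmpty()) {
                        try {
                            currentCase.addReport(regOutputFiles.fullPlugins, NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace"), "RegRipper " + regFile.getUniquePath()); //NON-NLS
                        } catch (TskCoreException e) {
                            this.addErrorMessage("Error adding regripper output as Autopsy report: " + e.getLocalizedMessage()); //NON-NLS
                        }
                    }
                } finally {
                    // the temp copy is evidence data: remove it on continue, break and normal completion alike
                    deleteTempHive(regFileNameLocalFile);
                }
            }
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Error closing the RegRipper index file.", ex); //NON-NLS
        }
    }

    /**
     * Opens regripper-info.txt in the given directory for writing.
     *
     * @return the writer, or null (after logging) if it could not be opened
     */
    private FileWriter openIndexFile(String outputDirPath) {
        try {
            return new FileWriter(outputDirPath + File.separator + "regripper-info.txt"); //NON-NLS
        } catch (IOException ex) {
            logger.log(Level.SEVERE, null, ex);
            return null;
        }
    }

    /**
     * Deletes a temp hive copy if it exists, logging a warning when the
     * deletion fails instead of silently leaving the copy behind.
     */
    private void deleteTempHive(File tempHive) {
        if (tempHive.exists() && !tempHive.delete()) {
            logger.log(Level.WARNING, "Could not delete temporary registry file {0}", tempHive.getPath()); //NON-NLS
        }
    }

    /**
     * Output file paths produced by one {@link #ripRegistryFile} call.
     * An empty string means that plugin set was not run.
     */
    private static class RegOutputFiles {

        public String autopsyPlugins = "";
        public String fullPlugins = "";
    }

    /**
     * Runs RegRipper on one hive copy, choosing the plugin sets by the hive's
     * file name. Only ntuser, system and software hives have Autopsy-specific
     * plugins; sam and security get the full set only.
     *
     * @param regFilePath     local path of the hive copy
     * @param outFilePathBase output path prefix; "-autopsy.txt"/"-full.txt" and
     *                        matching ".err.txt" files are written next to it
     * @return the output file paths produced ("" for a set that was not run,
     *         including when the hive name is not recognised)
     */
    private RegOutputFiles ripRegistryFile(String regFilePath, String outFilePathBase) {
        RegOutputFiles regOutputFiles = new RegOutputFiles();

        // Classify by file name only: matching the whole path would let a case
        // directory whose name contains e.g. "sam" misclassify a hive. Locale.ROOT
        // keeps the comparison stable under locales with special casing rules.
        String hiveName = new File(regFilePath).getName().toLowerCase(Locale.ROOT);
        String autopsyType = ""; // Type argument for rr for autopsy-specific modules
        String fullType; // Type argument for rr for full set of modules
        if (hiveName.contains("system")) { //NON-NLS
            autopsyType = "autopsysystem"; //NON-NLS
            fullType = "system"; //NON-NLS
        } else if (hiveName.contains("software")) { //NON-NLS
            autopsyType = "autopsysoftware"; //NON-NLS
            fullType = "software"; //NON-NLS
        } else if (hiveName.contains("ntuser")) { //NON-NLS
            autopsyType = "autopsyntuser"; //NON-NLS
            fullType = "ntuser"; //NON-NLS
        } else if (hiveName.contains("sam")) { //NON-NLS
            fullType = "sam"; //NON-NLS
        } else if (hiveName.contains("security")) { //NON-NLS
            fullType = "security"; //NON-NLS
        } else {
            return regOutputFiles;
        }

        // run the autopsy-specific set of modules
        if (!autopsyType.isEmpty()) {
            regOutputFiles.autopsyPlugins = outFilePathBase + "-autopsy.txt"; //NON-NLS
            String errFilePath = outFilePathBase + "-autopsy.err.txt"; //NON-NLS
            logger.log(Level.INFO, "Writing RegRipper results to: {0}", regOutputFiles.autopsyPlugins); //NON-NLS
            executeRegRipper(rrCmd, rrHome, regFilePath, autopsyType, regOutputFiles.autopsyPlugins, errFilePath);
        }
        if (context.dataSourceIngestIsCancelled()) {
            return regOutputFiles;
        }

        // run the full set of rr modules
        if (!fullType.isEmpty()) {
            regOutputFiles.fullPlugins = outFilePathBase + "-full.txt"; //NON-NLS
            String errFilePath = outFilePathBase + "-full.err.txt"; //NON-NLS
            logger.log(Level.INFO, "Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins); //NON-NLS
            executeRegRipper(rrFullCmd, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
        }
        return regOutputFiles;
    }

    /**
     * Runs one RegRipper invocation, {@code <prefix> -r <hive> -f <type>},
     * with stdout and stderr redirected to files. Arguments are passed as a
     * list, so the hive path and type are never shell-interpreted.
     *
     * @param regRipperPath    command prefix (interpreter and/or executable)
     * @param regRipperHomeDir working directory of the child process
     * @param hiveFilePath     hive to process
     * @param hiveFileType     RegRipper profile name (the -f argument)
     * @param outputFile       file receiving RegRipper's stdout
     * @param errFile          file receiving RegRipper's stderr
     */
    private void executeRegRipper(List<String> regRipperPath, Path regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
        List<String> commandLine = new ArrayList<>(regRipperPath);
        commandLine.add("-r"); //NON-NLS
        commandLine.add(hiveFilePath);
        commandLine.add("-f"); //NON-NLS
        commandLine.add(hiveFileType);
        try {
            ProcessBuilder processBuilder = new ProcessBuilder(commandLine);
            processBuilder.directory(regRipperHomeDir.toFile()); // RegRipper 2.8 has to be run from its own directory
            processBuilder.redirectOutput(new File(outputFile));
            processBuilder.redirectError(new File(errFile));
            // the terminator presumably stops the child when the ingest job is cancelled — see DataSourceIngestModuleProcessTerminator
            ExecUtil.execute(processBuilder, new DataSourceIngestModuleProcessTerminator(context));
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS
            this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
        }
    }

    /**
     * Reads the Autopsy-plugin output of RegRipper and wraps it into a single
     * XML document. The text is produced from hive content, so it is escaped
     * first and parsed with DTDs and entity expansion disabled; a DOCTYPE
     * inside the synthesized root would be a well-formedness error anyway,
     * the parser features are defence in depth.
     *
     * @throws FileNotFoundException        if the output file does not exist
     * @throws IOException                  on read failure
     * @throws SAXException                 if the wrapped text is not well-formed
     * @throws ParserConfigurationException if the parser cannot be configured securely
     */
    private static Document readRegRipperOutputAsXml(String regFilePath)
            throws IOException, SAXException, ParserConfigurationException {
        String regString;
        try (FileInputStream fstream = new FileInputStream(new File(regFilePath));
                Scanner scanner = new Scanner(fstream, "UTF-8").useDelimiter("\\Z")) { //NON-NLS
            // an empty output file has no token; treat it as an empty document rather than failing
            regString = scanner.hasNext() ? scanner.next() : "";
        }

        String result = regString.replaceAll("----------------------------------------", "");
        result = result.replaceAll("\\n", ""); //NON-NLS
        result = result.replaceAll("\\r", ""); //NON-NLS
        // '&' must be escaped before the apostrophe entity is inserted, otherwise
        // that entity is itself rewritten to "&amp;apos;" and survives into the values
        result = result.replaceAll("&", "&amp;"); //NON-NLS
        result = result.replaceAll("'", "&apos;"); //NON-NLS
        result = result.replace('\0', ' '); // NON-NLS
        String stringdoc = "<?xml version=\"1.0\"?><document>" + result + "</document>"; //NON-NLS

        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //NON-NLS
        factory.setExpandEntityReferences(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        return builder.parse(new InputSource(new StringReader(stringdoc)));
    }

    /**
     * Converts a RegRipper timestamp (see RR_TIME_FORMAT) to epoch seconds.
     * Locale.US is used because the day/month names in RegRipper output are
     * English regardless of the user's locale.
     * NOTE(review): like the original code this parses in the JVM default
     * time zone; RegRipper is believed to print UTC, so the value is offset
     * unless the JVM runs in UTC — confirm before changing.
     *
     * @param text           timestamp text
     * @param failureMessage log message used when the text does not parse
     * @return epoch seconds, or null after logging when parsing fails
     */
    private Long parseRegRipperTime(String text, String failureMessage) {
        try {
            return new SimpleDateFormat(RR_TIME_FORMAT, Locale.US).parse(text).getTime() / 1000;
        } catch (ParseException ex) {
            logger.log(Level.WARNING, failureMessage, ex);
            return null;
        }
    }

    /**
     * Returns the children of an "artifacts" node that carry attributes;
     * RegRipper marks its data nodes that way, so these are the Elements.
     */
    private static List<Element> attributeBearingElements(NodeList myartlist) {
        List<Element> elements = new ArrayList<>();
        for (int j = 0; j < myartlist.getLength(); j++) {
            Node artchild = myartlist.item(j);
            // If it has attributes, then it is an Element (based off API)
            if (artchild.hasAttributes()) {
                elements.add((Element) artchild);
            }
        }
        return elements;
    }

    /**
     * Adds the attributes to the hive's existing TSK_OS_INFO artifact, or
     * creates and indexes one if the hive has none yet, so that the
     * WinVersion, Profiler and CompName plugins all enrich a single artifact.
     */
    private void addToOsInfoArtifact(SleuthkitCase tempDb, AbstractFile regFile, Collection<BlackboardAttribute> bbattributes) {
        try {
            List<BlackboardArtifact> results = tempDb.getBlackboardArtifacts(ARTIFACT_TYPE.TSK_OS_INFO, regFile.getId());
            if (results.isEmpty()) {
                BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_INFO);
                bbart.addAttributes(bbattributes);
                // index the artifact for keyword search
                this.indexArtifact(bbart);
            } else {
                results.get(0).addAttributes(bbattributes);
            }
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Error adding os info artifact to blackboard.", ex); //NON-NLS
        }
    }

    /**
     * WinVersion plugin: product name/service pack, install date, system
     * root, product id, registered owner and organisation go onto the OS_INFO
     * artifact.
     */
    private void addWinVersionInfo(SleuthkitCase tempDb, AbstractFile regFile, NodeList myartlist, String parentModuleName) {
        String version = "";
        String systemRoot = "";
        String productId = "";
        String regOwner = "";
        String regOrg = "";
        Long installtime = null;
        for (Element artnode : attributeBearingElements(myartlist)) {
            String value = artnode.getTextContent().trim();
            String name = artnode.getAttribute("name"); //NON-NLS
            switch (name) {
                case "ProductName": //NON-NLS
                    version = value;
                    break;
                case "CSDVersion": //NON-NLS
                    // This is dependant on the fact that ProductName shows up first in the module output
                    version = version + " " + value;
                    break;
                case "SystemRoot": //NON-NLS
                    systemRoot = value;
                    break;
                case "ProductId": //NON-NLS
                    productId = value;
                    break;
                case "RegisteredOwner": //NON-NLS
                    regOwner = value;
                    break;
                case "RegisteredOrganization": //NON-NLS
                    regOrg = value;
                    break;
                case "InstallDate": //NON-NLS
                    installtime = parseRegRipperTime(value, "RegRipper::Conversion on DateTime -> "); //NON-NLS
                    break;
                default:
                    break;
            }
        }
        Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, version));
        if (installtime != null) {
            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, installtime));
        }
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, parentModuleName, systemRoot));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PRODUCT_ID, parentModuleName, productId));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_OWNER, parentModuleName, regOwner));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_ORGANIZATION, parentModuleName, regOrg));
        addToOsInfoArtifact(tempDb, regFile, bbattributes);
    }

    /**
     * Profiler plugin: OS, processor architecture and TEMP directory go onto
     * the OS_INFO artifact. PROCESSOR_IDENTIFIER is present in the output but
     * has no blackboard attribute and is ignored.
     */
    private void addProfilerInfo(SleuthkitCase tempDb, AbstractFile regFile, NodeList myartlist, String parentModuleName) {
        String os = "";
        String procArch = "";
        String tempDir = "";
        for (Element artnode : attributeBearingElements(myartlist)) {
            String value = artnode.getTextContent().trim();
            String name = artnode.getAttribute("name"); //NON-NLS
            switch (name) {
                case "OS": //NON-NLS
                    os = value;
                    break;
                case "PROCESSOR_ARCHITECTURE": //NON-NLS
                    procArch = value;
                    break;
                case "TEMP": //NON-NLS
                    tempDir = value;
                    break;
                default:
                    break;
            }
        }
        Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VERSION, parentModuleName, os));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE, parentModuleName, procArch));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TEMP_DIR, parentModuleName, tempDir));
        addToOsInfoArtifact(tempDb, regFile, bbattributes);
    }

    /**
     * CompName plugin: computer name and domain go onto the OS_INFO artifact.
     */
    private void addCompNameInfo(SleuthkitCase tempDb, AbstractFile regFile, NodeList myartlist, String parentModuleName) {
        String compName = "";
        String domain = "";
        for (Element artnode : attributeBearingElements(myartlist)) {
            String value = artnode.getTextContent().trim();
            String name = artnode.getAttribute("name"); //NON-NLS
            if (name.equals("ComputerName")) { //NON-NLS
                compName = value;
            } else if (name.equals("Domain")) { //NON-NLS
                domain = value;
            }
        }
        Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, compName));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain));
        addToOsInfoArtifact(tempDb, regFile, bbattributes);
    }

    /**
     * Handles the data types whose artifact nodes each become one artifact
     * (usb, uninstall, office, ProfileList, NtuserNetwork). Types that are
     * deliberately ignored are listed explicitly; anything else is logged.
     *
     * @param regFile          hive the artifacts are attached to
     * @param myartlist        children of the "artifacts" node
     * @param dataType         name of the enclosing data node
     * @param mtime            key-level mtime in epoch seconds, or null
     * @param parentModuleName module name recorded on each attribute
     * @param usbBBartifacts   receives every TSK_DEVICE_ATTACHED artifact created
     */
    private void addPerItemArtifacts(AbstractFile regFile, NodeList myartlist, String dataType, Long mtime,
            String parentModuleName, Collection<BlackboardArtifact> usbBBartifacts) {
        for (Element artnode : attributeBearingElements(myartlist)) {
            String value = artnode.getTextContent().trim();
            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

            switch (dataType) {
                case "recentdocs": //NON-NLS
                    // Not turned into TSK_RECENT_OBJECT artifacts. @@@ BC: Why are we ignoring this...
                    break;

                case "usb": { //NON-NLS
                    long usbMtime;
                    try {
                        usbMtime = Long.parseLong(artnode.getAttribute("mtime")); //NON-NLS
                    } catch (NumberFormatException ex) {
                        // a malformed attribute skips this node only; it must not abort the whole hive
                        logger.log(Level.WARNING, "Skipping usb node with non-numeric mtime: {0}", artnode.getAttribute("mtime")); //NON-NLS
                        break;
                    }
                    try {
                        BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, usbMtime));
                        String dev = artnode.getAttribute("dev"); //NON-NLS
                        String make = "";
                        String model = dev;
                        // only device strings carrying a vendor id can be resolved through the USB id mapper
                        if (dev.toLowerCase(Locale.ROOT).contains("vid")) { //NON-NLS
                            USBInfo info = USB_MAPPER.parseAndLookup(dev);
                            if (info.getVendor() != null) {
                                make = info.getVendor();
                            }
                            if (info.getProduct() != null) {
                                model = info.getProduct();
                            }
                        }
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MAKE, parentModuleName, make));
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL, parentModuleName, model));
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID, parentModuleName, value));
                        bbart.addAttributes(bbattributes);

                        // index the artifact for keyword search
                        this.indexArtifact(bbart);
                        // add to collection for ModuleDataEvent
                        usbBBartifacts.add(bbart);
                    } catch (TskCoreException ex) {
                        logger.log(Level.SEVERE, "Error adding device attached artifact to blackboard.", ex); //NON-NLS
                    }
                    break;
                }

                case "uninstall": { //NON-NLS
                    Long itemMtime = parseRegRipperTime(artnode.getAttribute("mtime"), //NON-NLS
                            "Failed to parse epoch time for installed program artifact."); //NON-NLS
                    try {
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
                        // Same guard as InstallDate above: the long-valued attribute cannot take a null time
                        if (itemMtime != null) {
                            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
                        }
                        BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_INSTALLED_PROG);
                        bbart.addAttributes(bbattributes);

                        // index the artifact for keyword search
                        this.indexArtifact(bbart);
                    } catch (TskCoreException ex) {
                        logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS
                    }
                    break;
                }

                case "office": { //NON-NLS
                    String officeName = artnode.getAttribute("name"); //NON-NLS
                    try {
                        BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
                        // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
                        if (mtime != null) {
                            bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName, mtime));
                        }
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, officeName));
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value));
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName()));
                        bbart.addAttributes(bbattributes);

                        // index the artifact for keyword search
                        this.indexArtifact(bbart);
                    } catch (TskCoreException ex) {
                        logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS
                    }
                    break;
                }

                case "ProcessorArchitecture": //NON-NLS
                    // Architecture is now included under Profiler
                    break;

                case "ProfileList": { //NON-NLS
                    try {
                        String homeDir = value;
                        String sid = artnode.getAttribute("sid"); //NON-NLS
                        String username = artnode.getAttribute("username"); //NON-NLS
                        BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT);
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,
                                parentModuleName, username));
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_ID,
                                parentModuleName, sid));
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
                                parentModuleName, homeDir));
                        bbart.addAttributes(bbattributes);

                        // index the artifact for keyword search
                        this.indexArtifact(bbart);
                    } catch (TskCoreException ex) {
                        logger.log(Level.SEVERE, "Error adding account artifact to blackboard.", ex); //NON-NLS
                    }
                    break;
                }

                case "NtuserNetwork": { //NON-NLS
                    try {
                        String localPath = artnode.getAttribute("localPath"); //NON-NLS
                        String remoteName = value;
                        BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE);
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH,
                                parentModuleName, localPath));
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH,
                                parentModuleName, remoteName));
                        bbart.addAttributes(bbattributes);

                        // index the artifact for keyword search
                        this.indexArtifact(bbart);
                    } catch (TskCoreException ex) {
                        logger.log(Level.SEVERE, "Error adding network artifact to blackboard.", ex); //NON-NLS
                    }
                    break;
                }

                case "shellfolders": //NON-NLS
                    // The User Shell Folders subkey stores the paths to Windows Explorer folders for the current user of the computer
                    // (https://technet.microsoft.com/en-us/library/Cc962613.aspx).
                    // No useful information. Skip.
                    break;

                default:
                    logger.log(Level.WARNING, "Unrecognized node name: {0}", dataType); //NON-NLS
                    break;
            }
        }
    }

    // @@@ VERIFY that we are doing the right thing when we parse multiple NTUSER.DAT
    /**
     * Parses the Autopsy-plugin output of RegRipper for one hive into
     * blackboard artifacts. Each top-level data node is dispatched by name;
     * nodes without an "artifacts" child are skipped. USB artifacts are
     * announced in a single ModuleDataEvent once the whole file is processed.
     *
     * @param regFilePath path of the RegRipper output file
     * @param regFile     hive the artifacts are attached to
     * @return true if the file was read and parsed (individual node failures
     *         are logged and do not make this false); false if the file could
     *         not be read, parsed, or the parser could not be configured
     */
    private boolean parseAutopsyPluginOutput(String regFilePath, AbstractFile regFile) {
        try {
            SleuthkitCase tempDb = currentCase.getSleuthkitCase();
            Document doc = readRegRipperOutputAsXml(regFilePath);
            String parentModuleName = NbBundle.getMessage(this.getClass(), "ExtractRegistry.parentModuleName.noSpace");

            // Add all "usb" dataType nodes to collection of BlackboardArtifacts
            // that we will submit in a ModuleDataEvent for additional processing.
            Collection<BlackboardArtifact> usbBBartifacts = new ArrayList<>();

            // cycle through the elements in the doc
            NodeList children = doc.getDocumentElement().getChildNodes();
            int len = children.getLength();
            for (int i = 0; i < len; i++) {
                Node child = children.item(i);
                if (child.getNodeType() != Node.ELEMENT_NODE) {
                    // stray text between plugin blocks is not a data node and would not cast to Element
                    continue;
                }
                Element tempnode = (Element) child;
                String dataType = tempnode.getNodeName();

                // key-level mtime, optional; only the "office" handler uses it
                Long mtime = null;
                NodeList timenodes = tempnode.getElementsByTagName("mtime"); //NON-NLS
                if (timenodes.getLength() > 0) {
                    mtime = parseRegRipperTime(timenodes.item(0).getTextContent(),
                            "Failed to parse epoch time when parsing the registry."); //NON-NLS
                }

                NodeList artroots = tempnode.getElementsByTagName("artifacts"); //NON-NLS
                if (artroots.getLength() == 0) {
                    // If there isn't an artifact node, skip this entry
                    continue;
                }
                NodeList myartlist = artroots.item(0).getChildNodes();

                // WinVersion, Profiler and CompName all feed one OS_INFO artifact; the rest create one artifact per node
                switch (dataType) {
                    case "WinVersion": //NON-NLS
                        addWinVersionInfo(tempDb, regFile, myartlist, parentModuleName);
                        break;
                    case "Profiler": //NON-NLS
                        addProfilerInfo(tempDb, regFile, myartlist, parentModuleName);
                        break;
                    case "CompName": //NON-NLS
                        addCompNameInfo(tempDb, regFile, myartlist, parentModuleName);
                        break;
                    default:
                        addPerItemArtifacts(regFile, myartlist, dataType, mtime, parentModuleName, usbBBartifacts);
                        break;
                }
            }
            if (!usbBBartifacts.isEmpty()) {
                IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED, usbBBartifacts));
            }
            return true;
        } catch (FileNotFoundException ex) {
            logger.log(Level.SEVERE, "Error finding the registry file.", ex); //NON-NLS
        } catch (SAXException ex) {
            logger.log(Level.SEVERE, "Error parsing the registry XML: {0}", ex); //NON-NLS
        } catch (IOException ex) {
            logger.log(Level.SEVERE, "Error building the document parser: {0}", ex); //NON-NLS
        } catch (ParserConfigurationException ex) {
            logger.log(Level.SEVERE, "Error configuring the registry parser: {0}", ex); //NON-NLS
        }
        return false;
    }

    /**
     * Ingest entry point: records the data source and job context, then
     * processes every registry hive of the data source.
     *
     * @param dataSource data source being ingested
     * @param context    job context, used for cancellation checks
     */
    @Override
    public void process(Content dataSource, IngestJobContext context) {
        this.dataSource = dataSource;
        this.context = context;
        analyzeRegistryFiles();
    }
}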
