Autopsy  4.6.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
EncryptionDetectionDataSourceIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.encryptiondetection;
20 
21 import java.io.IOException;
22 import java.util.Collections;
23 import java.util.List;
24 import java.util.logging.Level;
30 import org.sleuthkit.datamodel.Content;
31 import org.sleuthkit.datamodel.TskCoreException;
38 import org.sleuthkit.datamodel.BlackboardArtifact;
39 import org.sleuthkit.datamodel.Image;
40 import org.sleuthkit.datamodel.ReadContentInputStream;
41 import org.sleuthkit.datamodel.Volume;
42 import org.sleuthkit.datamodel.VolumeSystem;
43 
47 final class EncryptionDetectionDataSourceIngestModule implements DataSourceIngestModule {
48 
49  private final IngestServices services = IngestServices.getInstance();
50  private final Logger logger = services.getLogger(EncryptionDetectionModuleFactory.getModuleName());
51  private Blackboard blackboard;
52  private double calculatedEntropy;
53  private final double minimumEntropy;
54 
61  EncryptionDetectionDataSourceIngestModule(EncryptionDetectionIngestJobSettings settings) {
62  minimumEntropy = settings.getMinimumEntropy();
63  }
64 
65  @Override
66  public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
67  try {
68  validateSettings();
69  blackboard = Case.getOpenCase().getServices().getBlackboard();
70  } catch (NoCurrentCaseException ex) {
71  throw new IngestModule.IngestModuleException("Exception while getting open case.", ex);
72  }
73  }
74 
75  @Override
76  public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
77 
78  try {
79  if (dataSource instanceof Image) {
80  List<VolumeSystem> volumeSystems = ((Image) dataSource).getVolumeSystems();
81  for (VolumeSystem volumeSystem : volumeSystems) {
82  for (Volume volume : volumeSystem.getVolumes()) {
83  if (isVolumeEncrypted(volume)) {
84  return flagVolume(volume);
85  }
86  }
87  }
88  }
89  } catch (ReadContentInputStream.ReadContentInputStreamException ex) {
90  logger.log(Level.WARNING, String.format("Unable to read data source '%s'", dataSource.getName()), ex);
92  } catch (IOException | TskCoreException ex) {
93  logger.log(Level.SEVERE, String.format("Unable to process data source '%s'", dataSource.getName()), ex);
95  }
96 
98  }
99 
108  private void validateSettings() throws IngestModule.IngestModuleException {
109  EncryptionDetectionTools.validateMinEntropyValue(minimumEntropy);
110  }
111 
120  private IngestModule.ProcessResult flagVolume(Volume volume) {
121  try {
122  BlackboardArtifact artifact = volume.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED);
123 
124  try {
125  /*
126  * Index the artifact for keyword search.
127  */
128  blackboard.indexArtifact(artifact);
129  } catch (Blackboard.BlackboardException ex) {
130  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
131  }
132 
133  /*
134  * Send an event to update the view with the new result.
135  */
136  services.fireModuleDataEvent(new ModuleDataEvent(EncryptionDetectionModuleFactory.getModuleName(), BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED, Collections.singletonList(artifact)));
137 
138  /*
139  * Make an ingest inbox message.
140  */
141  StringBuilder detailsSb = new StringBuilder("");
142  detailsSb.append("File: ").append(volume.getParent().getUniquePath()).append(volume.getName()).append("<br/>\n");
143  detailsSb.append("Entropy: ").append(calculatedEntropy);
144 
146  "Encryption Detected Match: " + volume.getName(),
147  detailsSb.toString(),
148  volume.getName(),
149  artifact));
150 
152  } catch (TskCoreException ex) {
153  logger.log(Level.SEVERE, String.format("Failed to create blackboard artifact for '%s'.", volume.getName()), ex); //NON-NLS
155  }
156  }
157 
166  private boolean isVolumeEncrypted(Volume volume) throws ReadContentInputStream.ReadContentInputStreamException, IOException, TskCoreException {
167  /*
168  * Criteria for the checks in this method are partially based on
169  * http://www.forensicswiki.org/wiki/TrueCrypt#Detection
170  */
171  if (volume.getFileSystems().isEmpty()) {
172  calculatedEntropy = EncryptionDetectionTools.calculateEntropy(volume);
173  if (calculatedEntropy >= minimumEntropy) {
174  return true;
175  }
176  }
177  return false;
178  }
179 }
static IngestMessage createDataMessage(String source, String subject, String detailsHtml, String uniqueKey, BlackboardArtifact data)
Logger getLogger(String moduleDisplayName)
void postMessage(final IngestMessage message)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
synchronized void indexArtifact(BlackboardArtifact artifact)
Definition: Blackboard.java:59
static synchronized IngestServices getInstance()

Copyright © 2012-2016 Basis Technology. Generated on: Mon May 7 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.