Autopsy  4.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
CacheLocationAnalyzer.java
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.android;
20 
21 import java.io.File;
22 import java.io.FileInputStream;
23 import java.io.InputStream;
24 import java.math.BigInteger;
25 import java.nio.ByteBuffer;
26 import java.util.List;
27 import java.util.logging.Level;
28 
29 import org.openide.util.NbBundle;
36 import org.sleuthkit.datamodel.AbstractFile;
37 import org.sleuthkit.datamodel.BlackboardArtifact;
38 import org.sleuthkit.datamodel.BlackboardAttribute;
39 import org.sleuthkit.datamodel.Content;
40 import org.sleuthkit.datamodel.TskCoreException;
41 
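/**
 * Finds Android cached-location files ({@code cache.cell} and {@code cache.wifi}) in a data
 * source and posts each decodable entry to the blackboard as a GPS trackpoint artifact.
 *
 * <p>The files are copied out of the evidence being examined, so their contents are untrusted
 * input: the declared entry count and every field length must be backed by bytes that are
 * actually present before a value is decoded and recorded as a finding.
 */
class CacheLocationAnalyzer {

    private static final String moduleName = AndroidModuleFactory.getModuleName();
    private static final Logger logger = Logger.getLogger(CacheLocationAnalyzer.class.getName());
    // NOTE(review): static and reassigned on every findGeoLocations() call without
    // synchronization; confirm callers never run this analyzer concurrently.
    private static Blackboard blackboard;

    /**
     * Searches the data source for cached-location files and parses each non-empty one.
     *
     * <p>A failure on one file is logged and does not stop the remaining files from being
     * processed.
     *
     * @param dataSource  the data source to search
     * @param fileManager the file manager used to look the files up by name
     */
    public static void findGeoLocations(Content dataSource, FileManager fileManager) {

        blackboard = Case.getCurrentCase().getServices().getBlackboard();
        try {
            List<AbstractFile> abstractFiles = fileManager.findFiles(dataSource, "cache.cell"); //NON-NLS
            abstractFiles.addAll(fileManager.findFiles(dataSource, "cache.wifi")); //NON-NLS

            for (AbstractFile abstractFile : abstractFiles) {
                try {
                    if (abstractFile.getSize() == 0) {
                        continue;
                    }
                    // NOTE(review): the temp copy is named only after the evidence file, so two
                    // matches with the same name share one path, and the copy (which holds
                    // location history) is not removed here. The name is also what ends up in
                    // the TSK_PROG_NAME attribute, so changing it changes reported output.
                    File jFile = new File(Case.getCurrentCase().getTempDirectory(), abstractFile.getName());
                    ContentUtils.writeToFile(abstractFile, jFile);

                    findGeoLocationsInFile(jFile, abstractFile);
                } catch (Exception e) {
                    // Boundary catch: one unreadable file must not abort the whole search.
                    logger.log(Level.SEVERE, "Error parsing cached Location files", e); //NON-NLS
                }
            }
        } catch (TskCoreException e) {
            logger.log(Level.SEVERE, "Error finding cached Location files", e); //NON-NLS
        }
    }

    /**
     * Parses one cached-location file and creates a trackpoint artifact per usable entry.
     *
     * <p>Layout as read by this parser: a 2-byte version, a 2-byte entry count, then per entry
     * a 2-byte field, a variable run of bytes ending in a zero byte, a 3-byte accuracy, a
     * 4-byte confidence, an 8-byte latitude, an 8-byte longitude and an 8-byte timestamp.
     * Entries whose accuracy is not positive are skipped.
     *
     * <p>Every read is checked for completeness. If the file ends before the declared number
     * of entries has been read, parsing stops with a warning; artifacts already created for
     * earlier, complete entries are kept.
     *
     * @param file the local temp copy to read from
     * @param f    the evidence file the artifacts are attached to
     */
    private static void findGeoLocationsInFile(File file, AbstractFile f) {
        // try-with-resources: the stream is closed on every exit path, including exceptions.
        try (InputStream inputStream = new FileInputStream(file)) {

            readFully(inputStream, 2); // version, not used

            // Entry count is a signed 2-byte value, so a hostile file can declare at most
            // 32767 entries; a negative count simply skips the loop.
            int iterations = new BigInteger(readFully(inputStream, 2)).intValue();

            for (int i = 0; i < iterations; i++) { //loop through every entry
                readFully(inputStream, 2);

                // Pass over the unimportant bytes up to and including the zero byte that
                // precedes accuracy (around 7-10 bytes).
                int skipped;
                do {
                    skipped = inputStream.read();
                    if (skipped < 0) {
                        throw new java.io.EOFException("Stream ended inside entry " + i); //NON-NLS
                    }
                } while (skipped != 0);

                int accuracy = new BigInteger(readFully(inputStream, 3)).intValue();
                if (accuracy <= 0) { //This refers to a location that could not be calculated.
                    readFully(inputStream, 28); //read rest of the row's bytes (4 + 8 + 8 + 8)
                    continue;
                }

                readFully(inputStream, 4); // confidence; decoded past but not stored for now

                // NOTE(review): latitude/longitude are recorded exactly as decoded; no range
                // or NaN check is applied, so a corrupt entry yields an implausible point.
                double latitude = toDouble(readFully(inputStream, 8));
                double longitude = toDouble(readFully(inputStream, 8));

                // presumably milliseconds converted to seconds; confirm against the format
                long timestamp = new BigInteger(readFully(inputStream, 8)).longValue() / 1000;

                BlackboardArtifact bba = f.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT);
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE, moduleName, latitude));
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE, moduleName, longitude));
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, moduleName, timestamp));
                bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, moduleName,
                        NbBundle.getMessage(CacheLocationAnalyzer.class,
                                "CacheLocationAnalyzer.bbAttribute.fileLocationHistory",
                                file.getName())));

                // Accuracy and confidence are not stored as attributes for now.

                try {
                    // index the artifact for keyword search
                    blackboard.indexArtifact(bba);
                } catch (Blackboard.BlackboardException ex) {
                    logger.log(Level.SEVERE, NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.error.msg", bba.getDisplayName()), ex); //NON-NLS
                    MessageNotifyUtil.Notify.error(
                            NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.exception.msg"), bba.getDisplayName());
                }
            }

        } catch (java.io.EOFException e) {
            // Truncated or malformed evidence is expected input, not a program fault.
            logger.log(Level.WARNING, "Cached GPS location file ended before all declared entries were read", e); //NON-NLS
        } catch (Exception e) {
            logger.log(Level.SEVERE, "Error parsing Cached GPS locations to Blackboard", e); //NON-NLS
        }
    }

    /**
     * Reads exactly {@code length} bytes, looping over short reads.
     *
     * @param in     the stream to read from
     * @param length the number of bytes required
     * @return a new array holding the bytes read
     * @throws java.io.EOFException if the stream ends before {@code length} bytes are read
     * @throws java.io.IOException  if the underlying read fails
     */
    private static byte[] readFully(InputStream in, int length) throws java.io.IOException {
        byte[] buffer = new byte[length];
        int filled = 0;
        while (filled < length) {
            int count = in.read(buffer, filled, length - filled);
            if (count < 0) {
                throw new java.io.EOFException(
                        "Expected " + length + " bytes but stream ended after " + filled); //NON-NLS
            }
            filled += count;
        }
        return buffer;
    }

    /**
     * Decodes the first 8 bytes of the array as a {@code double} in ByteBuffer's default
     * (big-endian) byte order.
     *
     * @param bytes at least 8 bytes
     * @return the decoded value
     */
    private static double toDouble(byte[] bytes) {
        return ByteBuffer.wrap(bytes).getDouble();
    }
}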

Copyright © 2012-2015 Basis Technology. Generated on: Wed Apr 6 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.