Autopsy  4.11.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
ExtractZoneIdentifier.java
Go to the documentation of this file.
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2019 Basis Technology Corp.
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.recentactivity;
20 
21 import java.io.FileNotFoundException;
22 import java.io.IOException;
23 import java.util.ArrayList;
24 import java.util.Arrays;
25 import java.util.Collection;
26 import java.util.HashSet;
27 import java.util.List;
28 import java.util.Properties;
29 import java.util.Set;
30 import java.util.logging.Level;
31 import org.apache.commons.lang3.StringUtils;
32 import org.openide.util.NbBundle.Messages;
33 import org.sleuthkit.autopsy.coreutils.Logger;
34 import org.sleuthkit.autopsy.coreutils.NetworkUtils;
35 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
36 import org.sleuthkit.autopsy.ingest.IngestJobContext;
37 import org.sleuthkit.autopsy.ingest.IngestServices;
38 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.BlackboardArtifact;
41 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE;
42 import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD;
43 import org.sleuthkit.datamodel.BlackboardAttribute;
44 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN;
45 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION;
46 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID;
47 import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL;
48 import org.sleuthkit.datamodel.Content;
49 import org.sleuthkit.datamodel.ReadContentInputStream;
50 import org.sleuthkit.datamodel.TskCoreException;
51 
57 final class ExtractZoneIdentifier extends Extract {
58 
59  private static final Logger LOG = Logger.getLogger(ExtractEdge.class.getName());
60 
61  private static final String ZONE_IDENTIFIER_FILE = "%:Zone.Identifier"; //NON-NLS
62  private static final String ZONE_IDENTIFIER = ":Zone.Identifier"; //NON-NLS
63 
64  @Messages({
65  "ExtractZone_process_errMsg_find=A failure occured while searching for :Zone.Indentifier files.",
66  "ExtractZone_process_errMsg=An error occured processing ':Zone.Indentifier' files.",
67  "ExtractZone_progress_Msg=Extracting :Zone.Identifer files"
68  })
69 
70  @Override
71  void process(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar) {
72 
73  progressBar.progress(Bundle.ExtractZone_progress_Msg());
74 
75  List<AbstractFile> zoneFiles = null;
76  try {
77  zoneFiles = currentCase.getServices().getFileManager().findFiles(dataSource, ZONE_IDENTIFIER_FILE);
78  } catch (TskCoreException ex) {
79  addErrorMessage(Bundle.ExtractZone_process_errMsg_find());
80  LOG.log(Level.SEVERE, "Unable to find zone identifier files, exception thrown. ", ex); // NON-NLS
81  }
82 
83  if (zoneFiles == null || zoneFiles.isEmpty()) {
84  return;
85  }
86 
87  Set<Long> knownPathIDs = null;
88  try {
89  knownPathIDs = getPathIDsForType(TSK_WEB_DOWNLOAD);
90  } catch (TskCoreException ex) {
91  addErrorMessage(Bundle.ExtractZone_process_errMsg());
92  LOG.log(Level.SEVERE, "Failed to build PathIDs List for TSK_WEB_DOWNLOAD", ex); // NON-NLS
93  }
94 
95  if (knownPathIDs == null) {
96  return;
97  }
98 
99  Collection<BlackboardArtifact> sourceArtifacts = new ArrayList<>();
100  Collection<BlackboardArtifact> downloadArtifacts = new ArrayList<>();
101 
102  for (AbstractFile zoneFile : zoneFiles) {
103 
104  if (context.dataSourceIngestIsCancelled()) {
105  return;
106  }
107 
108  try {
109  processZoneFile(context, dataSource, zoneFile, sourceArtifacts, downloadArtifacts, knownPathIDs);
110  } catch (TskCoreException ex) {
111  addErrorMessage(Bundle.ExtractZone_process_errMsg());
112  String message = String.format("Failed to process zone identifier file %s", zoneFile.getName()); //NON-NLS
113  LOG.log(Level.WARNING, message, ex);
114  }
115  }
116 
117  IngestServices services = IngestServices.getInstance();
118 
119  if (!sourceArtifacts.isEmpty()) {
120  services.fireModuleDataEvent(new ModuleDataEvent(
121  RecentActivityExtracterModuleFactory.getModuleName(),
122  TSK_DOWNLOAD_SOURCE, sourceArtifacts));
123  }
124 
125  if (!downloadArtifacts.isEmpty()) {
126  services.fireModuleDataEvent(new ModuleDataEvent(
127  RecentActivityExtracterModuleFactory.getModuleName(),
128  TSK_WEB_DOWNLOAD, downloadArtifacts));
129  }
130  }
131 
143  private void processZoneFile(IngestJobContext context, Content dataSource,
144  AbstractFile zoneFile, Collection<BlackboardArtifact> sourceArtifacts,
145  Collection<BlackboardArtifact> downloadArtifacts,
146  Set<Long> knownPathIDs) throws TskCoreException {
147 
148  ZoneIdentifierInfo zoneInfo = null;
149 
150  try {
151  zoneInfo = new ZoneIdentifierInfo(zoneFile);
152  } catch (IOException ex) {
153  String message = String.format("Unable to parse temporary File for %s", zoneFile.getName()); //NON-NLS
154  LOG.log(Level.WARNING, message, ex);
155  }
156 
157  if (zoneInfo == null) {
158  return;
159  }
160 
161  AbstractFile downloadFile = getDownloadFile(dataSource, zoneFile);
162 
163  if (downloadFile != null) {
164  // Only create a new TSK_WEB_DOWNLOAD artifact if one does not exist for downloadFile
165  if (!knownPathIDs.contains(downloadFile.getDataSourceObjectId())) {
166  // The zone identifier file is the parent of this artifact
167  // because it is the file we parsed to get the data
168  BlackboardArtifact downloadBba = createDownloadArtifact(zoneFile, zoneInfo);
169  if (downloadBba != null) {
170  downloadArtifacts.add(downloadBba);
171  }
172  }
173 
174  // check if download has a child TSK_DOWNLOAD_SOURCE artifact, if not create one
175  if (downloadFile.getArtifactsCount(TSK_DOWNLOAD_SOURCE) == 0) {
176  BlackboardArtifact sourceBba = createDownloadSourceArtifact(downloadFile, zoneInfo);
177  if (sourceBba != null) {
178  sourceArtifacts.add(sourceBba);
179  }
180  }
181  }
182  }
183 
194  private AbstractFile getDownloadFile(Content dataSource, AbstractFile zoneFile) throws TskCoreException {
195  AbstractFile downloadFile = null;
196 
197  org.sleuthkit.autopsy.casemodule.services.FileManager fileManager
198  = currentCase.getServices().getFileManager();
199 
200  String downloadFileName = zoneFile.getName().replace(ZONE_IDENTIFIER, ""); //NON-NLS
201 
202  List<AbstractFile> fileList = fileManager.findFiles(dataSource, downloadFileName, zoneFile.getParentPath());
203 
204  if (fileList.size() == 1) {
205  downloadFile = fileList.get(0);
206 
207  // Check that the download file and the zone file came from the same dir
208  if (!downloadFile.getParentPath().equals(zoneFile.getParentPath())) {
209  downloadFile = null;
210  } else if (zoneFile.getMetaAddr() != downloadFile.getMetaAddr()) {
211  downloadFile = null;
212  }
213  }
214 
215  return downloadFile;
216  }
217 
228  private BlackboardArtifact createDownloadSourceArtifact(AbstractFile downloadFile, ZoneIdentifierInfo zoneInfo) {
229 
230  Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
231 
232  bbattributes.addAll(Arrays.asList(
233  new BlackboardAttribute(TSK_URL,
234  RecentActivityExtracterModuleFactory.getModuleName(),
235  StringUtils.defaultString(zoneInfo.getURL(), "")),
236 
237  new BlackboardAttribute(TSK_DOMAIN,
238  RecentActivityExtracterModuleFactory.getModuleName(),
239  (zoneInfo.getURL() != null) ? NetworkUtils.extractDomain(zoneInfo.getURL()) : ""),
240 
241  new BlackboardAttribute(TSK_LOCATION,
242  RecentActivityExtracterModuleFactory.getModuleName(),
243  StringUtils.defaultString(zoneInfo.getZoneIdAsString(), "")))); //NON-NLS
244 
245  return addArtifact(TSK_DOWNLOAD_SOURCE, downloadFile, bbattributes);
246  }
247 
256  private BlackboardArtifact createDownloadArtifact(AbstractFile zoneFile, ZoneIdentifierInfo zoneInfo) {
257 
258  Collection<BlackboardAttribute> bbattributes = createDownloadAttributes(
259  null, null,
260  zoneInfo.getURL(), null,
261  (zoneInfo.getURL() != null ? NetworkUtils.extractDomain(zoneInfo.getURL()) : ""),
262  null);
263  return addArtifact(TSK_WEB_DOWNLOAD, zoneFile, bbattributes);
264  }
265 
275  private Set<Long> getPathIDsForType(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
276  Set<Long> idList = new HashSet<>();
277  for (BlackboardArtifact artifact : currentCase.getSleuthkitCase().getBlackboardArtifacts(type)) {
278  BlackboardAttribute pathIDAttribute = artifact.getAttribute(new BlackboardAttribute.Type(TSK_PATH_ID));
279 
280  if (pathIDAttribute != null) {
281  long contentID = pathIDAttribute.getValueLong();
282  if (contentID != -1) {
283  idList.add(contentID);
284  }
285  }
286  }
287  return idList;
288  }
289 
290  @Messages({
291  "ExtractZone_Local_Machine=Local Machine Zone",
292  "ExtractZone_Local_Intranet=Local Intranet Zone",
293  "ExtractZone_Trusted=Trusted Sites Zone",
294  "ExtractZone_Internet=Internet Zone",
295  "ExtractZone_Restricted=Restricted Sites Zone"
296  })
297 
306  private final static class ZoneIdentifierInfo {
307 
308  private static final String ZONE_ID = "ZoneId"; //NON-NLS
309  private static final String REFERRER_URL = "ReferrerUrl"; //NON-NLS
310  private static final String HOST_URL = "HostUrl"; //NON-NLS
311  private static final String FAMILY_NAME = "LastWriterPackageFamilyName"; //NON-NLS
312 
313  private final Properties properties = new Properties(null);
314 
324  ZoneIdentifierInfo(AbstractFile zoneFile) throws IOException {
325  properties.load(new ReadContentInputStream(zoneFile));
326  }
327 
333  private int getZoneId() {
334  int zoneValue = -1;
335  String value = properties.getProperty(ZONE_ID);
336  if (value != null) {
337  zoneValue = Integer.parseInt(value);
338  }
339 
340  return zoneValue;
341  }
342 
348  private String getZoneIdAsString() {
349  switch (getZoneId()) {
350  case 0:
351  return Bundle.ExtractZone_Local_Machine();
352  case 1:
353  return Bundle.ExtractZone_Local_Intranet();
354  case 2:
355  return Bundle.ExtractZone_Trusted();
356  case 3:
357  return Bundle.ExtractZone_Internet();
358  case 4:
359  return Bundle.ExtractZone_Restricted();
360  default:
361  return null;
362  }
363  }
364 
370  private String getURL() {
371  return properties.getProperty(HOST_URL);
372  }
373 
379  private String getReferrer() {
380  return properties.getProperty(REFERRER_URL);
381  }
382 
388  private String getFamilyName() {
389  return properties.getProperty(FAMILY_NAME);
390  }
391  }
392 
393 }
org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles
synchronized List< AbstractFile > findFiles(String fileName)
Definition: FileManager.java:165

Copyright © 2012-2018 Basis Technology. Generated on: Fri Jun 21 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.