19 package org.sleuthkit.autopsy.recentactivity;
21 import com.dd.plist.NSArray;
22 import com.dd.plist.NSDate;
23 import com.dd.plist.NSDictionary;
24 import com.dd.plist.NSObject;
25 import com.dd.plist.NSString;
26 import com.dd.plist.PropertyListFormatException;
27 import com.dd.plist.PropertyListParser;
29 import java.io.IOException;
30 import java.nio.file.Path;
31 import java.nio.file.Paths;
32 import java.text.ParseException;
33 import java.util.ArrayList;
34 import java.util.Collection;
35 import java.util.HashMap;
36 import java.util.Iterator;
37 import java.util.List;
38 import java.util.logging.Level;
39 import javax.xml.parsers.ParserConfigurationException;
40 import org.apache.commons.io.FilenameUtils;
41 import org.openide.util.NbBundle.Messages;
55 import org.xml.sax.SAXException;
61 final class ExtractSafari
extends Extract {
63 private final IngestServices services = IngestServices.getInstance();
66 private static final String HISTORY_QUERY =
"SELECT url, title, visit_time + 978307200 as time FROM 'history_items' JOIN history_visits ON history_item = history_items.id;";
68 private static final String HISTORY_FILE_NAME =
"History.db";
69 private static final String BOOKMARK_FILE_NAME =
"Bookmarks.plist";
70 private static final String DOWNLOAD_FILE_NAME =
"Downloads.plist";
71 private static final String COOKIE_FILE_NAME =
"Cookies.binarycookies";
72 private static final String COOKIE_FOLDER =
"Cookies";
73 private static final String SAFARI_FOLDER =
"Safari";
75 private static final String HEAD_URL =
"url";
76 private static final String HEAD_TITLE =
"title";
77 private static final String HEAD_TIME =
"time";
79 private static final String PLIST_KEY_CHILDREN =
"Children";
80 private static final String PLIST_KEY_URL =
"URLString";
81 private static final String PLIST_KEY_URI =
"URIDictionary";
82 private static final String PLIST_KEY_TITLE =
"title";
83 private static final String PLIST_KEY_DOWNLOAD_URL =
"DownloadEntryURL";
84 private static final String PLIST_KEY_DOWNLOAD_DATE =
"DownloadEntryDateAddedKey";
85 private static final String PLIST_KEY_DOWNLOAD_PATH =
"DownloadEntryPath";
86 private static final String PLIST_KEY_DOWNLOAD_HISTORY =
"DownloadHistory";
88 private static final Logger LOG = Logger.getLogger(ExtractSafari.class.getName());
91 "ExtractSafari_Module_Name=Safari",
92 "ExtractSafari_Error_Getting_History=An error occurred while processing Safari history files.",
93 "ExtractSafari_Error_Parsing_Bookmark=An error occured while processing Safari Bookmark files",
94 "ExtractSafari_Error_Parsing_Cookies=An error occured while processing Safari Cookies files",
95 "Progress_Message_Safari_History=Safari History",
96 "Progress_Message_Safari_Bookmarks=Safari Bookmarks",
97 "Progress_Message_Safari_Cookies=Safari Cookies",
98 "Progress_Message_Safari_Downloads=Safari Downloads",
110 protected String getName() {
111 return Bundle.ExtractSafari_Module_Name();
115 void process(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar) {
118 progressBar.progress(Bundle.Progress_Message_Safari_Cookies());
120 processHistoryDB(dataSource, context);
122 }
catch (IOException | TskCoreException ex) {
123 this.addErrorMessage(Bundle.ExtractSafari_Error_Getting_History());
124 LOG.log(Level.SEVERE,
"Exception thrown while processing history file.", ex);
127 progressBar.progress(Bundle.Progress_Message_Safari_Bookmarks());
129 processBookmarkPList(dataSource, context);
130 }
catch (IOException | TskCoreException | SAXException | PropertyListFormatException | ParseException | ParserConfigurationException ex) {
131 this.addErrorMessage(Bundle.ExtractSafari_Error_Parsing_Bookmark());
132 LOG.log(Level.SEVERE,
"Exception thrown while parsing Safari Bookmarks file.", ex);
135 progressBar.progress(Bundle.Progress_Message_Safari_Downloads());
137 processDownloadsPList(dataSource, context);
138 }
catch (IOException | TskCoreException | SAXException | PropertyListFormatException | ParseException | ParserConfigurationException ex) {
139 this.addErrorMessage(Bundle.ExtractSafari_Error_Parsing_Bookmark());
140 LOG.log(Level.SEVERE,
"Exception thrown while parsing Safari Download.plist file.", ex);
143 progressBar.progress(Bundle.Progress_Message_Safari_Cookies());
145 processBinaryCookieFile(dataSource, context);
146 }
catch (TskCoreException ex) {
147 this.addErrorMessage(Bundle.ExtractSafari_Error_Parsing_Cookies());
148 LOG.log(Level.SEVERE,
"Exception thrown while processing Safari cookies file.", ex);
159 private void processHistoryDB(Content dataSource, IngestJobContext context)
throws TskCoreException, IOException {
160 FileManager fileManager = getCurrentCase().getServices().getFileManager();
162 List<AbstractFile> historyFiles = fileManager.findFiles(dataSource, HISTORY_FILE_NAME, SAFARI_FOLDER);
164 if (historyFiles == null || historyFiles.isEmpty()) {
170 for (AbstractFile historyFile : historyFiles) {
171 if (context.dataSourceIngestIsCancelled()) {
175 getHistory(context, historyFile);
190 private void processBookmarkPList(Content dataSource, IngestJobContext context)
throws TskCoreException, IOException, SAXException, PropertyListFormatException, ParseException, ParserConfigurationException {
191 FileManager fileManager = getCurrentCase().getServices().getFileManager();
193 List<AbstractFile> files = fileManager.findFiles(dataSource, BOOKMARK_FILE_NAME, SAFARI_FOLDER);
195 if (files == null || files.isEmpty()) {
201 for (AbstractFile file : files) {
202 if (context.dataSourceIngestIsCancelled()) {
206 getBookmarks(context, file);
222 private void processDownloadsPList(Content dataSource, IngestJobContext context)
throws TskCoreException, IOException, SAXException, PropertyListFormatException, ParseException, ParserConfigurationException {
223 FileManager fileManager = getCurrentCase().getServices().getFileManager();
225 List<AbstractFile> files = fileManager.findFiles(dataSource, DOWNLOAD_FILE_NAME, SAFARI_FOLDER);
227 if (files == null || files.isEmpty()) {
233 for (AbstractFile file : files) {
234 if (context.dataSourceIngestIsCancelled()) {
238 getDownloads(dataSource, context, file);
249 private void processBinaryCookieFile(Content dataSource, IngestJobContext context)
throws TskCoreException {
250 FileManager fileManager = getCurrentCase().getServices().getFileManager();
252 List<AbstractFile> files = fileManager.findFiles(dataSource, COOKIE_FILE_NAME, COOKIE_FOLDER);
254 if (files == null || files.isEmpty()) {
260 for (AbstractFile file : files) {
261 if (context.dataSourceIngestIsCancelled()) {
265 getCookies(context, file);
266 }
catch (IOException ex) {
267 LOG.log(Level.WARNING, String.format(
"Failed to get cookies from file %s", Paths.get(file.getUniquePath(), file.getName()).toString()), ex);
280 private void getHistory(IngestJobContext context, AbstractFile historyFile)
throws TskCoreException, IOException {
281 if (historyFile.getSize() == 0) {
285 File tempHistoryFile = createTemporaryFile(context, historyFile);
288 ContentUtils.writeToFile(historyFile, tempHistoryFile, context::dataSourceIngestIsCancelled);
289 }
catch (IOException ex) {
290 throw new IOException(
"Error writingToFile: " + historyFile, ex);
294 postArtifacts(getHistoryArtifacts(historyFile, tempHistoryFile.toPath(), context));
296 tempHistoryFile.delete();
313 private void getBookmarks(IngestJobContext context, AbstractFile file)
throws TskCoreException, IOException, SAXException, PropertyListFormatException, ParseException, ParserConfigurationException {
314 if (file.getSize() == 0) {
318 File tempFile = createTemporaryFile(context, file);
321 postArtifacts(getBookmarkArtifacts(file, tempFile, context));
341 private void getDownloads(Content dataSource, IngestJobContext context, AbstractFile file)
throws TskCoreException, IOException, SAXException, PropertyListFormatException, ParseException, ParserConfigurationException {
342 if (file.getSize() == 0) {
346 File tempFile = createTemporaryFile(context, file);
349 postArtifacts(getDownloadArtifacts(dataSource, file, tempFile));
352 if (tempFile != null) {
368 private void getCookies(IngestJobContext context, AbstractFile file)
throws TskCoreException, IOException {
369 if (file.getSize() == 0) {
373 File tempFile = null;
376 tempFile = createTemporaryFile(context, file);
378 postArtifacts(getCookieArtifacts(file, tempFile, context));
381 if (tempFile != null) {
397 private Collection<BlackboardArtifact> getHistoryArtifacts(AbstractFile origFile, Path tempFilePath, IngestJobContext context)
throws TskCoreException {
398 List<HashMap<String, Object>> historyList = this.dbConnect(tempFilePath.toString(), HISTORY_QUERY);
400 if (historyList == null || historyList.isEmpty()) {
404 Collection<BlackboardArtifact> bbartifacts =
new ArrayList<>();
405 for (HashMap<String, Object> row : historyList) {
406 if (context.dataSourceIngestIsCancelled()) {
410 String url = row.get(HEAD_URL).toString();
411 String title = row.get(HEAD_TITLE).toString();
412 Long time = (Double.valueOf(row.get(HEAD_TIME).toString())).longValue();
414 BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY);
415 bbart.addAttributes(createHistoryAttribute(url, time, null, title,
416 this.getName(), NetworkUtils.extractDomain(url), null));
417 bbartifacts.add(bbart);
436 private Collection<BlackboardArtifact> getBookmarkArtifacts(AbstractFile origFile, File tempFile, IngestJobContext context)
throws IOException, PropertyListFormatException, ParseException, ParserConfigurationException, SAXException, TskCoreException {
437 Collection<BlackboardArtifact> bbartifacts =
new ArrayList<>();
440 NSDictionary root = (NSDictionary) PropertyListParser.parse(tempFile);
442 parseBookmarkDictionary(bbartifacts, origFile, root, context);
443 }
catch (PropertyListFormatException ex) {
444 PropertyListFormatException plfe =
new PropertyListFormatException(origFile.getName() +
": " + ex.getMessage());
445 plfe.setStackTrace(ex.getStackTrace());
447 }
catch (ParseException ex) {
448 ParseException pe =
new ParseException(origFile.getName() +
": " + ex.getMessage(), ex.getErrorOffset());
449 pe.setStackTrace(ex.getStackTrace());
451 }
catch (ParserConfigurationException ex) {
452 ParserConfigurationException pce =
new ParserConfigurationException(origFile.getName() +
": " + ex.getMessage());
453 pce.setStackTrace(ex.getStackTrace());
455 }
catch (SAXException ex) {
456 SAXException se =
new SAXException(origFile.getName() +
": " + ex.getMessage());
457 se.setStackTrace(ex.getStackTrace());
477 private Collection<BlackboardArtifact> getDownloadArtifacts(Content dataSource, AbstractFile origFile, File tempFile)
throws IOException, PropertyListFormatException, ParseException, ParserConfigurationException, SAXException, TskCoreException {
478 Collection<BlackboardArtifact> bbartifacts = null;
482 NSDictionary root = (NSDictionary)PropertyListParser.parse(tempFile);
487 NSArray nsArray = (NSArray)root.get(PLIST_KEY_DOWNLOAD_HISTORY);
492 NSObject[] objectArray = nsArray.getArray();
493 bbartifacts =
new ArrayList<>();
495 for(NSObject obj: objectArray){
496 if(obj instanceof NSDictionary){
497 bbartifacts.addAll(parseDownloadDictionary(dataSource, origFile, (NSDictionary)obj));
503 }
catch (PropertyListFormatException ex) {
504 PropertyListFormatException plfe =
new PropertyListFormatException(origFile.getName() +
": " + ex.getMessage());
505 plfe.setStackTrace(ex.getStackTrace());
507 }
catch (ParseException ex) {
508 ParseException pe =
new ParseException(origFile.getName() +
": " + ex.getMessage(), ex.getErrorOffset());
509 pe.setStackTrace(ex.getStackTrace());
511 }
catch (ParserConfigurationException ex) {
512 ParserConfigurationException pce =
new ParserConfigurationException(origFile.getName() +
": " + ex.getMessage());
513 pce.setStackTrace(ex.getStackTrace());
515 }
catch (SAXException ex) {
516 SAXException se =
new SAXException(origFile.getName() +
": " + ex.getMessage());
517 se.setStackTrace(ex.getStackTrace());
534 private Collection<BlackboardArtifact> getCookieArtifacts(AbstractFile origFile, File tempFile, IngestJobContext context)
throws TskCoreException, IOException {
535 Collection<BlackboardArtifact> bbartifacts = null;
536 BinaryCookieReader reader = BinaryCookieReader.initalizeReader(tempFile);
538 if (reader != null) {
539 bbartifacts =
new ArrayList<>();
541 Iterator<Cookie> iter = reader.iterator();
542 while (iter.hasNext()) {
543 if (context.dataSourceIngestIsCancelled()) {
547 Cookie cookie = iter.next();
549 BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE);
550 bbart.addAttributes(createCookieAttributes(cookie.getURL(), cookie.getCreationDate(), cookie.getName(), cookie.getValue(), this.getName(), NetworkUtils.extractDomain(cookie.getURL())));
551 bbartifacts.add(bbart);
567 private void parseBookmarkDictionary(Collection<BlackboardArtifact> bbartifacts, AbstractFile origFile, NSDictionary root, IngestJobContext context)
throws TskCoreException {
569 if (context.dataSourceIngestIsCancelled()) {
573 if (root.containsKey(PLIST_KEY_CHILDREN)) {
574 NSArray children = (NSArray) root.objectForKey(PLIST_KEY_CHILDREN);
576 if (children != null) {
577 for (NSObject obj : children.getArray()) {
578 parseBookmarkDictionary(bbartifacts, origFile, (NSDictionary) obj, context);
581 }
else if (root.containsKey(PLIST_KEY_URL)) {
585 NSString nsstr = (NSString) root.objectForKey(PLIST_KEY_URL);
587 url = nsstr.toString();
590 NSDictionary dic = (NSDictionary) root.get(PLIST_KEY_URI);
592 nsstr = (NSString) root.objectForKey(PLIST_KEY_TITLE);
595 title = ((NSString) dic.get(PLIST_KEY_TITLE)).toString();
598 if (url != null || title != null) {
599 BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
600 bbart.addAttributes(createBookmarkAttributes(url, title, null, getName(), NetworkUtils.extractDomain(url)));
601 bbartifacts.add(bbart);
615 private Collection<BlackboardArtifact> parseDownloadDictionary(Content dataSource, AbstractFile origFile, NSDictionary entry)
throws TskCoreException {
616 Collection<BlackboardArtifact> bbartifacts =
new ArrayList<>();
622 FileManager fileManager = getCurrentCase().getServices().getFileManager();
624 NSString nsstring = (NSString) entry.get(PLIST_KEY_DOWNLOAD_URL);
625 if (nsstring != null) {
626 url = nsstring.toString();
629 nsstring = (NSString) entry.get(PLIST_KEY_DOWNLOAD_PATH);
630 if (nsstring != null) {
631 path = nsstring.toString();
632 pathID = Util.findID(dataSource, path);
635 NSDate date = (NSDate) entry.get(PLIST_KEY_DOWNLOAD_DATE);
637 time = date.getDate().getTime();
640 BlackboardArtifact bbart = origFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
641 bbart.addAttributes(this.createDownloadAttributes(path, pathID, url, time, NetworkUtils.extractDomain(url), getName()));
642 bbartifacts.add(bbart);
645 for (AbstractFile downloadedFile : fileManager.findFiles(dataSource, FilenameUtils.getName(path), FilenameUtils.getPath(path))) {
646 BlackboardArtifact downloadSourceArt = downloadedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_DOWNLOAD_SOURCE);
647 downloadSourceArt.addAttributes(createDownloadSourceAttributes(url));
648 bbartifacts.add(downloadSourceArt);