Autopsy  4.13.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2013-2019 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.dataSourceIntegrity;
21 import;
22 import;
23 import java.util.ArrayList;
24 import java.util.List;
25 import java.util.logging.Level;
26 import javax.xml.bind.DatatypeConverter;
27 import java.util.Arrays;
35 import org.sleuthkit.datamodel.Content;
36 import org.sleuthkit.datamodel.Image;
37 import org.sleuthkit.datamodel.TskCoreException;
38 import org.openide.util.NbBundle;
40 import org.sleuthkit.datamodel.Blackboard;
41 import org.sleuthkit.datamodel.BlackboardArtifact;
42 import org.sleuthkit.datamodel.BlackboardAttribute;
43 import org.sleuthkit.datamodel.TskDataException;
53  private static final Logger logger = Logger.getLogger(DataSourceIntegrityIngestModule.class.getName());
54  private static final long DEFAULT_CHUNK_SIZE = 32 * 1024;
57  private final boolean computeHashes;
58  private final boolean verifyHashes;
60  private final List<HashData> hashDataList = new ArrayList<>();
64  DataSourceIntegrityIngestModule(DataSourceIntegrityIngestSettings settings) {
65  computeHashes = settings.shouldComputeHashes();
66  verifyHashes = settings.shouldVerifyHashes();
67  }
69  @NbBundle.Messages({
70  "DataSourceIntegrityIngestModule.startup.noCheckboxesSelected=At least one of the checkboxes must be selected"
71  })
72  @Override
73  public void startUp(IngestJobContext context) throws IngestModuleException {
74  this.context = context;
76  // It's an error if the module is run without either option selected
77  if (!(computeHashes || verifyHashes)) {
78  throw new IngestModuleException(Bundle.DataSourceIntegrityIngestModule_startup_noCheckboxesSelected());
79  }
80  }
82  @NbBundle.Messages({
83  "# {0} - imageName",
84  "DataSourceIntegrityIngestModule.process.skipCompute=Not computing new hashes for {0} since the option was disabled",
85  "# {0} - imageName",
86  "DataSourceIntegrityIngestModule.process.skipVerify=Not verifying existing hashes for {0} since the option was disabled",
87  "# {0} - hashName",
88  "DataSourceIntegrityIngestModule.process.hashAlgorithmError=Error creating message digest for {0} algorithm",
89  "# {0} - hashName",
90  "DataSourceIntegrityIngestModule.process.hashMatch=<li>{0} hash verified </li>",
91  "# {0} - hashName",
92  "DataSourceIntegrityIngestModule.process.hashNonMatch=<li>{0} hash not verified </li>",
93  "# {0} - calculatedHashValue",
94  "# {1} - storedHashValue",
95  "DataSourceIntegrityIngestModule.process.hashList=<ul><li>Calculated hash: {0} </li><li>Stored hash: {1} </li></ul>",
96  "# {0} - hashName",
97  "# {1} - calculatedHashValue",
98  "DataSourceIntegrityIngestModule.process.calcHashWithType=<li>Calculated {0} hash: {1} </li>",
99  "# {0} - imageName",
100  "DataSourceIntegrityIngestModule.process.calculateHashDone=<p>Data Source Hash Calculation Results for {0} </p>",
101  "DataSourceIntegrityIngestModule.process.hashesCalculated= hashes calculated",
102  "# {0} - imageName",
103  "DataSourceIntegrityIngestModule.process.errorSavingHashes= Error saving hashes for image {0} to the database",
104  "# {0} - imageName",
105  "DataSourceIntegrityIngestModule.process.errorLoadingHashes= Error loading hashes for image {0} from the database",
106  "# {0} - hashAlgorithm",
107  "# {1} - calculatedHashValue",
108  "# {2} - storedHashValue",
109  "DataSourceIntegrityIngestModule.process.hashFailedForArtifact={0} hash verification failed:\n Calculated hash: {1}\n Stored hash: {2}\n",
110  "# {0} - imageName",
111  "DataSourceIntegrityIngestModule.process.verificationSuccess=Integrity of {0} verified",
112  "# {0} - imageName",
113  "DataSourceIntegrityIngestModule.process.verificationFailure={0} failed integrity verification",
114  })
115  @Override
116  public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress statusHelper) {
117  String imgName = dataSource.getName();
119  // Skip non-images
120  if (!(dataSource instanceof Image)) {
121  logger.log(Level.INFO, "Skipping non-image {0}", imgName); //NON-NLS
123  NbBundle.getMessage(this.getClass(),
124  "DataSourceIntegrityIngestModule.process.skipNonEwf",
125  imgName)));
126  return ProcessResult.OK;
127  }
128  Image img = (Image) dataSource;
130  // Get the image size. Log a warning if it is zero.
131  long size = img.getSize();
132  if (size == 0) {
133  logger.log(Level.WARNING, "Size of image {0} was 0 when queried.", imgName); //NON-NLS
134  }
136  // Determine which mode we're in.
137  // - If there are any preset hashes, then we'll verify them (assuming the verify checkbox is selected)
138  // - Otherwise we'll calculate and store all three hashes (assuming the compute checkbox is selected)
140  // First get a list of all stored hash types
141  try {
142  if (img.getMd5() != null && ! img.getMd5().isEmpty()) {
143  hashDataList.add(new HashData(HashType.MD5, img.getMd5()));
144  }
145  if (img.getSha1() != null && ! img.getSha1().isEmpty()) {
146  hashDataList.add(new HashData(HashType.SHA1, img.getSha1()));
147  }
148  if (img.getSha256() != null && ! img.getSha256().isEmpty()) {
149  hashDataList.add(new HashData(HashType.SHA256, img.getSha256()));
150  }
151  } catch (TskCoreException ex) {
152  String msg = Bundle.DataSourceIntegrityIngestModule_process_errorLoadingHashes(imgName);
154  logger.log(Level.SEVERE, msg, ex);
155  return ProcessResult.ERROR;
156  }
158  // Figure out which mode we should be in
159  Mode mode;
160  if (hashDataList.isEmpty()) {
161  mode = Mode.COMPUTE;
162  } else {
163  mode = Mode.VERIFY;
164  }
166  // If that mode was not enabled by the user, exit
167  if (mode.equals(Mode.COMPUTE) && ! this.computeHashes) {
168  logger.log(Level.INFO, "Not computing hashes for {0} since the option was disabled", imgName); //NON-NLS
170  Bundle.DataSourceIntegrityIngestModule_process_skipCompute(imgName)));
171  return ProcessResult.OK;
172  } else if (mode.equals(Mode.VERIFY) && ! this.verifyHashes) {
173  logger.log(Level.INFO, "Not verifying hashes for {0} since the option was disabled", imgName); //NON-NLS
175  Bundle.DataSourceIntegrityIngestModule_process_skipVerify(imgName)));
176  return ProcessResult.OK;
177  }
179  // If we're in compute mode (i.e., the hash list is empty), add all hash algorithms
180  // to the list.
181  if (mode.equals(Mode.COMPUTE)) {
182  for(HashType type : HashType.values()) {
183  hashDataList.add(new HashData(type, ""));
184  }
185  }
187  // Set up the digests
188  for (HashData hashData:hashDataList) {
189  try {
190  hashData.digest = MessageDigest.getInstance(hashData.type.getName());
191  } catch (NoSuchAlgorithmException ex) {
192  String msg = Bundle.DataSourceIntegrityIngestModule_process_hashAlgorithmError(hashData.type.getName());
194  logger.log(Level.SEVERE, msg, ex);
195  return ProcessResult.ERROR;
196  }
197  }
199  // Libewf uses a chunk size of 64 times the sector size, which is the
200  // motivation for using it here. For other images it shouldn't matter,
201  // so they can use this chunk size as well.
202  long chunkSize = 64 * img.getSsize();
203  chunkSize = (chunkSize == 0) ? DEFAULT_CHUNK_SIZE : chunkSize;
205  // Casting to double to capture decimals
206  int totalChunks = (int) Math.ceil((double) size / (double) chunkSize);
207  logger.log(Level.INFO, "Total chunks = {0}", totalChunks); //NON-NLS
209  if (mode.equals(Mode.VERIFY)) {
210  logger.log(Level.INFO, "Starting hash verification of {0}", img.getName()); //NON-NLS
211  } else {
212  logger.log(Level.INFO, "Starting hash calculation for {0}", img.getName()); //NON-NLS
213  }
215  NbBundle.getMessage(this.getClass(),
216  "DataSourceIntegrityIngestModule.process.startingImg",
217  imgName)));
219  // Set up the progress bar
220  statusHelper.switchToDeterminate(totalChunks);
222  // Read in byte size chunks and update the hash value with the data.
223  byte[] data = new byte[(int) chunkSize];
224  int read;
225  for (int i = 0; i < totalChunks; i++) {
226  if (context.dataSourceIngestIsCancelled()) {
227  return ProcessResult.OK;
228  }
229  try {
230  read =, i * chunkSize, chunkSize);
231  } catch (TskCoreException ex) {
232  String msg = NbBundle.getMessage(this.getClass(),
233  "DataSourceIntegrityIngestModule.process.errReadImgAtChunk", imgName, i);
235  logger.log(Level.SEVERE, msg, ex);
236  return ProcessResult.ERROR;
237  }
239  // Only update with the read bytes.
240  if (read == chunkSize) {
241  for (HashData struct:hashDataList) {
242  struct.digest.update(data);
243  }
244  } else {
245  byte[] subData = Arrays.copyOfRange(data, 0, read);
246  for (HashData struct:hashDataList) {
247  struct.digest.update(subData);
248  }
249  }
250  statusHelper.progress(i);
251  }
253  // Produce the final hashes
254  for(HashData hashData:hashDataList) {
255  hashData.calculatedHash = DatatypeConverter.printHexBinary(hashData.digest.digest()).toLowerCase();
256  logger.log(Level.INFO, "Hash calculated from {0}: {1}", new Object[]{imgName, hashData.calculatedHash}); //NON-NLS
257  }
259  if (mode.equals(Mode.VERIFY)) {
260  // Check that each hash matches
261  boolean verified = true;
262  String detailedResults = NbBundle
263  .getMessage(this.getClass(), "DataSourceIntegrityIngestModule.shutDown.verifyResultsHeader", imgName);
264  String hashResults = "";
265  String artifactComment = "";
267  for (HashData hashData:hashDataList) {
268  if (hashData.storedHash.equals(hashData.calculatedHash)) {
269  hashResults += Bundle.DataSourceIntegrityIngestModule_process_hashMatch( + " ";
270  } else {
271  verified = false;
272  hashResults += Bundle.DataSourceIntegrityIngestModule_process_hashNonMatch( + " ";
273  artifactComment += Bundle.DataSourceIntegrityIngestModule_process_hashFailedForArtifact(,
274  hashData.calculatedHash, hashData.storedHash) + " ";
275  }
276  hashResults += Bundle.DataSourceIntegrityIngestModule_process_hashList(hashData.calculatedHash, hashData.storedHash);
277  }
279  String verificationResultStr;
280  String messageResultStr;
281  MessageType messageType;
282  if (verified) {
283  messageType = MessageType.INFO;
284  verificationResultStr = NbBundle.getMessage(this.getClass(), "DataSourceIntegrityIngestModule.shutDown.verified");
285  messageResultStr = Bundle.DataSourceIntegrityIngestModule_process_verificationSuccess(imgName);
286  } else {
287  messageType = MessageType.WARNING;
288  verificationResultStr = NbBundle.getMessage(this.getClass(), "DataSourceIntegrityIngestModule.shutDown.notVerified");
289  messageResultStr = Bundle.DataSourceIntegrityIngestModule_process_verificationFailure(imgName);
290  }
292  detailedResults += NbBundle.getMessage(this.getClass(), "DataSourceIntegrityIngestModule.shutDown.resultLi", verificationResultStr);
293  detailedResults += hashResults;
295  if (!verified) {
296  try {
297  BlackboardArtifact verificationFailedArtifact = Case.getCurrentCase().getSleuthkitCase().newBlackboardArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_VERIFICATION_FAILED, img.getId());
298  verificationFailedArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
299  DataSourceIntegrityModuleFactory.getModuleName(), artifactComment));
300  Case.getCurrentCase().getServices().getArtifactsBlackboard().postArtifact(verificationFailedArtifact, DataSourceIntegrityModuleFactory.getModuleName());
301  } catch (TskCoreException ex) {
302  logger.log(Level.SEVERE, "Error creating verification failed artifact", ex);
303  } catch (Blackboard.BlackboardException ex) {
304  logger.log(Level.SEVERE, "Error posting verification failed artifact", ex);
305  }
306  }
308  services.postMessage(IngestMessage.createMessage(messageType, DataSourceIntegrityModuleFactory.getModuleName(),
309  messageResultStr, detailedResults));
311  } else {
312  // Store the hashes in the database and update the image
313  try {
314  String results = Bundle.DataSourceIntegrityIngestModule_process_calculateHashDone(imgName);
316  for (HashData hashData:hashDataList) {
317  switch (hashData.type) {
318  case MD5:
319  try {
320  img.setMD5(hashData.calculatedHash);
321  } catch (TskDataException ex) {
322  logger.log(Level.SEVERE, "Error setting calculated hash", ex);
323  }
324  break;
325  case SHA1:
326  try {
327  img.setSha1(hashData.calculatedHash);
328  } catch (TskDataException ex) {
329  logger.log(Level.SEVERE, "Error setting calculated hash", ex);
330  }
331  break;
332  case SHA256:
333  try {
334  img.setSha256(hashData.calculatedHash);
335  } catch (TskDataException ex) {
336  logger.log(Level.SEVERE, "Error setting calculated hash", ex);
337  }
338  break;
339  default:
340  break;
341  }
342  results += Bundle.DataSourceIntegrityIngestModule_process_calcHashWithType(, hashData.calculatedHash);
343  }
345  // Write the inbox message
347  imgName + Bundle.DataSourceIntegrityIngestModule_process_hashesCalculated(), results));
349  } catch (TskCoreException ex) {
350  String msg = Bundle.DataSourceIntegrityIngestModule_process_errorSavingHashes(imgName);
352  logger.log(Level.SEVERE, "Error saving hash for image " + imgName + " to database", ex);
353  return ProcessResult.ERROR;
354  }
355  }
357  return ProcessResult.OK;
358  }
363  private enum Mode {
366  }
372  private enum HashType {
373  MD5("MD5"),
374  SHA1("SHA-1"),
375  SHA256("SHA-256");
377  private final String name; // This should be the string expected by MessageDigest
379  HashType(String name) {
380 = name;
381  }
383  String getName() {
384  return name;
385  }
386  }
391  private class HashData {
392  private HashType type;
393  private MessageDigest digest;
394  private String storedHash;
395  private String calculatedHash;
397  HashData(HashType type, String storedHash) {
398  this.type = type;
399  this.storedHash = storedHash;
400  }
401  }
402 }
org.sleuthkit.datamodel.Blackboard getArtifactsBlackboard()
static IngestMessage createMessage(MessageType messageType, String source, String subject, String detailsHtml)
void postMessage(final IngestMessage message)
synchronized static Logger getLogger(String name)
ProcessResult process(Content dataSource, DataSourceIngestModuleProgress statusHelper)
static synchronized IngestServices getInstance()

Copyright © 2012-2019 Basis Technology. Generated on: Tue Jan 7 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.