1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019 Basis Technology Corp.
5  *
6  * Copyright 2012 42six Solutions.
7  * Contact: aebadirad <at> 42six <dot> com
8  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
9  *
10  * Licensed under the Apache License, Version 2.0 (the "License");
11  * you may not use this file except in compliance with the License.
12  * You may obtain a copy of the License at
13  *
14  * http://www.apache.org/licenses/LICENSE-2.0
15  *
16  * Unless required by applicable law or agreed to in writing, software
17  * distributed under the License is distributed on an "AS IS" BASIS,
18  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19  * See the License for the specific language governing permissions and
20  * limitations under the License.
21  */
22 package org.sleuthkit.autopsy.recentactivity;
23 
24 import java.io.BufferedReader;
25 import java.io.FileReader;
26 import java.io.File;
27 import java.io.FileNotFoundException;
28 import java.io.IOException;
29 import java.text.ParseException;
30 import java.text.SimpleDateFormat;
31 import java.util.ArrayList;
32 import java.util.List;
33 import java.util.Locale;
34 import java.util.logging.Level;
36 
40 class ShellBagParser {
41  private static final Logger logger = Logger.getLogger(ShellBagParser.class.getName());
42 
43  private static final SimpleDateFormat DATE_TIME_FORMATTER = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss", Locale.getDefault());
44  // Last Write date\time format from itempos plugin
45  private static final SimpleDateFormat DATE_TIME_FORMATTER2 = new SimpleDateFormat("EEE MMM dd HH:mm:ss yyyyy", Locale.getDefault());
46 
47  private ShellBagParser() {
48  }
49 
60  static List<ShellBag> parseShellbagOutput(String regFilePath) throws FileNotFoundException, IOException {
61  List<ShellBag> shellbags = new ArrayList<>();
62  File regfile = new File(regFilePath);
63 
64  ShellBagParser sbparser = new ShellBagParser();
65 
66  try (BufferedReader reader = new BufferedReader(new FileReader(regfile))) {
67  String line = reader.readLine();
68  while (line != null) {
69  line = line.trim();
70 
71  if (line.matches("^shellbags_xp v.*")) {
72  shellbags.addAll(sbparser.parseShellBagsXP(reader));
73  } else if (line.matches("^shellbags v.*")) {
74  shellbags.addAll(sbparser.parseShellBags(reader));
75  } else if (line.matches("^itempos.*")) {
76  shellbags.addAll(sbparser.parseItempos(reader));
77  }
78 
79  line = reader.readLine();
80  }
81  }
82 
83  return shellbags;
84  }
85 
95  List<ShellBag> parseShellBagsXP(BufferedReader reader) throws IOException {
96  List<ShellBag> shellbags = new ArrayList<>();
97  String line = reader.readLine();
98 
99  while (line != null && !isSectionSeparator(line)) {
100 
101  if (isShellbagXPDataLine(line)) {
102  String[] tokens = line.split("\\|");
103  if (tokens.length >= 6) {
104  shellbags.add(new ShellBag(tokens[5].trim(), "Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU", tokens[0].trim(), tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
105  }
106  }
107 
108  line = reader.readLine();
109  }
110 
111  return shellbags;
112  }
113 
122  List<ShellBag> parseShellBags(BufferedReader reader) throws IOException {
123  List<ShellBag> shellbags = new ArrayList<>();
124  String line = reader.readLine();
125  String regPath = "Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU";
126 
127  while (line != null && !isSectionSeparator(line)) {
128 
129  if (isShellbagDataLine(line)) {
130  String[] tokens = line.split("\\|");
131  String path = tokens[6].replaceAll("\\[.*?\\]", "").trim();
132  int index = line.lastIndexOf('[');
133  String endstuff = "";
134  if (index != -1) {
135  endstuff = line.substring(index, line.length() - 1).replace("[Desktop", "");
136  }
137  if (tokens.length >= 7) {
138  shellbags.add(new ShellBag(path, regPath + endstuff, tokens[0].trim(), tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
139  }
140  }
141 
142  line = reader.readLine();
143  }
144 
145  return shellbags;
146  }
147 
157  List<ShellBag> parseItempos(BufferedReader reader) throws IOException {
158  List<ShellBag> shellbags = new ArrayList<>();
159  String bagpath = "";
160  String lastWrite = "";
161  String line = reader.readLine();
162 
163  while (line != null && !isSectionSeparator(line)) {
164 
165  if (isItemposDataLine(line)) {
166  String[] tokens = line.split("\\|");
167  if (tokens.length >= 5) {
168  shellbags.add(new ShellBag(tokens[4].trim(), bagpath, lastWrite, tokens[1].trim(), tokens[2].trim(), tokens[3].trim()));
169  }
170  } else if (line.contains("Software\\")) {
171  bagpath = line.trim();
172  lastWrite = "";
173  } else if (line.contains("LastWrite:")) {
174  lastWrite = line.replace("LastWrite:", "").trim();
175  }
176 
177  line = reader.readLine();
178  }
179 
180  return shellbags;
181  }
182 
195  boolean isSectionSeparator(String line) {
196  if (line == null || line.isEmpty()) {
197  return false;
198  }
199 
200  return line.trim().matches("^-+");
201  }
202 
212  boolean isItemposDataLine(String line) {
213  return line.matches("^\\d*?\\s*?\\|.*?\\|.*?\\|.*?\\|.*?");
214  }
215 
227  boolean isShellbagXPDataLine(String line) {
228  return line.matches("^(\\d+?.*?\\s*? | \\s*?)\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?");
229  }
230 
242  boolean isShellbagDataLine(String line) {
243  return line.matches("^(\\d+?.*?\\s*? | \\s*?)\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?\\|.*?");
244  }
245 
250  class ShellBag {
251 
252  private final String resource;
253  private final String key;
254  private final String lastWrite;
255  private final String modified;
256  private final String accessed;
257  private final String created;
258 
271  ShellBag(String resource, String key, String lastWrite, String modified, String accessed, String created) {
272  this.resource = resource;
273  this.key = key;
274  this.lastWrite = lastWrite;
275  this.accessed = accessed;
276  this.modified = modified;
277  this.created = created;
278  }
279 
285  String getResource() {
286  return resource == null ? "" : resource;
287  }
288 
294  String getKey() {
295  return key == null ? "" : key;
296  }
297 
304  long getLastWrite() {
305  return parseDateTime(lastWrite);
306  }
307 
314  long getModified() {
315  return parseDateTime(modified);
316  }
317 
324  long getAccessed() {
325  return parseDateTime(accessed);
326  }
327 
334  long getCreated() {
335  return parseDateTime(created);
336  }
337 
346  long parseDateTime(String dateTimeString) {
347  if (!dateTimeString.isEmpty()) {
348  try {
349  return DATE_TIME_FORMATTER.parse(dateTimeString).getTime() / 1000;
350  } catch (ParseException ex) {
351  // The parse of the string may fail because there are two possible formats.
352  }
353 
354  try {
355  return DATE_TIME_FORMATTER2.parse(dateTimeString).getTime() / 1000;
356  } catch (ParseException ex) {
357  logger.log(Level.WARNING, String.format("ShellBag parse failure. %s is not formated as expected.", dateTimeString), ex);
358  }
359  }
360  return 0;
361  }
362  }
363 
364 }