19 package org.sleuthkit.autopsy.recentactivity;
21 import java.util.ArrayList;
22 import java.util.Arrays;
23 import java.util.HashMap;
25 import java.util.Collection;
26 import java.util.List;
27 import java.util.Objects;
28 import java.util.logging.Level;
29 import org.openide.util.NbBundle;
35 import org.
sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
43 class ExtractWebAccountType
extends Extract {
/** Logger for this class. */
private static final Logger logger = Logger.getLogger(ExtractWebAccountType.class.getName());

/**
 * Artifact types queried as input for role detection: web history entries
 * and service accounts.
 */
private static final List<BlackboardArtifact.Type> QUERY_ARTIFACTS = Arrays.asList(
        new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_WEB_HISTORY),
        new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_SERVICE_ACCOUNT)
);

/**
 * Sets the module name from the "ExtractWebAccountType.moduleName.text"
 * bundle key.
 */
ExtractWebAccountType() {
    moduleName = NbBundle.getMessage(
            ExtractWebAccountType.class,
            "ExtractWebAccountType.moduleName.text");
}
// Fetches the QUERY_ARTIFACTS types (TSK_WEB_HISTORY and TSK_SERVICE_ACCOUNT) for this
// data source from the blackboard, passes each artifact to findRolesForUrl(), and then
// asks the RoleProcessor to create the result artifacts.
// NOTE(review): this listing skips source lines (the numbers jump, e.g. 56 -> 59 and
// 69 -> 73), so the try opener and the body of the cancellation check are not visible.
// What happens on cancellation cannot be confirmed from here.
56 private void extractDomainRoles(Content dataSource, IngestJobContext context) {
59 Collection<BlackboardArtifact> listArtifacts = currentCase.getSleuthkitCase().getBlackboard().getArtifacts(
60 QUERY_ARTIFACTS, Arrays.asList(dataSource.getId()));
62 logger.log(Level.INFO,
"Processing {0} blackboard artifacts.", listArtifacts.size());
// Collector that accumulates the roles found across all artifacts.
65 RoleProcessor roleProcessor =
new RoleProcessor(context);
68 for (BlackboardArtifact artifact : listArtifacts) {
// Cancellation is polled once per artifact.
69 if (context.dataSourceIngestIsCancelled()) {
73 findRolesForUrl(artifact, roleProcessor);
// Runs after the loop over all queried artifacts.
77 roleProcessor.createArtifacts();
79 }
catch (TskCoreException e) {
// A TskCoreException from the query or from attribute access is logged at SEVERE.
80 logger.log(Level.SEVERE,
"Encountered error retrieving artifacts for domain role analysis", e);
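/**
 * Checks one artifact's URL against every known platform pattern and records
 * any role it implies.
 *
 * Artifacts without a TSK_URL or TSK_DOMAIN attribute are ignored. All four
 * platform checks always run, so one URL can record roles for more than one
 * platform. If none match and the artifact is a TSK_SERVICE_ACCOUNT, a USER
 * role is recorded with the domain itself used as the platform name.
 *
 * The checks look only at the URL text. A match shows that the URL appears in
 * the evidence, not that the server granted the request, so results are
 * investigative leads rather than proof of privilege.
 *
 * @param artifact      artifact whose URL and domain attributes are examined
 * @param roleProcessor collector that receives any role found
 * @throws TskCoreException if reading the artifact's attributes fails
 */
private void findRolesForUrl(BlackboardArtifact artifact, RoleProcessor roleProcessor)
        throws TskCoreException {
    // NOTE(review): the bodies of the two null guards are not shown in the
    // listing; an early return is assumed because the values are dereferenced below.
    BlackboardAttribute urlAttr = artifact.getAttribute(
            new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL));
    if (urlAttr == null) {
        return;
    }

    BlackboardAttribute domainAttr = artifact.getAttribute(
            new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN));
    if (domainAttr == null) {
        return;
    }

    // Locale.ROOT keeps lower-casing independent of the examiner machine's
    // default locale. Under a Turkish locale "I" lower-cases to a dotless i,
    // which would stop markers such as "/admin/index.php" from matching.
    String url = urlAttr.getValueString().toLowerCase(java.util.Locale.ROOT);
    String domain = domainAttr.getValueString().toLowerCase(java.util.Locale.ROOT);

    // Non-short-circuit OR: every platform check runs even after a match.
    boolean roleFound = false;
    roleFound |= findMyBbRole(url, domain, artifact, roleProcessor);
    roleFound |= findPhpBbRole(url, domain, artifact, roleProcessor);
    roleFound |= findJoomlaRole(url, domain, artifact, roleProcessor);
    roleFound |= findWordPressRole(url, domain, artifact, roleProcessor);

    // Fallback for service accounts with no recognised platform pattern.
    if (!roleFound && artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_SERVICE_ACCOUNT.getTypeID()) {
        roleProcessor.addRole(domain, domain, Role.USER, url, artifact);
    }
}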
/**
 * Records a myBB role when the URL contains one of the myBB control-panel
 * paths: "/admin/index.php" (ADMIN), "/modcp.php" (MOD) or "/usercp.php" (USER).
 *
 * The match is a substring test on the whole URL, so the marker also matches
 * when it appears in a query string or an embedded redirect target.
 *
 * @param url           lower-cased URL to test
 * @param domain        domain the URL belongs to
 * @param artifact      artifact the URL came from
 * @param roleProcessor collector that receives the role
 * @return true if a role was recorded, false otherwise
 */
private boolean findMyBbRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
    final String platformName = "myBB platform";

    // NOTE(review): the return statements are not shown in the listing;
    // true-on-match is inferred from the boolean result the caller ORs together.
    final Role matchedRole;
    if (url.contains("/admin/index.php")) {
        matchedRole = Role.ADMIN;
    } else if (url.contains("/modcp.php")) {
        matchedRole = Role.MOD;
    } else if (url.contains("/usercp.php")) {
        matchedRole = Role.USER;
    } else {
        return false;
    }

    roleProcessor.addRole(domain, platformName, matchedRole, url, artifact);
    return true;
}
/**
 * Records a phpBB role when the URL contains one of the phpBB control-panel
 * paths: "/adm/index.php" (ADMIN), "/mcp.php" (MOD) or "/ucp.php" (USER).
 *
 * The match is a substring test on the whole URL, so the marker also matches
 * when it appears in a query string or an embedded redirect target.
 *
 * @param url           lower-cased URL to test
 * @param domain        domain the URL belongs to
 * @param artifact      artifact the URL came from
 * @param roleProcessor collector that receives the role
 * @return true if a role was recorded, false otherwise
 */
private boolean findPhpBbRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
    final String platformName = "phpBB platform";

    // NOTE(review): the return statements are not shown in the listing;
    // true-on-match is inferred from the boolean result the caller ORs together.
    final Role matchedRole;
    if (url.contains("/adm/index.php")) {
        matchedRole = Role.ADMIN;
    } else if (url.contains("/mcp.php")) {
        matchedRole = Role.MOD;
    } else if (url.contains("/ucp.php")) {
        matchedRole = Role.USER;
    } else {
        return false;
    }

    roleProcessor.addRole(domain, platformName, matchedRole, url, artifact);
    return true;
}
/**
 * Records a Joomla ADMIN role when the URL contains
 * "/administrator/index.php". No other Joomla role is detected here.
 *
 * The match is a substring test on the whole URL, so the marker also matches
 * when it appears in a query string or an embedded redirect target.
 *
 * @param url           lower-cased URL to test
 * @param domain        domain the URL belongs to
 * @param artifact      artifact the URL came from
 * @param roleProcessor collector that receives the role
 * @return true if a role was recorded, false otherwise
 */
private boolean findJoomlaRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
    final String platformName = "Joomla platform";

    // NOTE(review): the return statements are not shown in the listing;
    // true-on-match is inferred from the boolean result the caller ORs together.
    if (!url.contains("/administrator/index.php")) {
        return false;
    }

    roleProcessor.addRole(domain, platformName, Role.ADMIN, url, artifact);
    return true;
}
/**
 * Records a WordPress role for any URL containing "/wp-admin/".
 *
 * A URL that ends with "/wp-admin/" or contains "/wp-admin/index.php" or
 * "/wp-admin/profile.php" is recorded as USER, presumably because those pages
 * are reachable by any logged-in account (confirm against the original source
 * comments). Any other "/wp-admin/" URL is recorded as ADMIN.
 *
 * The match is a substring test on the whole URL, so the marker also matches
 * when it appears in a query string or an embedded redirect target.
 *
 * @param url           lower-cased URL to test
 * @param domain        domain the URL belongs to
 * @param artifact      artifact the URL came from
 * @param roleProcessor collector that receives the role
 * @return true if a role was recorded, false otherwise
 */
private boolean findWordPressRole(String url, String domain, BlackboardArtifact artifact, RoleProcessor roleProcessor) {
    final String platformName = "WordPress platform";

    if (!url.contains("/wp-admin/")) {
        return false;
    }

    // NOTE(review): the listing omits the lines between the two addRole calls.
    // An else branch and true-on-match returns are inferred, since recording
    // USER and then ADMIN for the same URL would make the USER branch pointless.
    final boolean generalAccountPage = url.endsWith("/wp-admin/")
            || url.contains("/wp-admin/index.php")
            || url.contains("/wp-admin/profile.php");
    final Role matchedRole = generalAccountPage ? Role.USER : Role.ADMIN;

    roleProcessor.addRole(domain, platformName, matchedRole, url, artifact);
    return true;
}
/**
 * Runs web-account role extraction for one data source.
 *
 * @param dataSource  data source whose artifacts are analysed
 * @param context     ingest job context, passed on to the extraction step
 * @param progressBar ingest progress handle; not used in the visible body
 */
void process(Content dataSource, IngestJobContext context, DataSourceIngestModuleProgress progressBar) {
    this.extractDomainRoles(dataSource, context);
}
/** Best role recorded so far for each (domain, platform) pair. */
private final Map<RoleKey, DomainRole> roles = new HashMap<>();

/**
 * Records a role for a domain/platform pair, keeping only the highest-ranked
 * role seen for that pair.
 *
 * A new entry is stored when the pair has not been seen before or when the
 * new role's rank is strictly greater than the stored one. On equal rank the
 * earlier entry, with its URL and artifact, is kept.
 *
 * @param domain   domain the role applies to
 * @param platform platform name; part of the map key
 * @param role     role implied by the URL
 * @param url      URL that produced the match
 * @param artifact artifact the URL came from
 */
void addRole(String domain, String platform, Role role, String url, BlackboardArtifact artifact) {
    // NOTE(review): the line that creates 'key' is not shown in the listing;
    // it is inferred from the Map<RoleKey, DomainRole> type and the RoleKey constructor.
    final RoleKey key = new RoleKey(domain, platform);

    final boolean firstSighting = !roles.containsKey(key);
    if (firstSighting || role.getRank() > roles.get(key).getRole().getRank()) {
        roles.put(key, new DomainRole(domain, platform, role, url, artifact));
    }
}
// Creates and posts one TSK_WEB_ACCOUNT_TYPE artifact for each entry in the roles map.
// Each artifact carries three attributes: the domain, a text description and the URL.
// NOTE(review): this listing skips source lines (the numbers jump, e.g. 275 -> 280 and
// 282 -> 287), so the try opener and any checks between the shown statements are not
// visible. Whether a missing file or cancellation is handled cannot be confirmed here.
265 void createArtifacts() {
267 if (roles.isEmpty()) {
268 logger.log(Level.INFO,
"Didn't find any web accounts.");
271 logger.log(Level.INFO,
"Found {0} web accounts.", roles.keySet().size());
275 for (RoleKey key : roles.keySet()) {
280 DomainRole role = roles.get(key);
// Looks up the file by the object ID of the artifact that produced this role; the new
// artifact is created against that file below.
282 AbstractFile file = tskCase.getAbstractFileById(role.getArtifact().getObjectID());
// Description has the form "<role description> (<platform name>)".
287 String desc = role.getRole().
getDesc() +
" (" + role.getPlatform() +
")";
289 Collection<BlackboardAttribute> bbattributes =
new ArrayList<>();
// All three attributes pass the "ExtractWebAccountType.parentModuleName" bundle string
// as the second constructor argument.
290 bbattributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN,
291 NbBundle.getMessage(
this.getClass(),
292 "ExtractWebAccountType.parentModuleName"), role.getDomain()));
293 bbattributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT,
294 NbBundle.getMessage(
this.getClass(),
295 "ExtractWebAccountType.parentModuleName"), desc));
296 bbattributes.add(
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL,
297 NbBundle.getMessage(
this.getClass(),
298 "ExtractWebAccountType.parentModuleName"), role.getUrl()));
300 postArtifact(createArtifactWithAttributes(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_ACCOUNT_TYPE, file, bbattributes));
302 }
catch (TskCoreException ex) {
// A TskCoreException is logged at SEVERE.
303 logger.log(Level.SEVERE,
"Error creating web accounts", ex);
312 "ExtractWebAccountType.role.user=User role",
313 "ExtractWebAccountType.role.moderator=Moderator role",
314 "ExtractWebAccountType.role.admin=Administrator role"
// Role constants. The first argument is the description text from the resource bundle.
// The second is presumably the rank that addRole() compares with '>' (USER lowest,
// ADMIN highest) — confirm against the enum constructor, which this listing omits.
317 USER(Bundle.ExtractWebAccountType_role_user(), 0),
318 MOD(Bundle.ExtractWebAccountType_role_moderator(), 1),
319 ADMIN(Bundle.ExtractWebAccountType_role_admin(), 2);
// Key type of the roles map: one entry per (domain, platform) pair.
// NOTE(review): the constructor body and the equals/hashCode signatures are not shown in this listing.
346 RoleKey(String domain, String platform) {
// Objects that are not RoleKey instances are handled by this check (its body is not shown).
353 if (!(other instanceof
RoleKey)) {
357 RoleKey otherKey = (RoleKey) other;
// Two keys are equal only when both domain and platform are equal.
// NOTE(review): domain.equals(...) and platform.equals(...) are called directly, while the
// hash below uses the null-safe Objects.hashCode. A null domain or platform would throw
// here — confirm callers never pass null.
358 return (domain.equals(otherKey.
domain)
359 && platform.equals(otherKey.
platform));
// The hash combines the same two fields that the equality check compares.
365 hash = 79 * hash + Objects.hashCode(this.domain);
366 hash = 79 * hash + Objects.hashCode(this.platform);
// Value type stored per RoleKey in the roles map.
// NOTE(review): this listing shows only some of the fields and constructor assignments.
// Platform name; createArtifacts() includes it in the description text.
377 final String platform;
// Artifact the role was derived from; createArtifacts() uses its object ID to look up the file.
380 final BlackboardArtifact artifact;
// Stores the supplied values. The assignments for role and url are not shown in this listing.
382 DomainRole(String domain, String platform,
Role role, String url, BlackboardArtifact artifact) {
383 this.domain = domain;
385 this.platform = platform;
387 this.artifact = artifact;
394 String getPlatform() {
406 BlackboardArtifact getArtifact() {
boolean dataSourceIngestIsCancelled()