Autopsy  4.17.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
VMExtractorIngestModule.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2012-2018 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.modules.vmextractor;
20 
21 import java.io.File;
22 import java.io.IOException;
23 import java.nio.file.Files;
24 import java.nio.file.Path;
25 import java.nio.file.Paths;
26 import java.text.SimpleDateFormat;
27 import java.util.ArrayList;
28 import java.util.Calendar;
29 import java.util.HashMap;
30 import java.util.List;
31 import java.util.UUID;
32 import java.util.logging.Level;
33 import org.openide.util.NbBundle;
34 import org.openide.util.NbBundle.Messages;
35 import org.sleuthkit.autopsy.casemodule.Case;
36 import org.sleuthkit.autopsy.casemodule.GeneralFilter;
37 import org.sleuthkit.autopsy.casemodule.ImageDSProcessor;
38 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
39 import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorCallback;
40 import org.sleuthkit.autopsy.corecomponentinterfaces.DataSourceProcessorProgressMonitor;
41 import org.sleuthkit.autopsy.coreutils.Logger;
42 import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
43 import org.sleuthkit.autopsy.datamodel.ContentUtils;
44 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleAdapter;
45 import org.sleuthkit.autopsy.ingest.DataSourceIngestModuleProgress;
46 import org.sleuthkit.autopsy.ingest.IngestJobContext;
47 import org.sleuthkit.autopsy.ingest.IngestJobSettings;
48 import org.sleuthkit.autopsy.ingest.IngestManager;
49 import org.sleuthkit.autopsy.ingest.IngestMessage;
50 import org.sleuthkit.autopsy.ingest.IngestModule;
51 import org.sleuthkit.autopsy.ingest.IngestServices;
52 import org.sleuthkit.datamodel.AbstractFile;
53 import org.sleuthkit.datamodel.Content;
54 import org.sleuthkit.datamodel.DataSource;
55 import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
56 import org.sleuthkit.datamodel.SleuthkitCase;
57 import org.sleuthkit.datamodel.TskCoreException;
58 import org.sleuthkit.datamodel.TskDataException;
59 
64 @NbBundle.Messages({"# {0} - output directory name", "VMExtractorIngestModule.cannotCreateOutputDir.message=Unable to create output directory: {0}."
65 })
66 final class VMExtractorIngestModule extends DataSourceIngestModuleAdapter {
67 
68  private static final Logger logger = Logger.getLogger(VMExtractorIngestModule.class.getName());
69  private IngestJobContext context;
70  private Path ingestJobOutputDir;
71  private String parentDeviceId;
72  private String parentTimeZone;
73 
74  private final HashMap<String, String> imageFolderToOutputFolder = new HashMap<>();
75  private int folderId = 0;
76 
77  @Messages({"# {0} - data source name", "deviceIdQueryErrMsg=Data source {0} missing Device ID",
78  "VMExtractorIngestModule.noOpenCase.errMsg=No open case available."})
79  @Override
80  public void startUp(IngestJobContext context) throws IngestModuleException {
81  this.context = context;
82  long dataSourceObjId = context.getDataSource().getId();
83  try {
84  Case currentCase = Case.getCurrentCaseThrows();
85  SleuthkitCase caseDb = currentCase.getSleuthkitCase();
86  DataSource dataSource = caseDb.getDataSource(dataSourceObjId);
87  parentDeviceId = dataSource.getDeviceId();
88  parentTimeZone = dataSource.getTimeZone();
89  SimpleDateFormat dateFormat = new SimpleDateFormat("yyyy_MM_dd_HH_mm_ss");
90  String timeStamp = dateFormat.format(Calendar.getInstance().getTime());
91  String ingestJobOutputDirName = context.getDataSource().getName() + "_" + context.getDataSource().getId() + "_" + timeStamp;
92  ingestJobOutputDirName = ingestJobOutputDirName.replace(':', '_');
93  ingestJobOutputDir = Paths.get(currentCase.getModuleDirectory(), VMExtractorIngestModuleFactory.getModuleName(), ingestJobOutputDirName);
94  // create module output folder to write extracted virtual machine files to
95  Files.createDirectories(ingestJobOutputDir);
96  } catch (IOException | SecurityException | UnsupportedOperationException ex) {
97  throw new IngestModule.IngestModuleException(Bundle.VMExtractorIngestModule_cannotCreateOutputDir_message(ex.getLocalizedMessage()), ex);
98  } catch (TskDataException | TskCoreException ex) {
99  throw new IngestModule.IngestModuleException(Bundle.deviceIdQueryErrMsg(context.getDataSource().getName()), ex);
100  } catch (NoCurrentCaseException ex) {
101  throw new IngestModule.IngestModuleException(Bundle.VMExtractorIngestModule_noOpenCase_errMsg(), ex);
102  }
103  }
104 
105  @Override
106  public ProcessResult process(Content dataSource, DataSourceIngestModuleProgress progressBar) {
107 
108  String outputFolderForThisVM;
109  List<AbstractFile> vmFiles;
110 
111  // Configure and start progress bar - looking for VM files
112  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.searchingImage.message"));
113  // Not sure how long it will take for search to complete.
114  progressBar.switchToIndeterminate();
115 
116  logger.log(Level.INFO, "Looking for virtual machine files in data source {0}", dataSource.getName()); //NON-NLS
117 
118  try {
119  // look for all VM files
120  vmFiles = findVirtualMachineFiles(dataSource);
121  } catch (TskCoreException ex) {
122  logger.log(Level.SEVERE, "Error querying case database", ex); //NON-NLS
123  return ProcessResult.ERROR;
124  } catch (NoCurrentCaseException ex) {
125  logger.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
126  return ProcessResult.ERROR;
127  }
128 
129  if (vmFiles.isEmpty()) {
130  // no VM files found
131  logger.log(Level.INFO, "No virtual machine files found in data source {0}", dataSource.getName()); //NON-NLS
132  return ProcessResult.OK;
133  }
134  // display progress for saving each VM file to disk
135  progressBar.switchToDeterminate(vmFiles.size());
136  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.exportingToDisk.message"));
137 
138  int numFilesSaved = 0;
139  for (AbstractFile vmFile : vmFiles) {
140  if (context.dataSourceIngestIsCancelled()) {
141  break;
142  }
143 
144  logger.log(Level.INFO, "Saving virtual machine file {0} to disk", vmFile.getName()); //NON-NLS
145 
146  // get vmFolderPathInsideTheImage to the folder where VM is located
147  String vmFolderPathInsideTheImage = vmFile.getParentPath();
148 
149  // check if the vmFolderPathInsideTheImage is already in hashmap
150  if (imageFolderToOutputFolder.containsKey(vmFolderPathInsideTheImage)) {
151  // if it is then we have already created output folder to write out all VM files in this parent folder
152  outputFolderForThisVM = imageFolderToOutputFolder.get(vmFolderPathInsideTheImage);
153  } else {
154  // if not - create output folder to write out VM files (can use any unique ID or number for folder name)
155  folderId++;
156  outputFolderForThisVM = Paths.get(ingestJobOutputDir.toString(), Integer.toString(folderId)).toString();
157 
158  // add vmFolderPathInsideTheImage to hashmap
159  imageFolderToOutputFolder.put(vmFolderPathInsideTheImage, outputFolderForThisVM);
160  }
161 
162  // write the vm file to output folder
163  try {
164  writeVirtualMachineToDisk(vmFile, outputFolderForThisVM);
165  } catch (ReadContentInputStreamException ex) {
166  logger.log(Level.WARNING, String.format("Failed to read virtual machine file '%s' (id=%d).",
167  vmFile.getName(), vmFile.getId()), ex); //NON-NLS
168  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedExtractVM.title.txt"),
169  NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedExtractVM.msg.txt", vmFile.getName()));
170  } catch (Exception ex) {
171  logger.log(Level.SEVERE, String.format("Failed to write virtual machine file '%s' (id=%d) to folder '%s'.",
172  vmFile.getName(), vmFile.getId(), outputFolderForThisVM), ex); //NON-NLS
173  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedExtractVM.title.txt"),
174  NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedExtractVM.msg.txt", vmFile.getName()));
175  }
176 
177  // Update progress bar
178  numFilesSaved++;
179  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.exportingToDisk.message"), numFilesSaved);
180  }
181  logger.log(Level.INFO, "Finished saving virtual machine files to disk"); //NON-NLS
182 
183  // update progress bar
184  progressBar.switchToDeterminate(imageFolderToOutputFolder.size());
185  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.queuingIngestJobs.message"));
186  // this is for progress bar purposes because at this point we only know in advance how many job folders to ingest, not how many data sources.
187  int numJobsQueued = 0;
188  // start processing output folders after we are done writing out all vm files
189  for (String folder : imageFolderToOutputFolder.values()) {
190  if (context.dataSourceIngestIsCancelled()) {
191  break;
192  }
193  List<String> vmFilesToIngest = VirtualMachineFinder.identifyVirtualMachines(Paths.get(folder));
194  for (String file : vmFilesToIngest) {
195  try {
196  logger.log(Level.INFO, "Ingesting virtual machine file {0} in folder {1}", new Object[]{file, folder}); //NON-NLS
197 
198  // for extracted virtual machines there is no manifest XML file to read data source ID from so use parent data source ID.
199  // ingest the data sources
200  ingestVirtualMachineImage(Paths.get(folder, file));
201  } catch (InterruptedException ex) {
202  logger.log(Level.INFO, "Interrupted while ingesting virtual machine file " + file + " in folder " + folder, ex); //NON-NLS
203  } catch (IOException ex) {
204  logger.log(Level.SEVERE, "Failed to ingest virtual machine file " + file + " in folder " + folder, ex); //NON-NLS
205  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedIngestVM.title.txt"),
206  NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedIngestVM.msg.txt", file));
207  } catch (NoCurrentCaseException ex) {
208  logger.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
209  MessageNotifyUtil.Notify.error(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.msgNotify.failedIngestVM.title.txt"),
210  Bundle.VMExtractorIngestModule_noOpenCase_errMsg());
211  }
212  }
213  // Update progress bar
214  numJobsQueued++;
215  progressBar.progress(NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.queuingIngestJobs.message"), numJobsQueued);
216  }
217  logger.log(Level.INFO, "VMExtractorIngestModule completed processing of data source {0}", dataSource.getName()); //NON-NLS
218  return ProcessResult.OK;
219  }
220 
232  private static List<AbstractFile> findVirtualMachineFiles(Content dataSource) throws TskCoreException, NoCurrentCaseException {
233  List<AbstractFile> vmFiles = new ArrayList<>();
234  for (String vmExtension : GeneralFilter.VIRTUAL_MACHINE_EXTS) {
235  String searchString = "%" + vmExtension; // want a search string that looks like this "%.vmdk"
236  vmFiles.addAll(Case.getCurrentCaseThrows().getServices().getFileManager().findFiles(dataSource, searchString));
237  }
238  return vmFiles;
239  }
240 
250  private void writeVirtualMachineToDisk(AbstractFile vmFile, String outputFolderForThisVM) throws ReadContentInputStreamException, IOException {
251 
252  // TODO: check available disk space first? See IngestMonitor.getFreeSpace()
253  // check if output folder exists
254  File destinationFolder = Paths.get(outputFolderForThisVM).toFile();
255  if (!destinationFolder.exists()) {
256  destinationFolder.mkdirs();
257  }
258  /*
259  * Write the virtual machine file to disk.
260  */
261  File localFile = Paths.get(outputFolderForThisVM, vmFile.getName()).toFile();
262  ContentUtils.writeToFile(vmFile, localFile, context::dataSourceIngestIsCancelled);
263  }
264 
271  private void ingestVirtualMachineImage(Path vmFile) throws InterruptedException, IOException, NoCurrentCaseException {
272 
273  /*
274  * Try to add the virtual machine file to the case as a data source.
275  */
276  UUID taskId = UUID.randomUUID();
277  Case.getCurrentCaseThrows().notifyAddingDataSource(taskId);
278  ImageDSProcessor dataSourceProcessor = new ImageDSProcessor();
279  AddDataSourceCallback dspCallback = new AddDataSourceCallback(vmFile);
280  synchronized (this) {
281  dataSourceProcessor.run(parentDeviceId, vmFile.toString(), parentTimeZone, false, new AddDataSourceProgressMonitor(), dspCallback);
282  /*
283  * Block the ingest thread until the data source processor finishes.
284  */
285  this.wait();
286  }
287 
288  /*
289  * If the image was added, start analysis on it with the ingest modules for this
290  * ingest context. Note that this does not wait for ingest to complete.
291  */
292  if (!dspCallback.vmDataSources.isEmpty()) {
293  Case.getCurrentCaseThrows().notifyDataSourceAdded(dspCallback.vmDataSources.get(0), taskId);
294  List<Content> dataSourceContent = new ArrayList<>(dspCallback.vmDataSources);
295  IngestJobSettings ingestJobSettings = new IngestJobSettings(context.getExecutionContext());
296  for (String warning : ingestJobSettings.getWarnings()) {
297  logger.log(Level.WARNING, String.format("Ingest job settings warning for virtual machine file %s : %s", vmFile.toString(), warning)); //NON-NLS
298  }
299  IngestServices.getInstance().postMessage(IngestMessage.createMessage(IngestMessage.MessageType.INFO,
300  VMExtractorIngestModuleFactory.getModuleName(),
301  NbBundle.getMessage(this.getClass(), "VMExtractorIngestModule.addedVirtualMachineImage.message", vmFile.toString())));
302  IngestManager.getInstance().beginIngestJob(dataSourceContent, ingestJobSettings);
303  } else {
304  Case.getCurrentCaseThrows().notifyFailedAddingDataSource(taskId);
305  }
306  }
307 
311  private static final class AddDataSourceProgressMonitor implements DataSourceProcessorProgressMonitor {
312 
313  @Override
314  public void setIndeterminate(final boolean indeterminate) {
315  }
316 
317  @Override
318  public void setProgress(final int progress) {
319  }
320 
321  @Override
322  public void setProgressText(final String text) {
323  }
324 
325  }
326 
331  private final class AddDataSourceCallback extends DataSourceProcessorCallback {
332 
333  private final Path vmFile;
334  private final List<Content> vmDataSources;
335 
341  private AddDataSourceCallback(Path vmFile) {
342  this.vmFile = vmFile;
343  vmDataSources = new ArrayList<>();
344  }
345 
346  @Override
347  public void done(DataSourceProcessorCallback.DataSourceProcessorResult result, List<String> errList, List<Content> content) {
348  for (String error : errList) {
349  String logMessage = String.format("Data source processor error for virtual machine file %s: %s", vmFile.toString(), error); //NON-NLS
350  if (DataSourceProcessorCallback.DataSourceProcessorResult.CRITICAL_ERRORS == result) {
351  logger.log(Level.SEVERE, logMessage);
352  } else {
353  logger.log(Level.WARNING, logMessage);
354  }
355  }
356 
357  /*
358  * Save a reference to the content object so it can be used to
359  * create a new ingest job.
360  */
361  if (!content.isEmpty()) {
362  vmDataSources.add(content.get(0));
363  }
364 
365  /*
366  * Unblock the ingest thread.
367  */
368  synchronized (VMExtractorIngestModule.this) {
369  VMExtractorIngestModule.this.notify();
370  }
371  }
372 
373  @Override
374  public void doneEDT(DataSourceProcessorResult result, List<String> errList, List<Content> newContents) {
375  done(result, errList, newContents);
376  }
377 
378  }
379 
380 }
org.sleuthkit.autopsy.modules.vmextractor.VMExtractorIngestModule.AddDataSourceCallback.doneEDT
void doneEDT(DataSourceProcessorResult result, List< String > errList, List< Content > newContents)
Definition: VMExtractorIngestModule.java:374
org.sleuthkit.autopsy.modules.vmextractor.VMExtractorIngestModule.AddDataSourceCallback.done
void done(DataSourceProcessorCallback.DataSourceProcessorResult result, List< String > errList, List< Content > content)
Definition: VMExtractorIngestModule.java:347
org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:55

Copyright © 2012-2021 Basis Technology. Generated on: Tue Jan 19 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.