Autopsy  4.4
Graphical digital forensics platform for The Sleuth Kit and other tools.
Chrome.java
1 /*
2  *
3  * Autopsy Forensic Browser
4  *
5  * Copyright 2012-2014 Basis Technology Corp.
6  *
7  * Copyright 2012 42six Solutions.
8  *
9  * Project Contact/Architect: carrier <at> sleuthkit <dot> org
10  *
11  * Licensed under the Apache License, Version 2.0 (the "License");
12  * you may not use this file except in compliance with the License.
13  * You may obtain a copy of the License at
14  *
15  * http://www.apache.org/licenses/LICENSE-2.0
16  *
17  * Unless required by applicable law or agreed to in writing, software
18  * distributed under the License is distributed on an "AS IS" BASIS,
19  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
20  * See the License for the specific language governing permissions and
21  * limitations under the License.
22  */
23 package org.sleuthkit.autopsy.recentactivity;
24 
25 import com.google.gson.JsonArray;
26 import com.google.gson.JsonElement;
27 import com.google.gson.JsonIOException;
28 import com.google.gson.JsonObject;
29 import com.google.gson.JsonParser;
30 import com.google.gson.JsonSyntaxException;
31 import org.openide.util.NbBundle;
34 import java.util.logging.Level;
35 import java.util.*;
36 import java.io.File;
37 import java.io.FileNotFoundException;
38 import java.io.FileReader;
39 import java.io.IOException;
44 import org.sleuthkit.datamodel.AbstractFile;
45 import org.sleuthkit.datamodel.BlackboardArtifact;
46 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
47 import org.sleuthkit.datamodel.BlackboardAttribute;
48 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
49 import org.sleuthkit.datamodel.Content;
50 import org.sleuthkit.datamodel.TskCoreException;
51 import org.sleuthkit.datamodel.TskData;
52 
56 class Chrome extends Extract {
57 
// SQL statements run against temporary copies of the Chrome profile files that
// the extraction methods of this class write to the case temp directory.

// Joins urls and visits, yielding one row per visit.
// NOTE(review): the from_visit subquery is keyed on visits.url, the same id the
// outer join uses, so it appears to return the visited URL again rather than a
// referrer - confirm against the Chrome History schema.
private static final String historyQuery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS
        + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS
// Selects every row of the cookies table, including the stored cookie value.
private static final String cookieQuery = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS
// Used when isChromePreVersion30() reports that the downloads table has its own url column.
private static final String downloadQuery = "SELECT full_path, url, start_time, received_bytes FROM downloads"; //NON-NLS
// Used otherwise: the URL comes from downloads_url_chains and current_path is aliased to full_path.
private static final String downloadQueryVersion30 = "SELECT current_path AS full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS
// Returns only origin_url, username_value and signon_realm; no password column is selected.
private static final String loginQuery = "SELECT origin_url, username_value, signon_realm from logins"; //NON-NLS
// Per-instance logger named after the runtime class.
private final Logger logger = Logger.getLogger(this.getClass().getName());
// Data source and ingest context of the current process() call.
private Content dataSource;
private IngestJobContext context;
67 
/**
 * Creates the extractor and sets its display name from the resource bundle
 * key "Chrome.moduleName".
 */
Chrome() {
    // moduleName is not declared in this class; presumably inherited from Extract.
    this.moduleName = NbBundle.getMessage(Chrome.class, "Chrome.moduleName");
}
71 
/**
 * Runs every Chrome extractor against one data source.
 *
 * @param dataSource the data source searched for Chrome profile files
 * @param context    the ingest job context, polled for cancellation
 */
@Override
public void process(Content dataSource, IngestJobContext context) {
    // Reset the per-run flag first; each extractor sets it when it finds files.
    dataFound = false;
    this.context = context;
    this.dataSource = dataSource;

    // The extraction order is kept exactly as it was.
    getHistory();
    getBookmark();
    getCookie();
    getLogin();
    getDownload();
}
83 
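/**
 * Extracts Chrome web history: copies each allocated "History" file to the
 * case temp directory, runs historyQuery on the copy and posts one
 * TSK_WEB_HISTORY artifact per returned row.
 *
 * The database contents come from the evidence and are untrusted, so NULL or
 * non-numeric column values must not abort the run.
 */
private void getHistory() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> historyFiles;
    try {
        historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    // get only the allocated ones, for now
    List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();
    for (AbstractFile historyFile : historyFiles) {
        if (historyFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
            allocatedHistoryFiles.add(historyFile);
        }
    }

    // log a message if we don't have any allocated history files
    if (allocatedHistoryFiles.isEmpty()) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");
        logger.log(Level.INFO, msg);
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

    // Iterate the filtered list. The loop used to walk historyFiles, so the
    // allocation filter above had no effect on what was parsed.
    for (int j = 0; j < allocatedHistoryFiles.size(); j++) {
        final AbstractFile historyFile = allocatedHistoryFiles.get(j);
        if (historyFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(historyFile, dbFile, context::dataSourceIngestIsCancelled);
            } catch (IOException ex) {
                logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome web history artifacts.{0}", ex); //NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",
                        this.getName(), historyFile.getName()));
                continue;
            }
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            List<HashMap<String, Object>> tempList = this.dbConnect(temps, historyQuery);
            logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
            for (HashMap<String, Object> result : tempList) {
                // Null-check the value itself. The old form called toString()
                // first, so a NULL column threw before the check could run.
                String url = Objects.toString(result.get("url"), "");
                long lastVisitMicros;
                try {
                    lastVisitMicros = Long.parseLong(Objects.toString(result.get("last_visit_time"), "0"));
                } catch (NumberFormatException ex) {
                    // SQLite is dynamically typed, so a damaged or crafted file can hold text here.
                    logger.log(Level.WARNING, "Skipping Chrome history row with a non-numeric last_visit_time.", ex); //NON-NLS
                    continue;
                }

                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, url));
                // Chrome stores microseconds since 1601-01-01; 11644473600 is the
                // number of seconds between that epoch and 1970-01-01.
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName,
                        (lastVisitMicros / 1000000) - 11644473600L));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, parentModuleName,
                        Objects.toString(result.get("from_visit"), ""))); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, parentModuleName,
                        Objects.toString(result.get("title"), ""))); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName,
                        NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName,
                        Util.extractDomain(url)));

                BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
                if (bbart != null) {
                    bbartifacts.add(bbart);
                }
            }
        } finally {
            // Remove the temp copy of evidence on every exit path, including
            // write failures, cancellation and unexpected exceptions.
            dbFile.delete();
        }
    }

    // NOTE(review): the opening line of this call is missing from the rendered
    // listing and was reconstructed - confirm against the repository.
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
}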
172 
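/**
 * Extracts Chrome bookmarks: copies each "Bookmarks" file to the case temp
 * directory, parses it as JSON and posts one TSK_WEB_BOOKMARK artifact per
 * direct child of roots.bookmark_bar.
 *
 * The file comes from the evidence and is untrusted. Its JSON structure is
 * checked before use so that a truncated or malformed file is reported as an
 * analysis error instead of throwing out of the ingest module.
 */
private void getBookmark() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> bookmarkFiles;
    try {
        bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (bookmarkFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;

    while (j < bookmarkFiles.size()) {
        AbstractFile bookmarkFile = bookmarkFiles.get(j++);
        if (bookmarkFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(bookmarkFile, dbFile, context::dataSourceIngestIsCancelled);
            } catch (IOException ex) {
                logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome bookmark artifacts.{0}", ex); //NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",
                        this.getName(), bookmarkFile.getName()));
                continue;
            }

            logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{moduleName, temps}); //NON-NLS
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            // Walk roots -> bookmark_bar -> children, checking each level. A
            // missing key returns null from get(), which used to surface as an
            // uncaught NullPointerException.
            JsonElement children = null;
            // try-with-resources closes the reader. It was never closed before,
            // which leaks a handle and can make the delete below fail.
            // NOTE(review): FileReader decodes with the platform default charset;
            // Chrome bookmark files are expected to be UTF-8 - confirm and pin the charset.
            try (FileReader tempReader = new FileReader(temps)) {
                JsonElement root = new JsonParser().parse(tempReader);
                if (root.isJsonObject()) {
                    JsonElement roots = root.getAsJsonObject().get("roots"); //NON-NLS
                    if (roots != null && roots.isJsonObject()) {
                        JsonElement bar = roots.getAsJsonObject().get("bookmark_bar"); //NON-NLS
                        if (bar != null && bar.isJsonObject()) {
                            children = bar.getAsJsonObject().get("children"); //NON-NLS
                        }
                    }
                }
            } catch (FileNotFoundException ex) {
                logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getName(),
                                bookmarkFile.getName()));
                continue;
            } catch (IOException | JsonIOException | JsonSyntaxException | IllegalStateException ex) {
                logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",
                        this.getName(), bookmarkFile.getName()));
                continue;
            }

            if (children == null || !children.isJsonArray()) {
                // Well-formed JSON without the expected structure is reported
                // the same way as a parse failure.
                logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark."); //NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",
                        this.getName(), bookmarkFile.getName()));
                continue;
            }

            for (JsonElement result : children.getAsJsonArray()) {
                if (!result.isJsonObject()) {
                    // getAsJsonObject() throws on anything that is not an object.
                    continue;
                }
                JsonObject address = result.getAsJsonObject();

                JsonElement urlEl = address.get("url"); //NON-NLS
                String url = (urlEl != null && urlEl.isJsonPrimitive()) ? urlEl.getAsString() : "";

                JsonElement nameEl = address.get("name"); //NON-NLS
                String name = (nameEl != null && nameEl.isJsonPrimitive()) ? nameEl.getAsString() : "";

                long date = 0;
                JsonElement dateEl = address.get("date_added"); //NON-NLS
                if (dateEl != null && dateEl.isJsonPrimitive()) {
                    try {
                        date = dateEl.getAsLong();
                    } catch (NumberFormatException ex) {
                        // Keep the entry and fall back to 0, as for a missing date.
                        logger.log(Level.WARNING, "Chrome bookmark has a non-numeric date_added.", ex); //NON-NLS
                    }
                }

                String domain = Util.extractDomain(url);
                try {
                    BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
                    Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                    //TODO Revisit usage of deprecated constructor as per TSK-583
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, url));
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE, parentModuleName, name));
                    // Microseconds since 1601-01-01 converted to seconds since 1970-01-01.
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED, parentModuleName,
                            (date / 1000000) - 11644473600L));
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName,
                            NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain));
                    bbart.addAttributes(bbattributes);

                    // index the artifact for keyword search
                    this.indexArtifact(bbart);
                    bbartifacts.add(bbart);
                } catch (TskCoreException ex) {
                    logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS
                    this.addErrorMessage(
                            NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4",
                                    this.getName(), bookmarkFile.getName()));
                }
            }
        } finally {
            // The error paths used to 'continue' without deleting the temp copy.
            dbFile.delete();
        }
    }

    // NOTE(review): the opening line of this call is missing from the rendered
    // listing and was reconstructed - confirm against the repository.
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));
}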
314 
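/**
 * Extracts Chrome cookies: copies each "Cookies" file to the case temp
 * directory, runs cookieQuery on the copy and posts one TSK_WEB_COOKIE
 * artifact per row.
 *
 * Cookie values are stored verbatim in the TSK_VALUE attribute and may
 * include session tokens, so the resulting case data is sensitive.
 */
private void getCookie() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> cookiesFiles;
    try {
        cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (cookiesFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome cookies files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;
    while (j < cookiesFiles.size()) {
        AbstractFile cookiesFile = cookiesFiles.get(j++);
        if (cookiesFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(cookiesFile, dbFile, context::dataSourceIngestIsCancelled);
            } catch (IOException ex) {
                logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome cookie artifacts.{0}", ex); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile", this.getName(),
                                cookiesFile.getName()));
                continue;
            }
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            List<HashMap<String, Object>> tempList = this.dbConnect(temps, cookieQuery);
            logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
            for (HashMap<String, Object> result : tempList) {
                // Null-check the value itself. Calling toString() first made
                // the old null checks unreachable for a NULL column.
                String hostKey = Objects.toString(result.get("host_key"), ""); //NON-NLS
                long lastAccessMicros;
                try {
                    lastAccessMicros = Long.parseLong(Objects.toString(result.get("last_access_utc"), "0")); //NON-NLS
                } catch (NumberFormatException ex) {
                    // The database is untrusted evidence and the column may not hold a number.
                    logger.log(Level.WARNING, "Skipping Chrome cookie row with a non-numeric last_access_utc.", ex); //NON-NLS
                    continue;
                }

                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, hostKey));
                // Microseconds since 1601-01-01 converted to seconds since 1970-01-01.
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName,
                        (lastAccessMicros / 1000000) - 11644473600L));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName,
                        Objects.toString(result.get("name"), ""))); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName,
                        Objects.toString(result.get("value"), ""))); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName,
                        NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
                // Strip leading dots from the host key, unless the key is only dots.
                String domain = hostKey.replaceFirst("^\\.+(?!$)", "");
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName, domain));

                BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
                if (bbart != null) {
                    bbartifacts.add(bbart);
                }
            }
        } finally {
            // Always remove the temp copy of the cookie database, on every exit path.
            dbFile.delete();
        }
    }

    // NOTE(review): the opening line of this call is missing from the rendered
    // listing and was reconstructed - confirm against the repository.
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));
}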
398 
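/**
 * Extracts Chrome downloads: copies each "History" file to the case temp
 * directory, picks the download query that matches the schema reported by
 * isChromePreVersion30() and posts one TSK_WEB_DOWNLOAD artifact per row.
 */
private void getDownload() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> downloadFiles;
    try {
        downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (downloadFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome download files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;
    while (j < downloadFiles.size()) {
        AbstractFile downloadFile = downloadFiles.get(j++);
        if (downloadFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(downloadFile, dbFile, context::dataSourceIngestIsCancelled);
            } catch (IOException ex) {
                logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome download artifacts.{0}", ex); //NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",
                        this.getName(), downloadFile.getName()));
                continue;
            }
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            // Both queries expose the same column names, so one row mapping serves both.
            String query = isChromePreVersion30(temps) ? downloadQuery : downloadQueryVersion30;
            List<HashMap<String, Object>> tempList = this.dbConnect(temps, query);

            logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
            for (HashMap<String, Object> result : tempList) {
                // Null-check the values themselves. The old code called
                // toString() first and threw on a NULL column.
                String fullPath = Objects.toString(result.get("full_path"), ""); //NON-NLS
                String url = Objects.toString(result.get("url"), ""); //NON-NLS
                long startMicros;
                try {
                    startMicros = Long.parseLong(Objects.toString(result.get("start_time"), "0")); //NON-NLS
                } catch (NumberFormatException ex) {
                    // The database is untrusted evidence and the column may not hold a number.
                    logger.log(Level.WARNING, "Skipping Chrome download row with a non-numeric start_time.", ex); //NON-NLS
                    continue;
                }

                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH, parentModuleName, fullPath));
                long pathID = Util.findID(dataSource, fullPath);
                if (pathID != -1) {
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID, parentModuleName, pathID));
                }
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, url));
                // Microseconds since 1601-01-01 converted to seconds since 1970-01-01.
                long time = (startMicros / 1000000) - 11644473600L;

                //TODO Revisit usage of deprecated constructor as per TSK-583
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName, time));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName,
                        Util.extractDomain(url)));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName,
                        NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

                BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
                if (bbart != null) {
                    bbartifacts.add(bbart);
                }
            }
        } finally {
            // Always remove the temp copy of the database, on every exit path.
            dbFile.delete();
        }
    }

    // NOTE(review): the opening line of this call is missing from the rendered
    // listing and was reconstructed - confirm against the repository.
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts));
}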
491 
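/**
 * Extracts saved-login records: copies each matching file to the case temp
 * directory, runs loginQuery on the copy and posts one TSK_WEB_HISTORY
 * artifact plus one TSK_OS_ACCOUNT artifact per row.
 *
 * loginQuery returns only origin_url, username_value and signon_realm. The
 * previous code also dereferenced last_visit_time, from_visit, title and url,
 * none of which the query selects, so any returned row threw a
 * NullPointerException. Absent columns are now tolerated.
 */
private void getLogin() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> signonFiles;
    try {
        // NOTE(review): "signons.sqlite" looks like a Firefox file name; Chrome is
        // expected to keep its logins table in a file named "Login Data" - confirm.
        signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); //NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (signonFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome signon files."); //NON-NLS
        return;
    }

    dataFound = true;
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();
    int j = 0;
    while (j < signonFiles.size()) {
        AbstractFile signonFile = signonFiles.get(j++);
        if (signonFile.getSize() == 0) {
            continue;
        }
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName() + j + ".db"; //NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(signonFile, dbFile, context::dataSourceIngestIsCancelled);
            } catch (IOException ex) {
                logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome login artifacts.{0}", ex); //NON-NLS
                this.addErrorMessage(
                        NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getName(),
                                signonFile.getName()));
                continue;
            }
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            List<HashMap<String, Object>> tempList = this.dbConnect(temps, loginQuery);
            logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS
            for (HashMap<String, Object> result : tempList) {
                String originUrl = Objects.toString(result.get("origin_url"), ""); //NON-NLS
                // NOTE(review): doubling single quotes looks like leftover SQL escaping.
                // It changes the user name as stored in the case - confirm it is still wanted.
                String userName = Objects.toString(result.get("username_value"), "").replaceAll("'", "''"); //NON-NLS

                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, parentModuleName, originUrl));
                //TODO Revisit usage of deprecated constructor as per TSK-583
                // last_visit_time is not selected by loginQuery, so only add the
                // timestamp when the row actually carries a numeric value.
                Object lastVisit = result.get("last_visit_time"); //NON-NLS
                if (lastVisit != null) {
                    try {
                        // Microseconds since 1601-01-01 converted to seconds since 1970-01-01.
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName,
                                (Long.parseLong(lastVisit.toString()) / 1000000) - 11644473600L));
                    } catch (NumberFormatException ex) {
                        logger.log(Level.WARNING, "Chrome login row has a non-numeric last_visit_time.", ex); //NON-NLS
                    }
                }
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER, parentModuleName,
                        Objects.toString(result.get("from_visit"), ""))); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName,
                        Objects.toString(result.get("title"), ""))); //NON-NLS
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName,
                        NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
                // The old code null-checked origin_url but then read "url", which
                // loginQuery does not select; use origin_url for both.
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED, parentModuleName,
                        Util.extractDomain(originUrl)));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, parentModuleName, userName));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN, parentModuleName,
                        Objects.toString(result.get("signon_realm"), ""))); //NON-NLS

                BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);
                if (bbart != null) {
                    bbartifacts.add(bbart);
                }

                // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent
                Collection<BlackboardAttribute> osAcctAttributes = new ArrayList<>();
                osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME, parentModuleName, userName));
                this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes);
            }
        } finally {
            // Always remove the temp copy of the login database, on every exit path.
            dbFile.delete();
        }
    }

    // NOTE(review): the opening line of this call is missing from the rendered
    // listing and was reconstructed - confirm against the repository.
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
            parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));
}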
587 
/**
 * Reports whether the downloads table in the given database copy has a
 * column named "url", which this module treats as the pre-version-30 schema.
 *
 * @param temps path of the temporary SQLite copy to inspect
 * @return true if PRAGMA table_info(downloads) lists a column named "url"
 */
private boolean isChromePreVersion30(String temps) {
    final String pragma = "PRAGMA table_info(downloads)"; //NON-NLS
    List<HashMap<String, Object>> tableInfo = this.dbConnect(temps, pragma);
    // Each row describes one column; only its "name" entry is examined.
    return tableInfo.stream()
            .anyMatch(column -> column.get("name").equals("url")); //NON-NLS
}
599 }