diff --git a/RecentActivity/nbproject/genfiles.properties b/RecentActivity/nbproject/genfiles.properties
index edf146affb0c1a47e8b4d4aff2d6abef48acc9de..5f4ee37d9eaba241ad6b1fa64d4e8d2d4f4fdd80 100644
--- a/RecentActivity/nbproject/genfiles.properties
+++ b/RecentActivity/nbproject/genfiles.properties
@@ -1,8 +1,8 @@
-build.xml.data.CRC32=9b8a08d3
+build.xml.data.CRC32=13440745
 build.xml.script.CRC32=d323407a
 build.xml.stylesheet.CRC32=a56c6a5b@1.46.1
 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
 # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
-nbproject/build-impl.xml.data.CRC32=9b8a08d3
+nbproject/build-impl.xml.data.CRC32=13440745
 nbproject/build-impl.xml.script.CRC32=aef16a21
 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1
diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties
index b9c82fbb81fe3093e5be00ae5bd42dd3e2d0fcf2..c2587f0f66da27a9ede0ad53554f11716cfd0827 100644
--- a/RecentActivity/nbproject/project.properties
+++ b/RecentActivity/nbproject/project.properties
@@ -1,4 +1,4 @@
-file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar
+file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar
 file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar
 file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
 javac.source=1.6
diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml
index 1184a96e43e5c2ef17e475c9a605abc343101e65..5a41ab3f00575b82155463e93237bed4bac15a67 100644
--- a/RecentActivity/nbproject/project.xml
+++ b/RecentActivity/nbproject/project.xml
@@ -198,10 +198,6 @@
 <runtime-relative-path>ext/jdom-1.1.2.jar</runtime-relative-path>
 <binary-origin>release/modules/ext/jdom-1.1.2.jar</binary-origin>
 </class-path-extension>
- <class-path-extension>
- <runtime-relative-path>ext/jcalendarbutton-1.4.5.jar</runtime-relative-path>
- <binary-origin>release/modules/ext/jcalendarbutton-1.4.5.jar</binary-origin>
- </class-path-extension>
 </data>
 </configuration>
 </project>
diff --git a/RecentActivity/release/rr/plugins/autopsysystem b/RecentActivity/release/rr/plugins/autopsysystem
new file mode 100644
index 0000000000000000000000000000000000000000..c80be5ebf00d08c9e28b477a2750762deef52667
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsysystem
@@ -0,0 +1,6 @@
+# List of plugins for the Registry Ripper
+
+#-------------------------------------
+# system
+autopsyusb
+autopsyusbdevices
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/autopsyusb.pl b/RecentActivity/release/rr/plugins/autopsyusb.pl
new file mode 100644
index 0000000000000000000000000000000000000000..2a4c438c7cfa9226ebccacc826c650330bfcb326
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsyusb.pl
@@ -0,0 +1,111 @@
+#-----------------------------------------------------------
+# usb
+# Similar to usbstor plugin, but prints output in .csv format;
+# also checks MountedDevices keys
+#
+#
+# copyright 2008 H. Carvey, keydet89@yahoo.com
+#-----------------------------------------------------------
+package usb;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20080825);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Get USB subkeys info; csv output";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $reg;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $name_path = $ccs."\\Control\\ComputerName\\ComputerName";
+ my $comp_name;
+ eval {
+ $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data();
+ };
+ $comp_name = "Test" if ($@);
+
+ my $key_path = $ccs."\\Enum\\USB";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar(@subkeys) > 0) {
+ foreach my $s (@subkeys) {
+ my $dev_class = $s->get_name();
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar(@sk) > 0) {
+ foreach my $k (@sk) {
+ my $serial = $k->get_name();
+ my $sn_lw = $k->get_timestamp();
+ my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw;
+
+ my $loc;
+ eval {
+ $loc = $k->get_value("LocationInformation")->get_data();
+ $str .= ",".$loc;
+ };
+ $str .= ", " if ($@);
+
+
+ my $friendly;
+ eval {
+ $friendly = $k->get_value("FriendlyName")->get_data();
+ $str .= ",".$friendly;
+ };
+ $str .= ", " if ($@);
+
+ my $parent;
+ eval {
+ $parent = $k->get_value("ParentIdPrefix")->get_data();
+ $str .= ",".$parent;
+ };
+
+
+ ::rptMsg($str);
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ ::logMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ ::logMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/autopsyusbdevices.pl b/RecentActivity/release/rr/plugins/autopsyusbdevices.pl
new file mode 100644
index 0000000000000000000000000000000000000000..27f7ef8a29282c7fb7822181eeeb73d419435c87
--- /dev/null
+++ b/RecentActivity/release/rr/plugins/autopsyusbdevices.pl
@@ -0,0 +1,108 @@
+#-----------------------------------------------------------
+# usbdevices.pl
+# Parses contents of Enum\USB key for web cam
+#
+# History
+# 20100219 - created
+#
+# copyright 2010 Quantum Analytics Research, LLC
+#-----------------------------------------------------------
+package usbdevices;
+use strict;
+
+my %config = (hive => "System",
+ osmask => 22,
+ hasShortDescr => 1,
+ hasDescr => 0,
+ hasRefs => 0,
+ version => 20100219);
+
+sub getConfig{return %config}
+
+sub getShortDescr {
+ return "Parses Enum\\USB key for devices";
+}
+sub getDescr{}
+sub getRefs {}
+sub getHive {return $config{hive};}
+sub getVersion {return $config{version};}
+
+my $VERSION = getVersion();
+my $reg;
+
+sub pluginmain {
+ my $class = shift;
+ my $hive = shift;
+ $reg = Parse::Win32Registry->new($hive);
+ my $root_key = $reg->get_root_key;
+::logMsg("Launching usbdevices v.".$VERSION);
+# Code for System file, getting CurrentControlSet
+ my $current;
+ my $ccs;
+ my $key_path = 'Select';
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+ $current = $key->get_value("Current")->get_data();
+ $ccs = "ControlSet00".$current;
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ return;
+ }
+
+ my $key_path = $ccs."\\Enum\\USB";
+ my $key;
+ if ($key = $root_key->get_subkey($key_path)) {
+
+ my @subkeys = $key->get_list_of_subkeys();
+ if (scalar @subkeys > 0) {
+ foreach my $s (@subkeys) {
+ my @sk = $s->get_list_of_subkeys();
+ if (scalar @sk > 0) {
+ foreach my $s2 (@sk) {
+ ::rptMsg("");
+ eval {
+ my $desc = $s2->get_value("DeviceDesc")->get_data();
+ ::rptMsg($desc." [".$s->get_name()."\\".$s2->get_name()."]");
+ };
+
+ my $str;
+ eval {
+ my $class = $s2->get_value("Class")->get_data();
+ ::rptMsg(" Class : ".$class);
+ };
+
+ eval {
+ my $serv = $s2->get_value("Service")->get_data();
+ ::rptMsg(" Service : ".$serv);
+ };
+
+ eval {
+ my $serv = $s2->get_value("LocationInformation")->get_data();
+ ::rptMsg(" Location Information: ".$serv);
+ };
+
+ eval {
+ my $serv = $s2->get_value("Mfg")->get_data();
+ ::rptMsg(" Mfg : ".$serv);
+ };
+
+# eval {
+# if ($s2->get_value("Class")->get_data() eq "Image") {
+# ::rptMsg("Possible webcam at ".$s->get_name()."\\".$s2->get_name());
+# }
+# };
+# ::rptMsg("Error: ".$@) if ($@);
+ }
+ }
+ }
+ }
+ else {
+ ::rptMsg($key_path." has no subkeys.");
+ }
+ }
+ else {
+ ::rptMsg($key_path." not found.");
+ }
+}
+1;
\ No newline at end of file
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
index ce51b19478647f60d9b7190a87311e06b4ebf3c7..e1be9319f2725f2e3e7e7a385e1e722ba306f1eb 100755
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java
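Review bot: Each `eval { ... }` in the `$s2` loop drops `$@` without inspecting it, so a value that is genuinely absent and a read that failed look identical in the report, and the only error reporting left is the commented-out `::rptMsg("Error: ".$@) if ($@);` block; at least log the failure after each block, e.g. `::logMsg($key_path.": ".$@) if ($@);`. `my $str;` is declared and never used, and `my $key_path`/`my $key` are re-declared in the same scope as their first declarations in `pluginmain`, a warning the file would see if it had `use warnings;` beside `use strict;`. The file declares `package usbdevices;` while the `autopsysystem` list names it `autopsyusbdevices`; if the loader invokes `$plugin->pluginmain` on the listed name, as RegRipper's rip.pl does, that call cannot resolve, so the package should be named after the file.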
@@ -35,9 +35,9 @@ public class Chrome { public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " - + "datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; - public static final String chcookiequery = "select name, value, host_key, expires_utc, datetime(last_access_utc/1000000-11644473600,'unixepoch','localtime') as last_access_utc, creation_utc from cookies"; - public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count, datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; + + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; + public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies"; + public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads"; public static final String chloginquery = "select origin_url, username_value, signon_realm from logins"; private final Logger logger = Logger.getLogger(this.getClass().getName()); 
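Review bot: The new `chbookmarkquery` selects `urls._last_visit_time`, which keeps the old alias name as if it were a column; Chrome's `urls` table has `last_visit_time`, so the query should read `urls.typed_count, urls.last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id`. Dropping the `datetime(...)` conversion in all three queries also means the values later stored as "Last Visited" are raw WebKit microseconds since 1601 rather than Unix seconds, so whatever renders them (the report change in this commit appears to multiply by 1000) must apply the `/1000000-11644473600` conversion removed here, or it should stay in the SQL. The same applies to `ffquery`, `ffcookiequery` and `ffdownloadquery` in Firefox.java, whose raw values are microseconds since 1970 and need a different conversion again.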
@@ -85,7 +85,7 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ while(temprs.next()) { - + String domain = Util.extractDomain(temprs.getString("url")); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",temprs.getString("url"))); @@ -93,6 +93,7 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",temprs.getString("from_visit"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
@@ -156,11 +157,13 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); + String domain = Util.extractDomain(temprs.getString("host_key")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",temprs.getString("last_access_utc"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } tempdbconnect.closeConnection(); 
@@ -231,13 +234,14 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ String url = address.get("url").getAsString(); String name = address.get("name").getAsString(); String date = address.get("date_added").getAsString(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",date)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
@@ -298,11 +302,12 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); + String domain = Util.extractDomain(temprs.getString("url")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path"))); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes); 
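Review bot: `Util.extractDomain(temprs.getString("url"))` on the added line runs before the null guard that the TSK_URL line two lines below applies to the same column, and `extractDomain` throws on null, so a download row with a null url now aborts the loop instead of being recorded with an empty URL. Reuse the guarded value: `String url = (temprs.getString("url") != null) ? temprs.getString("url") : ""; String domain = Util.extractDomain(url);` and pass `url` to the TSK_URL attribute. The history and cookie hunks above call `extractDomain` unguarded as well, though `urls.url` and `host_key` are presumably non-null in Chrome's schema. getchdb continues outside the hunk.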
@@ -370,7 +375,7 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity","", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm"))); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 0fd4f4eda6311235586d5b9593ceb86e7cbfab8a..c292e13f1c45f2fffaa4ed987e6c85d0156e3abd 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -28,6 +28,8 @@ //Util Imports import java.sql.SQLException; +import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.HashMap; import java.util.List; 
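Review bot: The added line gives the login artifact a second TSK_DOMAIN attribute next to the existing one built from `signon_realm` three lines above, so a consumer that reads one domain per artifact gets whichever was stored first. Decide which value is the domain (the extracted host of `origin_url` matches the other artifact types in this commit) and drop the other, or store `signon_realm` under a distinct attribute type. getchdb continues outside the hunk.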
@@ -121,13 +123,14 @@ public ExtractIE(List<String> image, IngestImageWorkerController controller) { } String name = Favorite.getName(); String datetime = Favorite.getCrtimeAsDate(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); @@ -174,7 +177,7 @@ public ExtractIE(List<String> image, IngestImageWorkerController controller) { String value = values[1]; String name = values[0]; String datetime = Cookie.getCrtimeAsDate(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url)); 
@@ -182,6 +185,7 @@ public ExtractIE(List<String> image, IngestImageWorkerController controller) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : "")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } @@ -366,6 +370,7 @@ public void parsePascoResults() { String actime = lineBuff[3]; String user = ""; String realurl = ""; + String domain = ""; if(url.length > 1) { user = url[0]; @@ -378,14 +383,20 @@ public void parsePascoResults() { realurl = realurl.replaceAll(":(.*?):", ""); realurl = realurl.replace(":Host:", ""); realurl = realurl.trim(); + domain = Util.extractDomain(realurl); } if(!ddtime.isEmpty()){ ddtime = ddtime.replace("T"," "); ddtime = ddtime.substring(ddtime.length()-5); } if(!actime.isEmpty()){ - actime = actime.replace("T"," "); - actime = actime.substring(0,actime.length()-5); + try{ + Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime(); + actime = epochtime.toString(); + } + catch(ParseException e){ + logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage()); + } } // TODO: Need to fix this so we have the right obj_id 
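Review bot: The `SimpleDateFormat` in the new try block parses `actime` in the JVM's default time zone even though the pattern's literal `'Z'` marks the value as UTC, so the stored epoch is shifted by the local offset of the analysis machine. Set the zone before parsing: `SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); fmt.setTimeZone(java.util.TimeZone.getTimeZone("UTC")); actime = Long.toString(fmt.parse(actime).getTime());`. The catch passes `e.getMessage()` as a log parameter to a message with no `{0}` placeholder, so the reason is dropped from the log; pass `e` itself as the third argument so the exception is recorded. parsePascoResults continues outside the hunk.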
@@ -400,7 +411,7 @@ public void parsePascoResults() { // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(),"RecentActivity","",user)); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 54ae347a383692262b2ea96710cc2495e60d3f22..bdb96a43a7326c2903bc6075af97b79ffdb0712c 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -149,7 +149,7 @@ private String executeRegRip(String regFilePath, int fileIndex) if(regFilePath.toLowerCase().contains("system")) { - type = "1system"; + type = "autopsysystem"; } if(regFilePath.toLowerCase().contains("software")) { diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 4ae3be6e29c9c7e63f0a05986f340833b3908842..ccb35f7bebb280cb470ced4b4e949ead9e7ab3ba 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
@@ -31,10 +31,10 @@ */ public class Firefox { - private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,datetime(moz_historyvisits.visit_date/1000000,'unixepoch','localtime') as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; - private static final String ffcookiequery = "SELECT name,value,host,expiry,datetime(moz_cookies.lastAccessed/1000000,'unixepoch','localtime') as lastAccessed,creationTime FROM moz_cookies"; + private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; + private static final String ffcookiequery = "SELECT name,value,host,expiry,lastAccessed,creationTime FROM moz_cookies"; private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; - private static final String ffdownloadquery = "select target, source, datetime(startTime/1000000,'unixepoch','localtime') as startTime, maxBytes from moz_downloads"; + private static final String ffdownloadquery = "select target, source,startTime, maxBytes from moz_downloads"; public Logger logger = Logger.getLogger(this.getClass().getName()); 
@@ -95,6 +95,7 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",((temprs.getString("ref") != null) ? temprs.getString("ref") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); bbart.addAttributes(bbattributes); } @@ -120,6 +121,7 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((tempbm.getString("url") != null) ? tempbm.getString("url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",tempbm.getString("url"))); bbart.addAttributes(bbattributes); } tempbm.close(); 
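Review bot: The two new TSK_DOMAIN attributes store the full `url` string rather than the host, while the Chrome and IE changes in this commit store `Util.extractDomain(url)`, so domain-based grouping in the report will not line up across browsers; the download hunk further down, which stores `temprs.getString("source")`, has the same issue. Use `Util.extractDomain(...)` on the null-guarded url in each place, e.g. `bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : "")));`. The cookie hunk's `host` column is already a hostname and can stay as is. getffdb continues outside the hunk.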
@@ -189,6 +191,7 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",temprs.getString("host"))); bbart.addAttributes(bbattributes); } @@ -257,7 +260,8 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8"); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget)); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",temprs.getString("source"))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java index 90a75f165fe2f5b42971d1b971813a40408b36ee..a7a8ff8e07527933ac32cdbdc01865a9b50d5af1 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java 
@@ -16,6 +16,9 @@ import java.util.Date; import java.util.List; import java.util.logging.Logger; +import java.util.regex.Matcher; +import java.util.regex.Pattern; +import org.apache.commons.lang.NullArgumentException; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; @@ -87,4 +90,16 @@ public static boolean imgpathexists(String path){ } } + +public static String extractDomain(String value){ + if (value == null) throw new NullArgumentException("domains to extract"); + String result = ""; + String domainPattern = "[a-z0-9\\-\\.]+\\.(com|org|net|mil|edu|(co\\.[a-z].))"; + Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE); + Matcher m = p.matcher(value); + while (m.find()) { + result = value.substring(m.start(0),m.end(0)); + } + return result; + } } \ No newline at end of file diff --git a/Report/release/modules/ext/cobra-0.98.4.zip b/Report/release/modules/ext/cobra-0.98.4.zip deleted file mode 100644 index 705d3772e8da973b79cc88aab4bbd8e6118ea6b0..0000000000000000000000000000000000000000 Binary files a/Report/release/modules/ext/cobra-0.98.4.zip and /dev/null differ diff --git a/Report/release/modules/ext/install-lobo-0.98.4.jar b/Report/release/modules/ext/install-lobo-0.98.4.jar deleted file mode 100644 index d5e85d11d15813bee1f833973188dfc93083fe7d..0000000000000000000000000000000000000000 Binary files a/Report/release/modules/ext/install-lobo-0.98.4.jar and /dev/null differ diff --git a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java index b7bfc9192379470a5815046a1c734561ededa6b0..951de08752099a099ca11771eada7b7b56ab79b5 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java 
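Review bot: `extractDomain` keeps the last match of the pattern (`while (m.find())` overwrites `result` each time), so for a history or download URL such as `http://good.example.com/r?next=other.net` (constructed example) the domain attributed to the artifact is `other.net`, taken from the query string rather than the host; any URL whose path or parameters embed a host-like token is misattributed in the report. The pattern also recognises only `com|org|net|mil|edu` plus a `co.xx` form whose final `.` is unescaped and matches any character, leaving `.gov`, most country TLDs and IP-address hosts as an empty domain. Parse the value as a URI and use its host, falling back to the first (not last) pattern match for bare hostnames such as cookie `host_key` values. `NullArgumentException` additionally brings in a commons-lang import that this commit does not add to the module's jar references (only gson is added), so either confirm the library is already on the classpath or throw `IllegalArgumentException`.
```java
public static String extractDomain(String value){
    if (value == null) throw new NullArgumentException("domains to extract");
    // The parsed authority cannot be fooled by host-like text in the path or query.
    try {
        String host = new java.net.URI(value.trim()).getHost();
        if (host != null && !host.isEmpty()) return host.toLowerCase();
    } catch (java.net.URISyntaxException e) {
        // not a URL (e.g. a bare cookie host); fall through to the pattern match
    }
    String result = "";
    String domainPattern = "[a-z0-9\\-\\.]+\\.(com|org|net|mil|edu|gov|(co\\.[a-z]{2}))";
    Pattern p = Pattern.compile(domainPattern, Pattern.CASE_INSENSITIVE);
    Matcher m = p.matcher(value);
    if (m.find()) {            // first match only: later text must not override the host
        result = m.group();
    }
    return result;
}
```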
@@ -157,6 +157,9 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re formatted_Report.append("<br /><table><thead><tr><th>Section</th><th>Count</th></tr></thead><tbody>"); if(countWebBookmark > 0){ formatted_Report.append("<tr><td><a href=\"#bookmark\">Web Bookmarks</a></td><td>").append(countWebBookmark).append("</td></tr>"); + } + if(countWebCookie > 0){ + formatted_Report.append("<tr><td><a href=\"#cookie\">Web Cookies</a></td><td>").append(countWebCookie).append("</td></tr>"); } if(countWebHistory > 0){ formatted_Report.append("<tr><td><a href=\"#history\">Web History</a></td><td>").append(countWebHistory).append("</td></tr>"); @@ -230,6 +233,9 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re int type = tempatt.getAttributeTypeID(); if(tempatt.getValueString() == null || tempatt.getValueString() == "null"){ + } + else if(type == 2){ + value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date (tempatt.getValueString()*1000)); } else { diff --git a/Report/src/org/sleuthkit/autopsy/report/reportXLS.java b/Report/src/org/sleuthkit/autopsy/report/reportXLS.java new file mode 100644 index 0000000000000000000000000000000000000000..241c8d821b6764ec0b31d0aa6de7a83c71b4fafc --- /dev/null +++ b/Report/src/org/sleuthkit/autopsy/report/reportXLS.java @@ -0,0 +1,13 @@ +/* + * To change this template, choose Tools | Templates + * and open the template in the editor. + */ +package org.sleuthkit.autopsy.report; + +/** + * + * @author Alex + */ +public class reportXLS { + +}
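Review bot: `tempatt.getValueString()*1000` in the new `type == 2` branch multiplies a `String` by an `int`, which does not compile in Java; it needs `Long.parseLong(tempatt.getValueString()) * 1000L` inside `new java.util.Date(...)`, plus a `NumberFormatException` guard for values that are not numeric (the IE bookmark and cookie times still come from `getCrtimeAsDate()`). Even then the `*1000` assumes Unix seconds, whereas the Chrome and Firefox queries changed in this commit now return raw microsecond timestamps and the IE history path stores epoch milliseconds, so the conversion has to be chosen per source rather than applied uniformly here. The `== "null"` comparison on the preceding context line is a reference comparison and should be `"null".equals(tempatt.getValueString())`, and the hard-coded `2` (presumably TSK_DATETIME) should reference the attribute type's ID. The constructor continues outside the hunk.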