diff --git a/RecentActivity/nbproject/genfiles.properties b/RecentActivity/nbproject/genfiles.properties index 5ed1794ff3d3212443e8e31368e96e06c77d486c..edf146affb0c1a47e8b4d4aff2d6abef48acc9de 100644 --- a/RecentActivity/nbproject/genfiles.properties +++ b/RecentActivity/nbproject/genfiles.properties @@ -1,8 +1,8 @@ -build.xml.data.CRC32=6b34b285 +build.xml.data.CRC32=9b8a08d3 build.xml.script.CRC32=d323407a build.xml.stylesheet.CRC32=a56c6a5b@1.46.1 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. -nbproject/build-impl.xml.data.CRC32=6b34b285 +nbproject/build-impl.xml.data.CRC32=9b8a08d3 nbproject/build-impl.xml.script.CRC32=aef16a21 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1 diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties index 95cab07bcd670e186cd6cc0611903925ca5f9719..b9c82fbb81fe3093e5be00ae5bd42dd3e2d0fcf2 100644 --- a/RecentActivity/nbproject/project.properties +++ b/RecentActivity/nbproject/project.properties @@ -1,4 +1,5 @@ file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar +file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar javac.source=1.6 javac.compilerargs=-Xlint -Xlint:-serial diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml index 0fad8c88c244be1330f2c2b1c4abf632e342ca96..1184a96e43e5c2ef17e475c9a605abc343101e65 100644 --- a/RecentActivity/nbproject/project.xml +++ b/RecentActivity/nbproject/project.xml 
@@ -190,6 +190,10 @@ <runtime-relative-path>ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</runtime-relative-path> <binary-origin>release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar</binary-origin> </class-path-extension> + <class-path-extension> + <runtime-relative-path>ext/gson-2.1.jar</runtime-relative-path> + <binary-origin>release/modules/ext/gson-2.1.jar</binary-origin> + </class-path-extension> <class-path-extension> <runtime-relative-path>ext/jdom-1.1.2.jar</runtime-relative-path> <binary-origin>release/modules/ext/jdom-1.1.2.jar</binary-origin> diff --git a/RecentActivity/release/modules/ext/gson-2.1.jar b/RecentActivity/release/modules/ext/gson-2.1.jar new file mode 100644 index 0000000000000000000000000000000000000000..b85f091a0d2e76b75babc21bdbe05ef118089910 Binary files /dev/null and b/RecentActivity/release/modules/ext/gson-2.1.jar differ diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index 8bdee2792b4eb510668c9aaa27ebe8da457467a3..5c64650aaa46efb8d17c54268d8eb14f482c8301 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -3,6 +3,9 @@ * and open the template in the editor. */ package org.sleuthkit.autopsy.recentactivity; +import com.google.gson.JsonElement; +import com.google.gson.JsonObject; +import com.google.gson.JsonParser; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; @@ -12,7 +15,9 @@ import java.util.logging.Logger; import java.util.*; import java.io.File; +import java.io.FileReader; import java.io.IOException; +import java.util.Map.Entry; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; 
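Review bot: The new `class-path-extension` for `ext/gson-2.1.jar` adds a binary jar to the module, and nothing in this change records where the jar came from or what digest it should have. Suggest a comment next to the entry, for example `<!-- gson 2.1; source: <ORIGIN_URL>; sha256: <EXPECTED_DIGEST> -->`, so the checked-in binary can be compared with the upstream release. `project.properties` gains a `file.reference` line for jdom in this commit but none for gson; that may be intentional, but it is worth confirming that the two files agree.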
@@ -29,10 +34,10 @@ public class Chrome { public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " + "datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; - public static final String chcookiequery = "select name, value, host, expires_utc, datetime(last_access_utc/1000000-11644473600,'unixepoch','localtime') as last_access_utc, creation_utc from cookies"; + public static final String chcookiequery = "select name, value, host_key, expires_utc, datetime(last_access_utc/1000000-11644473600,'unixepoch','localtime') as last_access_utc, creation_utc from cookies"; public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count, datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; - public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from `downloads`"; - public static final String chloginquery = "select origin_url, username_value, signon_realm from `logins`"; + public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads"; + public static final String chloginquery = "select origin_url, username_value, signon_realm from logins"; private final Logger logger = Logger.getLogger(this.getClass().getName()); public int ChromeCount = 0; @@ -51,7 +56,7 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ String allFS = new String(); for(String img : image) { - allFS += " and fs_obj_id = '" + img + "'"; + allFS += " AND fs_obj_id = '" + img + "'"; } ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' AND parent_path LIKE '%Chrome%'" + allFS); 
@@ -117,8 +122,13 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + String allFS = new String(); + for(String img : image) + { + allFS += " AND fs_obj_id = '" + img + "'"; + } List<FsContent> FFSqlitedb; - ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Cookies' and parent_path LIKE '%Chrome%' and fs_obj_id = '" + image + "'"); + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and parent_path LIKE '%Chrome%'" + allFS); FFSqlitedb = tempDb.resultSetToFsContents(rs); rs.close(); @@ -143,8 +153,8 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",temprs.getString("access_utc"))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key"))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",temprs.getString("last_access_utc"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); 
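Review bot: The added loop `allFS += " AND fs_obj_id = '" + img + "'"` joins every id with AND, so once `image` holds two or more ids the WHERE clause cannot match any row and the Cookies lookup returns nothing. The same loop is added in the Bookmarks, History, signons and Firefox downloads hunks, and it already exists in the hunks that only change `and` to `AND`. The ids are also pasted straight into the SQL text; if they are numeric object ids (not visible here), validate each with `Long.parseLong(img)` and build a single clause such as `" AND fs_obj_id IN (" + joinedIds + ")"` in one shared helper. Separately, `name LIKE '%Cookies%'` now also matches companion files such as a journal, which will not open as a SQLite database. The body of getchdb continues outside this hunk.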
@@ -171,14 +181,19 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ logger.log(Level.WARNING, "Error while trying to write to the file system.", ioex); } - //COOKIES section - // This gets the cookie info + //BOokmarks section + // This gets the bm info try { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + String allFS = new String(); + for(String img : image) + { + allFS += " AND fs_obj_id = '" + img + "'"; + } List<FsContent> FFSqlitedb; - ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and parent_path LIKE '%Chrome%' and fs_obj_id = '" + image + "'"); + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and parent_path LIKE '%Chrome%'" + allFS); FFSqlitedb = tempDb.resultSetToFsContents(rs); rs.close(); rs.getStatement().close(); @@ -188,7 +203,7 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ while (j < FFSqlitedb.size()) { String temps = currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db"; - String connectionString = "jdbc:sqlite:" + temps; + ContentUtils.writeToFile(FFSqlitedb.get(j), new File(currentCase.getTempDirectory() + "\\" + FFSqlitedb.get(j).getName().toString() + j + ".db")); File dbFile = new File(temps); if (controller.isCancelled() ) { 
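Review bot: The added `ContentUtils.writeToFile(...)` call rebuilds the temp path by hand instead of using `dbFile`, which is created from the same string on the next line, and that path embeds `getName()` taken from the image. Suggest creating the file first and passing it in: `File dbFile = new File(temps);` followed by `ContentUtils.writeToFile(FFSqlitedb.get(j), dbFile);`. The hard-coded `"\\"` separator and the `.db` suffix on what is now a JSON file are worth tidying at the same time, for example with `new File(currentCase.getTempDirectory(), fileName)`. No import for `ContentUtils` appears in the import hunks of this file, so confirm that it resolves.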
@@ -197,26 +212,64 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ } try { - dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); - ResultSet temprs = tempdbconnect.executeQry(chbookmarkquery); - while(temprs.next()) - { - BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); - Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("last_visit_time"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); - bbart.addAttributes(bbattributes); - - } - tempdbconnect.closeConnection(); - temprs.close(); + + final JsonParser parser = new JsonParser(); + JsonElement jsonElement = parser.parse(new FileReader(temps)); + JsonObject jsonBookmarks = jsonElement.getAsJsonObject(); + + for ( Entry<String, JsonElement> entry : jsonBookmarks.entrySet()) { + String key = entry.getKey(); + JsonElement value = entry.getValue(); + if(key.contains("roots")) + { + JsonObject jsonRoots = value.getAsJsonObject(); + for ( Entry<String, JsonElement> roots : jsonRoots.entrySet()) { + if(roots.getKey().contains("bookmark_bar")){ + JsonObject jsonChildren = roots.getValue().getAsJsonObject(); + for ( Entry<String, JsonElement> children : jsonChildren.entrySet()) { + JsonObject bookmarks = children.getValue().getAsJsonObject(); + for (Entry<String, JsonElement> recs : bookmarks.entrySet()) { + JsonObject rec = 
recs.getValue().getAsJsonObject(); + + String url = rec.get("url").getAsString(); + String name = rec.get("name").getAsString(); + String date = rec.get("date_added").getAsString(); + } + } + + } + + } + +// BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); +// Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited","")); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","","")); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","","")); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); +// bbart.addAttributes(bbattributes); + } + } +// dbconnect tempdbconnect = new dbconnect("org.sqlite.JDBC",connectionString); +// ResultSet temprs = tempdbconnect.executeQry(chbookmarkquery); +// while(temprs.next()) +// { +// BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); +// Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("last_visit_time"))); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? 
temprs.getString("title").replaceAll("'", "''") : ""))); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); +// bbart.addAttributes(bbattributes); +// +// } +// tempdbconnect.closeConnection(); +// temprs.close(); } catch (Exception ex) { - logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); + logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome." + ex); } j++; dbFile.delete(); @@ -238,7 +291,12 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); List<FsContent> FFSqlitedb; - ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and parent_path LIKE '%Chrome%' and fs_obj_id = '" + image + "'"); + String allFS = new String(); + for(String img : image) + { + allFS += " AND fs_obj_id = '" + img + "'"; + } + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and parent_path LIKE '%Chrome%'" + allFS); FFSqlitedb = tempDb.resultSetToFsContents(rs); rs.close(); rs.getStatement().close(); 
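Review bot: The new traversal calls `getAsJsonObject()` on every member of `bookmark_bar`, but in the Chrome Bookmarks layout as I know it that node holds a `children` array next to plain string fields, so the first non-object member throws and the catch block logs a warning instead of any bookmark being read. Even where the walk succeeds, `url`, `name` and `date` are assigned and then dropped because the artifact code is commented out, so no TSK_WEB_BOOKMARK artifact is produced for Chrome. The `FileReader` is never closed, which can make the following `dbFile.delete()` fail and leave the extracted copy in the temp directory, and it decodes with the platform charset rather than an explicit one. The log call now concatenates `ex` into the message; keep the earlier form `logger.log(Level.WARNING, "Error while trying to read into the Bookmarks for Chrome.", ex)` so the stack trace is preserved. The fence sketches a walk over all roots with an explicit stack, so deeply nested input is limited by heap rather than call depth; the commented-out blocks can then be deleted.

```java
FileReader bookmarkReader = new FileReader(temps);
try {
    JsonObject jsonBookmarks = new JsonParser().parse(bookmarkReader).getAsJsonObject();
    JsonObject jsonRoots = jsonBookmarks.getAsJsonObject("roots");
    Deque<JsonObject> pending = new ArrayDeque<JsonObject>();
    if (jsonRoots != null) {
        for (Entry<String, JsonElement> root : jsonRoots.entrySet()) {
            // roots may also carry scalar members; only folder objects are walked
            if (root.getValue().isJsonObject()) {
                pending.push(root.getValue().getAsJsonObject());
            }
        }
    }
    while (!pending.isEmpty()) {
        JsonObject node = pending.pop();
        if (node.has("children") && node.get("children").isJsonArray()) {
            for (JsonElement child : node.getAsJsonArray("children")) {
                if (child.isJsonObject()) {
                    pending.push(child.getAsJsonObject());
                }
            }
        }
        if (!node.has("url")) {
            continue; // folder node, nothing to record
        }
        String url = node.get("url").getAsString();
        String name = node.has("name") ? node.get("name").getAsString() : "";
        // date_added is left out here: presumably it needs the same epoch
        // conversion the Chrome queries in this class apply -- confirm first.
        BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
        Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", "", name));
        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", "", "Chrome"));
        bbart.addAttributes(bbattributes);
    }
} finally {
    bookmarkReader.close();
}
// … unchanged: catch block, j++ and dbFile.delete() …
```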
@@ -299,8 +357,13 @@ public void getchdb(List<String> image, IngestImageWorkerController controller){ { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + String allFS = new String(); + for(String img : image) + { + allFS += " AND fs_obj_id = '" + img + "'"; + } List<FsContent> FFSqlitedb; - ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and parent_path LIKE '%Chrome%' and fs_obj_id = '" + image + "'"); + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and parent_path LIKE '%Chrome%'" + allFS); FFSqlitedb = tempDb.resultSetToFsContents(rs); rs.close(); rs.getStatement().close(); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 1e0968b8d679e508245a50e5b796bc71528d8a93..bf6f93ada0cddd7276669b713c41db898930c284 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java @@ -118,7 +118,7 @@ private void init(List<String> image, IngestImageWorkerController controller) { String allFS = new String(); for(String img : image) { - allFS += " and fs_obj_id = '" + img + "'"; + allFS += " AND fs_obj_id = '" + img + "'"; } ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS); FsContentCollection = tempDb.resultSetToFsContents(rs); @@ -161,6 +161,10 @@ private void init(List<String> image, IngestImageWorkerController controller) { } catch (Exception ioex) { logger.log(Level.SEVERE, "Error while trying to write index.dat files.", ioex); } + + //bookmarks + + //cookies } //Simple wrapper to JavaSystemCaller.Exec() to execute pasco2 jar 
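Review bot: The logins lookup still searches for `name LIKE 'signons.sqlite'` under a Chrome path, and as far as I know that file name belongs to Firefox, while Chrome keeps the `logins` table that `chloginquery` reads in a file named `Login Data`. If that holds for the images this module targets, the branch never finds a file and Chrome logins are silently missing from the results. Suggest confirming against a sample profile and, if so, changing the pattern to `name LIKE 'Login Data'`. The body of getchdb continues outside this hunk.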
@@ -273,7 +277,7 @@ public void parsePascoResults() { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", "", actime)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", "None")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), "RecentActivity", "", "")); // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime)); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 366382e6b82e2d42cfd164806a15ffce4de86687..26010cf9c8d6a58a68e5b3156a567d92aa19bfc1 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -81,7 +81,7 @@ public void getregistryfiles(List<String> image, IngestImageWorkerController con String allFS = new String(); for(String img : image) { - allFS += " and fs_obj_id = '" + img + "'"; + allFS += " AND fs_obj_id = '" + img + "'"; } List<FsContent> Regfiles; ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name = 'system' OR name = 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 47c27467ff64e4dedcaec3d5e0bee85d71328e52..f83f18dbc193bb53a18199976189e67033cda70d 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
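Review bot: In the ExtractRegistry hunk the image filter does not apply to the `ntuser.dat` branch of the query, because `allFS` is appended after `... OR lower(parent_path) LIKE '%/system32/config%' and (...)` and AND binds tighter than OR. As written, `ntuser.dat` files from every file system in the case are returned, not only those in `image`. Suggest wrapping the name conditions in one pair of parentheses before appending the filter: `"... where (lower(name) = 'ntuser.dat' OR (lower(parent_path) LIKE '%/system32/config%' and (name = 'system' OR ...)))" + allFS`. The body of getregistryfiles continues outside this hunk.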
@@ -31,7 +31,7 @@ public class Firefox { private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,datetime(moz_historyvisits.visit_date/1000000,'unixepoch','localtime') as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; private static final String ffcookiequery = "SELECT name,value,host,expiry,datetime(moz_cookies.lastAccessed/1000000,'unixepoch','localtime') as lastAccessed,creationTime FROM moz_cookies"; private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; - private static final String ffdownloadquery = "select target, source, startTime, maxBytes from `moz_downloads`"; + private static final String ffdownloadquery = "select target, source, startTime, maxBytes from moz_downloads"; public Logger logger = Logger.getLogger(this.getClass().getName()); @@ -50,7 +50,7 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ String allFS = new String(); for(String img : image) { - allFS += " and fs_obj_id = '" + img + "'"; + allFS += " AND fs_obj_id = '" + img + "'"; } List<FsContent> FFSqlitedb; 
@@ -87,8 +87,8 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",temprs.getString("url"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("visit_date"))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",((temprs.getString("visit_date") != null) ? temprs.getString("visit_date") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",((temprs.getString("ref") != null) ? temprs.getString("ref") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); 
@@ -96,25 +96,38 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ } temprs.close(); - ResultSet tempbm = tempdbconnect.executeQry(ffbookmarkquery); + tempdbconnect.closeConnection(); + + } + catch (Exception ex) + { + logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); + } + + try + { + + + dbconnect tempdbconnect2 = new dbconnect("org.sqlite.JDBC",connectionString); + ResultSet tempbm = tempdbconnect2.executeQry(ffbookmarkquery); while(tempbm.next()) { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>(); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((tempbm.getString("url") != null) ? tempbm.getString("url") : ""))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); bbart.addAttributes(bbattributes); } tempbm.close(); - tempdbconnect.closeConnection(); - - + tempdbconnect2.closeConnection(); } catch (Exception ex) { logger.log(Level.WARNING, "Error while trying to read into a sqlite db." + connectionString, ex); } + + j++; dbFile.delete(); } 
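Review bot: Both try blocks close their connection only on the success path, so an exception inside either `while` loop skips `closeConnection()` and the following `dbFile.delete()` can fail on the still-open file, leaving the extracted copy in the temp directory. Suggest moving `tempbm.close()` and `tempdbconnect2.closeConnection()` (and the history equivalents) into a `finally` block. The two catch blocks log the same text, so a history failure cannot be told from a bookmark failure; make the second one `"Error while trying to read bookmarks from a sqlite db." + connectionString`. The bookmark title is still passed through `replaceAll("'", "''")` although it is stored as an attribute, not placed in SQL, so the stored title differs from the evidence.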
@@ -138,7 +151,7 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ String allFS = new String(); for(String img : image) { - allFS += " and fs_obj_id = '" + img + "'"; + allFS += " AND fs_obj_id = '" + img + "'"; } List<FsContent> FFSqlitedb; @@ -202,8 +215,13 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + String allFS = new String(); + for(String img : image) + { + allFS += " AND fs_obj_id = '" + img + "'"; + } List<FsContent> FFSqlitedb; - ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and parent_path LIKE '%Firefox%' and fs_obj_id = '" + image + "'"); + ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and parent_path LIKE '%Firefox%'" + allFS); FFSqlitedb = tempDb.resultSetToFsContents(rs); rs.close(); rs.getStatement().close(); @@ -233,7 +251,7 @@ public void getffdb(List<String> image, IngestImageWorkerController controller){ //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("target"))); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); bbart.addAttributes(bbattributes); } diff --git a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java index 350ac7300d5d376c4739f0617f20000d1b6d237f..2019ee0da93431ce16bbe3eec7d52527bf6a8449 100644 
--- a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java @@ -31,6 +31,8 @@ public class reportHTML { //Declare our publically accessible formatted report, this will change everytime they run a report public static StringBuilder formatted_Report = new StringBuilder(); + public static StringBuilder unformatted_header = new StringBuilder(); + public static StringBuilder formatted_header = new StringBuilder(); public static String htmlPath = ""; public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> report, reportFilter rr){ @@ -83,7 +85,6 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re } try{ - String ingestwarning = "<h2 style=\"color: red;\">Warning, this report was run before ingest services completed!</h2>"; Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase skCase = currentCase.getSleuthkitCase(); 
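Review bot: `unformatted_header` and `formatted_header` are added as `public static` builders that the constructor only ever appends to, and no reset is visible in these hunks, so a second report in the same session would carry the first report's header and body in front of its own. The later hunks append `header`, the CSS and then the whole of `formatted_Report` to both, and reportPanel and reportPanelAction read them as globals from other threads. Suggest clearing them at the top of the constructor with `formatted_header.setLength(0);` and `unformatted_header.setLength(0);`, or better, making them instance fields exposed through getters. `caseName` is concatenated into `<title>` unescaped; that is low risk for an examiner-chosen name but should follow whatever escaping the report body uses.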
@@ -108,12 +109,28 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re + "table tr th:nth-child(1) {text-align: center; width: 60px;} " + "table td {display: table-cell; padding: 8px 16px; font: 13px/20px Arial, Helvetica, sans-serif;} " + "table tr:nth-child(even) td {background: #f3f3f3;} " - + "table tr td:nth-child(1) {text-align: center; width: 60px; background: #f3f3f3;} " + + "table tr td:nth-child(1) {text-align: left; width: 60px; background: #f3f3f3;} " + "table tr:nth-child(even) td:nth-child(1) {background: #eaeaea;}" + "</style>"; //Add additional header information - formatted_Report.append("<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case:").append(caseName).append("</title>"); - formatted_Report.append(CSS); + String header = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\"><html xmlns=\"http://www.w3.org/1999/xhtml\" lang=\"en\" xml:lang=\"en\"><head><title>Autopsy Report for Case: " + caseName + "</title>"; + formatted_header.append(header); + formatted_header.append(CSS); + + //do for unformatted + String simpleCSS = "<style>" + + "body {padding: 30px; margin: 0; background: #FFFFFF; color: #535353;} " + + "h1 {font-size: 26px; color: #005577; margin: 0 0 20px 0;} " + + "h2 {font-size: 20px; font-weight: normal; color: #0077aa; margin: 40px 0 10px 0; padding: 0 0 10px 0; border-bottom: 1px solid #dddddd;} " + + "h3 {font-size: 16px;color: #0077aa; margin: 40px 0 10px 0;} " + + "p {margin: 0 0 20px 0;} table {width: 100%; padding: 0; margin: 0; border-collapse: collapse; border-bottom: 1px solid #e5e5e5;} " + + "table thead th {display: table-cell; text-align: left; padding: 4px 8px; background: #e5e5e5; color: #777;font-size: 11px; width: 80px; border-top: 1px solid #dedede; 
border-bottom: 2px solid #dedede;} " + + "table tr th {text-align: left; width: 80px;} " + + "table td {width: 100px; font-size: 8px; display: table-cell; padding: 4px 8px;} " + + "table tr {text-align: left; width: 60px; background: #f3f3f3;} " + + "</style>"; + unformatted_header.append(header); + unformatted_header.append(simpleCSS); //formatted_Report.append("<link rel=\"stylesheet\" href=\"" + rrpath + "report.css\" type=\"text/css\" />"); formatted_Report.append("</head><body><div id=\"main\"><div id=\"content\">"); // Add summary information now 
@@ -135,7 +152,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re StringBuilder nodeWebCookie = new StringBuilder("<h3>Web Cookies (").append(countWebCookie).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Name</th><th>Value</th><th>Program</th></tr></thead><tbody>"); StringBuilder nodeWebHistory = new StringBuilder("<h3>Web History (").append(countWebHistory).append(")</h3>").append(tableHeader).append("<th>URL</th><th>Date</th><th>Referrer</th><th>Title</th><th>Program</th></tr></thead><tbody>"); StringBuilder nodeWebDownload = new StringBuilder("<h3>Web Downloads (").append(countWebDownload).append(")</h3>").append(tableHeader).append("<th>File</th><th>Source</th><th>Time</th><th>Program</th></tr></thead><tbody>"); - StringBuilder nodeRecentObjects = new StringBuilder("<h3>Recent Documents (").append(countRecentObjects).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Name</th><th>Path</th></tr></thead><tbody>"); + StringBuilder nodeRecentObjects = new StringBuilder("<h3>Recent Documents (").append(countRecentObjects).append(")</h3>").append(tableHeader).append("<th>Name</th><th>Path</th><th>Size</th></tr></thead><tbody>"); StringBuilder nodeTrackPoint = new StringBuilder("<h3>Track Points (").append(countTrackPoint).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>"); StringBuilder nodeInstalled = new StringBuilder("<h3>Installed Programs (").append(countInstalled).append(")</h3>").append(tableHeader).append("<th>Artifact ID</th><th>Name</th><th>Size</th><th>Attribute</th><th>Value</th></tr></thead><tbody>"); StringBuilder nodeKeyword = new StringBuilder("<h3>Keyword Search Hits (").append(countKeyword).append(")</h3>"); 
@@ -164,6 +181,7 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re int type = tempatt.getAttributeTypeID(); String value = tempatt.getValueString(); + value = reportUtils.insertPeriodically(value, "<br>", 30); attributes.put(type, value); cc++; } @@ -277,10 +295,11 @@ public reportHTML (HashMap<BlackboardArtifact,ArrayList<BlackboardAttribute>> re //end of master loop formatted_Report.append("</div></div></body></html>"); - + formatted_header.append(formatted_Report); + unformatted_header.append(formatted_Report); htmlPath = currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".html"; BufferedWriter out = new BufferedWriter(new FileWriter(htmlPath)); - out.write(formatted_Report.toString()); + out.write(formatted_header.toString()); out.flush(); out.close(); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportPanel.java b/Report/src/org/sleuthkit/autopsy/report/reportPanel.java index c03e38ccfe4fc2d5f67d9bfa6b911d1818381764..5e3dc31c718b26b40c7d2a458ccd8fa80b0937f2 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportPanel.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportPanel.java @@ -129,7 +129,7 @@ private void exportReport(String path){ String xmlpath = reportUtils.changeExtension(path, ".xml"); try { FileOutputStream out = new FileOutputStream(htmlpath); - out.write(reportHTML.formatted_Report.toString().getBytes()); + out.write(reportHTML.formatted_header.toString().getBytes()); out.flush(); out.close(); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java b/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java index 44bfac8e3a87c3c778d4e845e2a2b32a6155e63a..4528aff2061293583a45793e26c4a0fc30058d0f 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java 
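Review bot: The added `value = reportUtils.insertPeriodically(value, "<br>", 30);` mixes markup into attribute values that come from the image (URLs, titles, cookie values), and no HTML escaping of `value` is visible in this hunk, so markup stored in the evidence would be rendered as markup when the report is opened. Escape `&`, `<`, `>`, `"` and `'` before the value reaches the table, and note that chunking an escaped string every 30 characters can cut an entity in half. A simpler route is to drop the `<br>` insertion and let the browser wrap, for example `table td {word-wrap: break-word;}` in both style blocks. If `getValueString()` can return null (not visible here), the new call also throws where the old code did not.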
@@ -24,7 +24,7 @@ */ public class reportPanelAction { private static final String ACTION_NAME = "Report Preview"; - private String viewReport = ""; + private StringBuilder viewReport = new StringBuilder(); public reportPanelAction(){ } @@ -64,7 +64,7 @@ public void run() public void run() { reportHTML htmlReport = new reportHTML(Results,rr); - viewReport = htmlReport.formatted_Report.toString(); + viewReport.append(reportHTML.unformatted_header.toString()); } }); @@ -83,7 +83,7 @@ public void run() xmlthread.join(); // initialize panel with loaded settings htmlthread.join(); - reportPanel panel = new reportPanel(viewReport); + reportPanel panel = new reportPanel(viewReport.toString()); @@ -97,7 +97,7 @@ public void actionPerformed(ActionEvent e) { // add the panel to the popup window popUpWindow.add(panel); - popUpWindow.setResizable(true); + popUpWindow.setResizable(false); popUpWindow.pack(); // set the location of the popUp Window on the center of the screen Dimension screenDimension = Toolkit.getDefaultToolkit().getScreenSize(); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportUtils.java b/Report/src/org/sleuthkit/autopsy/report/reportUtils.java index 2e6b190d8d82ecd8d6e15f722b9852008025f93f..eb2ce020a14bd01e2d15f2f0acad674783101000 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportUtils.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportUtils.java 
@@ -18,4 +18,25 @@ static String changeExtension(String originalName, String newExtension) { return originalName + newExtension; } } + +public static String insertPeriodically( + String text, String insert, int period) +{ + StringBuilder builder = new StringBuilder( + text.length() + insert.length() * (text.length()/period)+1); + + int index = 0; + String prefix = ""; + while (index < text.length()) + { + // Don't put the insert in the very first iteration. + // This is easier than appending it *after* each substring + builder.append(prefix); + prefix = insert; + builder.append(text.substring(index, + Math.min(index + period, text.length()))); + index += period; + } + return builder.toString(); +} } \ No newline at end of file
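Review bot: `insertPeriodically` has no guard on its arguments: `period == 0` divides by zero in the capacity expression, a negative `period` makes `substring` throw on the second pass, and a null `text` fails on `text.length()`. Suggest opening the method with `if (period <= 0) throw new IllegalArgumentException("period must be positive: " + period);` and deciding explicitly what a null `text` returns. The method is public and has no Javadoc; a short one should say that `insert` is placed between chunks of `period` chars, never before the first or after the last, and that the split counts UTF-16 chars, so it can fall inside a surrogate pair. The method is also declared at column 0 inside the class, and the file still ends without a newline.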