From 69b3a4036aa688e8d3f2c531814f77b5393294ee Mon Sep 17 00:00:00 2001 From: Mark McKinnon <mark.mckinnon@davenport.edu> Date: Tue, 30 Mar 2021 10:48:19 -0400 Subject: [PATCH] Get Domain and Host before username parsing Get Domain and Host information from the registry before username parsing. --- .../osaccount/OsAccountDataPanel.java | 9 +- .../autopsy/datamodel/OsAccounts.java | 4 +- RecentActivity/nbproject/project.properties | 1 + RecentActivity/nbproject/project.xml | 4 + .../recentactivity/ExtractRegistry.java | 101 +++++++++++++++++- 5 files changed, 109 insertions(+), 10 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/contentviewers/osaccount/OsAccountDataPanel.java b/Core/src/org/sleuthkit/autopsy/contentviewers/osaccount/OsAccountDataPanel.java index a1077e3e82..82c267abff 100755 --- a/Core/src/org/sleuthkit/autopsy/contentviewers/osaccount/OsAccountDataPanel.java +++ b/Core/src/org/sleuthkit/autopsy/contentviewers/osaccount/OsAccountDataPanel.java @@ -412,11 +412,10 @@ protected void done() { hostDataMap.forEach((K, V) -> data.add(buildHostData(K, V))); } - // TODO - load realm on background thread - //OsAccountRealm realm = account.getRealm(); - //if (realm != null) { - // data.add(buildRealmProperties(realm)); - //} + OsAccountRealm realm = account.getRealm(); + if (realm != null) { + data.add(buildRealmProperties(realm)); + } Map<Host, DataSource> instanceMap = results.getDataSourceMap(); if (!instanceMap.isEmpty()) { diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java b/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java index 8465b76947..29e36b182a 100755 --- a/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/OsAccounts.java 
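Review bot: The realm lookup is now made from `done()`, which the hunk header shows, so `account.getRealm()` runs on the Swing event thread — exactly what the removed TODO ("load realm on background thread") was deferring. If `getRealm()` reads the case database, that blocks the UI for the duration of the query; move the call into `doInBackground()` next to the host and data-source lookups and hand the realm over through the results object. Also worth confirming whether `getRealm()` declares `TskCoreException`, since the visible lines of `done()` have no handler for it. The enclosing `done()` starts and ends outside the hunk.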
@@ -256,9 +256,7 @@ protected Sheet createSheet() { Bundle.OsAccounts_loginNameProperty_desc(), optional.isPresent() ? optional.get() : "")); - // TODO - load realm on background thread - String realmName = ""; - //String realmName = account.getRealm().getRealmNames().isEmpty() ? "" : account.getRealm().getRealmNames().get(0); + String realmName = account.getRealm().getRealmNames().isEmpty() ? "" : account.getRealm().getRealmNames().get(0); propertiesSet.put(new NodeProperty<>( Bundle.OsAccounts_accountRealmNameProperty_name(), Bundle.OsAccounts_accountRealmNameProperty_displayName(), diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties index 9736070e53..aab9fa2a60 100644 --- a/RecentActivity/nbproject/project.properties +++ b/RecentActivity/nbproject/project.properties @@ -1,3 +1,4 @@ +file.reference.Rejistry-1.1-SNAPSHOT.jar=release/modules/ext/Rejistry-1.1-SNAPSHOT.jar javac.source=1.8 javac.compilerargs=-Xlint -Xlint:-serial license.file=../LICENSE-2.0.txt diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml index af8c2edace..8fc5e13b53 100644 --- a/RecentActivity/nbproject/project.xml +++ b/RecentActivity/nbproject/project.xml @@ -74,6 +74,10 @@ </dependency> </module-dependencies> <public-packages/> + <class-path-extension> + <runtime-relative-path>ext/Rejistry-1.1-SNAPSHOT.jar</runtime-relative-path> + <binary-origin>release/modules/ext/Rejistry-1.1-SNAPSHOT.jar</binary-origin> + </class-path-extension> </data> </configuration> </project> diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 1c0db38074..e503ba8a95 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java 
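Review bot: The new `realmName` line chains `account.getRealm().getRealmNames()` with no null check, while the matching change in OsAccountDataPanel guards `realm != null` before using the realm; if `getRealm()` can return null, `createSheet()` will throw here. Suggest `OsAccountRealm realm = account.getRealm();` followed by `String realmName = (realm == null || realm.getRealmNames().isEmpty()) ? "" : realm.getRealmNames().get(0);`, which also stops calling `getRealm()` twice for one value. Whether `getRealm()` is nullable I cannot tell from the hunk; `createSheet()` continues outside it.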
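Review bot: The new `file.reference.Rejistry-1.1-SNAPSHOT.jar` entry, together with the `<class-path-extension>` added in project.xml, puts a SNAPSHOT build on the module's runtime class path; a SNAPSHOT is a mutable, unversioned artifact, so the bytes under `release/modules/ext/` cannot be tied back to a reviewed source revision of the library. Prefer a released Rejistry version, or record the exact upstream commit and a checksum of the jar next to the reference so the dependency is reproducible and auditable. The jar itself is not part of this patch, so I cannot see where it was obtained.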
@@ -106,6 +106,10 @@ import org.sleuthkit.datamodel.Report; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskDataException; +import com.williballenthin.rejistry.RegistryHiveFile; +import com.williballenthin.rejistry.RegistryKey; +import com.williballenthin.rejistry.RegistryParseException; +import com.williballenthin.rejistry.RegistryValue; /** * Extract windows registry data using regripper. Runs two versions of @@ -178,6 +182,9 @@ class ExtractRegistry extends Extract { private IngestJobContext context; private Map<String, String> userNameMap; + private String hostName = null; + private String domainName = null; + private static final String SHELLBAG_ARTIFACT_NAME = "RA_SHELL_BAG"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_LAST_WRITE = "RA_SHELL_BAG_LAST_WRITE"; //NON-NLS private static final String SHELLBAG_ATTRIBUTE_KEY = "RA_SHELL_BAG_KEY"; //NON-NLS @@ -1107,6 +1114,8 @@ private void addBlueToothAttribute(String line, Collection<BlackboardAttribute> * @return true if successful, false if parsing failed at some point */ private boolean parseSamPluginOutput(String regFilePath, AbstractFile regAbstractFile) { + parseSystemHostDomain(); + File regfile = new File(regFilePath); List<BlackboardArtifact> newArtifacts = new ArrayList<>(); try (BufferedReader bufferedReader = new BufferedReader(new FileReader(regfile))) { 
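Review bot: `hostName` is assigned in `parseSystemHostDomain()` but, in the lines this patch shows, never read, so it is either dead state or the value that should be feeding a host-local realm for the SAM accounts — worth confirming against the rest of the file before this lands. The explicit `= null` initialisers are redundant for fields; `private String hostName;` and `private String domainName;` mean the same thing. Both are mutable per-instance state written mid-parse, which is fine only as long as one `ExtractRegistry` instance serves one data source; the class body continues outside the hunk.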
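Review bot: `parseSystemHostDomain()` is invoked unconditionally at the top of `parseSamPluginOutput`, so every call re-extracts and re-parses the SYSTEM hive and rewrites `hostName`/`domainName`; if `parseSamPluginOutput` runs once per SAM hive found, that is repeated work, and a later run that fails would leave the values from an earlier one in place. Consider resolving host and domain once per ingest (before the SAM pass, as the commit message describes) or guarding the call with a `systemHiveParsed` flag. The method body continues outside the hunk.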
@@ -1155,7 +1164,8 @@ private boolean parseSamPluginOutput(String regFilePath, AbstractFile regAbstrac //add remaining userinfos as accounts; for (Map<String, String> userInfo : userInfoMap.values()) { - OsAccount osAccount = accountMgr.createWindowsAccount(userInfo.get(SID_KEY), null, null, host, OsAccountRealm.RealmScope.UNKNOWN); + OsAccount osAccount; + osAccount = accountMgr.createWindowsAccount(userInfo.get(SID_KEY), null, domainName, host, domainName != null ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); accountMgr.createOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); updateOsAccount(osAccount, userInfo, groupMap.get(userInfo.get(SID_KEY)), regAbstractFile); } 
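Review bot: Accounts parsed from the SAM hive are the machine's local account database, yet the new `createWindowsAccount` call assigns them `domainName` and `RealmScope.DOMAIN` whenever the Tcpip `Domain` parameter was present in the SYSTEM hive, so on any domain-joined machine every local SAM account is attributed to the domain realm; the same pattern appears in the `createOrUpdateOsAccount` hunk (`@@ -2224`). A host's domain membership says nothing about which realm an individual SID belongs to, so for SAM-derived accounts the realm should be the host's local realm (the computer name this patch already reads into `hostName`) with a local scope, with the DOMAIN scope reserved for SIDs that are known to come from the domain. Minor style point: `OsAccount osAccount;` followed by a separate assignment can stay one declaration with initialiser as before. The enclosing loop and method continue outside the hunk.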
@@ -1216,6 +1226,93 @@ private boolean parseSamPluginOutput(String regFilePath, AbstractFile regAbstrac return false; } + /** + * Finds the Host and Domain information from the registry. + */ + private void parseSystemHostDomain() { + List<AbstractFile> systemFiles = new ArrayList<>(); + org.sleuthkit.autopsy.casemodule.services.FileManager fileManager = currentCase.getServices().getFileManager(); + + // find the system hives', process this first so we can map the user id's and sids for later use + try { + systemFiles = fileManager.findFiles(dataSource, "system", "/system32/config"); //NON-NLS + } catch (TskCoreException ex) { + // Fix this message + String msg = NbBundle.getMessage(this.getClass(), + "ExtractRegistry.findRegFiles.errMsg.errReadingFile", "sam"); + logger.log(Level.WARNING, msg, ex); + this.addErrorMessage(this.getName() + ": " + msg); + } + + for (AbstractFile systemHive: systemFiles) { + if (systemHive.getParentPath().toLowerCase().endsWith("/system32/config/")) { + + String systemFileNameLocal = RAImageIngestModule.getRATempPath(currentCase, "reg") + File.separator + systemHive.getName(); + File systemFileNameLocalFile = new File(systemFileNameLocal); + + try { + ContentUtils.writeToFile(systemHive, systemFileNameLocalFile, context::dataSourceIngestIsCancelled); + RegistryHiveFile systemRegFile = new RegistryHiveFile(systemFileNameLocalFile); + RegistryKey currentKey = findRegistryKey(systemRegFile, "ControlSet001/Services/Tcpip/Parameters"); + if (currentKey == null) { + return; + } + List<RegistryValue> parameterList = currentKey.getValueList(); + for (RegistryValue parameter : parameterList) { + if (parameter.getName().toLowerCase().equals("hostname")) { + hostName = parameter.getValue().getAsString(); + continue; + } + if (parameter.getName().toLowerCase().equals("domain")) { + domainName = parameter.getValue().getAsString(); + continue; + } + } + } catch (ReadContentInputStreamException ex) { + logger.log(Level.WARNING, String.format("Error 
reading registry file '%s' (id=%d).", + systemHive.getName(), systemHive.getId()), ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp", + this.getName(), systemHive.getName())); + continue; + } catch (RegistryParseException ex) { + continue; + } catch (IOException ex) { + logger.log(Level.SEVERE, String.format("Error writing temp registry file '%s' for registry file '%s' (id=%d).", + systemFileNameLocal, systemHive.getName(), systemHive.getId()), ex); //NON-NLS + this.addErrorMessage( + NbBundle.getMessage(this.getClass(), "ExtractRegistry.analyzeRegFiles.errMsg.errWritingTemp", + this.getName(), systemHive.getName())); + continue; + } + } + } + } + + /** + * Search's a registry hive for the specified key + * + * @param registryHiveFile Hive to parse + * @param registryKey registry key to find in hive + * @return registry key or null if it cannot be found + */ + private RegistryKey findRegistryKey(RegistryHiveFile registryHiveFile, String registryKey) { + + RegistryKey currentKey; + try { + RegistryKey rootKey = registryHiveFile.getRoot(); + String regKeyList[] = registryKey.split("/"); + currentKey = rootKey; + for (String key : regKeyList) { + currentKey = currentKey.getSubkey(key); + } + } catch (RegistryParseException ex) { + return null; + } + return currentKey; + + } + /** * Creates the attribute list for the given user information and group list. * 
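Review bot: `catch (RegistryParseException ex) { continue; }` in `parseSystemHostDomain()` drops the exception, and the `return` when `ControlSet001/Services/Tcpip/Parameters` is absent is equally silent, so a SYSTEM hive that cannot be read leaves `domainName` null with nothing in the log to explain why accounts later land in the UNKNOWN realm; log it like the neighbouring catches, e.g. `logger.log(Level.WARNING, String.format("Error parsing registry file '%s' (id=%d).", systemHive.getName(), systemHive.getId()), ex); //NON-NLS`. `ControlSet001` is also hard-coded; the active control set is recorded in the hive's `Select` key (`Current` value), and on an image whose current set is `ControlSet002` the host and domain will be read from a stale configuration. Smaller points: the comment "process this first so we can map the user id's and sids" and the `"sam"` message argument under `// Fix this message` were carried over from the SAM lookup and no longer describe this code; `parameter.getName().toLowerCase().equals("hostname")` is `parameter.getName().equalsIgnoreCase("hostname")`; and in `findRegistryKey` the Javadoc should read "Searches a registry hive for the specified key" while `String regKeyList[]` is conventionally `String[] regKeyList`. The temp copy written under the RA temp directory is never deleted in this method; confirm that the caller cleans that directory up.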
@@ -2224,7 +2321,7 @@ private void createOrUpdateOsAccount(AbstractFile file, String sid, String userN Optional<OsAccount> optional = accountMgr.getWindowsAccount(sid, null, null, host); OsAccount osAccount; if (!optional.isPresent()) { - osAccount = accountMgr.createWindowsAccount(sid, userName != null && userName.isEmpty() ? null : userName, null, host, OsAccountRealm.RealmScope.UNKNOWN); + osAccount = accountMgr.createWindowsAccount(sid, userName != null && userName.isEmpty() ? null : userName, domainName, host, domainName != null ? OsAccountRealm.RealmScope.DOMAIN : OsAccountRealm.RealmScope.UNKNOWN); accountMgr.createOsAccountInstance(osAccount, (DataSource)dataSource, OsAccountInstance.OsAccountInstanceType.LAUNCHED); } else { osAccount = optional.get(); -- GitLab
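Review bot: The lookup on the context line above still calls `accountMgr.getWindowsAccount(sid, null, null, host)` with a null realm, while the new line creates the account under `domainName`; if the lookup matches on realm, an account created here would not be found on the next call for the same SID and a duplicate could follow. Pass the same realm to both, `Optional<OsAccount> optional = accountMgr.getWindowsAccount(sid, null, domainName, host);`, or confirm that the manager ignores the realm when a SID is supplied. The realm-scope concern for this call is raised at the `parseSamPluginOutput` hunk. `createOrUpdateOsAccount` starts and ends outside the hunk.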