diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties
index f63c9a79f7d3642fa97b77827bf0b73fc1d7397d..85d4c74b926311e0435615107bb2d22f9ccacebf 100644
--- a/RecentActivity/nbproject/project.properties
+++ b/RecentActivity/nbproject/project.properties
@@ -1,5 +1,4 @@
 file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar
-file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar
 file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
 javac.source=1.6
 javac.compilerargs=-Xlint -Xlint:-serial
diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml
index 834ee65cf1db1ca4509a153fd1d89ba9aebad6f1..924a7a2a03e7fb91efe266d756d9de42e63a1755 100644
--- a/RecentActivity/nbproject/project.xml
+++ b/RecentActivity/nbproject/project.xml
@@ -51,10 +51,6 @@
 <runtime-relative-path>ext/gson-2.1.jar</runtime-relative-path>
 <binary-origin>release/modules/ext/gson-2.1.jar</binary-origin>
 </class-path-extension>
-<class-path-extension>
-<runtime-relative-path>ext/jdom-1.1.2.jar</runtime-relative-path>
-<binary-origin>release/modules/ext/jdom-1.1.2.jar</binary-origin>
-</class-path-extension>
 </data>
 </configuration>
 </project>
diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 30f757381cd29859dabf666131f73b3a5ad84f33..152eee5e1ea65fbebf440cc8c5d19ff3f34a50f7 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -20,27 +20,32 @@
  */
 package org.sleuthkit.autopsy.recentactivity;
-import java.io.File;
 import java.io.*;
+import java.io.File;
 import java.sql.ResultSet;
 import java.text.ParseException;
 import java.text.SimpleDateFormat;
 import java.util.*;
 import java.util.logging.Level;
-import org.sleuthkit.autopsy.coreutils.Logger;
-import org.jdom.Document;
-import org.jdom.Element;
-import org.jdom.input.SAXBuilder;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
 import org.openide.modules.InstalledFileLocator;
 import org.sleuthkit.autopsy.casemodule.Case;
+import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.datamodel.ContentUtils;
 import org.sleuthkit.autopsy.ingest.IngestImageWorkerController;
-import org.sleuthkit.autopsy.ingest.IngestServices;
 import org.sleuthkit.autopsy.ingest.IngestModuleImage;
 import org.sleuthkit.autopsy.ingest.IngestModuleInit;
+import org.sleuthkit.autopsy.ingest.IngestServices;
+import org.sleuthkit.datamodel.*;
 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
-import org.sleuthkit.datamodel.*;
+import org.sleuthkit.datamodel.FileSystem;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
 /**
  * Extracting windows registry data using regripper
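Review bot: Style: the hunk keeps both `import java.io.*;` and the re-added `import java.io.File;`, and likewise both `import org.sleuthkit.datamodel.*;` and the new `import org.sleuthkit.datamodel.FileSystem;`, so each explicit import is redundant under its wildcard unless it resolves an ambiguity, and nothing in the hunk shows one. Replacing the wildcards (`java.io.*`, `java.util.*`, `org.sleuthkit.datamodel.*`) with the explicit classes the file uses would also make it visible that `InputStreamReader` and `BufferedReader` are no longer needed once the commented-out reader lines in the parseReg hunk are deleted.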
@@ -207,10 +212,10 @@ private boolean parseReg(String regRecord, long orgId) {
 try {
 File regfile = new File(regRecord);
 FileInputStream fstream = new FileInputStream(regfile);
-InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8");
-BufferedReader input = new BufferedReader(fstreamReader);
+//InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8");
+//BufferedReader input = new BufferedReader(fstreamReader);
 //logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding());
-String regString = new Scanner(input).useDelimiter("\\Z").next();
+String regString = new Scanner(fstream, "UTF-8").useDelimiter("\\Z").next();
 regfile.delete();
 String startdoc = "<?xml version=\"1.0\"?><document>";
 String result = regString.replaceAll("----------------------------------------", "");
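Review bot: `fstream` is opened on `regfile` and never closed, and the `Scanner` built on it on the changed line is never closed either, so a file descriptor is leaked per call and `regfile.delete()` on the next line runs while the stream is still open and discards its boolean result, so a failed delete (which the open handle makes likely on Windows) leaves the RegRipper output on disk unnoticed. This file is compiled as Java 6 (`javac.source=1.6` in project.properties in this commit), so a `finally` block rather than try-with-resources is needed; the two commented-out reader lines should be deleted rather than kept as comments. `useDelimiter("\\Z").next()` also throws `NoSuchElementException` on an empty output file, which the enclosing `catch (Exception ex)` turns into a silent abort of the whole parse, but that is pre-existing. parseReg starts and ends outside the hunk.
```java
FileInputStream fstream = new FileInputStream(regfile);
String regString;
Scanner scan = new Scanner(fstream, "UTF-8");
try {
    // \Z delimiter reads the whole file as a single token
    regString = scan.useDelimiter("\\Z").next();
} finally {
    scan.close(); // Scanner.close() also closes the underlying stream
}
if (!regfile.delete()) {
    logger.log(Level.WARNING, "Could not delete RegRipper output file: " + regRecord);
}
// … unchanged: wrapping regString into an XML document …
```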
@@ -220,19 +225,18 @@ private boolean parseReg(String regRecord, long orgId) {
 result = result.replaceAll("&", "&");
 String enddoc = "</document>";
 String stringdoc = startdoc + result + enddoc;
-SAXBuilder sb = new SAXBuilder();
-Document document = sb.build(new StringReader(stringdoc));
-Element root = document.getRootElement();
-List<Element> types = root.getChildren();
-Iterator<Element> iterator = types.iterator();
-while (iterator.hasNext()) {
-String etime = "";
-String context = "";
-Element tempnode = iterator.next();
-// Element tempnode = types.get(i);
-context = tempnode.getName();
-Element timenode = tempnode.getChild("time");
-etime = timenode.getTextTrim();
+
+DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+Document doc = builder.parse(new InputSource(new StringReader(stringdoc)));
+Element oroot = doc.getDocumentElement();
+NodeList children = oroot.getChildNodes();
+int len = children.getLength();
+for(int i=0; i<len; i++) {
+Element tempnode = (Element) children.item(i);
+String context = tempnode.getNodeName();
+
+Element timenode = (Element) tempnode.getElementsByTagName("time").item(0);
+String etime = timenode.getTextContent();
 Long time = null;
 try {
 Long epochtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(etime).getTime();
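Review bot: The cast `(Element) children.item(i)` in the new loop assumes every child of `<document>` is an element, but `getChildNodes()` also returns Text nodes for any whitespace or stray text between the RegRipper sections, and a Text node fails the cast with `ClassCastException`, which the enclosing `catch (Exception ex)` (visible in the last hunk) turns into abandoning the whole registry parse; the artifacts loop in the next hunk guards its children, this loop does not. Guard on `getNodeType()`, and trim `etime` as the replaced `getTextTrim()` did and as `value` is trimmed in the next hunk, so the date string reaching `SimpleDateFormat` is unchanged from before. `DocumentBuilderFactory.newInstance()` is also used with default features on text the module assembles from RegRipper output; a DOCTYPE injected into that output would have to follow the `<document>` root and should be rejected by the parser anyway, but `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` makes that explicit at the cost of one line. `getElementsByTagName("time").item(0)` returns null when a section has no `<time>` child, as the old `getChild("time")` did, so that part is pre-existing. parseReg starts and ends outside the hunk.
```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// Input is RegRipper text wrapped by this module; no DTD is ever expected.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(stringdoc)));
Element oroot = doc.getDocumentElement();
NodeList children = oroot.getChildNodes();
int len = children.getLength();
for (int i = 0; i < len; i++) {
    Node child = children.item(i);
    // Whitespace between sections arrives as Text nodes; only elements are sections.
    if (child.getNodeType() != Node.ELEMENT_NODE) {
        continue;
    }
    Element tempnode = (Element) child;
    String context = tempnode.getNodeName();
    Element timenode = (Element) tempnode.getElementsByTagName("time").item(0);
    String etime = timenode.getTextContent().trim();
    // … unchanged: date parsing and artifact handling …
```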
@@ -242,19 +246,20 @@ private boolean parseReg(String regRecord, long orgId) {
 } catch (ParseException e) {
 logger.log(Level.WARNING, "RegRipper::Conversion on DateTime -> failed for: " + etime);
 }
-Element artroot = tempnode.getChild("artifacts");
-List<Element> artlist = artroot.getChildren();
+
+Element artroot = (Element) tempnode.getElementsByTagName("artifacts").item(0);
+NodeList myartlist = artroot.getChildNodes();
 String winver = "";
 String installdate = "";
-if (artlist.isEmpty()) {
-} else {
-Iterator<Element> aiterator = artlist.iterator();
-while (aiterator.hasNext()) {
-Element artnode = aiterator.next();
-String name = artnode.getAttributeValue("name");
-String value = artnode.getTextTrim();
+for(int j=0; j<myartlist.getLength(); j++) {
+Node artchild = myartlist.item(j);
+// If it has attributes, then it is an Element (based off API)
+if(artchild.hasAttributes()) {
+Element artnode = (Element) artchild;
+String name = artnode.getAttribute("name");
+String value = artnode.getTextContent().trim();
 Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
-
+
 if ("recentdocs".equals(context)) {
 // BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
 // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time));
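Review bot: `if(artchild.hasAttributes())` on the new side is used as the element test, so an artifact element that carries no attributes is silently skipped, where the JDOM `getChildren()` loop it replaces processed every child element; the comment above it misstates the DOM API, since an element may have zero attributes. The intended check is `if (artchild.getNodeType() == Node.ELEMENT_NODE) {`, with the comment dropped. Separately, `getAttribute("name")` here and `getAttribute("dev")` in the -278 hunk return an empty string for a missing attribute where JDOM's `getAttributeValue` returned null, so any `== null` test on `name` or `dev` further down in parseReg (outside these hunks) would no longer fire; I cannot confirm from the hunk whether such a test exists. parseReg starts and ends outside the hunk.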
@@ -278,7 +283,7 @@ private boolean parseReg(String regRecord, long orgId) {
 //TODO Revisit usage of deprecated constructor as per TSK-583
 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, utime));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", utime));
-String dev = artnode.getAttributeValue("dev");
+String dev = artnode.getAttribute("dev");
 //TODO Revisit usage of deprecated constructor as per TSK-583
 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev));
 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value));
@@ -341,7 +346,7 @@ private boolean parseReg(String regRecord, long orgId) {
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "RecentActivity", time));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", name));
 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", value));
-bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", artnode.getName()));
+bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(), "RecentActivity", artnode.getNodeName()));
 bbart.addAttributes(bbattributes);
 } else {
@@ -349,6 +354,7 @@ private boolean parseReg(String regRecord, long orgId) {
 // bbart.addAttributes(bbattributes);
 }
 }
+}
 }
 }
 } catch (Exception ex) {