def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# For our example, we will use FileManager to get all
# files with the word "test"
# in the name and then count and read them
# FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.4/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%test%")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artfiact. Refer to the developer docs for other examples.
art = file.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
SampleJythonDataSourceIngestModuleFactory.moduleName,
"Test file")
art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE,
"Error indexing artifact " + art.getDisplayName())
# To further the example, this code will read the contents of the file and count the number of bytes
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(1024, "b")
totLen = 0
readLen = inputStream.read(buffer)
while (readLen != -1):
totLen = totLen + readLen
readLen = inputStream.read(buffer)
# Update the progress bar
progressBar.progress(fileCount)
#Post a message to the ingest messages in box.
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA,
"Sample Jython Data Source Ingest Module",
"Found %d files" % fileCount)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, datasource, progressbar):
PostBoard=IngestServices.getInstance()
progressbar.switchToIndeterminate()
ccase = Case.getCurrentCase().getSleuthkitCase()
blackboard = Case.getCurrentCase().getServices().getBlackboard()
msgcounter = 0
# if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
# (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
# (file.isFile() == true)):
# return IngestModule.ProcessResult.OK
#
#prepare artifacts
artifact_name = "TSK_WINCOM_CONTACT"
artifact_desc = "Windows Communication Contacts"
try:
artID_wincom_contact = ccase.addArtifactType(artifact_name, artifact_desc)
attribute_name = "TSK_WINCOM_CONTACT_SERVICE"
attribute_name1 = "TSK_WINCOM_CONTACT_APPID"
attribute_name2 = "TSK_WINCOM_CONTACT_FIRSTNAME"
attribute_name3 = "TSK_WINCOM_CONTACT_LASTNAME"
attribute_name4 = "TSK_WINCOM_CONTACT_COUNTRY"
attribute_name5 = "TSK_WINCOM_CONTACT_LOCALITY"
attribute_name6 = "TSK_WINCOM_CONTACT_REGION"
attribute_name7 = "TSK_WINCOM_CONTACT_BIRTHDAY"
attID_ex= ccase.addArtifactAttributeType(attribute_name, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Service vs Person")
attID_ex1 = ccase.addArtifactAttributeType(attribute_name1, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Application")
attID_ex2 = ccase.addArtifactAttributeType(attribute_name2, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "First Name")
attID_ex3 = ccase.addArtifactAttributeType(attribute_name3, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Last Name")
attID_ex4 = ccase.addArtifactAttributeType(attribute_name4, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Country")
attID_ex5 = ccase.addArtifactAttributeType(attribute_name5, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "City")
attID_ex6 = ccase.addArtifactAttributeType(attribute_name6, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Region")
attID_ex7 = ccase.addArtifactAttributeType(attribute_name7, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Birthday")
except:
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), "Error creating artifacts"+ str(msgcounter))
#IngestServices.getInstance().postMessage(message)
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
artID_wincom_contact = ccase.getArtifactTypeID(artifact_name)
artID_wincom_contact_evt = ccase.getArtifactType(artifact_name)
#get files
##IngestServices.getInstance().postMessage(message)
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(datasource, "%appcontent-ms")
numFiles = len(files)
progressbar.switchToDeterminate(numFiles)
fileCount = 0
for file in files:
fileCount = fileCount + 1
progressbar.progress(fileCount)
progressbar.progress("Windows Communication Analyzer")
msgcounter+=1
# message = IngestMessage.createMessage(
# IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), str(msgcounter) + " - in file loop and found file:" + str(file.getParentPath()))
# #IngestServices.getInstance().postMessage(message)
ParentPath = file.getParentPath()
#if "microsoft.windowscommunicationsapps" in ParentPath and "_8wekyb3d8bbwe" in ParentPath and file.getName().lower().endswith("appcontent-ms") and "Address" in ParentPath :
if file.getSize() > 0 and "microsoft.windowscommunicationsapps" in ParentPath:
lclXMLPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(file.getId()) + ".appcontent-ms")
ContentUtils.writeToFile(file, File(lclXMLPath))
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
with open(lclXMLPath, "rb") as XMLFile:
with open(lclXMLPath+".rewrite", 'w+b') as NewXMLFile:
contents = XMLFile.read()
newContent = contents.decode('utf-16').encode('utf-8')
NewXMLFile.write(newContent.replace('<?xml version="1.0" encoding="utf-16"?>','<?xml version="1.0" encoding="utf-8"?>'))
NewXMLFile.close()
XMLFile.close()
f = open(lclXMLPath+".rewrite", "rb")
all = f.read()
f.close()
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName + str(msgcounter), all)
#IngestServices.getInstance().postMessage(message)
#XMLFile = open(lclXMLPath, "rb")
AppID="**"
FirstName = "**"
LastName = "**"
HomeAddress1Country = "**"
HomeAddress1Locality = "**"
HomeAddress1Region = "**"
Birthday = "**"
Service = "**"
root = ET.fromstring(all)
for elem in root.iter():
teller = 0
if "System.Contact.ConnectedServiceName" in str(elem.attrib):
if len(elem.text) == 2:
for child in elem:
teller =+1
Service = child.text
# if teller == 1:
break
else:
Service = elem.text
elif "System.AppUserModel.PackageRelativeApplicationID" in str(elem.attrib):
if len(elem.text) == 2:
for child in elem:
teller =+1
AppID = child.text
# if teller == 1:
break
else:
if len(elem.text)==0:
AppID = elem.text
else:
AppID = "**"
elif "System.Contact.FirstName" in str(elem.attrib):
if len(elem.text) == 2:
for child in elem:
teller =+1
FirstName = child.text
if teller == 1:
break
else:
FirstName = elem.text
elif "System.Contact.LastName" in str(elem.attrib):
if len(elem.text) == 2:
for child in elem:
teller =+1
LastName = child.text
if teller == 1:
break
else:
LastName = elem.text
elif "System.Contact.HomeAddress1Country" in str(elem.attrib):
if len(elem.text) == 2:
teller =+1
for child in elem:
HomeAddress1Country = child.text
if teller == 1:
break
else:
HomeAddress1Country = elem.text
elif "System.Contact.HomeAddress1Locality" in str(elem.attrib):
if len(elem.text) == 2:
for child in elem:
teller =+1
HomeAddress1Locality = child.text
if teller == 1:
break
else:
HomeAddress1Locality = elem.text
elif "System.Contact.HomeAddress1Region" in str(elem.attrib):
if len(elem.text) == 2:
for child in elem:
teller =+1
HomeAddress1Region = child.text
if teller == 1:
break
else:
HomeAddress1Region = elem.text
elif "System.Contact.Birthday" in str(elem.attrib):
if len(elem.text) == 2:
for child in elem:
teller =+1
Birthday = child.text
if teller == 1:
break
else:
Birthday = elem.text
else:
#another value - manual forensics
#AppID = "BLAHELSE"
pass
#IngestServices.getInstance().postMessage(message)
#end looping through elements
#ready for next file
art = file.newArtifact(artID_wincom_contact)
attID_ex =ccase.getAttributeType("TSK_WINCOM_CONTACT_SERVICE")
art.addAttribute(BlackboardAttribute(attID_ex, WindowsCommunicationModuleFactory.moduleName, Service))
attID_ex1 =ccase.getAttributeType("TSK_WINCOM_CONTACT_APPID")
art.addAttribute(BlackboardAttribute(attID_ex1, WindowsCommunicationModuleFactory.moduleName, AppID))
attID_ex2 =ccase.getAttributeType("TSK_WINCOM_CONTACT_FIRSTNAME")
art.addAttribute(BlackboardAttribute(attID_ex2, WindowsCommunicationModuleFactory.moduleName, FirstName))
attID_ex3 =ccase.getAttributeType("TSK_WINCOM_CONTACT_LASTNAME")
art.addAttribute(BlackboardAttribute(attID_ex3, WindowsCommunicationModuleFactory.moduleName, LastName))
attID_ex4 =ccase.getAttributeType("TSK_WINCOM_CONTACT_COUNTRY")
art.addAttribute(BlackboardAttribute(attID_ex4, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Country))
attID_ex5 =ccase.getAttributeType("TSK_WINCOM_CONTACT_LOCALITY")
art.addAttribute(BlackboardAttribute(attID_ex5, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Locality))
attID_ex6 =ccase.getAttributeType("TSK_WINCOM_CONTACT_REGION")
art.addAttribute(BlackboardAttribute(attID_ex6, WindowsCommunicationModuleFactory.moduleName, HomeAddress1Region))
attID_ex7 =ccase.getAttributeType("TSK_WINCOM_CONTACT_BIRTHDAY")
art.addAttribute(BlackboardAttribute(attID_ex7, WindowsCommunicationModuleFactory.moduleName, Birthday))
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(WindowsCommunicationModuleFactory.moduleName, artID_wincom_contact_evt, None))
else:
pass
#cleanup
try:
os.remove(lclXMLPath)
os.remove(lclXMLPath+".rewrite")
except:
self.log(Level.INFO, "Cleanup of files did not work ")
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Windows Communication App - Contacts", "Windows Communication App - Contacts Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
# def shutDown(self):
# # As a final part of this example, we'll send a message to the ingest inbox with the number of files found (in this thread)
# msg2 = IngestMessage.createMessage(
# IngestMessage.MessageType.DATA, WindowsCommunicationModuleFactory.moduleName,
# "Found " + str(self.filesFound))
# ingestServices = IngestServices.getInstance().postMessage(msg2)
def process(self, dataSource, progressBar):
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# Find the "contacts.db" file to parse
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "contacts.db")
# keep track of progress
num_files = len(files)
progressBar.switchToDeterminate(num_files)
file_count = 0
for f in files:
# First check to see if the job was cancelled
# If it was, return.
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
# Begin processing the next file
self.log(Level.INFO, "Processing file: " + f.getName())
file_count += 1
# need to save the current file to disk for processng
lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(),
str(f.getId()) + ".db")
ContentUtils.writeToFile(f, File(lclDbPath))
# Next we open the db for processing
try:
Class.forName("org.sqlite.JDBC").newInstance()
db_conn = DriverManager.getConnection("jdbc:sqlite:%s" %
lclDbPath)
except SQLException as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
f.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# queryr all from the contacts table
try:
stmt = db_conn.createStatement()
result_set = stmt.executeQuery("SELECT * FROM contacts")
except SQLException as e:
self.log(
Level.INFO,
"Error querying database for contacts table (" +
e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Process the DB
while result_set.next():
# Make an artifact on the blackboard and give it attributes
art = f.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT)
# Name found in DB
name = result_set.getString("name")
art.addAttribute(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME_PERSON.
getTypeID(),
HW11ContactsDbIngestModuleFactory.moduleName, name))
# Email found
email = result_set.getString("email")
art.addAttribute(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL.getTypeID(
), HW11ContactsDbIngestModuleFactory.moduleName,
email))
# Phone number found
phone = result_set.getString("phone")
art.addAttribute(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.
getTypeID(),
HW11ContactsDbIngestModuleFactory.moduleName, phone))
# Index the artifact for keyword searching
try:
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE,
"Error indexing artifact " + art.getDisplayName())
# Update the UI of the newly created artifact
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(HW11ContactsDbIngestModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT,
None))
# Clean up tasks for the current file
stmt.close()
db_conn.close()
os.remove(lclDbPath)
# After all db's are processed, post a message to the ingest inbox.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"ContactsDb Analyzer",
"Found %d files" % file_count)
IngestServices.getInstance().postMessage(message)
# return
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
self.log(Level.INFO, "Starting to process")
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Get the temp directory and create the sub directory
modDir = os.path.join(
Case.getCurrentCase().getModulesOutputDirAbsPath(), "AD1Extractor")
try:
os.mkdir(modDir)
except:
self.log(Level.INFO,
"AD1 Extractor Directory already Exists " + modDir)
moduleName = AD1ExtractorIngestModuleFactory.moduleName
# get the current case
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%", "/")
numFiles = len(files)
self.log(Level.INFO, "Number of files to process ==> " + str(numFiles))
for file in files:
self.log(Level.INFO,
"File name to process is ==> " + file.getName())
self.log(
Level.INFO,
"File name to process is ==> " + str(file.getLocalAbsPath()))
imageFile = file.getLocalAbsPath()
if ((imageFile != None) or (not file.isDir())):
if ".ad1" in imageFile.lower():
progressBar.progress("Extracting " + file.getName())
filename, file_extension = os.path.splitext(file.getName())
self.log(
Level.INFO, "Running program ==> " + self.path_to_exe +
" " + imageFile + " " + modDir + " " +
os.path.join(modDir, filename + ".db3"))
pipe = Popen([
self.path_to_exe, imageFile, modDir,
os.path.join(modDir, filename + ".db3")
],
stdout=PIPE,
stderr=PIPE)
outText = pipe.communicate()[0]
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artIdAD1 = skCase.addArtifactType(
"AD1_EXTRACTOR", "AD1 Extraction")
except:
self.log(
Level.INFO,
"Artifacts Creation Error, Artifact AD1_EXTRACTOR may exist. ==> "
)
artIdAD1 = skCase.getArtifactTypeID("AD1_EXTRACTOR")
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection(
"jdbc:sqlite:%s" %
os.path.join(modDir, filename + ".db3"))
except SQLException as e:
self.log(
Level.INFO,
"Could not open database file (not SQLite) " +
os.path.join(modDir, filename + ".db3") + " (" +
e.getMessage() + ")")
return IngestModule.ProcessResult.OK
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery(self.sqlStatement)
self.log(Level.INFO, "query ad1_info")
except SQLException as e:
self.log(
Level.INFO,
"Error querying database for ad1_info tables (" +
e.getMessage() + ") ")
return IngestModule.ProcessResult.OK
# Cycle through each row and get the installed programs and install time
while resultSet.next():
try:
artAD1 = file.newArtifact(artIdAD1)
attributes = ArrayList()
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_NAME, moduleName,
resultSet.getString("file_name")))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_TEMP_DIR, moduleName,
resultSet.getString("ad1_path_name")))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_DATETIME_CREATED, moduleName,
resultSet.getInt("date_created")))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_DATETIME_MODIFIED, moduleName,
resultSet.getInt("date_modified")))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_DATETIME_ACCESSED, moduleName,
resultSet.getInt("date_accessed")))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_HASH_MD5, moduleName,
resultSet.getString("md5_hash")))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_HASH_SHA1, moduleName,
resultSet.getString("sha1_hash")))
artAD1.addAttributes(attributes)
# index the artifact for keyword search
try:
blackboard.postArtifact(artAD1)
except:
pass
except SQLException as e:
self.log(
Level.INFO,
"Error getting values from AD1tables (" +
e.getMessage() + ")")
# Close the database statement
try:
stmt.close()
dbConn.close()
except:
pass
dir_list = []
dir_list.append(modDir)
services = IngestServices.getInstance()
progress_updater = ProgressUpdater()
newDataSources = []
fileManager = Case.getCurrentCase().getServices().getFileManager()
skcase_data = Case.getCurrentCase()
# Get a Unique device id using uuid
device_id = UUID.randomUUID()
self.log(Level.INFO, "device id: ==> " + str(device_id))
skcase_data.notifyAddingDataSource(device_id)
progressBar.progress(
"Adding Takeout files to AD1Extractor Data Source")
# Add data source with files
newDataSource = fileManager.addLocalFilesDataSource(
str(device_id), "AD1", "", dir_list, progress_updater)
newDataSources.append(newDataSource.getRootDirectory())
# Get the files that were added
files_added = progress_updater.getFiles()
for file_added in files_added:
progressBar.progress(
"Adding AD1 extracted files to new data source")
skcase_data.notifyDataSourceAdded(file_added, device_id)
#self.log(Level.INFO, "Fire Module1: ==> " + str(file_added))
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"AD1ExtractorSettings",
" AD1Extractors Has Been Run ")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, file):
skCase = Case.getCurrentCase().getSleuthkitCase()
ARTID_NS_DEVICE_ACCOUNT_ID = skCase.getArtifactTypeID(
self.ARTIFACTTYPENAME_NS_DEVICE_ACCOUNT)
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
or not (file.isFile())):
return IngestModule.ProcessResult.OK
# Use blackboard class to index blackboard artifacts for keyword search
# blackboard = Case.getCurrentCase().getServices().getBlackboard()
if file.getName() == "8000000000000010":
self.filesFound += 1
artifactList = file.getArtifacts(
BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT)
self.log(Level.INFO, str(artifactList.size()))
users = self.getUsersFromFile(file)
artifactList = file.getArtifacts(ARTID_NS_DEVICE_ACCOUNT_ID)
for user in users:
# Don't add to blackboard if the artifact already exists
for artifact in artifactList:
artifactNickname = artifact.getAttribute(
self.NS_ACCOUNT_ATTRIBUTES["nickname"][3])
artifactEmail = artifact.getAttribute(
self.NS_ACCOUNT_ATTRIBUTES["email"][3])
if artifactNickname and artifactEmail:
if artifactNickname.getValueString(
) == user["nickname"]:
if artifactEmail.getValueString() == user["email"]:
return IngestModule.ProcessResult.OK
art = file.newArtifact(ARTID_NS_DEVICE_ACCOUNT_ID)
art.addAttribute(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.
getTypeID(),
DeviceAccountIngestModuleFactory.moduleName,
"Nintendo Switch - Device Accounts"))
for attribute in self.NS_ACCOUNT_ATTRIBUTES.keys():
art.addAttribute(
BlackboardAttribute(
self.NS_ACCOUNT_ATTRIBUTES[attribute][3],
DeviceAccountIngestModuleFactory.moduleName,
str(user[attribute])))
# Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(
DeviceAccountIngestModuleFactory.moduleName,
skCase.getArtifactType(
self.ARTIFACTTYPENAME_NS_DEVICE_ACCOUNT), None))
return IngestModule.ProcessResult.OK
def process(self, file):
skCase = Case.getCurrentCase().getSleuthkitCase()
ARTID_NS_WIFI = skCase.getArtifactTypeID(self.ARTIFACTTYPENAME_NS_WIFI)
networks = {}
skCase = Case.getCurrentCase().getSleuthkitCase()
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
or (file.isFile() is False)):
return IngestModule.ProcessResult.OK
blackboard = Case.getCurrentCase().getServices().getBlackboard()
if (file.getName().lower() == "8000000000000050"):
artifactList = file.getArtifacts(ARTID_NS_WIFI)
self.log(Level.INFO, "Found the file" + file.getName())
self.filesFound += 1
inputStream = ReadContentInputStream(file)
buffer = jarray.zeros(8192, "b")
totLen = 0
lengthofbuffer = inputStream.read(buffer)
while lengthofbuffer != -1:
totLen = totLen + lengthofbuffer
lengthofbuffer = inputStream.read(buffer)
currentBuffer = buffer.tostring()
regex = "\x00[^\x00]{16}\x03(?:[^\x20-\x7f]+)(?P<ssid>[\x20-\x7f]+?)\x00(?:[^\x20-\x7f]+)(?P<pass>[\x20-\x7f]+?)\x00"
x = re.finditer(regex, currentBuffer)
for network in x:
networks[network.group('ssid')] = network.group('pass')
for ssid, psk in networks.items():
self.log(Level.INFO, ssid)
# Don't add to blackboard if the artifact already exists
for artifact in artifactList:
artifactSSID = artifact.getAttribute(
self.NS_WIFI_ATTRIBUTES["SSID"][3])
if artifactSSID.getValueString() == ssid:
pass
art = file.newArtifact(ARTID_NS_WIFI)
art.addAttribute(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.
getTypeID(), WiFiIngestModuleFactory.moduleName,
"Nintendo Switch - Wireless Credentials"))
art.addAttribute(
BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["SSID"][3],
WiFiIngestModuleFactory.moduleName,
ssid))
art.addAttribute(
BlackboardAttribute(self.NS_WIFI_ATTRIBUTES["PSK"][3],
WiFiIngestModuleFactory.moduleName,
psk))
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException:
self.log(Level.SEVERE,
"Error indexing artifact " + art.getDisplayName())
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(
WiFiIngestModuleFactory.moduleName,
skCase.getArtifactType(self.ARTIFACTTYPENAME_NS_WIFI),
None))
return IngestModule.ProcessResult.OK
def __findCallLogsInDB(self, databasePath, abstractFile, dataSource):
if not databasePath:
return
bbartifacts = list()
try:
connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath)
statement = connection.createStatement()
# Create a 'Device' account using the data source device id
datasourceObjId = dataSource.getDataSource().getId()
ds = Case.getCurrentCase().getSleuthkitCase().getDataSource(datasourceObjId)
deviceID = ds.getDeviceId()
deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().createAccountFileInstance(Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile)
for tableName in CallLogAnalyzer._tableNames:
try:
resultSet = statement.executeQuery("SELECT number, date, duration, type, name FROM " + tableName + " ORDER BY date DESC;")
self._logger.log(Level.INFO, "Reading call log from table {0} in db {1}", [tableName, databasePath])
while resultSet.next():
date = resultSet.getLong("date") / 1000
direction = CallLogAnalyzer.fromType(resultSet.getInt("type"))
directionString = direction.getDisplayName() if direction is not None else ""
number = resultSet.getString("number")
duration = resultSet.getLong("duration") # duration of call is in seconds
name = resultSet.getString("name") # name of person dialed or called. None if unregistered
try:
attributes = ArrayList()
artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG) # create a call log and then add attributes from result set.
if direction == CallLogAnalyzer.OUTGOING:
attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO, general.MODULE_NAME, number))
else: # Covers INCOMING and MISSED
attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM, general.MODULE_NAME, number))
attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_START, general.MODULE_NAME, date))
attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_END, general.MODULE_NAME, duration + date))
attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, directionString))
attributes.add(BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, general.MODULE_NAME, name))
artifact.addAttributes(attributes)
# Create an account
calllogAccountInstance = Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().createAccountFileInstance(Account.Type.PHONE, number, general.MODULE_NAME, abstractFile);
# create relationship between accounts
Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().addRelationships(deviceAccountInstance, [calllogAccountInstance], artifact, Relationship.Type.CALL_LOG, date);
bbartifacts.append(artifact)
try:
# index the artifact for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
blackboard.indexArtifact(artifact)
except Blackboard.BlackboardException as ex:
self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
MessageNotifyUtil.Notify.error("Failed to index call log artifact for keyword search.", artifact.getDisplayName())
except TskCoreException as ex:
self._logger.log(Level.SEVERE, "Error posting call log record to the blackboard", ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
except SQLException as ex:
self._logger.log(Level.WARNING, String.format("Could not read table %s in db %s", tableName, databasePath), ex)
except SQLException as ex:
self._logger.log(Level.SEVERE, "Could not parse call log; error connecting to db " + databasePath, ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
finally:
if bbartifacts:
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(general.MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG, bbartifacts))
def analyze(self, dataSource, fileManager, context):
oruxMapsTrackpointsDbs = AppSQLiteDB.findAppDatabases(
dataSource, "oruxmapstracks.db", True, self._PACKAGE_NAME)
for oruxMapsTrackpointsDb in oruxMapsTrackpointsDbs:
try:
current_case = Case.getCurrentCaseThrows()
poiQueryString = "SELECT poilat, poilon, poitime, poiname FROM pois"
poisResultSet = oruxMapsTrackpointsDb.runQuery(poiQueryString)
abstractFile = oruxMapsTrackpointsDb.getDBFile()
if poisResultSet is not None:
while poisResultSet.next():
latitude = poisResultSet.getDouble("poilat")
longitude = poisResultSet.getDouble("poilon")
time = poisResultSet.getLong(
"poitime") / 1000 # milliseconds since unix epoch
name = poisResultSet.getString("poiname")
attributes = ArrayList()
artifact = abstractFile.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT
)
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_DATETIME, self._MODULE_NAME, time))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LATITUDE, self._MODULE_NAME, latitude))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LONGITUDE, self._MODULE_NAME,
longitude))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME,
self._MODULE_NAME, name))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_PROG_NAME, self._MODULE_NAME,
self._PROGRAM_NAME))
artifact.addAttributes(attributes)
try:
# index the artifact for keyword search
blackboard = Case.getCurrentCase(
).getSleuthkitCase().getBlackboard()
blackboard.postArtifact(artifact,
self._MODULE_NAME)
except Blackboard.BlackboardException as ex:
self._logger.log(
Level.SEVERE,
"Unable to index blackboard artifact " +
str(artifact.getArtifactID()), ex)
self._logger.log(Level.SEVERE,
traceback.format_exc())
MessageNotifyUtil.Notify.error(
"Failed to index trackpoint artifact for keyword search.",
artifact.getDisplayName())
trackpointsQueryString = "SELECT trkptlat, trkptlon, trkpttime FROM trackpoints"
trackpointsResultSet = oruxMapsTrackpointsDb.runQuery(
trackpointsQueryString)
if trackpointsResultSet is not None:
while trackpointsResultSet.next():
latitude = trackpointsResultSet.getDouble("trkptlat")
longitude = trackpointsResultSet.getDouble("trkptlon")
time = trackpointsResultSet.getLong(
"trkpttime"
) / 1000 # milliseconds since unix epoch
name = ""
attributes = ArrayList()
artifact = abstractFile.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT
)
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_DATETIME, self._MODULE_NAME, time))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LATITUDE, self._MODULE_NAME, latitude))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LONGITUDE, self._MODULE_NAME,
longitude))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME,
self._MODULE_NAME, name))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_PROG_NAME, self._MODULE_NAME,
self._PROGRAM_NAME))
artifact.addAttributes(attributes)
try:
# index the artifact for keyword search
blackboard = Case.getCurrentCase(
).getSleuthkitCase().getBlackboard()
blackboard.postArtifact(artifact,
self._MODULE_NAME)
except Blackboard.BlackboardException as ex:
self._logger.log(
Level.SEVERE,
"Unable to index blackboard artifact " +
str(artifact.getArtifactID()), ex)
self._logger.log(Level.SEVERE,
traceback.format_exc())
MessageNotifyUtil.Notify.error(
"Failed to index trackpoint artifact for keyword search.",
artifact.getDisplayName())
except SQLException as ex:
self._logger.log(
Level.WARNING,
"Error processing query result for Orux Map trackpoints.",
ex)
self._logger.log(Level.WARNING, traceback.format_exc())
except TskCoreException as ex:
self._logger.log(
Level.SEVERE,
"Failed to add Orux Map trackpoint artifacts.", ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
except BlackboardException as ex:
self._logger.log(Level.WARNING, "Failed to post artifacts.",
ex)
self._logger.log(Level.WARNING, traceback.format_exc())
except NoCurrentCaseException as ex:
self._logger.log(Level.WARNING, "No case currently open.", ex)
self._logger.log(Level.WARNING, traceback.format_exc())
finally:
oruxMapsTrackpointsDb.close()
def process(self, dataSource, progressBar):
# Check to see if the artifacts exist and if not then create it, also check to see if the attributes
# exist and if not then create them
skCase = Case.getCurrentCase().getSleuthkitCase();
skCase_Tran = skCase.beginTransaction()
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_jl_ad = skCase.addArtifactType( "TSK_JL_AD", "Jump List Auto Dest")
except:
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
artID_jl_ad = skCase.getArtifactTypeID("TSK_JL_AD")
try:
attID_jl_fn = skCase.addArtifactAttributeType("TSK_JLAD_FILE_NAME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "JumpList File Name")
except:
self.log(Level.INFO, "Attributes Creation Error, JL AD File Name. ==> ")
try:
attID_jl_fg = skCase.addArtifactAttributeType("TSK_JLAD_FILE_DESCRIPTION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Description")
except:
self.log(Level.INFO, "Attributes Creation Error, File Description. ==> ")
try:
attID_jl_in = skCase.addArtifactAttributeType("TSK_JLAD_ITEM_NAME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Item Name")
except:
self.log(Level.INFO, "Attributes Creation Error, Item Name. ==> ")
try:
attID_jl_cl = skCase.addArtifactAttributeType("TSK_JLAD_COMMAND_LINE_ARGS", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Command Line Args")
except:
self.log(Level.INFO, "Attributes Creation Error, Command Line Arguments. ==> ")
try:
attID_jl_dt = skCase.addArtifactAttributeType("TSK_JLAD_Drive Type", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "Drive Type")
except:
self.log(Level.INFO, "Attributes Creation Error, Drive Type. ==> ")
try:
attID_jl_dsn = skCase.addArtifactAttributeType("TSK_JLAD_DRIVE_SERIAL_NUMBER", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "Drive Serial Number")
except:
self.log(Level.INFO, "Attributes Creation Error, Drive Serial Number. ==> ")
try:
attID_jl_des = skCase.addArtifactAttributeType("TSK_JLAD_DESCRIPTION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Description")
except:
self.log(Level.INFO, "Attributes Creation Error, Description. ==> ")
try:
attID_jl_evl = skCase.addArtifactAttributeType("TSK_JLAD_ENVIRONMENT_VARIABLES_LOCATION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Env Var Location")
except:
self.log(Level.INFO, "Attributes Creation Error, Env Var Location. ==> ")
try:
attID_jl_fat = skCase.addArtifactAttributeType("TSK_JLAD_FILE_ACCESS_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Access Time")
except:
self.log(Level.INFO, "Attributes Creation Error, File Access Time. ==> ")
try:
attID_jl_faf = skCase.addArtifactAttributeType("TSK_JLAD_FILE_ATTRIBUTE_FLAGS", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "File Attribute Flags")
except:
self.log(Level.INFO, "Attributes Creation Error, File Attribute Flags. ==> ")
try:
attID_jl_fct = skCase.addArtifactAttributeType("TSK_JLAD_FILE_CREATION_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Creation Time")
except:
self.log(Level.INFO, "Attributes Creation Error, File Creation Time. ==> ")
try:
attID_jl_fmt = skCase.addArtifactAttributeType("TSK_JLAD_FILE_MODIFICATION_TIME", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Modification Time")
except:
self.log(Level.INFO, "Attributes Creation Error, File Modification Time. ==> ")
try:
attID_jl_fs = skCase.addArtifactAttributeType("TSK_JLAD_FILE_SIZE", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, "File Size")
except:
self.log(Level.INFO, "Attributes Creation Error, File Size. ==> ")
try:
attID_jl_ic = skCase.addArtifactAttributeType("TSK_JLAD_ICON_LOCATION", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Icon Location")
except:
self.log(Level.INFO, "Attributes Creation Error, Icon Location. ==> ")
try:
attID_jl_ltid = skCase.addArtifactAttributeType("TSK_JLAD_LINK_TARGET_IDENTIFIER_DATA", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Link Target Identifier Data")
except:
self.log(Level.INFO, "Attributes Creation Error, Link Target Identifier Data. ==> ")
try:
attID_jl_lp = skCase.addArtifactAttributeType("TSK_JLAD_LOCAL_PATH", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Local Path")
except:
self.log(Level.INFO, "Attributes Creation Error, File Modification Time. ==> ")
try:
attID_jl_mi = skCase.addArtifactAttributeType("TSK_JLAD_FILE_MACHINE_IDENTIFIER", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Machine Identifier")
except:
self.log(Level.INFO, "Attributes Creation Error, Machine Identifier. ==> ")
try:
attID_jl_np = skCase.addArtifactAttributeType("TSK_JLAD_NETWORK_PATH", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Network Path")
except:
self.log(Level.INFO, "Attributes Creation Error, Network Path. ==> ")
try:
attID_jl_rp = skCase.addArtifactAttributeType("TSK_JLAD_RELATIVE_PATH", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Relative Path")
except:
self.log(Level.INFO, "Attributes Creation Error, Relative Path. ==> ")
try:
attID_jl_vl = skCase.addArtifactAttributeType("TSK_JLAD_VOLUME_LABEL", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Volume Label")
except:
self.log(Level.INFO, "Attributes Creation Error, Volume Label. ==> ")
try:
attID_jl_wc = skCase.addArtifactAttributeType("TSK_JLAD_WORKING_DIRECTORY", BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Working Directory")
except:
self.log(Level.INFO, "Attributes Creation Error, Working Directory. ==> ")
#self.log(Level.INFO, "Get Artifacts after they were created.")
# Get the new artifacts and attributes that were just created
artID_jl_ad = skCase.getArtifactTypeID("TSK_JL_AD")
artID_jl_ad_evt = skCase.getArtifactType("TSK_JL_AD")
attID_jl_fn = skCase.getAttributeType("TSK_JLAD_FILE_NAME")
attID_jl_fg = skCase.getAttributeType("TSK_JLAD_FILE_DESCRIPTION")
attID_jl_in = skCase.getAttributeType("TSK_JLAD_ITEM_NAME")
attID_jl_cl = skCase.getAttributeType("TSK_JLAD_COMMAND_LINE_ARGS")
attID_jl_dt = skCase.getAttributeType("TSK_JLAD_Drive Type")
attID_jl_dsn = skCase.getAttributeType("TSK_JLAD_DRIVE_SERIAL_NUMBER")
attID_jl_des = skCase.getAttributeType("TSK_JLAD_DESCRIPTION")
attID_jl_evl = skCase.getAttributeType("TSK_JLAD_ENVIRONMENT_VARIABLES_LOCATION")
attID_jl_fat = skCase.getAttributeType("TSK_JLAD_FILE_ACCESS_TIME")
attID_jl_faf = skCase.getAttributeType("TSK_JLAD_FILE_ATTRIBUTE_FLAGS")
attID_jl_fct = skCase.getAttributeType("TSK_JLAD_FILE_CREATION_TIME")
attID_jl_fmt = skCase.getAttributeType("TSK_JLAD_FILE_MODIFICATION_TIME")
attID_jl_fs = skCase.getAttributeType("TSK_JLAD_FILE_SIZE")
attID_jl_ic = skCase.getAttributeType("TSK_JLAD_ICON_LOCATION")
attID_jl_ltid = skCase.getAttributeType("TSK_JLAD_LINK_TARGET_IDENTIFIER_DATA")
attID_jl_lp = skCase.getAttributeType("TSK_JLAD_LOCAL_PATH")
attID_jl_mi = skCase.getAttributeType("TSK_JLAD_FILE_MACHINE_IDENTIFIER")
attID_jl_np = skCase.getAttributeType("TSK_JLAD_NETWORK_PATH")
attID_jl_rp = skCase.getAttributeType("TSK_JLAD_RELATIVE_PATH")
attID_jl_vl = skCase.getAttributeType("TSK_JLAD_VOLUME_LABEL")
attID_jl_wd = skCase.getAttributeType("TSK_JLAD_WORKING_DIRECTORY")
#self.log(Level.INFO, "Artifact id for TSK_PREFETCH ==> " + str(artID_pf))
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Find the Windows Event Log Files
files = []
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%.automaticDestinations-ms")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0;
# Create Event Log directory in temp directory, if it exists then continue on processing
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "create Directory " + Temp_Dir + "\JL_AD")
try:
os.mkdir(Temp_Dir + "\JL_AD")
except:
self.log(Level.INFO, "JL_AD Directory already exists " + Temp_Dir)
# Write out each Event Log file to the temp directory
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
#self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(Temp_Dir + "\JL_AD", file.getName())
ContentUtils.writeToFile(file, File(lclDbPath))
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO, "Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Run the EXE, saving output to a sqlite database
self.log(Level.INFO, "Running program on data source parm 1 ==> " + Temp_Dir + "\JL_AD" + " Parm 2 ==> " + Temp_Dir + "\JL_AD.db3")
output = subprocess.Popen([self.path_to_exe, Temp_Dir + "\JL_AD", Temp_Dir + "\JL_AD.db3", self.path_to_app_id_db], stdout=subprocess.PIPE).communicate()[0]
#self.log(Level.INFO, "Output for the JL_AD program ==> " + output)
self.log(Level.INFO, " Return code is ==> " + output)
# Set the database to be read to the one created by the Event_EVTX program
lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(), "JL_AD.db3")
self.log(Level.INFO, "Path to the JL_AD database file created ==> " + lclDbPath)
# Open the DB using JDBC
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) " + file.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%.automaticDestinations-ms")
for file in files:
file_name = os.path.splitext(file.getName())[0]
self.log(Level.INFO, "File To process in SQL " + file_name + " <<=====")
# Query the contacts table in the database and get all columns.
try:
stmt = dbConn.createStatement()
SQL_Statement = "select File_Name, File_Description, Item_Name, command_line_arguments, drive_type, drive_serial_number, " + \
" description, environment_variables_location, file_access_time, file_attribute_flags, file_creation_time, " + \
" file_modification_time, file_size, icon_location, link_target_identifier_data, local_path, " + \
" machine_identifier, network_path, relative_path, volume_label, working_directory " + \
" from Automatic_destinations_JL where upper(File_Name) = upper('" + file_name + "');"
# " from Automatic_destinations_JL where File_Name||'.automaticDestinations-ms' = '" + file_name + "';"
#self.log(Level.INFO, "SQL Statement " + SQL_Statement + " <<=====")
resultSet = stmt.executeQuery(SQL_Statement)
except SQLException as e:
self.log(Level.INFO, "Error querying database for EventLogs table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
# self.log(Level.INFO, "Result (" + resultSet.getString("File_Name") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Recovered_Record") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Computer_Name") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Identifier") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Identifier_Qualifiers") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Level") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Offset") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Identifier") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Source_Name") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_User_Security_Identifier") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Time_Epoch") + ")")
# self.log(Level.INFO, "Result (" + resultSet.getString("Event_Detail_Text") + ")")
File_Name = resultSet.getString("File_Name")
File_Description = resultSet.getString("File_Description")
Item_Name = resultSet.getString("Item_Name")
Command_Line_Arguments = resultSet.getString("command_line_arguments")
Drive_Type = resultSet.getInt("drive_type")
Drive_Serial_Number = resultSet.getInt("drive_serial_number")
Description = resultSet.getString("description")
Environment_Variables_Location = resultSet.getString("environment_variables_location")
File_Access_Time = resultSet.getString("file_access_time")
File_Attribute_Flags = resultSet.getInt("file_attribute_flags")
File_Creation_Time = resultSet.getString("file_creation_time")
File_Modification_Time = resultSet.getString("file_modification_time")
File_Size = resultSet.getInt("file_size")
Icon_Location = resultSet.getString("icon_location")
Link_Target_Identifier_Data = resultSet.getString("link_target_identifier_data")
Local_Path = resultSet.getString("local_path")
Machine_Identifier = resultSet.getString("machine_identifier")
Network_Path = resultSet.getString("network_path")
Relative_Path = resultSet.getString("relative_path")
Volume_Label = resultSet.getString("volume_label")
Working_Directory = resultSet.getString("working_directory")
except SQLException as e:
self.log(Level.INFO, "Error getting values from contacts table (" + e.getMessage() + ")")
#fileManager = Case.getCurrentCase().getServices().getFileManager()
#files = fileManager.findFiles(dataSource, Prefetch_File_Name)
#for file in files:
# Make artifact for TSK_PREFETCH, this can happen when custom attributes are fully supported
#art = file.newArtifact(artID_pf)
# Make an artifact on the blackboard, TSK_PROG_RUN and give it attributes for each of the fields
# Not the proper way to do it but it will work for the time being.
art = file.newArtifact(artID_jl_ad)
# This is for when proper atributes can be created.
art.addAttributes(((BlackboardAttribute(attID_jl_fn, JumpListADDbIngestModuleFactory.moduleName, File_Name)), \
(BlackboardAttribute(attID_jl_fg, JumpListADDbIngestModuleFactory.moduleName, File_Description)), \
(BlackboardAttribute(attID_jl_in, JumpListADDbIngestModuleFactory.moduleName, Item_Name)), \
(BlackboardAttribute(attID_jl_cl, JumpListADDbIngestModuleFactory.moduleName, Command_Line_Arguments)), \
(BlackboardAttribute(attID_jl_dt, JumpListADDbIngestModuleFactory.moduleName, Drive_Type)), \
(BlackboardAttribute(attID_jl_dsn, JumpListADDbIngestModuleFactory.moduleName, Drive_Serial_Number)), \
(BlackboardAttribute(attID_jl_des, JumpListADDbIngestModuleFactory.moduleName, Description)), \
(BlackboardAttribute(attID_jl_evl, JumpListADDbIngestModuleFactory.moduleName, Environment_Variables_Location)), \
(BlackboardAttribute(attID_jl_fat, JumpListADDbIngestModuleFactory.moduleName, File_Access_Time)), \
(BlackboardAttribute(attID_jl_faf, JumpListADDbIngestModuleFactory.moduleName, File_Attribute_Flags)), \
(BlackboardAttribute(attID_jl_fct, JumpListADDbIngestModuleFactory.moduleName, File_Creation_Time)), \
(BlackboardAttribute(attID_jl_fmt, JumpListADDbIngestModuleFactory.moduleName, File_Modification_Time)), \
(BlackboardAttribute(attID_jl_fs, JumpListADDbIngestModuleFactory.moduleName, File_Size)), \
(BlackboardAttribute(attID_jl_ic, JumpListADDbIngestModuleFactory.moduleName, Icon_Location)), \
(BlackboardAttribute(attID_jl_ltid, JumpListADDbIngestModuleFactory.moduleName, Link_Target_Identifier_Data)), \
(BlackboardAttribute(attID_jl_lp, JumpListADDbIngestModuleFactory.moduleName, Local_Path)), \
(BlackboardAttribute(attID_jl_mi, JumpListADDbIngestModuleFactory.moduleName, Machine_Identifier)), \
(BlackboardAttribute(attID_jl_np, JumpListADDbIngestModuleFactory.moduleName, Network_Path)), \
(BlackboardAttribute(attID_jl_rp, JumpListADDbIngestModuleFactory.moduleName, Relative_Path)), \
(BlackboardAttribute(attID_jl_vl, JumpListADDbIngestModuleFactory.moduleName, Volume_Label)), \
(BlackboardAttribute(attID_jl_wd, JumpListADDbIngestModuleFactory.moduleName, Working_Directory))))
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None))
# Clean up
skCase_Tran.commit()
stmt.close()
dbConn.close()
os.remove(lclDbPath)
#skCase.close()
#Clean up EventLog directory and files
for file in files:
try:
os.remove(Temp_Dir + "\\" + file.getName())
except:
self.log(Level.INFO, "removal of JL_AD file failed " + Temp_Dir + "\\" + file.getName())
try:
os.rmdir(Temp_Dir)
except:
self.log(Level.INFO, "removal of JL_AD directory failed " + Temp_Dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"JumpList AD", " JumpList AD Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(JumpListADDbIngestModuleFactory.moduleName, artID_jl_ad_evt, None))
return IngestModule.ProcessResult.OK
def process(self, file):
# Skip non-files
if ((file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) or
(file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) or
(file.isFile() == False)):
return IngestModule.ProcessResult.OK
# Blackboard
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# XML Path
xmlPath = file.getUniquePath().replace("/", "\\")
xmlPath = xmlPath.replace(file.getName(), "")
replaceImgNameA = "\\img_" + str(Case.getCurrentCase().getNumber()) + ".001\\"
replaceImgNameB = "img_" + str(Case.getCurrentCase().getNumber()) + ".001\\"
xmlPath = xmlPath.replace(replaceImgNameA, "");
xmlPath = xmlPath.replace(replaceImgNameB, "");
# XML fullpath
xmlFullpath = file.getUniquePath().replace("/", "\\")
xmlFullpath = xmlFullpath.replace(replaceImgNameA, "");
xmlFullpath = xmlFullpath.replace(replaceImgNameB, "");
# XML Data
xmlId = file.getMd5Hash()
xmlCreated = file.getCrtime()
xmlAccessed = file.getAtime()
xmlWritten = file.getMtime()
xmlFileSize = file.getSize()
xmlPhysicalLocation = file.getMetaAddr()
xmlDeleted = 0
xmlMyDescription = "Exisiting"
xmlHash = file.getMd5Hash()
# Start process images -------------------------------------------------------------------------------------
if(file.getMIMEType() in self.listOfImagesMimeToCopy):
# Count
self.countImages = self.countImages+1
self.countImagesAndMovies = self.countImagesAndMovies+1
# XML Data for picture
xmlPicture = file.getName()
# Create directory
uniquePathFullLinux = file.getUniquePath();
uniquePathFullWindows = uniquePathFullLinux.replace("/", "\\")
uniquePathFullWindows = uniquePathFullWindows[1:]
fileName = os.path.basename(uniquePathFullWindows)
uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameA, "");
uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameB, "");
splitDir = uniquePathWindows.split("\\")
pathToCreate = os.path.join(self.filesDirectoryGlobal, "")
for directory in splitDir:
directory = directory.replace(":", "")
pathToCreate = os.path.join(pathToCreate, directory)
# self.log(Level.INFO, "==> directory=" + str(directory) + " pathToCreate=" + str(pathToCreate))
try:
os.mkdir(pathToCreate)
except:
pass
# Write file (here we can use either file.getName or xmlId
try:
extractedFile = os.path.join(pathToCreate, file.getName())
ContentUtils.writeToFile(file, File(extractedFile))
except:
self.log(Level.SEVERE, "Error writing File " + file.getName() + " to " + extractedFile)
# Write image to XML file
try:
f = open(self.xmlFileImagesGlobal, "a")
f.write(" <Image>\n")
f.write(" <path><![CDATA[" + str(xmlPath) + "]]></path>\n")
f.write(" <picture>" + str(xmlPicture) + "</picture>\n")
f.write(" <category>0</category>\n")
f.write(" <id>" + str(xmlId) + "</id>\n")
f.write(" <fileoffset>0</fileoffset>\n")
f.write(" <fullpath><![CDATA[" + str(xmlFullpath) + "]]></fullpath>\n")
f.write(" <created>" + str(xmlCreated) + "</created>\n")
f.write(" <accessed>" + str(xmlAccessed) + "</accessed>\n")
f.write(" <written>" + str(xmlWritten) + "</written>\n")
f.write(" <deleted>" + str(xmlDeleted) + "</deleted>\n")
f.write(" <hash>" + str(xmlHash) + "</hash>\n")
f.write(" <encaseHash>0</encaseHash>\n")
f.write(" <myDescription>" + xmlMyDescription + "</myDescription>\n")
f.write(" <physicalLocation>" + str(xmlPhysicalLocation) + "</physicalLocation>\n")
f.write(" <myUnique>0</myUnique>\n")
f.write(" <tagged>0</tagged>\n")
f.write(" <subCat></subCat>\n")
f.write(" <notes></notes>\n")
f.write(" <fileSize>" + str(xmlFileSize) + "</fileSize>\n")
f.write(" <bitDepth></bitDepth>\n")
f.write(" <aspectRatio></aspectRatio>\n")
f.write(" </Image>\n")
f.close()
except:
self.log(Level.SEVERE, "Error could not append to XML file " + self.xmlFileImagesGlobal)
# Make artifact on blackboard
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, AutopsyToGriffeyeFactory.moduleName, "Images")
art.addAttribute(att)
# Index artifact
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# UI
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AutopsyToGriffeyeFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None))
# Start process Movies -------------------------------------------------------------------------------------
if(file.getMIMEType() in self.listOfMoviesMimeToCopy):
# Count
self.countMovies = self.countMovies+1
self.countImagesAndMovies = self.countImagesAndMovies+1
# XML Data for picture
xmlVideo = file.getName()
# Create directory
uniquePathFullLinux = file.getUniquePath();
uniquePathFullWindows = uniquePathFullLinux.replace("/", "\\")
uniquePathFullWindows = uniquePathFullWindows[1:]
fileName = os.path.basename(uniquePathFullWindows)
uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameA, "");
uniquePathWindows = uniquePathFullWindows.replace(replaceImgNameB, "");
splitDir = uniquePathWindows.split("\\")
pathToCreate = os.path.join(self.filesDirectoryGlobal, "")
for directory in splitDir:
directory = directory.replace(":", "")
pathToCreate = os.path.join(pathToCreate, directory)
# self.log(Level.INFO, "==> directory=" + str(directory) + " pathToCreate=" + str(pathToCreate))
try:
os.mkdir(pathToCreate)
except:
pass
# Write file (here we can use either file.getName or xmlId
try:
extractedFile = os.path.join(pathToCreate, file.getName())
ContentUtils.writeToFile(file, File(extractedFile))
except:
self.log(Level.SEVERE, "Error writing File " + file.getName() + " to " + extractedFile)
# Write image to XML file
try:
f = open(self.xmlFileMoviesGlobal, "a")
f.write(" <Movie>\n")
f.write(" <path><![CDATA[" + str(xmlPath) + "]]></path>\n")
f.write(" <movie>" + str(xmlMovie) + "</movie>\n")
f.write(" <category>0</category>\n")
f.write(" <id>" + str(xmlId) + "</id>\n")
f.write(" <fileoffset>0</fileoffset>\n")
f.write(" <fullpath><![CDATA[" + str(xmlFullpath) + "]]></fullpath>\n")
f.write(" <created>" + str(xmlCreated) + "</created>\n")
f.write(" <accessed>" + str(xmlAccessed) + "</accessed>\n")
f.write(" <written>" + str(xmlWritten) + "</written>\n")
f.write(" <deleted>" + str(xmlDeleted) + "</deleted>\n")
f.write(" <hash>" + str(xmlHash) + "</hash>\n")
f.write(" <encaseHash>0</encaseHash>\n")
f.write(" <myDescription>" + xmlMyDescription + "</myDescription>\n")
f.write(" <physicalLocation>" + str(xmlPhysicalLocation) + "</physicalLocation>\n")
f.write(" <myUnique>0</myUnique>\n")
f.write(" <tagged>0</tagged>\n")
f.write(" <subCat></subCat>\n")
f.write(" <notes></notes>\n")
f.write(" <fileSize>" + str(xmlFileSize) + "</fileSize>\n")
f.write(" </Movie>\n")
f.close()
except:
self.log(Level.SEVERE, "Error could not append to XML file " + self.xmlFileMoviesGlobal)
# Make artifact on blackboard
art = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, AutopsyToGriffeyeFactory.moduleName, "Movies")
art.addAttribute(att)
# Index artifact
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName())
# UI
IngestServices.getInstance().fireModuleDataEvent(ModuleDataEvent(AutopsyToGriffeyeFactory.moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, None))
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
self.log(Level.INFO,dataSource.getUniquePath())
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
self.art_contacts = self.create_artifact_type("Labcif-MSTeams_CONTACTS_"," Contacts", blackboard)
self.art_messages = self.create_artifact_type("Labcif-MSTeams_MESSAGES_"," MESSAGES", blackboard)
self.art_messages_reacts = self.create_artifact_type("Labcif-MSTeams_MESSAGES_REACTS"," REACTS", blackboard)
self.art_messages_files = self.create_artifact_type("Labcif-MSTeams_MESSAGES_FILES"," FILES", blackboard)
self.art_call = self.create_artifact_type("Labcif-MSTeams_CALLS_", " Call history", blackboard)
self.art_call_one_to_one = self.create_artifact_type("Labcif-MSTeams_CALLS_ONE_TO_ONE", " Call history one to one", blackboard)
self.art_teams = self.create_artifact_type("Labcif-MSTeams_TEAMS_"," Teams", blackboard)
# contactos
self.att_name = self.create_attribute_type('Labcif-MSTeams_CONTACT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Name", blackboard)
self.att_email = self.create_attribute_type('Labcif-MSTeams_CONTACT_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Email", blackboard)
self.att_orgid = self.create_attribute_type('Labcif-MSTeams_CONTACT_ORGID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Orgid", blackboard)
self.att_user_contacts = self.create_attribute_type('Labcif-MSTeams_USERNAME_CONTACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard)
self.att_folder_extract_contacts = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_CONTACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard)
# reacts
self.att_message_id_reacts = self.create_attribute_type('Labcif-MSTeams_MESSAGE_ID_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message ID", blackboard)
self.att_sender_name_react = self.create_attribute_type('Labcif-MSTeams_MESSAGE_SENDER_NAME_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Who reacted", blackboard)
self.att_reacted_with = self.create_attribute_type('Labcif-MSTeams_MESSAGE_FILE_LOCAL_EMOJI_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Emoji", blackboard)
self.att_react_time= self.create_attribute_type('Labcif-MSTeams_MESSAGE_REACT_TIME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "React time", blackboard)
self.att_user_message_reacts = self.create_attribute_type('Labcif-MSTeams_USERNAME_MESSAGE_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard)
self.att_folder_extract_reacts = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_REACTS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard)
# mensagens
self.att_message_id = self.create_attribute_type('Labcif-MSTeams_MESSAGE_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message ID", blackboard)
self.att_message = self.create_attribute_type('Labcif-MSTeams_MESSAGE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message", blackboard)
self.att_sender_name = self.create_attribute_type('Labcif-MSTeams_SENDER', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Senders name", blackboard)
self.att_time = self.create_attribute_type('Labcif-MSTeams_TIME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message time", blackboard)
self.att_cvid = self.create_attribute_type('Labcif-MSTeams_CONVERSATION_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "CV", blackboard)
self.att_user_message = self.create_attribute_type('Labcif-MSTeams_USERNAME_MESSAGE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard)
self.att_folder_extract_message = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_MESSAGES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard)
# ficheiros
self.att_message_id_files = self.create_attribute_type('Labcif-MSTeams_MESSAGE_ID', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Message ID", blackboard)
self.att_file_name = self.create_attribute_type('Labcif-MSTeams_MESSAGE_FILE_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File name", blackboard)
self.att_file_local = self.create_attribute_type('Labcif-MSTeams_MESSAGE_FILE_LINK', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "File Link", blackboard)
self.att_user_message_files = self.create_attribute_type('Labcif-MSTeams_USERNAME_MESSAGE_FILES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard)
self.att_folder_extract_files = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_FILES', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard)
# calls one to one
self.att_date_start_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_TIME_START', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one time start", blackboard)
self.att_date_finish_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_TIME_FINISH', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one time finish", blackboard)
self.att_creator_name_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_CREATOR_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Creator Name", blackboard)
self.att_creator_email_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_CREATOR_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Creator Email", blackboard)
self.att_participant_name_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_PARTICIPANT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Participant Name", blackboard)
self.att_participant_email_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_PARTICIPANT_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one Participant Email", blackboard)
self.att_state_one_to_one = self.create_attribute_type('Labcif-MSTeams_CALL_ONE_TO_ONE_STATE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call one to one state", blackboard)
self.att_user_calls_one_to_one = self.create_attribute_type('Labcif-MSTeams_USERNAME_CALLS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard)
self.att_folder_extract_calls_one_to_one = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_CALLS_ONE_TO_ONE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard)
# teams
self.att_cv_id_teams = self.create_attribute_type('Labcif-MSTeams_CV_ID_TEAMS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Conversation ID teams", blackboard)
self.att_creator_name_teams = self.create_attribute_type('Labcif-MSTeams_TEAMS_CREATOR_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Creator Name", blackboard)
self.att_creator_email_teams = self.create_attribute_type('Labcif-MSTeams_TEAMS_CREATOR_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Creator Email", blackboard)
self.att_participant_name_teams = self.create_attribute_type('Labcif-MSTeams_TEAMS_PARTICIPANT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Participant Name", blackboard)
self.att_participant_email_teams = self.create_attribute_type('Labcif-MSTeams_teams_PARTICIPANT_EMAIL_ONE_TO_ONE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Teams Participant Email", blackboard)
self.att_user_teams = self.create_attribute_type('Labcif-MSTeams_USERNAME_TEAMS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard)
self.att_folder_extract_teams = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_TEAMS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard)
# calls
self.att_date = self.create_attribute_type('Labcif-MSTeams_CALL_DATE', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call Date", blackboard)
self.att_creator_name = self.create_attribute_type('Labcif-MSTeams_CALL_CREATOR_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Creator Name", blackboard)
self.att_creator_email = self.create_attribute_type('Labcif-MSTeams_CALL_CREATOR_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Creator Email", blackboard)
self.att_count_people_in = self.create_attribute_type('Labcif-MSTeams_CALL_AMOUNT_PEOPLE_IN', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Amount of people in call", blackboard)
self.att_duration = self.create_attribute_type('Labcif-MSTeams_CALL_DURANTION', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Call Duration", blackboard)
self.att_participant_name = self.create_attribute_type('Labcif-MSTeams_CALL_PARTICIPANT_NAME', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Participant Name", blackboard)
self.att_participant_email = self.create_attribute_type('Labcif-MSTeams_CALL_PARTICIPANT_EMAIL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Participant Email", blackboard)
self.att_user_calls = self.create_attribute_type('Labcif-MSTeams_USERNAME_CALLS', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "User", blackboard)
self.att_folder_extract_calls = self.create_attribute_type('Labcif-MSTeams_FOLDER_EXTRACT_CALL', BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, "Folder of extraction", blackboard)
# For our example, we will use FileManager to get all
# files with the word "test"
# in the name and then count and read them
# FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/latest/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%.ldb","https_teams.microsoft.com_")
numFiles = len(files)
progressBar.switchToDeterminate(numFiles)
fileCount = 0
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
fileCount += 1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artfiact. Refer to the developer docs for other examples.
src = file.getParentPath()
pathSplited=src.split("/")
user=pathSplited[2]
if user not in users:
users.append(user)
buffer = jarray.zeros(file.getSize(), "b")
file.read(buffer,0,file.getSize())
if "lost" not in src and "Roaming" in file.getParentPath() and "ProjetoEI" not in file.getParentPath():
if src not in paths:
tm = datetime.fromtimestamp(math.floor(tim.time())).strftime("%m-%d-%Y_%Hh-%Mm-%Ss")
paths[src]="Analysis_Autopsy_LDB_{}_{}".format(user,tm)
if not os.path.exists(os.path.join(projectEIAppDataPath,paths[src])):
try:
os.mkdir(os.path.join(projectEIAppDataPath,paths[src]))
except OSError:
print("Creation of the directory %s failed" % os.path.join(projectEIAppDataPath,paths[src]))
else:
print("Successfully created the directory %s " % os.path.join(projectEIAppDataPath,paths[src]))
f = open(os.path.join(os.path.join(projectEIAppDataPath,paths[src]),file.getName()),"wb")
f.write(buffer.tostring())
f.close()
# try:
# # index the artifact for keyword search
# blackboard.indexArtifact(art)
# except Blackboard.BlackboardException as e:
# self.log(Level.SEVERE, "Error indexing artifact " + art.getDisplayName()+str(e))
# To further the example, this code will read the contents of the file and count the number of bytes
# Update the progress bar
progressBar.progress(fileCount)
for src, path in paths.items():
complementaryFiles=fileManager.findFilesByParentPath(dataSource.getId(),src)
for file in complementaryFiles:
if "lost" not in file.getParentPath() and ".ldb" not in file.getName() and "lost" not in file.getName() and "Roaming" in file.getParentPath() and "ProjetoEI" not in file.getParentPath():
if file.getName() == "." or file.getName() == ".." or "-slack" in file.getName():
continue
buffer = jarray.zeros(file.getSize(), "b")
if src not in paths:
tm = datetime.fromtimestamp(math.floor(tim.time())).strftime("%m-%d-%Y_%Hh-%Mm-%Ss")
paths[src] = "Analysis_Autopsy_LDB_{}_{}".format(user,tm)
if not os.path.exists(os.path.join(projectEIAppDataPath,paths[src])):
try:
os.mkdir(os.path.join(projectEIAppDataPath,paths[src]))
except OSError:
print("Creation of the directory %s failed" % os.path.join(projectEIAppDataPath,paths[src]))
else:
print("Successfully created the directory %s " % os.path.join(projectEIAppDataPath,paths[src]))
try:
f = open(os.path.join(os.path.join(projectEIAppDataPath,paths[src]),file.getName()),"a")
file.read(buffer,0,file.getSize())
f.write(buffer.tostring())
f.close()
except :
self.log(Level.INFO,"File Crash")
pathModule = os.path.realpath(__file__)
indexCutPath=pathModule.rfind("\\")
pathModule=pathModule[0:indexCutPath+1]
# message = IngestMessage.createMessage(
# IngestMessage.MessageType.DATA, Labcif-MSTeamsFactory.moduleName,
# str(self.filesFound) + " files found")
analysisPath = ""
result = {}
for key,value in paths.items():
if key not in result:
result[key] = value
for key, value in result.items():
p = subprocess.Popen([r"{}EI\EI.exe".format(pathModule),"--pathToEI",r"{}EI\ ".format(pathModule), "-a", value],stderr=subprocess.PIPE)
out = p.stderr.read()
self.log(Level.INFO, out)
p.wait()
# os.system("cmd /c \"{}EI\\EI.exe\" --pathToEI \"{}EI\\\" -a {}".format(pathModule,pathModule,value))
results=[]
pathResults="Analise Autopsy"
for u in users:
pathLDB=""
for key,value in paths.items():
if "Analysis_Autopsy_LDB_{}".format(u) in value:
pathLDB=value
break
for root, dirs, files in os.walk(projectEIAppDataPath, topdown=False):
for name in dirs:
if pathResults in name and os.stat(os.path.join(projectEIAppDataPath,pathLDB)).st_mtime < os.stat(os.path.join(projectEIAppDataPath,name)).st_mtime:
pathsLDB[pathLDB]=os.path.join(projectEIAppDataPath,name)
results.append(os.path.join(projectEIAppDataPath,name))
f = open(os.path.join(projectEIAppDataPath,"filesToReport.txt"),"w")
for r in results:
for files in os.walk(r,topdown=False):
for name in files:
for fileName in name:
if ".csv" in fileName or ".html" in fileName or ".css" in fileName:
f.write(os.path.join(r,fileName)+"\n")
f.close()
f = open(os.path.join(projectEIAppDataPath,"filesToReport.txt"), "r")
for line in f:
line = line.replace("\n","")
pathExtract=""
if ".csv" in line:
# ok
if "EventCall" in line:
rowcount=0
for key,value in pathsLDB.items():
if value in line:
for k,v in paths.items():
if v == key:
pathExtract=k
break
with io.open(line,encoding="utf-8") as csvfile:
reader = csv.reader(x.replace('\0', '') for x in csvfile)
for row in reader: # each row is a list
try:
row = row[0].split(";")
if rowcount!=0:
art = dataSource.newArtifact(self.art_call.getTypeID())
dura=str(int(float(row[4])))
art.addAttribute(BlackboardAttribute(self.att_date, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0])))
art.addAttribute(BlackboardAttribute(self.att_creator_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1])))
art.addAttribute(BlackboardAttribute(self.att_creator_email, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2])))
art.addAttribute(BlackboardAttribute(self.att_count_people_in, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3])))
art.addAttribute(BlackboardAttribute(self.att_duration, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName,dura ))
art.addAttribute(BlackboardAttribute(self.att_participant_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[5])))
art.addAttribute(BlackboardAttribute(self.att_participant_email, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[6])))
art.addAttribute(BlackboardAttribute(self.att_user_calls, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[7])))
art.addAttribute(BlackboardAttribute(self.att_folder_extract_calls, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract))
except:
self.log(Level.INFO,"File empty")
rowcount+=1
csvfile.close()
# ok
elif "Conversations" in line:
rowcount=0
for key,value in pathsLDB.items():
if value in line:
for k,v in paths.items():
if v == key:
pathExtract=k
break
with io.open(line,encoding="utf-8") as csvfile:
reader = csv.reader(x.replace('\0', '') for x in csvfile)
for row in reader: # each row is a list
try:
row = row[0].split(";")
if rowcount!=0:
art = dataSource.newArtifact(self.art_teams.getTypeID())
art.addAttribute(BlackboardAttribute(self.att_cv_id_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0])))
art.addAttribute(BlackboardAttribute(self.att_creator_name_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1])))
art.addAttribute(BlackboardAttribute(self.att_creator_email_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2])))
art.addAttribute(BlackboardAttribute(self.att_participant_name_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3])))
art.addAttribute(BlackboardAttribute(self.att_participant_email_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[4])))
art.addAttribute(BlackboardAttribute(self.att_user_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[5])))
art.addAttribute(BlackboardAttribute(self.att_folder_extract_teams, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract))
except:
self.log(Level.INFO,"File empty")
rowcount+=1
csvfile.close()
# ok
elif "CallOneToOne" in line:
rowcount=0
for key,value in pathsLDB.items():
if value in line:
for k,v in paths.items():
if v == key:
pathExtract=k
break
with io.open(line,encoding="utf-8") as csvfile:
reader = csv.reader(x.replace('\0', '') for x in csvfile)
for row in reader: # each row is a list
try:
row = row[0].split(";")
if rowcount!=0:
art = dataSource.newArtifact(self.art_call_one_to_one.getTypeID())
art.addAttribute(BlackboardAttribute(self.att_date_start_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2])))
art.addAttribute(BlackboardAttribute(self.att_date_finish_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3])))
art.addAttribute(BlackboardAttribute(self.att_creator_name_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0])))
art.addAttribute(BlackboardAttribute(self.att_creator_email_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1])))
art.addAttribute(BlackboardAttribute(self.att_participant_name_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[4])))
art.addAttribute(BlackboardAttribute(self.att_participant_email_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[5])))
art.addAttribute(BlackboardAttribute(self.att_state_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[6])))
art.addAttribute(BlackboardAttribute(self.att_user_calls_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[7])))
art.addAttribute(BlackboardAttribute(self.att_folder_extract_calls_one_to_one, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract))
except:
self.log(Level.INFO,"File empty")
rowcount+=1
csvfile.close()
elif "Files" in line:
rowcount=0
for key,value in pathsLDB.items():
if value in line:
for k,v in paths.items():
if v == key:
pathExtract=k
break
with io.open(line,encoding="utf-8") as csvfile:
reader = csv.reader(x.replace('\0', '') for x in csvfile)
for row in reader: # each row is a list
try:
row = row[0].split(";")
if rowcount!=0:
art = dataSource.newArtifact(self.art_messages_files.getTypeID())
art.addAttribute(BlackboardAttribute(self.att_message_id_files, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0])))
art.addAttribute(BlackboardAttribute(self.att_file_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1])))
art.addAttribute(BlackboardAttribute(self.att_file_local, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2])))
art.addAttribute(BlackboardAttribute(self.att_user_message_files, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3])))
art.addAttribute(BlackboardAttribute(self.att_folder_extract_files, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract))
except:
self.log(Level.INFO,"File empty")
rowcount+=1
csvfile.close()
elif "Mensagens" in line:
rowcount=0
for key,value in pathsLDB.items():
if value in line:
for k,v in paths.items():
if v == key:
pathExtract=k
break
idMessage=""
message=""
sender=""
timee=""
cvid=""
userMessage=""
with open(line) as csvfile:
reader = csv.reader(x.replace('\0', '') for x in csvfile)
for row in reader: # each row is a list
try:
self.log(Level.INFO,str(row))
if rowcount!=0:
if len(row) == 1:
row = row[0].split(";")
idMessage=str(row[0])
message=str(row[1])
timee=str(row[2])
sender=str(row[3])
cvid=str(row[4])
userMessage=str(row[5])
else:
partOne = row[0].split(";")
idMessage=str(partOne[0])
lastPart=row[len(row)-1].split(";")
timee=str(lastPart[1])
sender=str(lastPart[2])
cvid=str(lastPart[3])
userMessage=str(lastPart[4])
message=str(partOne[1])+","
if len(row)!=2:
for x in range(1,len(row)-1):
message+=str(row[x])+","
message+=str(lastPart[0])
art = dataSource.newArtifact(self.art_messages.getTypeID())
art.addAttribute(BlackboardAttribute(self.att_message_id, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, idMessage))
art.addAttribute(BlackboardAttribute(self.att_message, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, message))
art.addAttribute(BlackboardAttribute(self.att_sender_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, sender))
art.addAttribute(BlackboardAttribute(self.att_time, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, timee))
art.addAttribute(BlackboardAttribute(self.att_cvid, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, cvid))
art.addAttribute(BlackboardAttribute(self.att_user_message, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, userMessage))
art.addAttribute(BlackboardAttribute(self.att_folder_extract_message, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract))
except:
self.log(Level.INFO,"File empty")
rowcount+=1
csvfile.close()
elif "Reacts" in line:
rowcount=0
for key,value in pathsLDB.items():
if value in line:
for k,v in paths.items():
if v == key:
pathExtract=k
break
with io.open(line,encoding="utf-8") as csvfile:
reader = csv.reader(x.replace('\0', '') for x in csvfile)
for row in reader: # each row is a list
try:
row = row[0].split(";")
if rowcount!=0:
art = dataSource.newArtifact(self.art_messages_reacts.getTypeID())
try:
art.addAttribute(BlackboardAttribute(self.att_message_id_reacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0])))
art.addAttribute(BlackboardAttribute(self.att_reacted_with, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1])))
art.addAttribute(BlackboardAttribute(self.att_sender_name_react, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2])))
art.addAttribute(BlackboardAttribute(self.att_react_time, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3])))
art.addAttribute(BlackboardAttribute(self.att_user_message_reacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[4])))
art.addAttribute(BlackboardAttribute(self.att_folder_extract_reacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract))
except:
pass
else:
pass
except:
self.log(Level.INFO,"File empty")
rowcount+=1
csvfile.close()
elif "Contactos.csv" in line:
rowcount=0
for key,value in pathsLDB.items():
if value in line:
for k,v in paths.items():
if v == key:
pathExtract=k
break
with io.open(line,encoding="utf-8") as csvfile:
reader = csv.reader(x.replace('\0', '') for x in csvfile)
for row in reader: # each row is a list
try:
row = row[0].split(";")
if rowcount!=0:
art = dataSource.newArtifact(self.art_contacts.getTypeID())
art.addAttribute(BlackboardAttribute(self.att_name, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[0])))
art.addAttribute(BlackboardAttribute(self.att_email, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[1])))
art.addAttribute(BlackboardAttribute(self.att_orgid, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[2])))
art.addAttribute(BlackboardAttribute(self.att_user_contacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, str(row[3])))
art.addAttribute(BlackboardAttribute(self.att_folder_extract_contacts, LabcifMSTeamsDataSourceIngestModuleFactory.moduleName, pathExtract))
except:
self.log(Level.INFO,"File empty")
rowcount+=1
csvfile.close()
rowcount=0
#Post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Sample Jython Data Source Ingest Module", "Please run MSTeams Report")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def __findGeoLocationsInDB(self, databasePath, abstractFile):
if not databasePath:
return
try:
Class.forName("org.sqlite.JDBC") # load JDBC driver
connection = DriverManager.getConnection("jdbc:sqlite:" +
databasePath)
statement = connection.createStatement()
except (ClassNotFoundException) as ex:
self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
return
except (SQLException) as ex:
# Error opening database.
return
resultSet = None
try:
resultSet = statement.executeQuery(
"SELECT time, dest_lat, dest_lng, dest_title, dest_address, source_lat, source_lng FROM destination_history;"
)
while resultSet.next():
time = Long.valueOf(resultSet.getString("time")) / 1000
dest_title = resultSet.getString("dest_title")
dest_address = resultSet.getString("dest_address")
dest_lat = GoogleMapLocationAnalyzer.convertGeo(
resultSet.getString("dest_lat"))
dest_lng = GoogleMapLocationAnalyzer.convertGeo(
resultSet.getString("dest_lng"))
source_lat = GoogleMapLocationAnalyzer.convertGeo(
resultSet.getString("source_lat"))
source_lng = GoogleMapLocationAnalyzer.convertGeo(
resultSet.getString("source_lng"))
attributes = ArrayList()
artifact = abstractFile.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE)
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY,
general.MODULE_NAME, "Destination"))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME,
general.MODULE_NAME, time))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LATITUDE_END, general.MODULE_NAME, dest_lat))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LONGITUDE_END, general.MODULE_NAME, dest_lng))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LATITUDE_START, general.MODULE_NAME,
source_lat))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_GEO_LONGITUDE_START, general.MODULE_NAME,
source_lng))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME,
general.MODULE_NAME, dest_title))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION,
general.MODULE_NAME, dest_address))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME,
general.MODULE_NAME, "Google Maps History"))
artifact.addAttributes(attributes)
try:
# index the artifact for keyword search
blackboard = Case.getCurrentCase().getServices(
).getBlackboard()
blackboard.indexArtifact(artifact)
except Blackboard.BlackboardException as ex:
self._logger.log(
Level.SEVERE, "Unable to index blackboard artifact " +
str(artifact.getArtifactID()), ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
MessageNotifyUtil.Notify.error(
"Failed to index GPS route artifact for keyword search.",
artifact.getDisplayName())
except SQLException as ex:
# Unable to execute Google map locations SQL query against database.
pass
except Exception as ex:
self._logger.log(
Level.SEVERE,
"Error parsing Google map locations to the blackboard", ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
finally:
try:
if resultSet is not None:
resultSet.close()
statement.close()
connection.close()
except Exception as ex:
# Error closing the database.
pass
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Use blackboard class to index blackboard artifacts for keyword search
# blackboard = Case.getCurrentCase().getServices().getBlackboard() #we're not using indexing
# Get case
case = Case.getCurrentCase().getSleuthkitCase()
# For our example, we will use FileManager to get all
# files with the word "test"
# in the name and then count and read them
# FileManager API: http://sleuthkit.org/autopsy/docs/api-docs/4.4/classorg_1_1sleuthkit_1_1autopsy_1_1casemodule_1_1services_1_1_file_manager.html
fileManager = Case.getCurrentCase().getServices().getFileManager()
setting_file = fileManager.findFiles(
dataSource,
"Phoenix.xml") if self.local_settings.get_parse_settings() else []
cache_files = fileManager.findFiles(
dataSource, "%.0%", "com.netgear.android"
) if self.local_settings.get_parse_settings() else []
num_files = len(setting_file) + len(cache_files)
self.log(Level.INFO, "found " + str(num_files) + " files")
progressBar.switchToDeterminate(num_files)
file_count = 0
# Cache Files (Thumbnails in cache/http & cache/cams directories under com.netgear.android
if self.local_settings.get_parse_cache():
# Settings File
for file in cache_files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
file_count += 1
#
# # Make an artifact on the blackboard.
# # Set the DB file as an "interesting file" : TSK_INTERESTING_FILE_HIT is a generic type of
# # artifact. Refer to the developer docs for other examples.
art = file.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
ArloIngestModuleFactory.moduleName, "Arlo Thumbnails")
art.addAttribute(att)
progressBar.progress(file_count)
# Settings
if self.local_settings.get_parse_settings():
# Settings File
for file in setting_file:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
file_count += 1
# Make an artifact on the blackboard.
# Set the DB file as an "interesting file" : TSK_INTERESTING_FILE_HIT is a generic type of
# artifact. Refer to the developer docs for other examples.
art = file.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
ArloIngestModuleFactory.moduleName, "Arlo")
art.addAttribute(att)
# Write to file (any way to contour this?)
lcl_setting_path = os.path.join(
Case.getCurrentCase().getTempDirectory(),
str(file.getId()) + ".xml")
ContentUtils.writeToFile(file, File(lcl_setting_path))
arlo_settings = minidom.parse(lcl_setting_path)
tags = arlo_settings.getElementsByTagName("string")
arlo_logins = {}
for tag in tags:
if tag.getAttribute('name') == "email":
arlo_logins['username'] = str(tag.firstChild.data)
elif tag.getAttribute('name') == "token":
arlo_logins['token'] = str(
tag.firstChild.data).replace("\n", "")
elif tag.getAttribute('name') == "userId":
arlo_logins['user_id'] = str(tag.firstChild.data)
art_type_id = case.getArtifactTypeID("ESC_GENERIC_LOGIN")
art_type = case.getArtifactType("ESC_GENERIC_LOGIN")
# Artifact
art = file.newArtifact(art_type_id)
# Attributes
att_login_username_id = case.getAttributeType(
"ESC_GENERIC_LOGIN_USERNAME")
att_login_secret_id = case.getAttributeType(
"ESC_GENERIC_LOGIN_SECRET")
att_login_secret_type_id = case.getAttributeType(
"ESC_GENERIC_LOGIN_SECRET_TYPE")
att_login_service_id = case.getAttributeType(
"ESC_GENERIC_LOGIN_SERVICE")
att_login_remarks_id = case.getAttributeType(
"ESC_GENERIC_LOGIN_REMARKS")
att_login_username = BlackboardAttribute(
att_login_username_id, ArloIngestModuleFactory.moduleName,
arlo_logins['username'])
att_login_secret = BlackboardAttribute(
att_login_secret_id, ArloIngestModuleFactory.moduleName,
arlo_logins['token'])
att_login_secret_type = BlackboardAttribute(
att_login_secret_type_id,
ArloIngestModuleFactory.moduleName, "Oauth2 Token")
att_login_service = BlackboardAttribute(
att_login_service_id, ArloIngestModuleFactory.moduleName,
"Arlo")
att_login_remarks = BlackboardAttribute(
att_login_remarks_id, ArloIngestModuleFactory.moduleName,
"User ID: %s" % arlo_logins['user_id'])
art.addAttribute(att_login_username)
art.addAttribute(att_login_secret)
art.addAttribute(att_login_secret_type)
art.addAttribute(att_login_service)
art.addAttribute(att_login_remarks)
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ArloIngestModuleFactory.moduleName,
art_type, None))
progressBar.progress(file_count)
# FINISHED!
# Post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Arlo Analysis",
"Found %d files" % file_count)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# Find files named contacts.db, regardless of parent path
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "contacts.db")
numFiles = len(files)
progressBar.switchToDeterminate(numFiles)
fileCount = 0
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(),
str(file.getId()) + ".db")
ContentUtils.writeToFile(file, File(lclDbPath))
# Open the DB using JDBC
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" %
lclDbPath)
except SQLException as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
file.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the contacts table in the database and get all columns.
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery("SELECT * FROM contacts")
except SQLException as e:
self.log(
Level.INFO,
"Error querying database for contacts table (" +
e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
name = resultSet.getString("name")
email = resultSet.getString("email")
phone = resultSet.getString("phone")
except SQLException as e:
self.log(
Level.INFO,
"Error getting values from contacts table (" +
e.getMessage() + ")")
# Make an artifact on the blackboard, TSK_CONTACT and give it attributes for each of the fields
art = file.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT)
attributes = ArrayList()
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME_PERSON.
getTypeID(), ContactsDbIngestModuleFactory.moduleName,
name))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL.getTypeID(
), ContactsDbIngestModuleFactory.moduleName, email))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.
getTypeID(), ContactsDbIngestModuleFactory.moduleName,
phone))
art.addAttributes(attributes)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE,
"Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ContactsDbIngestModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT,
None))
# Clean up
stmt.close()
dbConn.close()
os.remove(lclDbPath)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"ContactsDb Analyzer",
"Found %d files" % fileCount)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# Check if this is Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO,
"Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
progressBar.switchToIndeterminate()
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
# In most Autopsy plugins this is where, the plugins searches for the files it's going to parse (i.e. a Registry hive or Log file)
# In this plugin the data were adding to the case comes from outside autopsy, so there isn't really a file to associate the output with
# but Autopsy expects the artifacts produced by the plugin to be associated with a file
# So, this plugin just selects the very first file in the dataset, and associates the artifacts with that.
files = fileManager.findFiles(dataSource, "%")
self.log(
Level.INFO,
"CloudTrail logs will be associated with " + files[0].getName())
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "Found temporary directory: " + Temp_Dir)
mydb = Temp_Dir + "\\Cloudtopsy.db"
# Parse some keys
self.log(
Level.INFO, "Downloading and parsing CloudTrail logs: \"" +
self.my_exe + "\" -a \"" + self.Access_Key + "\" -s \"" +
self.Secret_Key + "\" -r \"" + self.Region + "\" -b \"" +
self.Bucket + "\" -d \"" + mydb + "\"")
subprocess.Popen([
self.my_exe, '-a', self.Access_Key, '-s', self.Secret_Key, '-r',
self.Region, '-b', self.Bucket, '-d', mydb
]).communicate()[0]
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb)
except SQLException as e:
self.log(
Level.INFO, "Could not open database file " + mydb + " (" +
e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Retrieve a list of CloudTrail APIs called
try:
stmt = dbConn.createStatement()
tableSet = stmt.executeQuery(
"SELECT name from sqlite_master WHERE type='table' ORDER by name; "
)
self.log(
Level.INFO,
"SQLite Query: SELECT name from sqlite_master WHERE type='table' ORDER by name;"
)
except SQLException as e:
self.log(
Level.INFO,
"Error Running Query: SELECT name from sqlite_master WHERE type='table' ORDER by name;"
)
return IngestModule.ProcessResult.OK
while tableSet.next():
self.List_Of_tables.append(tableSet.getString("name"))
# Retrieve a count of CloudTrail APIs called and use it for the Progress Bar
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery(
"SELECT COUNT(*) as count FROM Sqlite_Master WHERE type='table'; "
)
self.log(
Level.INFO,
"SELECT COUNT(*) as count FROM Sqlite_Master WHERE type='table';"
)
except SQLException as e:
self.log(
Level.INFO,
"SELECT COUNT(*) as count FROM Sqlite_Master WHERE type='table';"
)
return IngestModule.ProcessResult.OK
progressBar.switchToDeterminate(int(resultSet.getString("count")))
stmt.close()
dbConn.close()
# Ingest the tables in mydb in Autopsy
count = 0
for table_name in self.List_Of_tables:
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
artifact_name = "TSK_" + table_name.upper()
artifact_desc = "CloudTrail: " + table_name.upper()
artID_amc = skCase.addArtifactType(artifact_name, artifact_desc)
artID_amc = skCase.getArtifactTypeID(artifact_name)
artID_amc_evt = skCase.getArtifactType(artifact_name)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % mydb)
stmt = dbConn.createStatement()
except SQLException as e:
return IngestModule.ProcessResult.OK
Column_Names = []
Column_Types = []
self.log(Level.INFO, "Running Query: " + SQL_String_2)
resultSet2 = stmt.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(resultSet2.getString("name").upper())
Column_Types.append(resultSet2.getString("type").upper())
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" + resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
resultSet2.getString("name"))
except:
self.log(
Level.INFO,
"Attributes Creation Error (string), " +
resultSet2.getString("name") + " ==> ")
elif resultSet2.getString("type").upper() == "":
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" + resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
resultSet2.getString("name"))
except:
self.log(
Level.INFO,
"Attributes Creation Error (string2), " +
resultSet2.getString("name") + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" + resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG,
resultSet2.getString("name"))
except:
self.log(
Level.INFO, "Attributes Creation Error (long), " +
resultSet2.getString("name") + " ==> ")
self.log(Level.INFO, "Running Query: " + SQL_String_1)
resultSet3 = stmt.executeQuery(SQL_String_1)
while resultSet3.next():
art = files[0].newArtifact(artID_amc)
Column_Number = 1
for col_name in Column_Names:
c_name = "TSK_" + col_name
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
art.addAttribute(
BlackboardAttribute(
attID_ex1,
CloudtopsyIngestModuleFactory.moduleName,
resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(
BlackboardAttribute(
attID_ex1,
CloudtopsyIngestModuleFactory.moduleName,
resultSet3.getString(Column_Number)))
else:
art.addAttribute(
BlackboardAttribute(
attID_ex1,
CloudtopsyIngestModuleFactory.moduleName,
long(resultSet3.getInt(Column_Number))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(CloudtopsyIngestModuleFactory.moduleName,
artID_amc_evt, None))
stmt.close()
dbConn.close()
count += 1
progressBar.progress(count)
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, "Cloudtopsy",
" CloudTrail Logs Successfully Ingested!")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
self.log(
Level.INFO,
"Starting to process, Just before call to parse_safari_history")
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Get the temp directory and create the sub directory
Temp_Dir = Case.getCurrentCase().getTempDirectory()
try:
os.mkdir(Temp_Dir + "\MacFSEvents")
except:
self.log(Level.INFO,
"FSEvents Directory already exists " + Temp_Dir)
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%", ".fseventsd")
numFiles = len(files)
for file in files:
#self.log(Level.INFO, "Files ==> " + file.getName())
if (file.getName() == "..") or (file.getName()
== '.') or (file.getName()
== 'fseventsd-uuid'):
pass
#self.log(Level.INFO, "Files ==> " + str(file))
else:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
# Save the DB locally in the temp folder. use file id as name to reduce collisions
filePath = os.path.join(Temp_Dir + "\MacFSEvents",
file.getName())
ContentUtils.writeToFile(file, File(filePath))
self.log(Level.INFO, "Number of files to process ==> " + str(numFiles))
self.log(Level.INFO, "Running program ==> " + self.MacFSEvents_Executable + " -c Autopsy " + "-o " + Temp_Dir + \
" -s " + Temp_Dir + "\MacFSEvents")
pipe = Popen([
self.MacFSEvents_Executable, "-c", "Autopsy", "-o", Temp_Dir, "-s",
Temp_Dir + "\MacFSEvents"
],
stdout=PIPE,
stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
database_file = Temp_Dir + "\\autopsy_FSEvents-Parsed_Records_DB.sqlite"
#open the database to get the SQL and artifact info out of
try:
head, tail = os.path.split(os.path.abspath(__file__))
settings_db = head + "\\fsevents_sql.db3"
Class.forName("org.sqlite.JDBC").newInstance()
dbConn1 = DriverManager.getConnection("jdbc:sqlite:%s" %
settings_db)
except SQLException as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
database_file + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
try:
stmt1 = dbConn1.createStatement()
sql_statement1 = "select distinct artifact_name, artifact_title from extracted_content_sql;"
#self.log(Level.INFO, "SQL Statement ==> " + sql_statement)
resultSet1 = stmt1.executeQuery(sql_statement1)
while resultSet1.next():
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_fse = skCase.addArtifactType(
resultSet1.getString("artifact_name"),
resultSet1.getString("artifact_title"))
except:
self.log(
Level.INFO, "Artifacts Creation Error, " +
resultSet1.getString("artifact_name") +
" some artifacts may not exist now. ==> ")
except SQLException as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
database_file + " (" + e.getMessage() + ")")
#return IngestModule.ProcessResult.OK
# Create the attribute type, if it exists then catch the error
try:
attID_fse_fn = skCase.addArtifactAttributeType(
"TSK_FSEVENTS_FILE_NAME",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"File Name")
except:
self.log(Level.INFO, "Attributes Creation Error, File Name. ==> ")
try:
attID_fse_msk = skCase.addArtifactAttributeType(
"TSK_FSEVENTS_FILE_MASK",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Mask")
except:
self.log(Level.INFO, "Attributes Creation Error, Mask. ==> ")
try:
attID_fse_src = skCase.addArtifactAttributeType(
"TSK_FSEVENTS_SOURCE",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Source File")
except:
self.log(Level.INFO, "Attributes Creation Error, Mask. ==> ")
try:
attID_fse_dte = skCase.addArtifactAttributeType(
"TSK_FSEVENTS_DATES",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Date(s)")
except:
self.log(Level.INFO, "Attributes Creation Error, Mask. ==> ")
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection(
"jdbc:sqlite:%s" % Temp_Dir +
"\\autopsy_FSEvents-Parsed_Records_DB.sqlite")
except SQLException as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
database_file + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
#artID_fse = skCase.getArtifactTypeID("TSK_MACOS_FSEVENTS")
#artID_fse_evt = skCase.getArtifactType("TSK_MACOS_FSEVENTS")
artID_fse = skCase.getArtifactTypeID("TSK_MACOS_ALL_FSEVENTS")
artID_fse_evt = skCase.getArtifactType("TSK_MACOS_ALL_FSEVENTS")
attID_fse_fn = skCase.getAttributeType("TSK_FSEVENTS_FILE_NAME")
attID_fse_msk = skCase.getAttributeType("TSK_FSEVENTS_FILE_MASK")
attID_fse_src = skCase.getAttributeType("TSK_FSEVENTS_SOURCE")
attID_fse_dte = skCase.getAttributeType("TSK_FSEVENTS_DATES")
# Query the database
for file in files:
if ('slack' in file.getName()):
pass
elif (file.getName() == '..') or (file.getName() == '.'):
pass
else:
stmt1 = dbConn1.createStatement()
sql_statement1 = "select sql_statement, artifact_name, artifact_title from extracted_content_sql;"
#self.log(Level.INFO, "SQL Statement ==> " + sql_statement)
resultSet1 = stmt1.executeQuery(sql_statement1)
while resultSet1.next():
try:
artID_fse = skCase.getArtifactTypeID(
resultSet1.getString("artifact_name"))
artID_fse_evt = skCase.getArtifactType(
resultSet1.getString("artifact_name"))
try:
stmt = dbConn.createStatement()
sql_statement = resultSet1.getString(
"sql_statement"
) + " and source like '%" + file.getName() + "';"
#self.log(Level.INFO, "SQL Statement ==> " + sql_statement)
resultSet = stmt.executeQuery(sql_statement)
#self.log(Level.INFO, "query SQLite Master table ==> " )
#self.log(Level.INFO, "query " + str(resultSet))
# Cycle through each row and create artifact
while resultSet.next():
# Add the attributes to the artifact.
art = file.newArtifact(artID_fse)
#self.log(Level.INFO, "Result ==> " + resultSet.getString("mask") + ' <==> ' + resultSet.getString("source"))
art.addAttributes(((BlackboardAttribute(attID_fse_fn, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("filename"))), \
(BlackboardAttribute(attID_fse_msk, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("mask"))), \
(BlackboardAttribute(attID_fse_src, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("source"))), \
(BlackboardAttribute(attID_fse_dte, MacFSEventsIngestModuleFactory.moduleName, resultSet.getString("OTHER_DATES")))))
#try:
# index the artifact for keyword search
#blackboard.indexArtifact(art)
#except:
#self.log(Level.INFO, "Error indexing artifact " + art.getDisplayName())
except SQLException as e:
self.log(
Level.INFO,
"Could not open database file (not SQLite) " +
database_file + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
except SQLException as e:
self.log(
Level.INFO,
"Could not open database file (not SQLite) " +
database_file + " (" + e.getMessage() + ")")
try:
stmt.close()
except:
self.log(Level.INFO,
"Error closing statement for " + file.getName())
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(MacFSEventsIngestModuleFactory.moduleName,
artID_fse_evt, None))
try:
stmt.close()
dbConn.close()
stmt1.close()
dbConn1.close()
os.remove(Temp_Dir + "\Autopsy_FSEvents-EXCEPTIONS_LOG.txt")
os.remove(Temp_Dir + "\Autopsy_FSEvents-Parsed_Records.tsv")
os.remove(Temp_Dir + "\Autopsy_FSEvents-Parsed_Records_DB.sqlite")
shutil.rmtree(Temp_Dir + "\MacFSEvents")
except:
self.log(
Level.INFO,
"removal of MacFSEvents imageinfo database failed " + Temp_Dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, "MacFSEventsSettings",
" MacFSEventsSettings Has Been Analyzed ")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Set the database to be read to the once created by the SAM parser program
skCase = Case.getCurrentCase().getSleuthkitCase();
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "$UsnJrnl:$J", "$Extend")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0;
# Create Event Log directory in temp directory, if it exists then continue on processing
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "create Directory " + Temp_Dir)
temp_dir = os.path.join(Temp_Dir, "usnj")
try:
os.mkdir(temp_dir)
except:
self.log(Level.INFO, "Usnj Directory already exists " + temp_dir)
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
#self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(temp_dir, "usnj.txt")
ContentUtils.writeToFile(file, File(lclDbPath))
self.log(Level.INFO, "Saved File ==> " + lclDbPath)
# Run the EXE, saving output to a sqlite database
#try:
self.log(Level.INFO, "Running program ==> " + self.path_to_exe + " " + Temp_Dir + "\\usnj\\usnj.txt" + \
" " + Temp_Dir + "\\usnj.db3")
pipe = Popen([self.path_to_exe, os.path.join(temp_dir, "usnj.txt"), os.path.join(temp_dir, "usnj.db3")], stdout=PIPE, stderr=PIPE)
out_text = pipe.communicate()[0]
self.log(Level.INFO, "Output from run is ==> " + out_text)
# Open the DB using JDBC
lclDbPath = os.path.join(temp_dir, "usnj.db3")
self.log(Level.INFO, "Path the system database file created ==> " + lclDbPath)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" % lclDbPath)
except SQLException as e:
self.log(Level.INFO, "Could not open database file (not SQLite) usnj.db3 (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the contacts table in the database and get all columns.
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER; ")
self.log(Level.INFO, "query SQLite Master table")
except SQLException as e:
self.log(Level.INFO, "Error querying database for system table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_usnj = skCase.addArtifactType("TSK_USNJ", "NTFS UsrJrnl entries")
except:
self.log(Level.INFO, "Artifacts Creation Error, some artifacts may not exist now. ==> ")
artID_usnj = skCase.getArtifactTypeID("TSK_USNJ")
artID_usnj_evt = skCase.getArtifactType("TSK_USNJ")
#self.log(Level.INFO, "get artifacts ID's " + str(artID_usnj))
#self.log(Level.INFO, "get artifacts ID's " + str(resultSet))
# Cycle through each row and create artifacts
while resultSet.next():
try:
#self.log(Level.INFO, "Result (" + resultSet.getString("tbl_name") + ")")
table_name = resultSet.getString("tbl_name")
#self.log(Level.INFO, "Result get information from table " + resultSet.getString("tbl_name") + " ")
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
#self.log(Level.INFO, SQL_String_1)
#self.log(Level.INFO, SQL_String_2)
Column_Names = []
Column_Types = []
resultSet2 = stmt.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(resultSet2.getString("name").upper())
Column_Types.append(resultSet2.getString("type"))
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_USNJ_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType("TSK_USNJ_" + resultSet2.getString("name").upper(), BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(Level.INFO, "Attributes Creation Error, " + resultSet2.getString("name") + " ==> ")
resultSet3 = stmt.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_usnj)
Column_Number = 1
for col_name in Column_Names:
#self.log(Level.INFO, "Result get information for column " + Column_Names[Column_Number - 1] + " ")
#self.log(Level.INFO, "Result get information for column " + Column_Types[Column_Number - 1] + " ")
#self.log(Level.INFO, "Result get information for column_number " + str(Column_Number) + " ")
c_name = "TSK_USNJ_" + col_name
#self.log(Level.INFO, "Attribute Name is " + c_name + " Atribute Type is " + str(Column_Types[Column_Number - 1]))
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
art.addAttribute(BlackboardAttribute(attID_ex1, ParseUsnJIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
else:
art.addAttribute(BlackboardAttribute(attID_ex1, ParseUsnJIngestModuleFactory.moduleName, resultSet3.getInt(Column_Number)))
Column_Number = Column_Number + 1
except SQLException as e:
self.log(Level.INFO, "Error getting values from usnj table (" + e.getMessage() + ")")
# Clean up
stmt.close()
dbConn.close()
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ParseUsnJIngestModuleFactory.moduleName, artID_usnj_evt, None))
#Clean up EventLog directory and files
os.remove(lclDbPath)
try:
os.remove(os.path.join(temp_dir, "usnj.txt"))
except:
self.log(Level.INFO, "removal of usnj.txt file failed " + temp_dir + "\\" + file.getName())
try:
os.rmdir(temp_dir)
except:
self.log(Level.INFO, "removal of usnj directory failed " + temp_dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Usnj Parser", " Usnj Has Been Analyzed " )
IngestServices.getInstance().postMessage(message)
# Fire an event to notify the UI and others that there are new artifacts
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(ParseUsnJIngestModuleFactory.moduleName, artID_usnj_evt, None))
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "Amcache.hve")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0
# Create Event Log directory in temp directory, if it exists then continue on processing
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "create Directory " + Temp_Dir)
try:
os.mkdir(Temp_Dir + "\Amcache")
except:
self.log(Level.INFO,
"Amcache Directory already exists " + Temp_Dir)
# Write out each Event Log file to the temp directory
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
#self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Save the DB locally in the temp folder. use file id as name to reduce collisions
lclDbPath = os.path.join(Temp_Dir + "\Amcache", file.getName())
ContentUtils.writeToFile(file, File(lclDbPath))
# Example has only a Windows EXE, so bail if we aren't on Windows
if not PlatformUtil.isWindowsOS():
self.log(Level.INFO,
"Ignoring data source. Not running on Windows")
return IngestModule.ProcessResult.OK
# Run the EXE, saving output to a sqlite database
self.log(
Level.INFO, "Running program on data source parm 1 ==> " +
Temp_Dir + " Parm 2 ==> " + Temp_Dir + "\Amcache.db3")
subprocess.Popen([
self.path_to_exe, Temp_Dir + "\Amcache\Amcache.hve",
Temp_Dir + "\Amcache.db3"
]).communicate()[0]
for file in files:
# Open the DB using JDBC
lclDbPath = os.path.join(Case.getCurrentCase().getTempDirectory(),
"Amcache.db3")
self.log(Level.INFO,
"Path the Amcache database file created ==> " + lclDbPath)
try:
Class.forName("org.sqlite.JDBC").newInstance()
dbConn = DriverManager.getConnection("jdbc:sqlite:%s" %
lclDbPath)
except SQLException as e:
self.log(
Level.INFO, "Could not open database file (not SQLite) " +
file.getName() + " (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Query the contacts table in the database and get all columns.
for am_table_name in self.List_Of_tables:
try:
stmt = dbConn.createStatement()
resultSet = stmt.executeQuery(
"Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('"
+ am_table_name + "'); ")
# resultSet = stmt.executeQuery("Select tbl_name from SQLITE_MASTER where lower(tbl_name) in ('associated_file_entries', " + \
# "'unassociated_programs', 'program_entries'); ")
self.log(Level.INFO,
"query SQLite Master table for " + am_table_name)
except SQLException as e:
self.log(
Level.INFO,
"Error querying database for Prefetch table (" +
e.getMessage() + ")")
return IngestModule.ProcessResult.OK
# Cycle through each row and create artifacts
while resultSet.next():
try:
self.log(
Level.INFO,
"Result (" + resultSet.getString("tbl_name") + ")")
table_name = resultSet.getString("tbl_name")
#self.log(Level.INFO, "Result get information from table " + resultSet.getString("tbl_name") + " ")
SQL_String_1 = "Select * from " + table_name + ";"
SQL_String_2 = "PRAGMA table_info('" + table_name + "')"
artifact_name = "TSK_" + table_name.upper()
artifact_desc = "Amcache " + table_name.upper()
#self.log(Level.INFO, SQL_String_1)
#self.log(Level.INFO, "Artifact_Name ==> " + artifact_name)
#self.log(Level.INFO, "Artifact_desc ==> " + artifact_desc)
#self.log(Level.INFO, SQL_String_2)
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_amc = skCase.addArtifactType(
artifact_name, artifact_desc)
except:
self.log(
Level.INFO,
"Artifacts Creation Error, some artifacts may not exist now. ==> "
)
artID_amc = skCase.getArtifactTypeID(artifact_name)
artID_amc_evt = skCase.getArtifactType(artifact_name)
Column_Names = []
Column_Types = []
resultSet2 = stmt.executeQuery(SQL_String_2)
while resultSet2.next():
Column_Names.append(
resultSet2.getString("name").upper())
Column_Types.append(
resultSet2.getString("type").upper())
#self.log(Level.INFO, "Add Attribute TSK_" + resultSet2.getString("name").upper() + " ==> " + resultSet2.getString("type"))
#self.log(Level.INFO, "Add Attribute TSK_" + resultSet2.getString("name").upper() + " ==> " + resultSet2.getString("name"))
#attID_ex1 = skCase.addAttrType("TSK_" + resultSet2.getString("name").upper(), resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
if resultSet2.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" +
resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.
STRING, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(
Level.INFO,
"Attributes Creation Error, " +
resultSet2.getString("name") + " ==> ")
elif resultSet2.getString("type").upper() == "":
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" +
resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.
STRING, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(
Level.INFO,
"Attributes Creation Error, " +
resultSet2.getString("name") + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType(
"TSK_" +
resultSet2.getString("name").upper(),
BlackboardAttribute.
TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.
LONG, resultSet2.getString("name"))
#self.log(Level.INFO, "attribure id for " + "TSK_" + resultSet2.getString("name") + " == " + str(attID_ex1))
except:
self.log(
Level.INFO,
"Attributes Creation Error, " +
resultSet2.getString("name") + " ==> ")
resultSet3 = stmt.executeQuery(SQL_String_1)
while resultSet3.next():
art = file.newArtifact(artID_amc)
Column_Number = 1
for col_name in Column_Names:
#self.log(Level.INFO, "Result get information for column " + Column_Names[Column_Number - 1] + " ")
#self.log(Level.INFO, "Result get information for column_number " + str(Column_Number) + " ")
#self.log(Level.INFO, "Result get information for column type " + Column_Types[Column_Number - 1] + " <== ")
c_name = "TSK_" + col_name
#self.log(Level.INFO, "Attribute Name is " + c_name + " ")
attID_ex1 = skCase.getAttributeType(c_name)
if Column_Types[Column_Number - 1] == "TEXT":
art.addAttribute(
BlackboardAttribute(
attID_ex1,
ParseAmcacheIngestModuleFactory.
moduleName,
resultSet3.getString(
Column_Number)))
# art.addAttribute(BlackboardAttribute(attID_ex1, ParseAmcacheIngestModuleFactory.moduleName, resultSet3.getString(Column_Number)))
elif Column_Types[Column_Number - 1] == "":
art.addAttribute(
BlackboardAttribute(
attID_ex1,
ParseAmcacheIngestModuleFactory.
moduleName,
resultSet3.getString(
Column_Number)))
# elif Column_Types[Column_Number - 1] == "BLOB":
# art.addAttribute(BlackboardAttribute(attID_ex1, ParseAmcacheIngestModuleFactory.moduleName, "BLOBS Not Supported"))
# elif Column_Types[Column_Number - 1] == "REAL":
# art.addAttribute(BlackboardAttribute(attID_ex1, ParseAmcacheIngestModuleFactory.moduleName, resultSet3.getFloat(Column_Number)))
else:
#self.log(Level.INFO, "Value for column type ==> " + str(resultSet3.getInt(Column_Number)) + " <== ")
art.addAttribute(
BlackboardAttribute(
attID_ex1,
ParseAmcacheIngestModuleFactory.
moduleName,
long(
resultSet3.getInt(
Column_Number))))
Column_Number = Column_Number + 1
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(
ParseAmcacheIngestModuleFactory.moduleName,
artID_amc_evt, None))
except SQLException as e:
self.log(
Level.INFO,
"Error getting values from contacts table (" +
e.getMessage() + ")")
# Clean up
stmt.close()
dbConn.close()
#os.remove(lclDbPath)
#Clean up EventLog directory and files
for file in files:
try:
os.remove(Temp_Dir + "\\" + file.getName())
except:
self.log(
Level.INFO, "removal of Amcache file failed " + Temp_Dir +
"\\" + file.getName())
try:
os.rmdir(Temp_Dir)
except:
self.log(Level.INFO,
"removal of Amcache directory failed " + Temp_Dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"Amcache Parser",
" Amcache Has Been Analyzed ")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def processSpotlightDb(self, dbConn, file):
skCase = Case.getCurrentCase().getSleuthkitCase();
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID = skCase.addArtifactType("TSK_SPOTLIGHT", "Mac OS Spotlight Data")
except:
self.log(Level.INFO, "Artifacts Creation Error, TSK_SPOTLIGHT some artifacts may not exist now. ==> ")
columnDefs = []
sqlPragma = 'Pragma Table_Info (spotlight_data)'
try:
sqlStmtPragma = dbConn.createStatement()
resultSetPragma = sqlStmtPragma.executeQuery(sqlPragma)
except:
return IngestModule.ProcessResult.OK
while resultSetPragma.next():
columnDef = []
attributeName = 'TSK_' + resultSetPragma.getString("name").upper()
columnName = resultSetPragma.getString("name").upper()
columnDef.append(columnName)
columnDef.append(resultSetPragma.getString("type").upper())
if resultSetPragma.getString("type").upper() == "TEXT":
try:
attID_ex1 = skCase.addArtifactAttributeType(attributeName, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, columnName)
except:
self.log(Level.INFO, "Attributes Creation Error, " + attributeName + " ==> ")
else:
try:
attID_ex1 = skCase.addArtifactAttributeType(attributeName, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.LONG, columnName)
except:
self.log(Level.INFO, "Attributes Creation Error, " + attributeName + " ==> ")
columnDef.append(attributeName)
columnDef.append(skCase.getAttributeType(attributeName))
columnDefs.append(columnDef)
sqlStatement = 'select * from spotlight_data'
#self.log(Level.INFO, "SQL Statement ==> ")
# Query the contacts table in the database and get all columns.
try:
sqlStmt = dbConn.createStatement()
resultSet = sqlStmt.executeQuery(sqlStatement)
#self.log(Level.INFO, "query message table")
except SQLException as e:
#self.log(Level.INFO, "Error querying database for message table (" + e.getMessage() + ")")
return IngestModule.ProcessResult.OK
artIdSpotlight = skCase.getArtifactTypeID("TSK_SPOTLIGHT")
artIdSpotlightType = skCase.getArtifactType("TSK_SPOTLIGHT")
moduleName = ProcessSpotlightIngestModuleFactory.moduleName
# Cycle through each row and create artifacts
while resultSet.next():
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
try:
artSpotlight = file.newArtifact(artIdSpotlight)
attributes = ArrayList()
for columnName in columnDefs:
self.log(Level.INFO, "Column Info ==> " + str(columnName[0]) + " " + str(columnName[1]) + " " + str(columnName[2]) + " " + str(columnName[3]))
attId = skCase.getAttributeType(columnName[2])
self.log(Level.INFO, "Column Info ==> " + str(attId))
if columnName[1] == "TEXT":
attributes.add(BlackboardAttribute(attId, moduleName, resultSet.getString(columnName[0])))
else:
attributes.add(BlackboardAttribute(attId, moduleName, long(resultSet.getInt(columnName[0]))))
artSpotlight.addAttributes(attributes)
try:
blackboard.indexArtifact(artSpotlight)
except:
pass
# self._logger.log(Level.SEVERE, "Error indexing artifact " + artEmail.getDisplayName())
except SQLException as e:
self.log(Level.INFO, "Error getting values from message table (" + e.getMessage() + ")")
# Close the database statement
sqlStmt.close()
sqlStmtPragma.close()
def __findTangoMessagesInDB(self, databasePath, abstractFile, dataSource):
if not databasePath:
return
try:
Class.forName("org.sqlite.JDBC") # load JDBC driver
connection = DriverManager.getConnection("jdbc:sqlite:" +
databasePath)
statement = connection.createStatement()
except (ClassNotFoundException) as ex:
self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
return
except (SQLException) as ex:
# Error opening database.
return
# Create a 'Device' account using the data source device id
datasourceObjId = dataSource.getDataSource().getId()
ds = Case.getCurrentCase().getSleuthkitCase().getDataSource(
datasourceObjId)
deviceID = ds.getDeviceId()
deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase(
).getCommunicationsManager().createAccountFileInstance(
Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile)
resultSet = None
try:
resultSet = statement.executeQuery(
"SELECT conv_id, create_time, direction, payload FROM messages ORDER BY create_time DESC;"
)
while resultSet.next():
conv_id = resultSet.getString(
"conv_id"
) # seems to wrap around the message found in payload after decoding from base-64
create_time = Long.valueOf(
resultSet.getString("create_time")) / 1000
if resultSet.getString(
"direction") == "1": # 1 incoming, 2 outgoing
direction = "Incoming"
else:
direction = "Outgoing"
payload = resultSet.getString("payload")
attributes = ArrayList()
artifact = abstractFile.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE
) #create a call log and then add attributes from result set.
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME,
general.MODULE_NAME, create_time))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION,
general.MODULE_NAME, direction))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT,
general.MODULE_NAME,
TangoMessageAnalyzer.decodeMessage(conv_id, payload)))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE,
general.MODULE_NAME, "Tango Message"))
artifact.addAttributes(attributes)
try:
# index the artifact for keyword search
blackboard = Case.getCurrentCase().getSleuthkitCase(
).getBlackboard()
blackboard.postArtifact(artifact, general.MODULE_NAME)
except Blackboard.BlackboardException as ex:
self._logger.log(
Level.SEVERE, "Unable to index blackboard artifact " +
str(artifact.getArtifactID()), ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
MessageNotifyUtil.Notify.error(
"Failed to index Tango message artifact for keyword search.",
artifact.getDisplayName())
except SQLException as ex:
# Unable to execute Tango messages SQL query against database.
pass
except Exception as ex:
self._logger.log(Level.SEVERE,
"Error parsing Tango messages to the blackboard",
ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
finally:
try:
if resultSet is not None:
resultSet.close()
statement.close()
connection.close()
except Exception as ex:
# Error closing database.
pass
def __findContactsInDB(self, databasePath, abstractFile, dataSource):
if not databasePath:
return
bbartifacts = list()
try:
Class.forName("org.sqlite.JDBC") # load JDBC driver
connection = DriverManager.getConnection("jdbc:sqlite:" +
databasePath)
statement = connection.createStatement()
except (ClassNotFoundException) as ex:
self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
return
except (SQLException) as ex:
# Error opening database.
return
# Create a 'Device' account using the data source device id
datasourceObjId = dataSource.getDataSource().getId()
ds = Case.getCurrentCase().getSleuthkitCase().getDataSource(
datasourceObjId)
deviceID = ds.getDeviceId()
deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase(
).getCommunicationsManager().createAccountFileInstance(
Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile)
resultSet = None
try:
# get display_name, mimetype(email or phone number) and data1 (phonenumber or email address depending on mimetype)
# sorted by name, so phonenumber/email would be consecutive for a person if they exist.
# check if contacts.name_raw_contact_id exists. Modify the query accordingly.
columnFound = False
metadata = connection.getMetaData()
columnListResultSet = metadata.getColumns(None, None, "contacts",
None)
while columnListResultSet.next():
if columnListResultSet.getString(
"COLUMN_NAME") == "name_raw_contact_id":
columnFound = True
break
if columnFound:
resultSet = statement.executeQuery(
"SELECT mimetype, data1, name_raw_contact.display_name AS display_name \n"
+
"FROM raw_contacts JOIN contacts ON (raw_contacts.contact_id=contacts._id) \n"
+
"JOIN raw_contacts AS name_raw_contact ON(name_raw_contact_id=name_raw_contact._id) "
+
"LEFT OUTER JOIN data ON (data.raw_contact_id=raw_contacts._id) \n"
+
"LEFT OUTER JOIN mimetypes ON (data.mimetype_id=mimetypes._id) \n"
+
"WHERE mimetype = 'vnd.android.cursor.item/phone_v2' OR mimetype = 'vnd.android.cursor.item/email_v2'\n"
+ "ORDER BY name_raw_contact.display_name ASC;")
else:
resultSet = statement.executeQuery(
"SELECT mimetype, data1, raw_contacts.display_name AS display_name \n"
+
"FROM raw_contacts JOIN contacts ON (raw_contacts.contact_id=contacts._id) \n"
+
"LEFT OUTER JOIN data ON (data.raw_contact_id=raw_contacts._id) \n"
+
"LEFT OUTER JOIN mimetypes ON (data.mimetype_id=mimetypes._id) \n"
+
"WHERE mimetype = 'vnd.android.cursor.item/phone_v2' OR mimetype = 'vnd.android.cursor.item/email_v2'\n"
+ "ORDER BY raw_contacts.display_name ASC;")
attributes = ArrayList()
artifact = abstractFile.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT)
oldName = ""
while resultSet.next():
name = resultSet.getString("display_name")
data1 = resultSet.getString(
"data1") # the phone number or email
mimetype = resultSet.getString(
"mimetype") # either phone or email
attributes = ArrayList()
if name != oldName:
artifact = abstractFile.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT)
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME,
general.MODULE_NAME, name))
if mimetype == "vnd.android.cursor.item/phone_v2":
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.
TSK_PHONE_NUMBER, general.MODULE_NAME, data1))
acctType = Account.Type.PHONE
else:
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL,
general.MODULE_NAME, data1))
acctType = Account.Type.EMAIL
artifact.addAttributes(attributes)
# Create an account instance
contactAccountInstance = Case.getCurrentCase(
).getSleuthkitCase().getCommunicationsManager(
).createAccountFileInstance(acctType, data1,
general.MODULE_NAME, abstractFile)
# create relationship between accounts
Case.getCurrentCase().getSleuthkitCase(
).getCommunicationsManager().addRelationships(
deviceAccountInstance, [contactAccountInstance], artifact,
Relationship.Type.CONTACT, 0)
oldName = name
bbartifacts.append(artifact)
except SQLException as ex:
# Unable to execute contacts SQL query against database.
pass
except TskCoreException as ex:
self._logger.log(Level.SEVERE, "Error posting to blackboard", ex)
self._logger.log(Level.SEVERE, traceback.format_exc())
finally:
if bbartifacts:
Case.getCurrentCase().getSleuthkitCase().getBlackboard(
).postArtifacts(bbartifacts, general.MODULE_NAME)
try:
if resultSet is not None:
resultSet.close()
statement.close()
connection.close()
except Exception as ex:
# Error closing database.
pass
def process(self, dataSource, progressBar):
skCase = Case.getCurrentCase().getSleuthkitCase()
#Create all the variables needed for show them in the autopsy interface
self.log(Level.INFO, "Begin Create New Artifacts")
try:
artID_eu = skCase.addArtifactType("TSK_ATPR", "ATPR Results")
except:
self.log(Level.INFO, "Artifacts Creation Error, ID ==> ")
try:
attID_filePath = skCase.addArtifactAttributeType(
"TSK_FILE_PATH",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"File Path")
except:
self.log(Level.INFO, "Attributes Creation Error, File path ==> ")
try:
attID_match = skCase.addArtifactAttributeType(
"TSK_WORD",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Word")
except:
self.log(Level.INFO, "Attributes Creation Error, Word ==> ")
try:
attTotal_match = skCase.addArtifactAttributeType(
"TSK_TOTAL",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Total")
except:
self.log(Level.INFO, "Attributes Creation Error, Total ==> ")
try:
attType_match = skCase.addArtifactAttributeType(
"TSK_TYPE",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Type")
except:
self.log(Level.INFO, "Attributes Creation Error, Type ==> ")
try:
attDict_match = skCase.addArtifactAttributeType(
"TSK_DICT",
BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
"Dict")
except:
self.log(Level.INFO, "Attributes Creation Error, Dict ==> ")
artID_eu = skCase.getArtifactTypeID("TSK_ATPR")
artID_eu_evt = skCase.getArtifactType("TSK_ATPR")
attID_fp = skCase.getAttributeType("TSK_FILE_PATH")
attID_match = skCase.getAttributeType("TSK_WORD")
attTotal_match = skCase.getAttributeType("TSK_TOTAL")
attType_match = skCase.getAttributeType("TSK_TYPE")
attDict_match = skCase.getAttributeType("TSK_DICT")
# we don't know how much work there will be
progressBar.switchToIndeterminate()
# Get the folder with de texts files
inputDir = Case.getCurrentCase().getModulesOutputDirAbsPath(
) + "\TextFiles"
try:
os.makesdirs(inputDir)
self.log(
Level.INFO,
"Find Text Directory must exists for launching the module" +
inputDir)
except:
self.log(Level.INFO, "Find Text Directory exists " + inputDir)
# We'll save our output to a file in the reports folder, named based on EXE and data source ID
reportPath = Case.getCurrentCase().getCaseDirectory(
) + "\\Reports\\atprResult-" + str(dataSource.getId()) + ".csv"
#reportPath = os.path.join(Case.getCurrentCase().getTempDirectory(), str(dataSource.getId()))
logPath = Case.getCurrentCase().getCaseDirectory(
) + "\\Reports\\log" + str(dataSource.getId()) + ".txt"
logHandle = open(logPath, 'w')
# Run the EXE, saving output to the report
self.log(Level.INFO, "Running program on data source")
self.log(
Level.INFO, self.path_to_exe + " -c match -i " + inputDir +
" -d " + self.path_to_dirs + " -o " + reportPath)
subprocess.Popen([
self.path_to_exe, "-c", "match", "-i", inputDir, "-d",
self.path_to_dirs, "-o", reportPath
],
stdout=logHandle).communicate()
logHandle.close()
# Add the report to the case, so it shows up in the tree
Case.getCurrentCase().addReport(reportPath, "Run EXE",
"ATPR result output")
self.log(Level.INFO, "Report created on " + reportPath)
self.log(Level.INFO, "Adding elements to Autopsy")
#Open with codecs for utf-8 parsing
result = codecs.open(reportPath, encoding='utf-8')
files_array = set()
for line in result:
fields = line.split(';')
fields_splitted = fields[0].split("\\")
files_array.add(fields_splitted[len(fields_splitted) - 1])
fileManager = Case.getCurrentCase().getServices().getFileManager()
result.close()
#Adding elements to autopsy reports interface
for item in files_array:
files = fileManager.findFiles(dataSource, item)
for file in files:
result = codecs.open(reportPath, encoding='utf-8')
for line in result:
fields = line.split(';')
if file.getName() in fields[0]:
art = file.newArtifact(artID_eu)
art.addAttributes(((BlackboardAttribute(attID_fp, RunExeIngestModuleFactory.moduleName, fields[0])), \
(BlackboardAttribute(attID_match, RunExeIngestModuleFactory.moduleName, fields[1])), \
(BlackboardAttribute(attTotal_match, RunExeIngestModuleFactory.moduleName, fields[2])), \
(BlackboardAttribute(attType_match, RunExeIngestModuleFactory.moduleName, fields[3])), \
(BlackboardAttribute(attDict_match, RunExeIngestModuleFactory.moduleName, fields[4]))))
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(RunExeIngestModuleFactory.moduleName,
artID_eu_evt, None))
result.close()
self.log(Level.INFO, "Done")
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Use blackboard class to index blackboard artifacts for keyword search
blackboard = Case.getCurrentCase().getServices().getBlackboard()
# Find files named contacts.db, regardless of parent path
fileManager = Case.getCurrentCase().getServices().getFileManager()
files = fileManager.findFiles(dataSource, "%.jpg")
numFiles = len(files)
self.log(Level.INFO, "found " + str(numFiles) + " files")
progressBar.switchToDeterminate(numFiles)
fileCount = 0
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
self.log(Level.INFO, "Processing file: " + file.getName())
fileCount += 1
# Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of
# artifact. Refer to the developer docs for other examples.
art = file.newArtifact(
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT)
att = BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME,
PerceptualHashIngestModuleFactory.moduleName, "Picture Files")
art.addAttribute(att)
try:
# index the artifact for keyword search
blackboard.indexArtifact(art)
except Blackboard.BlackboardException as e:
self.log(Level.SEVERE,
"Error indexing artifact " + art.getDisplayName())
# Fire an event to notify the UI and others that there is a new artifact
IngestServices.getInstance().fireModuleDataEvent(
ModuleDataEvent(
PerceptualHashIngestModuleFactory.moduleName,
BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT,
None))
Temp_Dir = Case.getCurrentCase().getTempDirectory()
self.log(Level.INFO, "Create Directory " + Temp_Dir)
try:
temp_dir = os.path.join(Temp_Dir, "Pictures")
os.mkdir(temp_dir)
except:
self.log(Level.INFO,
"Pictures Directory already exists " + temp_dir)
# Save the File locally in a user-defined temp folder.
lclDbPath = os.path.join(temp_dir, file.getName())
ContentUtils.writeToFile(file, File(lclDbPath))
# This code will use the phash library to calculate perceptual hash value and difference.
phash = PHash()
path_img = os.path.join(temp_dir, file.getName())
bit_phash = phash.getHash(path_img)
hex_phash = PHash.binaryString2hexString(bit_phash)
self.log(Level.INFO,
file.getName() + ":Path ==> " + path_img + " ")
#self.log(Level.INFO,
#file.getName() + ":pHash(bit) ==> " + bit_phash + " ")
self.log(Level.INFO,
file.getName() + ":PHash ==> " + hex_phash + " ")
if (self.pHashToCheck != ""):
self.log(Level.INFO,
"pHashToCheck ==> " + self.pHashToCheck + " ")
differ_phash = PHash.distance(
PHash.hexString2binaryString(self.pHashToCheck), bit_phash)
self.log(
Level.INFO,
file.getName() + ":Difference ==> " + str(differ_phash) +
" ")
if (differ_phash < 20):
self.log(Level.INFO,
file.getName() + ":Similar? ==> True ")
else:
self.log(Level.INFO,
file.getName() + ":Similar? ==> False ")
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
"PerceptualHash Analyzer",
"Found %d files" % fileCount)
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
def process(self, dataSource, progressBar):
# we don't know how much work there is yet
progressBar.switchToIndeterminate()
# Hive files to extract
filesToExtract = ("SAM", "SYSTEM")
# Set the database to be read to the once created by the prefetch parser program
skCase = Case.getCurrentCase().getSleuthkitCase()
fileManager = Case.getCurrentCase().getServices().getFileManager()
# Create BAM directory in temp directory, if it exists then continue on processing
Temp_Dir = Case.getCurrentCase().getTempDirectory()
temp_dir = os.path.join(Temp_Dir, "bam")
self.log(Level.INFO, "create Directory " + temp_dir)
try:
os.mkdir(temp_dir)
except:
self.log(Level.INFO, "bam Directory already exists " + temp_dir)
# Setup variables to use to store information
systemHiveFile = []
userRids = {}
bamRecord = []
for fileName in filesToExtract:
files = fileManager.findFiles(dataSource, fileName,
"Windows/System32/Config")
numFiles = len(files)
for file in files:
# Check if the user pressed cancel while we were busy
if self.context.isJobCancelled():
return IngestModule.ProcessResult.OK
# Check path to only get the hive files in the config directory and no others
if file.getParentPath().upper() == '/WINDOWS/SYSTEM32/CONFIG/':
# Save the DB locally in the temp folder. use file id as name to reduce collisions
filePath = os.path.join(temp_dir, file.getName())
ContentUtils.writeToFile(file, File(filePath))
# Save SYSTEM Hive abstract file information to use later
if file.getName() == 'SYSTEM':
systemHiveFile = file
bamRecord = self.processSYSTEMHive(filePath)
elif file.getName() == 'SAM':
# Get information from the SAM file returns dictionary with key of rid and value of user name
userRids = self.processSAMHive(filePath)
# Setup Artifact
try:
self.log(Level.INFO, "Begin Create New Artifacts")
artID_ls = skCase.addArtifactType("TSK_BAM_KEY",
"BAM Registry Key")
except:
self.log(
Level.INFO,
"Artifacts Creation Error, some artifacts may not exist now. ==> "
)
artifactName = "TSK_BAM_KEY"
artId = skCase.getArtifactTypeID(artifactName)
moduleName = BamKeyIngestModuleFactory.moduleName
# Attributes to use TSK_USER_NAME, TSK_PROG_NAME, TSK_DATETIME
for bamRec in bamRecord:
attributes = ArrayList()
art = systemHiveFile.newArtifact(artId)
self.log(Level.INFO, "BamRec ==> " + str(bamRec))
if bamRec[0] in userRids.keys():
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME.
getTypeID(), moduleName, userRids[bamRec[0]]))
else:
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME.
getTypeID(), moduleName, bamRec[0]))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(
), moduleName, bamRec[1]))
attributes.add(
BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(
), moduleName, int(bamRec[2])))
art.addAttributes(attributes)
# index the artifact for keyword search
try:
blackboard.indexArtifact(artChat)
except:
self._logger.log(
Level.WARNING,
"Error indexing artifact " + art.getDisplayName())
#Clean up prefetch directory and files
try:
shutil.rmtree(temp_dir)
except:
self.log(Level.INFO,
"removal of directory tree failed " + temp_dir)
# After all databases, post a message to the ingest messages in box.
message = IngestMessage.createMessage(
IngestMessage.MessageType.DATA, "BamKey",
" BamKey Files Have Been Analyzed ")
IngestServices.getInstance().postMessage(message)
return IngestModule.ProcessResult.OK
