def __findGeoLocationsInDB(self, databasePath, abstractFile): if not databasePath: return try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException, SQLException) as ex: self._logger.log(Level.SEVERE, "Error opening database", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return try: resultSet = statement.executeQuery( "SELECT time, dest_lat, dest_lng, dest_title, dest_address, source_lat, source_lng FROM destination_history;") while resultSet.next(): time = Long.valueOf(resultSet.getString("time")) / 1000 dest_title = resultSet.getString("dest_title") dest_address = resultSet.getString("dest_address") dest_lat = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("dest_lat")) dest_lng = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("dest_lng")) source_lat = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("source_lat")) source_lng = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("source_lng")) artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, general.MODULE_NAME, "Destination")) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, time)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_END, general.MODULE_NAME, dest_lat)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_END, general.MODULE_NAME, dest_lng)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_START, general.MODULE_NAME, source_lat)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_START, general.MODULE_NAME, source_lng)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, general.MODULE_NAME, dest_title)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION, general.MODULE_NAME, dest_address)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME, "Google Maps History")) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error("Failed to index GPS route artifact for keyword search.", artifact.getDisplayName()) except Exception as ex: self._logger.log(Level.SEVERE, "Error parsing Google map locations to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: self._logger.log(Level.SEVERE, "Error closing the database", ex) self._logger.log(Level.SEVERE, traceback.format_exc())
def __findGeoLocationsInDB(self, databasePath, abstractFile): if not databasePath: return try: Class.forName("org.sqlite.JDBC") #load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error connecting to SQL databse. return resultSet = None try: resultSet = statement.executeQuery("SELECT timestamp, latitude, longitude, accuracy FROM CachedPosition;") while resultSet.next(): timestamp = Long.valueOf(resultSet.getString("timestamp")) / 1000 latitude = Double.valueOf(resultSet.getString("latitude")) longitude = Double.valueOf(resultSet.getString("longitude")) attributes = ArrayList() artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE, general.MODULE_NAME, latitude)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE, general.MODULE_NAME, longitude)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, timestamp)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME, "Browser Location History")) # artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),moduleName, accuracy)) # NOTE: originally commented out artifact.addAttributes(attributes); try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactTypeName()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error("Failed to index GPS trackpoint artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: # Unable to execute browser location SQL query against database. pass except Exception as ex: self._logger.log(Level.SEVERE, "Error putting artifacts to blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing database. pass
def __findTangoMessagesInDB(self, tangoDb, dataSource): if not tangoDb: return try: current_case = Case.getCurrentCaseThrows() # Create a helper to parse the DB tangoDbHelper = CommunicationArtifactsHelper(current_case.getSleuthkitCase(), self._PARSER_NAME, tangoDb.getDBFile(), Account.Type.TANGO ) resultSet = tangoDb.runQuery( "SELECT conv_id, create_time, direction, payload FROM messages ORDER BY create_time DESC;") while resultSet.next(): fromId = None toId = None conv_id = resultSet.getString("conv_id") # seems to wrap around the message found in payload after decoding from base-64 create_time = Long.valueOf(resultSet.getString("create_time")) / 1000 if resultSet.getString("direction") == "1": # 1 incoming, 2 outgoing direction = CommunicationDirection.INCOMING else: direction = CommunicationDirection.OUTGOING payload = resultSet.getString("payload") msgBody = TangoMessageAnalyzer.decodeMessage(conv_id, payload) messageArtifact = tangoDbHelper.addMessage( self._MESSAGE_TYPE, direction, fromId, toId, create_time, MessageReadStatus.UNKNOWN, "", # subject msgBody, "") except SQLException as ex: self._logger.log(Level.WARNING, "Error processing query result for Tango messages", ex) self._logger.log(Level.WARNING, traceback.format_exc()) except TskCoreException as ex: self._logger.log(Level.SEVERE, "Failed to add Tango message artifacts.", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) except BlackboardException as ex: self._logger.log(Level.WARNING, "Failed to post artifacts.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) except NoCurrentCaseException as ex: self._logger.log(Level.WARNING, "No case currently open.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) finally: tangoDb.close()
def __findTangoMessagesInDB(self, databasePath, abstractFile): if not databasePath: return try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException, SQLException) as ex: self._logger.log(Level.SEVERE, "Error opening database", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return try: resultSet = statement.executeQuery( "SELECT conv_id, create_time, direction, payload FROM messages ORDER BY create_time DESC;") while resultSet.next(): conv_id = resultSet.getString("conv_id") # seems to wrap around the message found in payload after decoding from base-64 create_time = Long.valueOf(resultSet.getString("create_time")) / 1000 if resultSet.getString("direction") == "1": # 1 incoming, 2 outgoing direction = "Incoming" else: direction = "Outgoing" payload = resultSet.getString("payload") artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE) #create a call log and then add attributes from result set. artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, create_time)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, direction)) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, general.MODULE_NAME, TangoMessageAnalyzer.decodeMessage(conv_id, payload))) artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, general.MODULE_NAME, "Tango Message")) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error("Failed to index Tango message artifact for keyword search.", artifact.getDisplayName()) except Exception as ex: self._logger.log(Level.SEVERE, "Error parsing Tango messages to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: self._logger.log(Level.SEVERE, "Error closing database", ex) self._logger.log(Level.SEVERE, traceback.format_exc())
def __findGeoLocationsInDB(self, databasePath, abstractFile): if not databasePath: return try: Class.forName("org.sqlite.JDBC") #load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error connecting to SQL databse. return resultSet = None try: resultSet = statement.executeQuery( "SELECT timestamp, latitude, longitude, accuracy FROM CachedPosition;" ) while resultSet.next(): timestamp = Long.valueOf( resultSet.getString("timestamp")) / 1000 latitude = Double.valueOf(resultSet.getString("latitude")) longitude = Double.valueOf(resultSet.getString("longitude")) attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE, general.MODULE_NAME, latitude)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE, general.MODULE_NAME, longitude)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, timestamp)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME, "Browser Location History")) # artifact.addAttribute(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),moduleName, accuracy)) # NOTE: originally commented out artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices( ).getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log( Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactTypeName()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error( "Failed to index GPS trackpoint artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: # Unable to execute browser location SQL query against database. pass except Exception as ex: self._logger.log(Level.SEVERE, "Error putting artifacts to blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing database. pass
def __findTextsInDB(self, databasePath, abstractFile, dataSource): if not databasePath: return bbartifacts = list() try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException, SQLException) as ex: self._logger.log(Level.SEVERE, "Error opening database", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return # Create a 'Device' account using the data source device id datasourceObjId = dataSource.getDataSource().getId() ds = Case.getCurrentCase().getSleuthkitCase().getDataSource( datasourceObjId) deviceID = ds.getDeviceId() deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase( ).getCommunicationsManager().createAccountFileInstance( Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile) try: resultSet = statement.executeQuery( "SELECT address, date, read, type, subject, body FROM sms;") while resultSet.next(): address = resultSet.getString( "address") # may be phone number, or other addresses date = Long.valueOf(resultSet.getString("date")) / 1000 read = resultSet.getInt("read") # may be unread = 0, read = 1 subject = resultSet.getString("subject") # message subject body = resultSet.getString("body") # message body attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE) #create Message artifact and then add attributes from result set. if resultSet.getString("type") == "1": attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, "Incoming")) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_PHONE_NUMBER_FROM, general.MODULE_NAME, address)) else: attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, "Outgoing")) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE. TSK_PHONE_NUMBER_TO, general.MODULE_NAME, address)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, date)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_READ_STATUS, general.MODULE_NAME, Integer(read))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT, general.MODULE_NAME, subject)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, general.MODULE_NAME, body)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, general.MODULE_NAME, "SMS Message")) artifact.addAttributes(attributes) # Create an account msgAccountInstance = Case.getCurrentCase().getSleuthkitCase( ).getCommunicationsManager().createAccountFileInstance( Account.Type.PHONE, address, general.MODULE_NAME, abstractFile) # create relationship between accounts Case.getCurrentCase().getSleuthkitCase( ).getCommunicationsManager().addRelationships( deviceAccountInstance, [msgAccountInstance], artifact, Relationship.Type.MESSAGE, date) bbartifacts.append(artifact) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices( ).getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log( Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error( "Failed to index text message artifact for keyword search.", artifact.getDisplayName()) except Exception as ex: self._logger.log(Level.SEVERE, "Error parsing text messages to blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: if bbartifacts: IngestServices.getInstance().fireModuleDataEvent( ModuleDataEvent( general.MODULE_NAME, BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE, bbartifacts)) try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: self._logger.log(Level.SEVERE, "Error closing database", ex) self._logger.log(Level.SEVERE, traceback.format_exc())
def analyze(self, dataSource, fileManager, context): selfAccountId = None messageDbs = AppSQLiteDB.findAppDatabases(dataSource, "mmssms.db", True, self._PACKAGE_NAME) for messageDb in messageDbs: try: current_case = Case.getCurrentCaseThrows() if selfAccountId is not None: messageDbHelper = CommunicationArtifactsHelper( current_case.getSleuthkitCase(), self._PARSER_NAME, messageDb.getDBFile(), Account.Type.PHONE, Account.Type.IMO, selfAccountId) else: messageDbHelper = CommunicationArtifactsHelper( current_case.getSleuthkitCase(), self._PARSER_NAME, messageDb.getDBFile(), Account.Type.PHONE) uuid = UUID.randomUUID().toString() messagesResultSet = messageDb.runQuery( "SELECT address, date, read, type, subject, body, thread_id FROM sms;" ) if messagesResultSet is not None: while messagesResultSet.next(): direction = "" address = None fromId = None toId = None address = messagesResultSet.getString( "address" ) # may be phone number, or other addresses timeStamp = Long.valueOf( messagesResultSet.getString("date")) / 1000 read = messagesResultSet.getInt( "read") # may be unread = 0, read = 1 subject = messagesResultSet.getString( "subject") # message subject msgBody = messagesResultSet.getString( "body") # message body thread_id = "{0}-{1}".format( uuid, messagesResultSet.getInt("thread_id")) if messagesResultSet.getString("type") == "1": direction = CommunicationDirection.INCOMING fromId = address else: direction = CommunicationDirection.OUTGOING toId = address message_read = messagesResultSet.getInt( "read") # may be unread = 0, read = 1 if (message_read == 1): msgReadStatus = MessageReadStatus.READ elif (message_read == 0): msgReadStatus = MessageReadStatus.UNREAD else: msgReadStatus = MessageReadStatus.UNKNOWN ## add a message if address is not None: messageArtifact = messageDbHelper.addMessage( self._MESSAGE_TYPE, direction, fromId, toId, timeStamp, msgReadStatus, subject, # subject msgBody, thread_id) except SQLException as ex: self._logger.log( Level.WARNING, "Error processing query result for Android messages.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) except TskCoreException as ex: self._logger.log(Level.SEVERE, "Failed to add Android message artifacts.", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) except BlackboardException as ex: self._logger.log(Level.WARNING, "Failed to post artifacts.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) except NoCurrentCaseException as ex: self._logger.log(Level.WARNING, "No case currently open.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) finally: messageDb.close()
def __findGeoLocationsInDB(self, databasePath, abstractFile): if not databasePath: return try: artifactHelper = GeoArtifactsHelper( self.current_case.getSleuthkitCase(), general.MODULE_NAME, self.PROGRAM_NAME, abstractFile) Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error opening database. return resultSet = None try: resultSet = statement.executeQuery( "SELECT time, dest_lat, dest_lng, dest_title, dest_address, source_lat, source_lng FROM destination_history;" ) while resultSet.next(): time = Long.valueOf(resultSet.getString("time")) / 1000 dest_title = resultSet.getString("dest_title") dest_address = resultSet.getString("dest_address") dest_lat = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("dest_lat")) dest_lng = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("dest_lng")) source_lat = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("source_lat")) source_lng = GoogleMapLocationAnalyzer.convertGeo( resultSet.getString("source_lng")) waypointlist = GeoWaypoints() waypointlist.addPoint( Waypoint(source_lat, source_lng, None, None)) waypointlist.addPoint( Waypoint(dest_lat, dest_lng, None, dest_address)) artifactHelper.addRoute(dest_title, time, waypointlist, None) except SQLException as ex: # Unable to execute Google map locations SQL query against database. pass except TskCoreException as ex: self._logger.log(Level.SEVERE, "Failed to add route artifacts.", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) except BlackboardException as ex: self._logger.log(Level.WARNING, "Failed to post artifacts.", ex) self._logger.log(Level.WARNING, traceback.format_exc()) except Exception as ex: self._logger.log(Level.SEVERE, "Error processing google maps history.", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing the database. pass
def __findGeoLocationsInDB(self, databasePath, abstractFile): if not databasePath: return try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error opening database. return resultSet = None try: resultSet = statement.executeQuery( "SELECT time, dest_lat, dest_lng, dest_title, dest_address, source_lat, source_lng FROM destination_history;") while resultSet.next(): time = Long.valueOf(resultSet.getString("time")) / 1000 dest_title = resultSet.getString("dest_title") dest_address = resultSet.getString("dest_address") dest_lat = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("dest_lat")) dest_lng = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("dest_lng")) source_lat = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("source_lat")) source_lng = GoogleMapLocationAnalyzer.convertGeo(resultSet.getString("source_lng")) attributes = ArrayList() artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, general.MODULE_NAME, "Destination")) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, time)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_END, general.MODULE_NAME, dest_lat)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_END, general.MODULE_NAME, dest_lng)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_START, general.MODULE_NAME, source_lat)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_START, general.MODULE_NAME, source_lng)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, general.MODULE_NAME, dest_title)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION, general.MODULE_NAME, dest_address)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, general.MODULE_NAME, "Google Maps History")) artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error("Failed to index GPS route artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: # Unable to execute Google map locations SQL query against database. pass except Exception as ex: self._logger.log(Level.SEVERE, "Error parsing Google map locations to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing the database. pass
def __findTangoMessagesInDB(self, databasePath, abstractFile, dataSource): if not databasePath: return try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error opening database. return # Create a 'Device' account using the data source device id datasourceObjId = dataSource.getDataSource().getId() ds = Case.getCurrentCase().getSleuthkitCase().getDataSource( datasourceObjId) deviceID = ds.getDeviceId() deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase( ).getCommunicationsManager().createAccountFileInstance( Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile) resultSet = None try: resultSet = statement.executeQuery( "SELECT conv_id, create_time, direction, payload FROM messages ORDER BY create_time DESC;" ) while resultSet.next(): conv_id = resultSet.getString( "conv_id" ) # seems to wrap around the message found in payload after decoding from base-64 create_time = Long.valueOf( resultSet.getString("create_time")) / 1000 if resultSet.getString( "direction") == "1": # 1 incoming, 2 outgoing direction = "Incoming" else: direction = "Outgoing" payload = resultSet.getString("payload") attributes = ArrayList() artifact = abstractFile.newArtifact( BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE ) #create a call log and then add attributes from result set. attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, create_time)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, direction)) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, general.MODULE_NAME, TangoMessageAnalyzer.decodeMessage(conv_id, payload))) attributes.add( BlackboardAttribute( BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, general.MODULE_NAME, "Tango Message")) artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getSleuthkitCase( ).getBlackboard() blackboard.postArtifact(artifact, general.MODULE_NAME) except Blackboard.BlackboardException as ex: self._logger.log( Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error( "Failed to index Tango message artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: # Unable to execute Tango messages SQL query against database. pass except Exception as ex: self._logger.log(Level.SEVERE, "Error parsing Tango messages to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing database. pass
def __findTangoMessagesInDB(self, databasePath, abstractFile, dataSource): if not databasePath: return try: Class.forName("org.sqlite.JDBC") # load JDBC driver connection = DriverManager.getConnection("jdbc:sqlite:" + databasePath) statement = connection.createStatement() except (ClassNotFoundException) as ex: self._logger.log(Level.SEVERE, "Error loading JDBC driver", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) return except (SQLException) as ex: # Error opening database. return # Create a 'Device' account using the data source device id datasourceObjId = dataSource.getDataSource().getId() ds = Case.getCurrentCase().getSleuthkitCase().getDataSource(datasourceObjId) deviceID = ds.getDeviceId() deviceAccountInstance = Case.getCurrentCase().getSleuthkitCase().getCommunicationsManager().createAccountFileInstance(Account.Type.DEVICE, deviceID, general.MODULE_NAME, abstractFile) resultSet = None try: resultSet = statement.executeQuery( "SELECT conv_id, create_time, direction, payload FROM messages ORDER BY create_time DESC;") while resultSet.next(): conv_id = resultSet.getString("conv_id") # seems to wrap around the message found in payload after decoding from base-64 create_time = Long.valueOf(resultSet.getString("create_time")) / 1000 if resultSet.getString("direction") == "1": # 1 incoming, 2 outgoing direction = "Incoming" else: direction = "Outgoing" payload = resultSet.getString("payload") attributes = ArrayList() artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE) #create a call log and then add attributes from result set. attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME, general.MODULE_NAME, create_time)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION, general.MODULE_NAME, direction)) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT, general.MODULE_NAME, TangoMessageAnalyzer.decodeMessage(conv_id, payload))) attributes.add(BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE, general.MODULE_NAME, "Tango Message")) artifact.addAttributes(attributes) try: # index the artifact for keyword search blackboard = Case.getCurrentCase().getServices().getBlackboard() blackboard.indexArtifact(artifact) except Blackboard.BlackboardException as ex: self._logger.log(Level.SEVERE, "Unable to index blackboard artifact " + str(artifact.getArtifactID()), ex) self._logger.log(Level.SEVERE, traceback.format_exc()) MessageNotifyUtil.Notify.error("Failed to index Tango message artifact for keyword search.", artifact.getDisplayName()) except SQLException as ex: # Unable to execute Tango messages SQL query against database. pass except Exception as ex: self._logger.log(Level.SEVERE, "Error parsing Tango messages to the blackboard", ex) self._logger.log(Level.SEVERE, traceback.format_exc()) finally: try: if resultSet is not None: resultSet.close() statement.close() connection.close() except Exception as ex: # Error closing database. pass