def initComponents(self):
self.apps_checkboxes_list = []
self.setLayout(BoxLayout(self, BoxLayout.PAGE_AXIS))
# title
self.p_title = SettingsUtils.createPanel()
self.lb_title = JLabel("Android Forensics")
self.lb_title.setFont(self.lb_title.getFont().deriveFont(Font.BOLD, 11))
self.p_title.add(self.lb_title)
self.add(self.p_title)
# end of title
# info menu
self.p_info = SettingsUtils.createPanel()
self.lb_info = JLabel("")
self.lb_info2 = JLabel("")
self.p_info.add(self.lb_info)
self.p_info.add(self.lb_info2)
self.add(self.p_info)
# end of info menu
# method menu
self.p_method = SettingsUtils.createPanel()
self.bg_method = ButtonGroup()
self.rb_selectedDatasource = SettingsUtils.createRadioButton("Analyse selected datasource", "method_datasource", self.onMethodChange)
self.rb_importReportFile = SettingsUtils.createRadioButton("Import previous generated report file","method_importfile" ,self.onMethodChange)
self.rb_liveExtraction = SettingsUtils.createRadioButton("Live extraction with ADB","method_adb", self.onMethodChange)
self.rb_selectedDatasource.setSelected(True)
self.bg_method.add(self.rb_selectedDatasource)
self.bg_method.add(self.rb_importReportFile)
self.bg_method.add(self.rb_liveExtraction)
self.p_method.add(JLabel("Analysis method"))
self.p_method.add(self.rb_selectedDatasource)
self.p_method.add(self.rb_importReportFile)
self.p_method.add(self.rb_liveExtraction)
self.add(self.p_method)
# end of method menu
#app checkboxes menu
self.p_apps = SettingsUtils.createPanel()
sorted_items = OrderedDict(sorted(Utils.get_all_packages().items()))
for app, app_id in sorted_items.iteritems():
#(app, app_id)
checkbox = SettingsUtils.addApplicationCheckbox(app, app_id, self.getSelectedApps)
self.add(checkbox)
self.apps_checkboxes_list.append(checkbox)
self.p_apps.add(checkbox)
self.add(self.p_apps)
def appsBlock(self):
sorted_items = OrderedDict(sorted(Utils.get_all_packages().items()))
for app, app_id in sorted_items.iteritems():
#(app, app_id)
checkbox = SettingsUtils.addApplicationCheckbox(
app, app_id, self.updateCheckboxes, visible=True)
#self.add(checkbox)
self.apps_checkboxes_list.append(checkbox)
self.p_apps.add(checkbox)
def process(self, dataSource, progressBar):
#Set progressbar to an scale of 100%
self.progressBar = progressBar
progressBar.switchToDeterminate(100)
#Initialize list of possible data sources
data_sources = []
max_apps = len(Utils.get_all_packages().values())
#Extract method for adb selected #THIS IS ONLY USED IN <= AUTOPSY 4.16
if self.method == "method_adb":
#Get list of selected apps to extract
self.apps = json.loads(self.settings.getSetting('apps'))
jobs = max_apps * 3 #extract, analyser, index
self.progressJob = ProgressJob(progressBar, jobs)
self.progressJob.next_job("Extracting from ADB")
logging.info("Starting ADB")
#Variable used to store all folders for each device
folders = Extractor(self.apps, DeviceCommunication.list_devices(), self.progressJob, dsprocessor = False).dump_apps()
# Add one datasource for each device, with the list of the possible folders
for serial, folders_list in folders.items():
datasource_name = "ADB_{}_{}".format(serial, int(time.time()))
self.utils.add_to_fileset(datasource_name, folders_list)
# Add data source to case to be analised
for case_datasources in Case.getCurrentCase().getDataSources():
if case_datasources.getName() == datasource_name:
data_sources.append(case_datasources)
break
logging.info("Ending ADB")
# Add the selected files for the datasource (json, dumps or mount case)
else:
logging.info("Using Selected Datasource")
data_sources.append(dataSource)
self.progressJob = ProgressJob(progressBar, max_apps * 2) #indexing and analying
# For each data source, we will process it each one
for source in data_sources:
self.process_by_datasource(source)
self.progressJob.next_job("Done")
def initComponents(self):
self.apps_checkboxes_list = []
self.setLayout(BoxLayout(self, BoxLayout.PAGE_AXIS))
self.setPreferredSize(Dimension(300, 0))
# title
self.p_title = SettingsUtils.createPanel()
self.lb_title = JLabel("Forensic Analysis for Mobile Apps")
self.lb_title.setFont(self.lb_title.getFont().deriveFont(
Font.BOLD, 15))
self.p_title.add(self.lb_title)
self.add(self.p_title)
# end of title
# info menu
self.p_info = SettingsUtils.createPanel()
self.p_info.setPreferredSize(Dimension(300, 20))
self.lb_info = SettingsUtils.createInfoLabel("")
self.lb_info2 = SettingsUtils.createInfoLabel("")
self.sp2 = SettingsUtils.createSeparators(1)
self.p_method = SettingsUtils.createPanel()
self.bg_method = ButtonGroup()
autopsy_version = PsyUtils.get_autopsy_version()
if ((autopsy_version["major"] == 4 and autopsy_version["minor"] <= 17)
or autopsy_version["major"] < 4):
self.p_info.add(self.lb_info)
self.p_info.add(self.lb_info2, BorderLayout.SOUTH)
self.rb_selectedDatasource = SettingsUtils.createRadioButton(
"Analyze selected datasource", "method_datasource",
self.onMethodChange)
self.bg_method.add(self.rb_selectedDatasource)
# self.rb_importReportFile = SettingsUtils.createRadioButton("Import previous generated report file","method_importfile" ,self.onMethodChange)
self.rb_liveExtraction = SettingsUtils.createRadioButton(
"Live extraction with ADB", "method_adb", self.onMethodChange)
self.rb_selectedDatasource.setSelected(True)
#self.bg_method.add(self.rb_importReportFile)
self.bg_method.add(self.rb_liveExtraction)
self.p_method.add(JLabel("Analysis method"))
self.p_method.add(self.rb_selectedDatasource)
self.p_method.add(self.rb_liveExtraction)
else:
self.p_info.add(
SettingsUtils.createInfoLabel(
"It will analyze the data source with previously selected method and index the forensic artifacts."
))
self.add(self.p_method)
self.p_apps = SettingsUtils.createPanel(True)
sorted_items = OrderedDict(sorted(Utils.get_all_packages().items()))
for app, app_id in sorted_items.iteritems():
#(app, app_id)
checkbox = SettingsUtils.addApplicationCheckbox(
app, app_id, self.getSelectedApps)
self.add(checkbox)
self.apps_checkboxes_list.append(checkbox)
self.p_apps.add(checkbox)
self.add(self.p_apps)
self.add(self.p_info)
def process_by_datasource(self, dataSource):
#Since we are running ingest for the same datasource, we remove the output folder first but only for the datasource!
temp_directory = os.path.join(self.temp_module_path, dataSource.getName().replace(":","_"))
Utils.remove_folder(temp_directory)
Utils.check_and_generate_folder(self.temp_module_path)
self.progressJob.change_text("Analyzing Information for {}".format(dataSource.getName()))
# We are going to use import previous json file or other data
if self.method == "method_importfile":
json_report = "Report.json"
reports_by_app = {}
# Find all Report.json in the data source
json_reports = self.fileManager.findFiles(dataSource, json_report)
# Processing all datasource json reports
for report in json_reports:
# Get app id of the json report
info = Utils.read_json(report.getLocalPath())
app_id = info["header"]["app_id"]
self.progressJob.next_job("Processing report {} ".format(app_id))
# Since we can have multiple json files for multiple apps, we have to track how many reports exists for each app
if not reports_by_app.get(app_id):
reports_by_app[app_id] = 1
else:
reports_by_app[app_id] += 1
# Path for every report
report_folder_path = os.path.join(temp_directory, app_id, str(reports_by_app[app_id]))
Utils.check_and_generate_folder(report_folder_path)
# Copy json report to output folder
report_location = os.path.join(report_folder_path, "Report.json")
copyfile(report.getLocalPath(), report_location)
item = {}
item["report"] = report_location
item["file"] = report
item["app"] = Utils.find_app_name(app_id)
self.process_report(item, dataSource)
# Not using json report
else:
reports_by_app = {}
#We will find all dumps on the datasource
internal = "%_internal.tar.gz"
external = "%_external.tar.gz"
dumps = []
dumps.extend(self.fileManager.findFiles(dataSource, internal))
dumps.extend(self.fileManager.findFiles(dataSource, external))
#We found dumps, the datasource is not a mount path
if dumps:
#For each dump, we are going to check it
for base in dumps:
#Get app id of the dump
app_id = base.getName().replace('_internal.tar.gz', '').replace('_external.tar.gz','')
self.progressJob.next_job("Processing report {} ".format(app_id))
#No reports for this app yet
if not reports_by_app.get(app_id):
reports_by_app[app_id] = []
#We can have multiple dumps for the same app. this ensure we don't add the same folder twice
base_path = os.path.dirname(base.getLocalPath())
if base_path in reports_by_app[app_id]:
continue
#Adds the folder to the list of reports by app
reports_by_app[app_id].append(base_path)
#Multiple dumps per app, we are going to create the folder based on the number of the reports
report_folder_path = os.path.join(temp_directory, app_id, str(len(reports_by_app[app_id])))
Utils.check_and_generate_folder(report_folder_path)
self.progressJob.change_text("Analyzing Information for {} ({})".format(dataSource.getName(), app_id))
#We are going to analyze the dumps and generate the report
analyzer = Analyzer(app_id, base_path, report_folder_path)
analyzer.generate_report()
#Generated json report location
report_location = os.path.join(report_folder_path, "Report.json")
#Add to reports list
item = {}
item["report"] = report_location
item["file"] = base
item["app"] = Utils.find_app_name(app_id)
self.process_report(item, dataSource)
else:
base_path = None
base = None
# Little hack to know datasource real path
# We only know the real path on files, folders doesn't provide the real path
# So we are going to search every file
files = self.fileManager.findFiles(dataSource, "%")
for x in files:
#We should add artifacts to a file, so we add it to the logicalfileset as reference
if not base:
base = x
# Script needs files inside /data/data/
# We find a file with this path, we got the base path
if x.getLocalPath() and '/data/data/' in x.getParentPath():
# Multiple SO normalization
local = Utils.replace_slash_platform(x.getLocalPath())
if Utils.get_platform().startswith("windows"):
base_path = local.split("\\data\\data\\")[0]
else:
base_path = local.split("/data/data/")[0]
#Already have the base folder, stop the find
break
# If have the base folder
if base_path:
# For all supported apps
for app_id in Utils.get_all_packages().values():
# If app data exists in mount
if os.path.exists(os.path.join(base_path, "data", "data", app_id)):
# Create report folder
report_number = 1
report_folder_path = os.path.join(temp_directory, app_id, str(report_number)) #report path
Utils.check_and_generate_folder(report_folder_path)
self.progressJob.change_text("Analyzing Information for {} ({})".format(dataSource.getName(), app_id))
# Folder to analyze
analyzer = Analyzer(app_id, base_path, report_folder_path)
analyzer.generate_report()
# Report
report_location = os.path.join(report_folder_path, "Report.json")
item = {}
item["report"] = report_location
item["file"] = base
item["app"] = Utils.find_app_name(app_id)
self.process_report(item, dataSource)
# After all reports, post a message to the ingest messages in box.
return IngestModule.ProcessResult.OK