Autopsy: /home/carriersleuth/repos/autopsy/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java Source File

Autopsy 4.5.0

Graphical digital forensics platform for The Sleuth Kit and other tools.

File List

Chrome.java

Go to the documentation of this file.

1 /*

2 *

3 * Autopsy Forensic Browser

4 *

6 *

8 *

9 * Project Contact/Architect: carrier <at> sleuthkit <dot> org

10 *

11 * Licensed under the Apache License, Version 2.0 (the "License");

12 * you may not use this file except in compliance with the License.

13 * You may obtain a copy of the License at

14 *

15 * http://www.apache.org/licenses/LICENSE-2.0

16 *

17 * Unless required by applicable law or agreed to in writing, software

18 * distributed under the License is distributed on an "AS IS" BASIS,

19 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

20 * See the License for the specific language governing permissions and

21 * limitations under the License.

22 */

23 package org.sleuthkit.autopsy.recentactivity;

25 import com.google.gson.JsonArray;

26 import com.google.gson.JsonElement;

27 import com.google.gson.JsonIOException;

28 import com.google.gson.JsonObject;

29 import com.google.gson.JsonParser;

30 import com.google.gson.JsonSyntaxException;

31 import org.openide.util.NbBundle;

32 import org.sleuthkit.autopsy.ingest.IngestServices;

33 import org.sleuthkit.autopsy.datamodel.ContentUtils;

34 import java.util.logging.Level;

35 import java.util.*;

36 import java.io.File;

37 import java.io.FileNotFoundException;

38 import java.io.FileReader;

39 import java.io.IOException;

40 import org.sleuthkit.autopsy.casemodule.services.FileManager;

41 import org.sleuthkit.autopsy.coreutils.Logger;

42 import org.sleuthkit.autopsy.ingest.IngestJobContext;

43 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;

44 import org.sleuthkit.datamodel.AbstractFile;

45 import org.sleuthkit.datamodel.BlackboardArtifact;

46 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;

47 import org.sleuthkit.datamodel.BlackboardAttribute;

48 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;

49 import org.sleuthkit.datamodel.Content;

50 import org.sleuthkit.datamodel.TskCoreException;

51 import org.sleuthkit.datamodel.TskData;

56 class Chrome extends Extract {

58 private static final String historyQuery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS

59 + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS

60 private static final String cookieQuery = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS

61 private static final String downloadQuery = "SELECT full_path, url, start_time, received_bytes FROM downloads"; //NON-NLS

62 private static final String downloadQueryVersion30 = "SELECT current_path AS full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS

63 private static final String loginQuery = "SELECT origin_url, username_value, signon_realm from logins"; //NON-NLS

64 private final Logger logger = Logger.getLogger(this.getClass().getName());

65 private Content dataSource;

66 private IngestJobContext context;

68 Chrome() {

69 moduleName = NbBundle.getMessage(Chrome.class, "Chrome.moduleName");

70 }

72 @Override

73 public void process(Content dataSource, IngestJobContext context) {

74 this.dataSource = dataSource;

75 this.context = context;

76 dataFound = false;

77 this.getHistory();

78 this.getBookmark();

79 this.getCookie();

80 this.getLogin();

81 this.getDownload();

82 }

87 private void getHistory() {

88 FileManager fileManager = currentCase.getServices().getFileManager();

89 List<AbstractFile> historyFiles;

90 try {

91 historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS

92 } catch (TskCoreException ex) {

93 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");

94 logger.log(Level.SEVERE, msg, ex);

95 this.addErrorMessage(this.getName() + ": " + msg);

96 return;

97 }

99 // get only the allocated ones, for now

100 List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();

101 for (AbstractFile historyFile : historyFiles) {

102 if (historyFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {

103 allocatedHistoryFiles.add(historyFile);

104 }

105 }

106

107 // log a message if we don't have any allocated history files

108 if (allocatedHistoryFiles.isEmpty()) {

109 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");

110 logger.log(Level.INFO, msg);

111 return;

112 }

113

114 dataFound = true;

115 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

116 int j = 0;

117 while (j < historyFiles.size()) {

118 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFiles.get(j).getName().toString() + j + ".db"; //NON-NLS

119 final AbstractFile historyFile = historyFiles.get(j++);

120 if (historyFile.getSize() == 0) {

121 continue;

122 }

123 try {

124 ContentUtils.writeToFile(historyFile, new File(temps), context::dataSourceIngestIsCancelled);

125 } catch (IOException ex) {

126 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome web history artifacts.{0}", ex); //NON-NLS

127 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",

128 this.getName(), historyFile.getName()));

129 continue;

130 }

131 File dbFile = new File(temps);

132 if (context.dataSourceIngestIsCancelled()) {

133 dbFile.delete();

134 break;

135 }

136 List<HashMap<String, Object>> tempList;

137 tempList = this.dbConnect(temps, historyQuery);

138 logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

139 for (HashMap<String, Object> result : tempList) {

140 Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();

141 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

142 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

143 ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS

144 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,

145 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

146 (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS

147 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,

148 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

149 ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS

150 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,

151 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

152 ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS

153 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

154 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

155 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

156 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

157 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

158 (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS

159

160 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);

161 if (bbart != null) {

162 bbartifacts.add(bbart);

163 }

164 }

165 dbFile.delete();

166 }

167

168 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

169 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

170 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));

171 }

172

176 private void getBookmark() {

177 FileManager fileManager = currentCase.getServices().getFileManager();

178 List<AbstractFile> bookmarkFiles = null;

179 try {

180 bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS

181 } catch (TskCoreException ex) {

182 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");

183 logger.log(Level.SEVERE, msg, ex);

184 this.addErrorMessage(this.getName() + ": " + msg);

185 return;

186 }

187

188 if (bookmarkFiles.isEmpty()) {

189 logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); //NON-NLS

190 return;

191 }

192

193 dataFound = true;

194 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

195 int j = 0;

196

197 while (j < bookmarkFiles.size()) {

198 AbstractFile bookmarkFile = bookmarkFiles.get(j++);

199 if (bookmarkFile.getSize() == 0) {

200 continue;

201 }

202 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName().toString() + j + ".db"; //NON-NLS

203 try {

204 ContentUtils.writeToFile(bookmarkFile, new File(temps), context::dataSourceIngestIsCancelled);

205 } catch (IOException ex) {

206 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome bookmark artifacts.{0}", ex); //NON-NLS

207 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",

208 this.getName(), bookmarkFile.getName()));

209 continue;

210 }

211

212 logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{moduleName, temps}); //NON-NLS

213 File dbFile = new File(temps);

214 if (context.dataSourceIngestIsCancelled()) {

215 dbFile.delete();

216 break;

217 }

218

219 FileReader tempReader;

220 try {

221 tempReader = new FileReader(temps);

222 } catch (FileNotFoundException ex) {

223 logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS

224 this.addErrorMessage(

225 NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getName(),

226 bookmarkFile.getName()));

227 continue;

228 }

229

230 final JsonParser parser = new JsonParser();

231 JsonElement jsonElement;

232 JsonObject jElement, jRoot, jBookmark;

233 JsonArray jBookmarkArray;

234

235 try {

236 jsonElement = parser.parse(tempReader);

237 jElement = jsonElement.getAsJsonObject();

238 jRoot = jElement.get("roots").getAsJsonObject(); //NON-NLS

239 jBookmark = jRoot.get("bookmark_bar").getAsJsonObject(); //NON-NLS

240 jBookmarkArray = jBookmark.getAsJsonArray("children"); //NON-NLS

241 } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) {

242 logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS

243 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",

244 this.getName(), bookmarkFile.getName()));

245 continue;

246 }

247

248 for (JsonElement result : jBookmarkArray) {

249 JsonObject address = result.getAsJsonObject();

250 if (address == null) {

251 continue;

252 }

253 JsonElement urlEl = address.get("url"); //NON-NLS

254 String url;

255 if (urlEl != null) {

256 url = urlEl.getAsString();

257 } else {

258 url = "";

259 }

260 String name;

261 JsonElement nameEl = address.get("name"); //NON-NLS

262 if (nameEl != null) {

263 name = nameEl.getAsString();

264 } else {

265 name = "";

266 }

267 Long date;

268 JsonElement dateEl = address.get("date_added"); //NON-NLS

269 if (dateEl != null) {

270 date = dateEl.getAsLong();

271 } else {

272 date = Long.valueOf(0);

273 }

274 String domain = Util.extractDomain(url);

275 try {

276 BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);

277 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

278 //TODO Revisit usage of deprecated constructor as per TSK-583

279 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

280 NbBundle.getMessage(this.getClass(),

281 "Chrome.parentModuleName"), url));

282 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,

283 NbBundle.getMessage(this.getClass(),

284 "Chrome.parentModuleName"), name));

285 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,

286 NbBundle.getMessage(this.getClass(),

287 "Chrome.parentModuleName"), (date / 1000000) - Long.valueOf("11644473600")));

288 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

289 NbBundle.getMessage(this.getClass(),

290 "Chrome.parentModuleName"),

291 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

292 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

293 NbBundle.getMessage(this.getClass(),

294 "Chrome.parentModuleName"), domain));

295 bbart.addAttributes(bbattributes);

296

297 // index the artifact for keyword search

298 this.indexArtifact(bbart);

299 bbartifacts.add(bbart);

300 } catch (TskCoreException ex) {

301 logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS

302 this.addErrorMessage(

303 NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4",

304 this.getName(), bookmarkFile.getName()));

305 }

306 }

307 dbFile.delete();

308 }

309

310 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

311 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

312 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));

313 }

314

318 private void getCookie() {

319

320 FileManager fileManager = currentCase.getServices().getFileManager();

321 List<AbstractFile> cookiesFiles;

322 try {

323 cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS

324 } catch (TskCoreException ex) {

325 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles");

326 logger.log(Level.SEVERE, msg, ex);

327 this.addErrorMessage(this.getName() + ": " + msg);

328 return;

329 }

330

331 if (cookiesFiles.isEmpty()) {

332 logger.log(Level.INFO, "Didn't find any Chrome cookies files."); //NON-NLS

333 return;

334 }

335

336 dataFound = true;

337 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

338 int j = 0;

339 while (j < cookiesFiles.size()) {

340 AbstractFile cookiesFile = cookiesFiles.get(j++);

341 if (cookiesFile.getSize() == 0) {

342 continue;

343 }

344 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName().toString() + j + ".db"; //NON-NLS

345 try {

346 ContentUtils.writeToFile(cookiesFile, new File(temps), context::dataSourceIngestIsCancelled);

347 } catch (IOException ex) {

348 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome cookie artifacts.{0}", ex); //NON-NLS

349 this.addErrorMessage(

350 NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile", this.getName(),

351 cookiesFile.getName()));

352 continue;

353 }

354 File dbFile = new File(temps);

355 if (context.dataSourceIngestIsCancelled()) {

356 dbFile.delete();

357 break;

358 }

359

360 List<HashMap<String, Object>> tempList = this.dbConnect(temps, cookieQuery);

361 logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

362 for (HashMap<String, Object> result : tempList) {

363 Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();

364 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

365 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

366 ((result.get("host_key").toString() != null) ? result.get("host_key").toString() : ""))); //NON-NLS

367 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,

368 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

369 (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS

370

371 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,

372 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

373 ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS

374 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,

375 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

376 ((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS

377 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

378 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

379 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

380 String domain = result.get("host_key").toString(); //NON-NLS

381 domain = domain.replaceFirst("^\\.+(?!$)", "");

382 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

383 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain));

384

385 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);

386 if (bbart != null) {

387 bbartifacts.add(bbart);

388 }

389 }

390

391 dbFile.delete();

392 }

393

394 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

395 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

396 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));

397 }

398

402 private void getDownload() {

403 FileManager fileManager = currentCase.getServices().getFileManager();

404 List<AbstractFile> downloadFiles = null;

405 try {

406 downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS

407 } catch (TskCoreException ex) {

408 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles");

409 logger.log(Level.SEVERE, msg, ex);

410 this.addErrorMessage(this.getName() + ": " + msg);

411 return;

412 }

413

414 if (downloadFiles.isEmpty()) {

415 logger.log(Level.INFO, "Didn't find any Chrome download files."); //NON-NLS

416 return;

417 }

418

419 dataFound = true;

420 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

421 int j = 0;

422 while (j < downloadFiles.size()) {

423 AbstractFile downloadFile = downloadFiles.get(j++);

424 if (downloadFile.getSize() == 0) {

425 continue;

426 }

427 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName().toString() + j + ".db"; //NON-NLS

428 try {

429 ContentUtils.writeToFile(downloadFile, new File(temps), context::dataSourceIngestIsCancelled);

430 } catch (IOException ex) {

431 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome download artifacts.{0}", ex); //NON-NLS

432 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",

433 this.getName(), downloadFile.getName()));

434 continue;

435 }

436 File dbFile = new File(temps);

437 if (context.dataSourceIngestIsCancelled()) {

438 dbFile.delete();

439 break;

440 }

441

442 List<HashMap<String, Object>> tempList;

443

444 if (isChromePreVersion30(temps)) {

445 tempList = this.dbConnect(temps, downloadQuery);

446 } else {

447 tempList = this.dbConnect(temps, downloadQueryVersion30);

448 }

449

450 logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

451 for (HashMap<String, Object> result : tempList) {

452 Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();

453 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,

454 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), (result.get("full_path").toString()))); //NON-NLS

455 long pathID = Util.findID(dataSource, (result.get("full_path").toString())); //NON-NLS

456 if (pathID != -1) {

457 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,

458 NbBundle.getMessage(this.getClass(),

459 "Chrome.parentModuleName"), pathID));

460 }

461 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

462 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

463 ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS

464 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));

465 Long time = (Long.valueOf(result.get("start_time").toString()) / 1000000) - Long.valueOf("11644473600"); //NON-NLS

466

467 //TODO Revisit usage of deprecated constructor as per TSK-583

468 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", time));

469 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,

470 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), time));

471 String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); //NON-NLS

472 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

473 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain));

474 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

475 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

476 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

477

478 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);

479 if (bbart != null) {

480 bbartifacts.add(bbart);

481 }

482 }

483

484 dbFile.delete();

485 }

486

487 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

488 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

489 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts));

490 }

491

495 private void getLogin() {

496 FileManager fileManager = currentCase.getServices().getFileManager();

497 List<AbstractFile> signonFiles;

498 try {

499 signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); //NON-NLS

500 } catch (TskCoreException ex) {

501 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");

502 logger.log(Level.SEVERE, msg, ex);

503 this.addErrorMessage(this.getName() + ": " + msg);

504 return;

505 }

506

507 if (signonFiles.isEmpty()) {

508 logger.log(Level.INFO, "Didn't find any Chrome signon files."); //NON-NLS

509 return;

510 }

511

512 dataFound = true;

513 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

514 int j = 0;

515 while (j < signonFiles.size()) {

516 AbstractFile signonFile = signonFiles.get(j++);

517 if (signonFile.getSize() == 0) {

518 continue;

519 }

520 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName().toString() + j + ".db"; //NON-NLS

521 try {

522 ContentUtils.writeToFile(signonFile, new File(temps), context::dataSourceIngestIsCancelled);

523 } catch (IOException ex) {

524 logger.log(Level.SEVERE, "Error writing temp sqlite db for Chrome login artifacts.{0}", ex); //NON-NLS

525 this.addErrorMessage(

526 NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getName(),

527 signonFile.getName()));

528 continue;

529 }

530 File dbFile = new File(temps);

531 if (context.dataSourceIngestIsCancelled()) {

532 dbFile.delete();

533 break;

534 }

535 List<HashMap<String, Object>> tempList = this.dbConnect(temps, loginQuery);

536 logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

537 for (HashMap<String, Object> result : tempList) {

538 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

539 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

540 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

541 ((result.get("origin_url").toString() != null) ? result.get("origin_url").toString() : ""))); //NON-NLS

542 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("origin_url").toString() != null) ? EscapeUtil.decodeURL(result.get("origin_url").toString()) : "")));

543 //TODO Revisit usage of deprecated constructor as per TSK-583

544 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", ((Long.valueOf(result.get("last_visit_time").toString())) / 1000000)));

545 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,

546 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

547 (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS

548 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,

549 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

550 ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS

551 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,

552 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

553 ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS

554 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

555 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

556 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

557 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED,

558 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

559 (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS

560 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,

561 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

562 ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS

563 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

564 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

565 result.get("signon_realm").toString())); //NON-NLS

566

567 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);

568 if (bbart != null) {

569 bbartifacts.add(bbart);

570 }

571

572 // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent

573 Collection<BlackboardAttribute> osAcctAttributes = new ArrayList<>();

574 osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,

575 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

576 ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS

577 this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes);

578 }

579

580 dbFile.delete();

581 }

582

583 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

584 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

585 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));

586 }

587

588 private boolean isChromePreVersion30(String temps) {

589 String query = "PRAGMA table_info(downloads)"; //NON-NLS

590 List<HashMap<String, Object>> columns = this.dbConnect(temps, query);

591 for (HashMap<String, Object> col : columns) {

592 if (col.get("name").equals("url")) { //NON-NLS

593 return true;

594 }

595 }

596

597 return false;

598 }

599 }

org.sleuthkit

org.sleuthkit.autopsy.casemodule.services

Definition: Blackboard.java:19

org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.getRATempPath

static String getRATempPath(Case a_case, String mod)

Definition: RAImageIngestModule.java:195

org.sleuthkit.autopsy.datamodel.ContentUtils

Definition: ContentUtils.java:54

org

org.sleuthkit.autopsy.casemodule

Definition: AddImageAction.java:19

org.sleuthkit.autopsy.datamodel

Definition: AbstractAbstractFileNode.java:19

org.sleuthkit.autopsy.ingest.ModuleDataEvent

Definition: ModuleDataEvent.java:49

org.sleuthkit.autopsy.datamodel.ContentUtils.writeToFile

static< T > long writeToFile(Content content, java.io.File outputFile, ProgressHandle progress, Future< T > worker, boolean source)

Definition: ContentUtils.java:188

org.sleuthkit.autopsy.coreutils

Definition: AutopsyExceptionHandler.java:19

org.sleuthkit.autopsy.coreutils.Logger

Definition: Logger.java:36

org.sleuthkit.autopsy.ingest

Definition: DataSourceIngestCancellationPanel.java:19

org.sleuthkit.autopsy.ingest.IngestServices.fireModuleDataEvent

void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)

Definition: IngestServices.java:98

org.sleuthkit.autopsy.recentactivity.RAImageIngestModule

Definition: RAImageIngestModule.java:46

org.sleuthkit.autopsy.ingest.IngestJobContext

Definition: IngestJobContext.java:29

org.sleuthkit.autopsy.ingest.IngestServices

Definition: IngestServices.java:32

org.sleuthkit.autopsy.ingest.IngestJobContext.dataSourceIngestIsCancelled

boolean dataSourceIngestIsCancelled()

Definition: IngestJobContext.java:85

org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles

synchronized List< AbstractFile > findFiles(String fileName)

Definition: FileManager.java:134

org.sleuthkit.autopsy.coreutils.Logger.getLogger

synchronized static Logger getLogger(String name)

Definition: Logger.java:124

org.sleuthkit.autopsy

org.sleuthkit.autopsy.casemodule.services.FileManager

Definition: FileManager.java:58

org.sleuthkit.autopsy.ingest.IngestServices.getInstance

static synchronized IngestServices getInstance()

Definition: IngestServices.java:45