Autopsy: /home/carriersleuth/repos/autopsy/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java Source File

Autopsy 4.6.0

Graphical digital forensics platform for The Sleuth Kit and other tools.

File List

Chrome.java

Go to the documentation of this file.

1 /*

2 *

3 * Autopsy Forensic Browser

4 *

6 *

8 *

9 * Project Contact/Architect: carrier <at> sleuthkit <dot> org

10 *

11 * Licensed under the Apache License, Version 2.0 (the "License");

12 * you may not use this file except in compliance with the License.

13 * You may obtain a copy of the License at

14 *

15 * http://www.apache.org/licenses/LICENSE-2.0

16 *

17 * Unless required by applicable law or agreed to in writing, software

18 * distributed under the License is distributed on an "AS IS" BASIS,

19 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

20 * See the License for the specific language governing permissions and

21 * limitations under the License.

22 */

23 package org.sleuthkit.autopsy.recentactivity;

25 import com.google.gson.JsonArray;

26 import com.google.gson.JsonElement;

27 import com.google.gson.JsonIOException;

28 import com.google.gson.JsonObject;

29 import com.google.gson.JsonParser;

30 import com.google.gson.JsonSyntaxException;

31 import org.openide.util.NbBundle;

32 import org.sleuthkit.autopsy.ingest.IngestServices;

33 import org.sleuthkit.autopsy.datamodel.ContentUtils;

34 import java.util.logging.Level;

35 import java.util.*;

36 import java.io.File;

37 import java.io.FileNotFoundException;

38 import java.io.FileReader;

39 import java.io.IOException;

40 import org.sleuthkit.autopsy.casemodule.services.FileManager;

41 import org.sleuthkit.autopsy.coreutils.Logger;

42 import org.sleuthkit.autopsy.ingest.IngestJobContext;

43 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;

44 import org.sleuthkit.datamodel.AbstractFile;

45 import org.sleuthkit.datamodel.BlackboardArtifact;

46 import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;

47 import org.sleuthkit.datamodel.BlackboardAttribute;

48 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;

49 import org.sleuthkit.datamodel.Content;

50 import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;

51 import org.sleuthkit.datamodel.TskCoreException;

52 import org.sleuthkit.datamodel.TskData;

57 class Chrome extends Extract {

59 private static final String HISTORY_QUERY = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " //NON-NLS

60 + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) AS from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; //NON-NLS

61 private static final String COOKIE_QUERY = "SELECT name, value, host_key, expires_utc,last_access_utc, creation_utc FROM cookies"; //NON-NLS

62 private static final String DOWNLOAD_QUERY = "SELECT full_path, url, start_time, received_bytes FROM downloads"; //NON-NLS

63 private static final String DOWNLOAD_QUERY_V30 = "SELECT current_path AS full_path, url, start_time, received_bytes FROM downloads, downloads_url_chains WHERE downloads.id=downloads_url_chains.id"; //NON-NLS

64 private static final String LOGIN_QUERY = "SELECT origin_url, username_value, signon_realm from logins"; //NON-NLS

65 private final Logger logger = Logger.getLogger(this.getClass().getName());

66 private Content dataSource;

67 private IngestJobContext context;

69 Chrome() {

70 moduleName = NbBundle.getMessage(Chrome.class, "Chrome.moduleName");

71 }

73 @Override

74 public void process(Content dataSource, IngestJobContext context) {

75 this.dataSource = dataSource;

76 this.context = context;

77 dataFound = false;

78 this.getHistory();

79 this.getBookmark();

80 this.getCookie();

81 this.getLogin();

82 this.getDownload();

83 }

88 private void getHistory() {

89 FileManager fileManager = currentCase.getServices().getFileManager();

90 List<AbstractFile> historyFiles;

91 try {

92 historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS

93 } catch (TskCoreException ex) {

94 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");

95 logger.log(Level.SEVERE, msg, ex);

96 this.addErrorMessage(this.getName() + ": " + msg);

97 return;

98 }

100 // get only the allocated ones, for now

101 List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();

102 for (AbstractFile historyFile : historyFiles) {

103 if (historyFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {

104 allocatedHistoryFiles.add(historyFile);

105 }

106 }

107

108 // log a message if we don't have any allocated history files

109 if (allocatedHistoryFiles.isEmpty()) {

110 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");

111 logger.log(Level.INFO, msg);

112 return;

113 }

114

115 dataFound = true;

116 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

117 int j = 0;

118 while (j < historyFiles.size()) {

119 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + historyFiles.get(j).getName() + j + ".db"; //NON-NLS

120 final AbstractFile historyFile = historyFiles.get(j++);

121 if (historyFile.getSize() == 0) {

122 continue;

123 }

124 try {

125 ContentUtils.writeToFile(historyFile, new File(temps), context::dataSourceIngestIsCancelled);

126 } catch (ReadContentInputStreamException ex) {

127 logger.log(Level.WARNING, String.format("Error reading Chrome web history artifacts file '%s' (id=%d).",

128 historyFile.getName(), historyFile.getId()), ex); //NON-NLS

129 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",

130 this.getName(), historyFile.getName()));

131 continue;

132 } catch (IOException ex) {

133 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome web history artifacts file '%s' (id=%d).",

134 temps, historyFile.getName(), historyFile.getId()), ex); //NON-NLS

135 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errAnalyzingFile",

136 this.getName(), historyFile.getName()));

137 continue;

138 }

139 File dbFile = new File(temps);

140 if (context.dataSourceIngestIsCancelled()) {

141 dbFile.delete();

142 break;

143 }

144 List<HashMap<String, Object>> tempList;

145 tempList = this.dbConnect(temps, HISTORY_QUERY);

146 logger.log(Level.INFO, "{0}- Now getting history from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

147 for (HashMap<String, Object> result : tempList) {

148 Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();

149 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

150 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

151 ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS

152 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,

153 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

154 (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS

155 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,

156 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

157 ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS

158 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,

159 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

160 ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS

161 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

162 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

163 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

164 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

165 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

166 (Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS

167

168 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);

169 if (bbart != null) {

170 bbartifacts.add(bbart);

171 }

172 }

173 dbFile.delete();

174 }

175

176 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

177 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

178 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));

179 }

180

184 private void getBookmark() {

185 FileManager fileManager = currentCase.getServices().getFileManager();

186 List<AbstractFile> bookmarkFiles;

187 try {

188 bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); //NON-NLS

189 } catch (TskCoreException ex) {

190 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");

191 logger.log(Level.SEVERE, msg, ex);

192 this.addErrorMessage(this.getName() + ": " + msg);

193 return;

194 }

195

196 if (bookmarkFiles.isEmpty()) {

197 logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); //NON-NLS

198 return;

199 }

200

201 dataFound = true;

202 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

203 int j = 0;

204

205 while (j < bookmarkFiles.size()) {

206 AbstractFile bookmarkFile = bookmarkFiles.get(j++);

207 if (bookmarkFile.getSize() == 0) {

208 continue;

209 }

210 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + bookmarkFile.getName() + j + ".db"; //NON-NLS

211 try {

212 ContentUtils.writeToFile(bookmarkFile, new File(temps), context::dataSourceIngestIsCancelled);

213 } catch (ReadContentInputStreamException ex) {

214 logger.log(Level.WARNING, String.format("Error reading Chrome bookmark artifacts file '%s' (id=%d).",

215 bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS

216 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",

217 this.getName(), bookmarkFile.getName()));

218 continue;

219 } catch (IOException ex) {

220 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome bookmark artifacts file '%s' (id=%d).",

221 temps, bookmarkFile.getName(), bookmarkFile.getId()), ex); //NON-NLS

222 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile",

223 this.getName(), bookmarkFile.getName()));

224 continue;

225 }

226

227 logger.log(Level.INFO, "{0}- Now getting Bookmarks from {1}", new Object[]{moduleName, temps}); //NON-NLS

228 File dbFile = new File(temps);

229 if (context.dataSourceIngestIsCancelled()) {

230 dbFile.delete();

231 break;

232 }

233

234 FileReader tempReader;

235 try {

236 tempReader = new FileReader(temps);

237 } catch (FileNotFoundException ex) {

238 logger.log(Level.SEVERE, "Error while trying to read into the Bookmarks for Chrome.", ex); //NON-NLS

239 this.addErrorMessage(

240 NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzeFile", this.getName(),

241 bookmarkFile.getName()));

242 continue;

243 }

244

245 final JsonParser parser = new JsonParser();

246 JsonElement jsonElement;

247 JsonObject jElement, jRoot, jBookmark;

248 JsonArray jBookmarkArray;

249

250 try {

251 jsonElement = parser.parse(tempReader);

252 jElement = jsonElement.getAsJsonObject();

253 jRoot = jElement.get("roots").getAsJsonObject(); //NON-NLS

254 jBookmark = jRoot.get("bookmark_bar").getAsJsonObject(); //NON-NLS

255 jBookmarkArray = jBookmark.getAsJsonArray("children"); //NON-NLS

256 } catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) {

257 logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); //NON-NLS

258 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile3",

259 this.getName(), bookmarkFile.getName()));

260 continue;

261 }

262

263 for (JsonElement result : jBookmarkArray) {

264 JsonObject address = result.getAsJsonObject();

265 if (address == null) {

266 continue;

267 }

268 JsonElement urlEl = address.get("url"); //NON-NLS

269 String url;

270 if (urlEl != null) {

271 url = urlEl.getAsString();

272 } else {

273 url = "";

274 }

275 String name;

276 JsonElement nameEl = address.get("name"); //NON-NLS

277 if (nameEl != null) {

278 name = nameEl.getAsString();

279 } else {

280 name = "";

281 }

282 Long date;

283 JsonElement dateEl = address.get("date_added"); //NON-NLS

284 if (dateEl != null) {

285 date = dateEl.getAsLong();

286 } else {

287 date = Long.valueOf(0);

288 }

289 String domain = Util.extractDomain(url);

290 try {

291 BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);

292 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

293 //TODO Revisit usage of deprecated constructor as per TSK-583

294 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

295 NbBundle.getMessage(this.getClass(),

296 "Chrome.parentModuleName"), url));

297 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE,

298 NbBundle.getMessage(this.getClass(),

299 "Chrome.parentModuleName"), name));

300 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_CREATED,

301 NbBundle.getMessage(this.getClass(),

302 "Chrome.parentModuleName"), (date / 1000000) - Long.valueOf("11644473600")));

303 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

304 NbBundle.getMessage(this.getClass(),

305 "Chrome.parentModuleName"),

306 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

307 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

308 NbBundle.getMessage(this.getClass(),

309 "Chrome.parentModuleName"), domain));

310 bbart.addAttributes(bbattributes);

311

312 // index the artifact for keyword search

313 this.indexArtifact(bbart);

314 bbartifacts.add(bbart);

315 } catch (TskCoreException ex) {

316 logger.log(Level.SEVERE, "Error while trying to insert Chrome bookmark artifact{0}", ex); //NON-NLS

317 this.addErrorMessage(

318 NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errAnalyzingFile4",

319 this.getName(), bookmarkFile.getName()));

320 }

321 }

322 dbFile.delete();

323 }

324

325 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

326 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

327 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK, bbartifacts));

328 }

329

333 private void getCookie() {

334

335 FileManager fileManager = currentCase.getServices().getFileManager();

336 List<AbstractFile> cookiesFiles;

337 try {

338 cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); //NON-NLS

339 } catch (TskCoreException ex) {

340 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles");

341 logger.log(Level.SEVERE, msg, ex);

342 this.addErrorMessage(this.getName() + ": " + msg);

343 return;

344 }

345

346 if (cookiesFiles.isEmpty()) {

347 logger.log(Level.INFO, "Didn't find any Chrome cookies files."); //NON-NLS

348 return;

349 }

350

351 dataFound = true;

352 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

353 int j = 0;

354 while (j < cookiesFiles.size()) {

355 AbstractFile cookiesFile = cookiesFiles.get(j++);

356 if (cookiesFile.getSize() == 0) {

357 continue;

358 }

359 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + cookiesFile.getName() + j + ".db"; //NON-NLS

360 try {

361 ContentUtils.writeToFile(cookiesFile, new File(temps), context::dataSourceIngestIsCancelled);

362 } catch (ReadContentInputStreamException ex) {

363 logger.log(Level.WARNING, String.format("Error reading Chrome cookie artifacts file '%s' (id=%d).",

364 cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS

365 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",

366 this.getName(), cookiesFile.getName()));

367 continue;

368 } catch (IOException ex) {

369 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome cookie artifacts file '%s' (id=%d).",

370 temps, cookiesFile.getName(), cookiesFile.getId()), ex); //NON-NLS

371 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errAnalyzeFile",

372 this.getName(), cookiesFile.getName()));

373 continue;

374 }

375 File dbFile = new File(temps);

376 if (context.dataSourceIngestIsCancelled()) {

377 dbFile.delete();

378 break;

379 }

380

381 List<HashMap<String, Object>> tempList = this.dbConnect(temps, COOKIE_QUERY);

382 logger.log(Level.INFO, "{0}- Now getting cookies from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

383 for (HashMap<String, Object> result : tempList) {

384 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

385 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

386 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

387 ((result.get("host_key").toString() != null) ? result.get("host_key").toString() : ""))); //NON-NLS

388 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME,

389 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

390 (Long.valueOf(result.get("last_access_utc").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS

391

392 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,

393 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

394 ((result.get("name").toString() != null) ? result.get("name").toString() : ""))); //NON-NLS

395 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE,

396 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

397 ((result.get("value").toString() != null) ? result.get("value").toString() : ""))); //NON-NLS

398 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

399 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

400 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

401 String domain = result.get("host_key").toString(); //NON-NLS

402 domain = domain.replaceFirst("^\\.+(?!$)", "");

403 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

404 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain));

405

406 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);

407 if (bbart != null) {

408 bbartifacts.add(bbart);

409 }

410 }

411

412 dbFile.delete();

413 }

414

415 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

416 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

417 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE, bbartifacts));

418 }

419

423 private void getDownload() {

424 FileManager fileManager = currentCase.getServices().getFileManager();

425 List<AbstractFile> downloadFiles;

426 try {

427 downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); //NON-NLS

428 } catch (TskCoreException ex) {

429 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles");

430 logger.log(Level.SEVERE, msg, ex);

431 this.addErrorMessage(this.getName() + ": " + msg);

432 return;

433 }

434

435 if (downloadFiles.isEmpty()) {

436 logger.log(Level.INFO, "Didn't find any Chrome download files."); //NON-NLS

437 return;

438 }

439

440 dataFound = true;

441 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

442 int j = 0;

443 while (j < downloadFiles.size()) {

444 AbstractFile downloadFile = downloadFiles.get(j++);

445 if (downloadFile.getSize() == 0) {

446 continue;

447 }

448 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + downloadFile.getName() + j + ".db"; //NON-NLS

449 try {

450 ContentUtils.writeToFile(downloadFile, new File(temps), context::dataSourceIngestIsCancelled);

451 } catch (ReadContentInputStreamException ex) {

452 logger.log(Level.WARNING, String.format("Error reading Chrome download artifacts file '%s' (id=%d).",

453 downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS

454 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",

455 this.getName(), downloadFile.getName()));

456 continue;

457 } catch (IOException ex) {

458 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome download artifacts file '%s' (id=%d).",

459 temps, downloadFile.getName(), downloadFile.getId()), ex); //NON-NLS

460 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errAnalyzeFiles1",

461 this.getName(), downloadFile.getName()));

462 continue;

463 }

464 File dbFile = new File(temps);

465 if (context.dataSourceIngestIsCancelled()) {

466 dbFile.delete();

467 break;

468 }

469

470 List<HashMap<String, Object>> tempList;

471

472 if (isChromePreVersion30(temps)) {

473 tempList = this.dbConnect(temps, DOWNLOAD_QUERY);

474 } else {

475 tempList = this.dbConnect(temps, DOWNLOAD_QUERY_V30);

476 }

477

478 logger.log(Level.INFO, "{0}- Now getting downloads from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

479 for (HashMap<String, Object> result : tempList) {

480 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

481 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,

482 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), (result.get("full_path").toString()))); //NON-NLS

483 long pathID = Util.findID(dataSource, (result.get("full_path").toString())); //NON-NLS

484 if (pathID != -1) {

485 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID,

486 NbBundle.getMessage(this.getClass(),

487 "Chrome.parentModuleName"), pathID));

488 }

489 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

490 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

491 ((result.get("url").toString() != null) ? result.get("url").toString() : ""))); //NON-NLS

492 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("url").toString() != null) ? EscapeUtil.decodeURL(result.get("url").toString()) : "")));

493 Long time = (Long.valueOf(result.get("start_time").toString()) / 1000000) - Long.valueOf("11644473600"); //NON-NLS

494

495 //TODO Revisit usage of deprecated constructor as per TSK-583

496 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", time));

497 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,

498 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), time));

499 String domain = Util.extractDomain((result.get("url").toString() != null) ? result.get("url").toString() : ""); //NON-NLS

500 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

501 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"), domain));

502 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

503 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

504 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

505

506 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);

507 if (bbart != null) {

508 bbartifacts.add(bbart);

509 }

510 }

511

512 dbFile.delete();

513 }

514

515 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

516 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

517 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, bbartifacts));

518 }

519

523 private void getLogin() {

524 FileManager fileManager = currentCase.getServices().getFileManager();

525 List<AbstractFile> signonFiles;

526 try {

527 signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); //NON-NLS

528 } catch (TskCoreException ex) {

529 String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");

530 logger.log(Level.SEVERE, msg, ex);

531 this.addErrorMessage(this.getName() + ": " + msg);

532 return;

533 }

534

535 if (signonFiles.isEmpty()) {

536 logger.log(Level.INFO, "Didn't find any Chrome signon files."); //NON-NLS

537 return;

538 }

539

540 dataFound = true;

541 Collection<BlackboardArtifact> bbartifacts = new ArrayList<>();

542 int j = 0;

543 while (j < signonFiles.size()) {

544 AbstractFile signonFile = signonFiles.get(j++);

545 if (signonFile.getSize() == 0) {

546 continue;

547 }

548 String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator + signonFile.getName() + j + ".db"; //NON-NLS

549 try {

550 ContentUtils.writeToFile(signonFile, new File(temps), context::dataSourceIngestIsCancelled);

551 } catch (ReadContentInputStreamException ex) {

552 logger.log(Level.WARNING, String.format("Error reading Chrome login artifacts file '%s' (id=%d).",

553 signonFile.getName(), signonFile.getId()), ex); //NON-NLS

554 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",

555 this.getName(), signonFile.getName()));

556 continue;

557 } catch (IOException ex) {

558 logger.log(Level.SEVERE, String.format("Error writing temp sqlite db file '%s' for Chrome login artifacts file '%s' (id=%d).",

559 temps, signonFile.getName(), signonFile.getId()), ex); //NON-NLS

560 this.addErrorMessage(NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errAnalyzingFiles",

561 this.getName(), signonFile.getName()));

562 continue;

563 }

564 File dbFile = new File(temps);

565 if (context.dataSourceIngestIsCancelled()) {

566 dbFile.delete();

567 break;

568 }

569 List<HashMap<String, Object>> tempList = this.dbConnect(temps, LOGIN_QUERY);

570 logger.log(Level.INFO, "{0}- Now getting login information from {1} with {2}artifacts identified.", new Object[]{moduleName, temps, tempList.size()}); //NON-NLS

571 for (HashMap<String, Object> result : tempList) {

572 Collection<BlackboardAttribute> bbattributes = new ArrayList<>();

573 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL,

574 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

575 ((result.get("origin_url").toString() != null) ? result.get("origin_url").toString() : ""))); //NON-NLS

576 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(), "Recent Activity", ((result.get("origin_url").toString() != null) ? EscapeUtil.decodeURL(result.get("origin_url").toString()) : "")));

577 //TODO Revisit usage of deprecated constructor as per TSK-583

578 //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "Recent Activity", "Last Visited", ((Long.valueOf(result.get("last_visit_time").toString())) / 1000000)));

579 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED,

580 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

581 (Long.valueOf(result.get("last_visit_time").toString()) / 1000000) - Long.valueOf("11644473600"))); //NON-NLS

582 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER,

583 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

584 ((result.get("from_visit").toString() != null) ? result.get("from_visit").toString() : ""))); //NON-NLS

585 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,

586 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

587 ((result.get("title").toString() != null) ? result.get("title").toString() : ""))); //NON-NLS

588 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME,

589 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

590 NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));

591 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED,

592 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

593 (Util.extractDomain((result.get("origin_url").toString() != null) ? result.get("url").toString() : "")))); //NON-NLS

594 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,

595 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

596 ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS

597 bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN,

598 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

599 result.get("signon_realm").toString())); //NON-NLS

600

601 BlackboardArtifact bbart = this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);

602 if (bbart != null) {

603 bbartifacts.add(bbart);

604 }

605

606 // Don't add TSK_OS_ACCOUNT artifacts to the ModuleDataEvent

607 Collection<BlackboardAttribute> osAcctAttributes = new ArrayList<>();

608 osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME,

609 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

610 ((result.get("username_value").toString() != null) ? result.get("username_value").toString().replaceAll("'", "''") : ""))); //NON-NLS

611 this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes);

612 }

613

614 dbFile.delete();

615 }

616

617 IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(

618 NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),

619 BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY, bbartifacts));

620 }

621

622 private boolean isChromePreVersion30(String temps) {

623 String query = "PRAGMA table_info(downloads)"; //NON-NLS

624 List<HashMap<String, Object>> columns = this.dbConnect(temps, query);

625 for (HashMap<String, Object> col : columns) {

626 if (col.get("name").equals("url")) { //NON-NLS

627 return true;

628 }

629 }

630

631 return false;

632 }

633 }

org.sleuthkit

org.sleuthkit.autopsy.casemodule.services

Definition: Blackboard.java:19

org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.getRATempPath

static String getRATempPath(Case a_case, String mod)

Definition: RAImageIngestModule.java:200

org.sleuthkit.autopsy.datamodel.ContentUtils

Definition: ContentUtils.java:55

org

org.sleuthkit.autopsy.casemodule

Definition: AddImageAction.java:19

org.sleuthkit.autopsy.datamodel

Definition: AbstractAbstractFileNode.java:19

org.sleuthkit.autopsy.ingest.ModuleDataEvent

Definition: ModuleDataEvent.java:49

org.sleuthkit.autopsy.datamodel.ContentUtils.writeToFile

static< T > long writeToFile(Content content, java.io.File outputFile, ProgressHandle progress, Future< T > worker, boolean source)

Definition: ContentUtils.java:210

org.sleuthkit.autopsy.coreutils

Definition: AutopsyExceptionHandler.java:19

org.sleuthkit.autopsy.coreutils.Logger

Definition: Logger.java:36

org.sleuthkit.autopsy.ingest

Definition: BlockingIngestTaskQueue.java:19

org.sleuthkit.autopsy.ingest.IngestServices.fireModuleDataEvent

void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)

Definition: IngestServices.java:101

org.sleuthkit.autopsy.recentactivity.RAImageIngestModule

Definition: RAImageIngestModule.java:46

org.sleuthkit.autopsy.ingest.IngestJobContext

Definition: IngestJobContext.java:29

org.sleuthkit.autopsy.ingest.IngestServices

Definition: IngestServices.java:33

org.sleuthkit.autopsy.ingest.IngestJobContext.dataSourceIngestIsCancelled

boolean dataSourceIngestIsCancelled()

Definition: IngestJobContext.java:85

org.sleuthkit.autopsy.casemodule.services.FileManager.findFiles

synchronized List< AbstractFile > findFiles(String fileName)

Definition: FileManager.java:165

org.sleuthkit.autopsy.coreutils.Logger.getLogger

synchronized static Logger getLogger(String name)

Definition: Logger.java:124

org.sleuthkit.autopsy

org.sleuthkit.autopsy.casemodule.services.FileManager

Definition: FileManager.java:58

org.sleuthkit.autopsy.ingest.IngestServices.getInstance

static synchronized IngestServices getInstance()

Definition: IngestServices.java:46