/** Queries for login files and adds artifacts */
private void getLogin() {
FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> signonFiles;
try {
signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); // NON-NLS
} catch (TskCoreException ex) {
String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");
logger.log(Level.SEVERE, msg, ex);
this.addErrorMessage(this.getName() + ": " + msg);
return;
}
if (signonFiles.isEmpty()) {
logger.log(Level.INFO, "Didn't find any Chrome signon files."); // NON-NLS
return;
}
dataFound = true;
int j = 0;
while (j < signonFiles.size()) {
AbstractFile signonFile = signonFiles.get(j++);
if (signonFile.getSize() == 0) {
continue;
}
String temps =
RAImageIngestModule.getRATempPath(currentCase, "chrome")
+ File.separator
+ signonFile.getName().toString()
+ j
+ ".db"; // NON-NLS
try {
ContentUtils.writeToFile(signonFile, new File(temps));
} catch (IOException ex) {
logger.log(
Level.SEVERE,
"Error writing temp sqlite db for Chrome login artifacts.{0}",
ex); // NON-NLS
this.addErrorMessage(
NbBundle.getMessage(
this.getClass(),
"Chrome.getLogin.errMsg.errAnalyzingFiles",
this.getName(),
signonFile.getName()));
continue;
}
File dbFile = new File(temps);
if (context.dataSourceIngestIsCancelled()) {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, loginQuery);
logger.log(
Level.INFO,
"{0}- Now getting login information from {1} with {2}artifacts identified.",
new Object[] {moduleName, temps, tempList.size()}); // NON-NLS
for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("origin_url").toString() != null)
? result.get("origin_url").toString()
: ""))); // NON-NLS
// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(),
// "Recent Activity", ((result.get("origin_url").toString() != null) ?
// EscapeUtil.decodeURL(result.get("origin_url").toString()) : "")));
// TODO Revisit usage of deprecated constructor as per TSK-583
// bbattributes.add(new
// BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(), "Recent Activity",
// "Last Visited", ((Long.valueOf(result.get("last_visit_time").toString())) / 1000000)));
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
(Long.valueOf(result.get("last_visit_time").toString()) / 1000000)
- Long.valueOf("11644473600"))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("from_visit").toString() != null)
? result.get("from_visit").toString()
: ""))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("title").toString() != null)
? result.get("title").toString()
: ""))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
(Util.extractDomain(
(result.get("origin_url").toString() != null)
? result.get("url").toString()
: "")))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("username_value").toString() != null)
? result.get("username_value").toString().replaceAll("'", "''")
: ""))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
result.get("signon_realm").toString())); // NON-NLS
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);
Collection<BlackboardAttribute> osAcctAttributes = new ArrayList<>();
osAcctAttributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("username_value").toString() != null)
? result.get("username_value").toString().replaceAll("'", "''")
: ""))); // NON-NLS
this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes);
}
dbFile.delete();
}
IngestServices.getInstance()
.fireModuleDataEvent(
new ModuleDataEvent(
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}
/** Queries for cookie files and adds artifacts */
private void getCookie() {
FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> cookiesFiles;
try {
cookiesFiles = fileManager.findFiles(dataSource, "Cookies", "Chrome"); // NON-NLS
} catch (TskCoreException ex) {
String msg = NbBundle.getMessage(this.getClass(), "Chrome.getCookie.errMsg.errGettingFiles");
logger.log(Level.SEVERE, msg, ex);
this.addErrorMessage(this.getName() + ": " + msg);
return;
}
if (cookiesFiles.isEmpty()) {
logger.log(Level.INFO, "Didn't find any Chrome cookies files."); // NON-NLS
return;
}
dataFound = true;
int j = 0;
while (j < cookiesFiles.size()) {
AbstractFile cookiesFile = cookiesFiles.get(j++);
if (cookiesFile.getSize() == 0) {
continue;
}
String temps =
RAImageIngestModule.getRATempPath(currentCase, "chrome")
+ File.separator
+ cookiesFile.getName().toString()
+ j
+ ".db"; // NON-NLS
try {
ContentUtils.writeToFile(cookiesFile, new File(temps));
} catch (IOException ex) {
logger.log(
Level.SEVERE,
"Error writing temp sqlite db for Chrome cookie artifacts.{0}",
ex); // NON-NLS
this.addErrorMessage(
NbBundle.getMessage(
this.getClass(),
"Chrome.getCookie.errMsg.errAnalyzeFile",
this.getName(),
cookiesFile.getName()));
continue;
}
File dbFile = new File(temps);
if (context.dataSourceIngestIsCancelled()) {
dbFile.delete();
break;
}
List<HashMap<String, Object>> tempList = this.dbConnect(temps, cookieQuery);
logger.log(
Level.INFO,
"{0}- Now getting cookies from {1} with {2}artifacts identified.",
new Object[] {moduleName, temps, tempList.size()}); // NON-NLS
for (HashMap<String, Object> result : tempList) {
Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("host_key").toString() != null)
? result.get("host_key").toString()
: ""))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
(Long.valueOf(result.get("last_access_utc").toString()) / 1000000)
- Long.valueOf("11644473600"))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("name").toString() != null)
? result.get("name").toString()
: ""))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
((result.get("value").toString() != null)
? result.get("value").toString()
: ""))); // NON-NLS
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
String domain = result.get("host_key").toString(); // NON-NLS
domain = domain.replaceFirst("^\\.+(?!$)", "");
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
domain));
this.addArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE, cookiesFile, bbattributes);
}
dbFile.delete();
}
IngestServices.getInstance()
.fireModuleDataEvent(
new ModuleDataEvent(
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE));
}
