Example #1
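  /**
   * Extracts Chrome web history and posts it as TSK_WEB_HISTORY artifacts.
   *
   * <p>Looks up files named "History" under a "Chrome" parent path, keeps the allocated ones,
   * copies each to a temporary file, runs {@code historyQuery} against the copy through {@code
   * dbConnect} and adds one artifact per returned row. The temporary copy is deleted once the
   * file has been handled, including on a write error and on cancellation.
   *
   * <p>Every value read from the database is evidence-controlled. A missing column value is
   * recorded as an empty string, and a missing or non-numeric timestamp is left out of the
   * artifact, so that one damaged row cannot abort the whole extraction.
   */
  private void getHistory() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> historyFiles;
    try {
      historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); // NON-NLS
    } catch (TskCoreException ex) {
      String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
      logger.log(Level.SEVERE, msg, ex);
      this.addErrorMessage(this.getName() + ": " + msg);
      return;
    }

    // get only the allocated ones, for now
    List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();
    for (AbstractFile historyFile : historyFiles) {
      if (historyFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
        allocatedHistoryFiles.add(historyFile);
      }
    }

    // log a message if we don't have any allocated history files
    if (allocatedHistoryFiles.isEmpty()) {
      String msg =
          NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");
      logger.log(Level.INFO, msg);
      return;
    }

    dataFound = true;
    final String parentModuleName =
        NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    // Chrome stores last_visit_time as microseconds since 1601-01-01 UTC; the offset below is
    // the number of seconds between that epoch and the Unix epoch.
    final long microsPerSecond = 1000000L;
    final long secondsFrom1601To1970 = 11644473600L;

    // The filter above used to be computed and then ignored: the loop walked historyFiles, so
    // unallocated files were parsed as well. Iterate the filtered list instead.
    int j = 0;
    for (AbstractFile historyFile : allocatedHistoryFiles) {
      // NOTE(review): the temp path embeds the name stored in the evidence image. Presumably
      // findFiles only returns files literally named "History" - confirm, and sanitise the name
      // if it can ever carry characters that are special on the analysis host.
      String temps =
          RAImageIngestModule.getRATempPath(currentCase, "chrome")
              + File.separator
              + historyFile.getName()
              + j
              + ".db"; // NON-NLS
      j++;
      if (historyFile.getSize() == 0) {
        continue;
      }
      File dbFile = new File(temps);
      try {
        try {
          ContentUtils.writeToFile(historyFile, dbFile);
        } catch (IOException ex) {
          logger.log(
              Level.SEVERE,
              "Error writing temp sqlite db for Chrome web history artifacts.{0}",
              ex); // NON-NLS
          this.addErrorMessage(
              NbBundle.getMessage(
                  this.getClass(),
                  "Chrome.getHistory.errMsg.errAnalyzingFile",
                  this.getName(),
                  historyFile.getName()));
          continue;
        }
        if (context.dataSourceIngestIsCancelled()) {
          break;
        }
        List<HashMap<String, Object>> tempList = this.dbConnect(temps, historyQuery);
        logger.log(
            Level.INFO,
            "{0}- Now getting history from {1} with {2}artifacts identified.",
            new Object[] {moduleName, temps, tempList.size()}); // NON-NLS
        for (HashMap<String, Object> result : tempList) {
          // The old check was `get(...).toString() != null`, which can never be false and
          // throws when the column value itself is null. Test the value, not its string form.
          Object urlValue = result.get("url"); // NON-NLS
          String url = (urlValue != null) ? urlValue.toString() : "";
          Object referrerValue = result.get("from_visit"); // NON-NLS
          String referrer = (referrerValue != null) ? referrerValue.toString() : "";
          Object titleValue = result.get("title"); // NON-NLS
          String title = (titleValue != null) ? titleValue.toString() : "";
          Object visitTimeValue = result.get("last_visit_time"); // NON-NLS

          Collection<BlackboardAttribute> bbattributes = new ArrayList<BlackboardAttribute>();
          bbattributes.add(
              new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), parentModuleName, url));
          if (visitTimeValue != null) {
            try {
              long visitMicros = Long.parseLong(visitTimeValue.toString());
              bbattributes.add(
                  new BlackboardAttribute(
                      ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
                      parentModuleName,
                      (visitMicros / microsPerSecond) - secondsFrom1601To1970));
            } catch (NumberFormatException ex) {
              // Keep the row: the URL is still evidence even when its timestamp is damaged.
              logger.log(
                  Level.WARNING,
                  "Non-numeric last_visit_time in Chrome history row; timestamp omitted.",
                  ex); // NON-NLS
            }
          }
          bbattributes.add(
              new BlackboardAttribute(
                  ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(), parentModuleName, referrer));
          bbattributes.add(
              new BlackboardAttribute(
                  ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(), parentModuleName, title));
          bbattributes.add(
              new BlackboardAttribute(
                  ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
                  parentModuleName,
                  NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
          bbattributes.add(
              new BlackboardAttribute(
                  ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
                  parentModuleName,
                  Util.extractDomain(url)));
          this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
        }
      } finally {
        // The copy holds evidence content; remove it on every exit path, not only on success.
        dbFile.delete();
      }
    }

    IngestServices.getInstance()
        .fireModuleDataEvent(
            new ModuleDataEvent(
                parentModuleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
  }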
Example #2
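  /**
   * Extracts Chrome bookmarks and posts them as TSK_WEB_BOOKMARK artifacts.
   *
   * <p>Looks up files named "Bookmarks" under a "Chrome" parent path, copies each non-empty one
   * to a temporary file, parses the copy as JSON and adds one artifact per object found in
   * {@code roots.bookmark_bar.children}. The reader is closed and the temporary copy deleted on
   * every exit path.
   *
   * <p>The JSON is evidence-controlled. A file without the expected structure is reported and
   * skipped, and an entry with a missing or wrongly typed field falls back to an empty string or
   * a zero date instead of aborting the extraction.
   *
   * <p>Only the direct children of {@code bookmark_bar} are read: nested folders and any other
   * member of {@code roots} are not visited, and an entry without a {@code url} member is still
   * recorded, with an empty URL.
   */
  private void getBookmark() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> bookmarkFiles = null;
    try {
      bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); // NON-NLS
    } catch (TskCoreException ex) {
      String msg =
          NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");
      logger.log(Level.SEVERE, msg, ex);
      this.addErrorMessage(this.getName() + ": " + msg);
      return;
    }

    if (bookmarkFiles.isEmpty()) {
      logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); // NON-NLS
      return;
    }

    dataFound = true;
    final String parentModuleName =
        NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    int j = 0;

    while (j < bookmarkFiles.size()) {
      AbstractFile bookmarkFile = bookmarkFiles.get(j++);
      if (bookmarkFile.getSize() == 0) {
        continue;
      }
      // NOTE(review): the temp path embeds the name stored in the evidence image. Presumably
      // findFiles only returns files literally named "Bookmarks" - confirm, and sanitise the
      // name if it can ever carry characters that are special on the analysis host.
      String temps =
          RAImageIngestModule.getRATempPath(currentCase, "chrome")
              + File.separator
              + bookmarkFile.getName()
              + j
              + ".db"; // NON-NLS
      File dbFile = new File(temps);
      try {
        try {
          ContentUtils.writeToFile(bookmarkFile, dbFile);
        } catch (IOException ex) {
          logger.log(
              Level.SEVERE,
              "Error writing temp sqlite db for Chrome bookmark artifacts.{0}",
              ex); // NON-NLS
          this.addErrorMessage(
              NbBundle.getMessage(
                  this.getClass(),
                  "Chrome.getBookmark.errMsg.errAnalyzingFile",
                  this.getName(),
                  bookmarkFile.getName()));
          continue;
        }

        logger.log(
            Level.INFO,
            "{0}- Now getting Bookmarks from {1}",
            new Object[] {moduleName, temps}); // NON-NLS
        if (context.dataSourceIngestIsCancelled()) {
          break;
        }

        JsonArray jBookmarkArray = null;
        // The reader used to stay open for the rest of the iteration, which leaks a handle per
        // file and can make the delete below fail on hosts that lock open files.
        // NOTE(review): FileReader decodes with the platform default charset on Java versions
        // before 18; Chrome is understood to write this file as UTF-8, so non-ASCII titles may
        // be garbled on hosts with a different default - confirm and pin the charset.
        try (FileReader tempReader = new FileReader(temps)) {
          JsonObject jElement = new JsonParser().parse(tempReader).getAsJsonObject();
          JsonElement rootsEl = jElement.get("roots"); // NON-NLS
          JsonElement barEl =
              (rootsEl != null) ? rootsEl.getAsJsonObject().get("bookmark_bar") : null; // NON-NLS
          if (barEl != null) {
            jBookmarkArray = barEl.getAsJsonObject().getAsJsonArray("children"); // NON-NLS
          }
        } catch (FileNotFoundException ex) {
          logger.log(
              Level.SEVERE,
              "Error while trying to read into the Bookmarks for Chrome.",
              ex); // NON-NLS
          this.addErrorMessage(
              NbBundle.getMessage(
                  this.getClass(),
                  "Chrome.getBookmark.errMsg.errAnalyzeFile",
                  this.getName(),
                  bookmarkFile.getName()));
          continue;
        } catch (JsonIOException
            | JsonSyntaxException
            | IllegalStateException
            | ClassCastException ex) {
          // ClassCastException covers a "children" member that is present but not an array.
          logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); // NON-NLS
          this.addErrorMessage(
              NbBundle.getMessage(
                  this.getClass(),
                  "Chrome.getBookmark.errMsg.errAnalyzingFile3",
                  this.getName(),
                  bookmarkFile.getName()));
          continue;
        } catch (IOException ex) {
          // Only close() can land here; whatever was parsed before it is still usable.
          logger.log(
              Level.WARNING, "Error closing temp copy of Chrome Bookmark file.", ex); // NON-NLS
        }

        if (jBookmarkArray == null) {
          // roots, bookmark_bar or children is absent: report it instead of failing on null.
          logger.log(
              Level.WARNING,
              "Chrome Bookmark file lacks the roots/bookmark_bar/children structure."); // NON-NLS
          this.addErrorMessage(
              NbBundle.getMessage(
                  this.getClass(),
                  "Chrome.getBookmark.errMsg.errAnalyzingFile3",
                  this.getName(),
                  bookmarkFile.getName()));
          continue;
        }

        for (JsonElement result : jBookmarkArray) {
          // getAsJsonObject() never returns null; it throws on a non-object element, so test
          // the element type before converting.
          if (!result.isJsonObject()) {
            continue;
          }
          JsonObject address = result.getAsJsonObject();

          JsonElement urlEl = address.get("url"); // NON-NLS
          String url = (urlEl != null && urlEl.isJsonPrimitive()) ? urlEl.getAsString() : "";

          JsonElement nameEl = address.get("name"); // NON-NLS
          String name = (nameEl != null && nameEl.isJsonPrimitive()) ? nameEl.getAsString() : "";

          // A missing date keeps the existing default of 0, which converts to 1601-01-01 below.
          long date = 0L;
          JsonElement dateEl = address.get("date_added"); // NON-NLS
          if (dateEl != null && dateEl.isJsonPrimitive()) {
            try {
              date = dateEl.getAsLong();
            } catch (NumberFormatException ex) {
              logger.log(
                  Level.WARNING,
                  "Non-numeric date_added in Chrome bookmark entry; using 0.",
                  ex); // NON-NLS
            }
          }

          String domain = Util.extractDomain(url);
          try {
            BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
            Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
            // TODO Revisit usage of deprecated constructor as per TSK-583
            bbattributes.add(
                new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_URL.getTypeID(), parentModuleName, url));
            bbattributes.add(
                new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(), parentModuleName, name));
            // date_added is microseconds since 1601-01-01 UTC; convert to Unix epoch seconds.
            bbattributes.add(
                new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_DATETIME_CREATED.getTypeID(),
                    parentModuleName,
                    (date / 1000000L) - 11644473600L));
            bbattributes.add(
                new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
                    parentModuleName,
                    NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
            bbattributes.add(
                new BlackboardAttribute(
                    ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), parentModuleName, domain));
            bbart.addAttributes(bbattributes);
          } catch (TskCoreException ex) {
            logger.log(
                Level.SEVERE,
                "Error while trying to insert Chrome bookmark artifact{0}",
                ex); // NON-NLS
            this.addErrorMessage(
                NbBundle.getMessage(
                    this.getClass(),
                    "Chrome.getBookmark.errMsg.errAnalyzingFile4",
                    this.getName(),
                    bookmarkFile.getName()));
          }
        }
      } finally {
        // The copy holds evidence content; remove it on every exit path, not only on success.
        dbFile.delete();
      }
    }

    IngestServices.getInstance()
        .fireModuleDataEvent(
            new ModuleDataEvent(
                parentModuleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
  }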