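/**
 * Queries for Chrome login (signon) databases and adds artifacts.
 *
 * <p>Every non-empty {@code signons.sqlite} attributed to Chrome is copied to the
 * module temp directory, queried with {@code loginQuery}, and one
 * {@code TSK_WEB_HISTORY} artifact plus one {@code TSK_OS_ACCOUNT} artifact is
 * added per result row. Lookup and copy failures are logged and reported through
 * {@link #addErrorMessage}; the method itself never throws. The temp copy is
 * removed on every exit path, including cancellation.
 */
private void getLogin() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> signonFiles;
    try {
        signonFiles = fileManager.findFiles(dataSource, "signons.sqlite", "Chrome"); // NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getLogin.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (signonFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome signon files."); // NON-NLS
        return;
    }

    dataFound = true;
    // Bundle lookups do not change between rows; resolve them once.
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    final String chromeModuleName = NbBundle.getMessage(this.getClass(), "Chrome.moduleName");
    // Chrome timestamps are microseconds since 1601-01-01; this many seconds separate that
    // epoch from the Unix epoch.
    final long epochOffsetSeconds = 11644473600L;

    int j = 0;
    while (j < signonFiles.size()) {
        AbstractFile signonFile = signonFiles.get(j++);
        if (signonFile.getSize() == 0) {
            continue;
        }
        // The index suffix keeps same-named files apart. NOTE(review): the base name comes
        // from the evidence; assumed to contain no path separators - confirm in FileManager.
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator
                + signonFile.getName() + j + ".db"; // NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(signonFile, dbFile);
            } catch (IOException ex) {
                logger.log(Level.SEVERE,
                        "Error writing temp sqlite db for Chrome login artifacts.{0}", ex); // NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(),
                        "Chrome.getLogin.errMsg.errAnalyzingFiles", this.getName(), signonFile.getName()));
                continue;
            }
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            List<HashMap<String, Object>> tempList = this.dbConnect(temps, loginQuery);
            logger.log(Level.INFO,
                    "{0}- Now getting login information from {1} with {2}artifacts identified.",
                    new Object[]{moduleName, temps, tempList.size()}); // NON-NLS
            for (HashMap<String, Object> result : tempList) {
                // Columns may be NULL; the former "toString() != null" guards dereferenced the
                // value before testing it, so the raw map value is tested here instead.
                Object originUrlValue = result.get("origin_url"); // NON-NLS
                String originUrl = (originUrlValue != null) ? originUrlValue.toString() : "";
                Object fromVisitValue = result.get("from_visit"); // NON-NLS
                String fromVisit = (fromVisitValue != null) ? fromVisitValue.toString() : "";
                Object titleValue = result.get("title"); // NON-NLS
                String title = (titleValue != null) ? titleValue.toString() : "";
                Object realmValue = result.get("signon_realm"); // NON-NLS
                String signonRealm = (realmValue != null) ? realmValue.toString() : "";
                Object usernameValue = result.get("username_value"); // NON-NLS
                // NOTE(review): the quote doubling is SQL-literal escaping applied to a value that
                // is handed to the blackboard API rather than to a query, so a name like O'Brien
                // is stored as O''Brien. Kept as-is; confirm the API parameterizes and drop it.
                String username = (usernameValue != null)
                        ? usernameValue.toString().replaceAll("'", "''") : "";
                long accessedTime = (Long.valueOf(result.get("last_visit_time").toString()) / 1000000)
                        - epochOffsetSeconds; // NON-NLS

                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
                        parentModuleName, originUrl));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
                        parentModuleName, accessedTime));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),
                        parentModuleName, fromVisit));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),
                        parentModuleName, title));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
                        parentModuleName, chromeModuleName));
                // The domain is derived from origin_url: the previous code tested origin_url for
                // null but then read the "url" key, which this loop never uses elsewhere.
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL_DECODED.getTypeID(),
                        parentModuleName, Util.extractDomain(originUrl)));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
                        parentModuleName, username));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
                        parentModuleName, signonRealm));
                this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, signonFile, bbattributes);

                Collection<BlackboardAttribute> osAcctAttributes = new ArrayList<>();
                osAcctAttributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USER_NAME.getTypeID(),
                        parentModuleName, username));
                this.addArtifact(ARTIFACT_TYPE.TSK_OS_ACCOUNT, signonFile, osAcctAttributes);
            }
        } finally {
            // Delete the temp copy on every path (normal, copy failure, cancellation, exception);
            // previously a failed copy left a partial file behind.
            dbFile.delete();
        }
    }
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}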
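/**
 * Queries for Chrome history databases and adds artifacts.
 *
 * <p>Only allocated {@code History} files are processed (the
 * {@code TSK_FS_META_FLAG_ENUM.ALLOC} filter below). Each is copied to the module
 * temp directory, queried with {@code historyQuery}, and one
 * {@code TSK_WEB_HISTORY} artifact is added per row. Failures are logged and
 * reported through {@link #addErrorMessage}; the method never throws, and the temp
 * copy is removed on every exit path.
 */
private void getHistory() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> historyFiles;
    try {
        historyFiles = fileManager.findFiles(dataSource, "History", "Chrome"); // NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    // get only the allocated ones, for now
    List<AbstractFile> allocatedHistoryFiles = new ArrayList<>();
    for (AbstractFile historyFile : historyFiles) {
        if (historyFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.ALLOC)) {
            allocatedHistoryFiles.add(historyFile);
        }
    }

    // log a message if we don't have any allocated history files
    if (allocatedHistoryFiles.isEmpty()) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getHistory.errMsg.couldntFindAnyFiles");
        logger.log(Level.INFO, msg);
        return;
    }

    dataFound = true;
    // Bundle lookups do not change between rows; resolve them once.
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    final String chromeModuleName = NbBundle.getMessage(this.getClass(), "Chrome.moduleName");
    // Chrome timestamps are microseconds since 1601-01-01; this many seconds separate that
    // epoch from the Unix epoch.
    final long epochOffsetSeconds = 11644473600L;

    int j = 0;
    // Iterate the filtered list: the previous loop walked the unfiltered historyFiles, so the
    // allocation filter above only affected the emptiness check.
    while (j < allocatedHistoryFiles.size()) {
        final AbstractFile historyFile = allocatedHistoryFiles.get(j++);
        if (historyFile.getSize() == 0) {
            continue;
        }
        // The index suffix keeps same-named files apart. NOTE(review): the base name comes
        // from the evidence; assumed to contain no path separators - confirm in FileManager.
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator
                + historyFile.getName() + j + ".db"; // NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(historyFile, dbFile);
            } catch (IOException ex) {
                logger.log(Level.SEVERE,
                        "Error writing temp sqlite db for Chrome web history artifacts.{0}", ex); // NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(),
                        "Chrome.getHistory.errMsg.errAnalyzingFile", this.getName(), historyFile.getName()));
                continue;
            }
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            List<HashMap<String, Object>> tempList = this.dbConnect(temps, historyQuery);
            logger.log(Level.INFO,
                    "{0}- Now getting history from {1} with {2}artifacts identified.",
                    new Object[]{moduleName, temps, tempList.size()}); // NON-NLS
            for (HashMap<String, Object> result : tempList) {
                // Columns may be NULL; the former "toString() != null" guards dereferenced the
                // value before testing it, so the raw map value is tested here instead.
                Object urlValue = result.get("url"); // NON-NLS
                String url = (urlValue != null) ? urlValue.toString() : "";
                Object fromVisitValue = result.get("from_visit"); // NON-NLS
                String fromVisit = (fromVisitValue != null) ? fromVisitValue.toString() : "";
                Object titleValue = result.get("title"); // NON-NLS
                String title = (titleValue != null) ? titleValue.toString() : "";
                long accessedTime = (Long.valueOf(result.get("last_visit_time").toString()) / 1000000)
                        - epochOffsetSeconds; // NON-NLS

                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
                        parentModuleName, url));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
                        parentModuleName, accessedTime));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),
                        parentModuleName, fromVisit));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(),
                        parentModuleName, title));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
                        parentModuleName, chromeModuleName));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
                        parentModuleName, Util.extractDomain(url)));
                this.addArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY, historyFile, bbattributes);
            }
        } finally {
            // Delete the temp copy on every path (normal, copy failure, cancellation, exception);
            // previously a failed copy left a partial file behind.
            dbFile.delete();
        }
    }
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY));
}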
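/**
 * Queries for Chrome download records and adds artifacts.
 *
 * <p>Each non-empty Chrome {@code History} file is copied to the module temp
 * directory and queried with {@code downloadQuery} or
 * {@code downloadQueryVersion30}, chosen by {@link #isChromePreVersion30}; one
 * {@code TSK_WEB_DOWNLOAD} artifact is added per row. Failures are logged and
 * reported through {@link #addErrorMessage}; the method never throws, and the
 * temp copy is removed on every exit path.
 */
private void getDownload() {
    FileManager fileManager = currentCase.getServices().getFileManager();
    List<AbstractFile> downloadFiles;
    try {
        downloadFiles = fileManager.findFiles(dataSource, "History", "Chrome"); // NON-NLS
    } catch (TskCoreException ex) {
        String msg = NbBundle.getMessage(this.getClass(), "Chrome.getDownload.errMsg.errGettingFiles");
        logger.log(Level.SEVERE, msg, ex);
        this.addErrorMessage(this.getName() + ": " + msg);
        return;
    }

    if (downloadFiles.isEmpty()) {
        logger.log(Level.INFO, "Didn't find any Chrome download files."); // NON-NLS
        return;
    }

    dataFound = true;
    // Bundle lookups do not change between rows; resolve them once.
    final String parentModuleName = NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName");
    final String chromeModuleName = NbBundle.getMessage(this.getClass(), "Chrome.moduleName");
    // Chrome timestamps are microseconds since 1601-01-01; this many seconds separate that
    // epoch from the Unix epoch.
    final long epochOffsetSeconds = 11644473600L;

    int j = 0;
    while (j < downloadFiles.size()) {
        AbstractFile downloadFile = downloadFiles.get(j++);
        if (downloadFile.getSize() == 0) {
            continue;
        }
        // The index suffix keeps same-named files apart. NOTE(review): the base name comes
        // from the evidence; assumed to contain no path separators - confirm in FileManager.
        String temps = RAImageIngestModule.getRATempPath(currentCase, "chrome") + File.separator
                + downloadFile.getName() + j + ".db"; // NON-NLS
        File dbFile = new File(temps);
        try {
            try {
                ContentUtils.writeToFile(downloadFile, dbFile);
            } catch (IOException ex) {
                logger.log(Level.SEVERE,
                        "Error writing temp sqlite db for Chrome download artifacts.{0}", ex); // NON-NLS
                this.addErrorMessage(NbBundle.getMessage(this.getClass(),
                        "Chrome.getDownload.errMsg.errAnalyzeFiles1", this.getName(), downloadFile.getName()));
                continue;
            }
            if (context.dataSourceIngestIsCancelled()) {
                break;
            }

            // The downloads schema changed in Chrome 30; pick the matching query.
            List<HashMap<String, Object>> tempList = isChromePreVersion30(temps)
                    ? this.dbConnect(temps, downloadQuery)
                    : this.dbConnect(temps, downloadQueryVersion30);
            logger.log(Level.INFO,
                    "{0}- Now getting downloads from {1} with {2}artifacts identified.",
                    new Object[]{moduleName, temps, tempList.size()}); // NON-NLS
            for (HashMap<String, Object> result : tempList) {
                // Columns may be NULL; the former "toString() != null" guards dereferenced the
                // value before testing it, so the raw map value is tested here instead.
                Object fullPathValue = result.get("full_path"); // NON-NLS
                String fullPath = (fullPathValue != null) ? fullPathValue.toString() : "";
                Object urlValue = result.get("url"); // NON-NLS
                String url = (urlValue != null) ? urlValue.toString() : "";
                long startTime = (Long.valueOf(result.get("start_time").toString()) / 1000000)
                        - epochOffsetSeconds; // NON-NLS

                Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),
                        parentModuleName, fullPath));
                // Only resolve the downloaded file in the data source when a path was recorded;
                // the lookup is skipped for an absent path rather than failing the whole file.
                if (!fullPath.isEmpty()) {
                    long pathID = Util.findID(dataSource, fullPath);
                    if (pathID != -1) {
                        bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),
                                parentModuleName, pathID));
                    }
                }
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
                        parentModuleName, url));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID(),
                        parentModuleName, startTime));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
                        parentModuleName, Util.extractDomain(url)));
                bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
                        parentModuleName, chromeModuleName));
                this.addArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD, downloadFile, bbattributes);
            }
        } finally {
            // Delete the temp copy on every path (normal, copy failure, cancellation, exception);
            // previously a failed copy left a partial file behind.
            dbFile.delete();
        }
    }
    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(parentModuleName,
            BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD));
}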