/**
* Create a tag for an artifact with TSK_TAG_NAME as tagName.
*
* @param artifact to create tag for
* @param tagName TSK_TAG_NAME
* @param comment the tag comment or null if not present
*/
public static void createTag(BlackboardArtifact artifact, String tagName, String comment) {
try {
Case currentCase = Case.getCurrentCase();
SleuthkitCase skCase = currentCase.getSleuthkitCase();
AbstractFile file = skCase.getAbstractFileById(artifact.getObjectID());
final BlackboardArtifact bookArt =
file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT);
List<BlackboardAttribute> attrs = new ArrayList<BlackboardAttribute>();
BlackboardAttribute attr1 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(), "", tagName);
if (comment != null && !comment.isEmpty()) {
BlackboardAttribute attr2 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), "", comment);
attrs.add(attr2);
}
BlackboardAttribute attr3 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAGGED_ARTIFACT.getTypeID(),
"",
artifact.getArtifactID());
attrs.add(attr1);
attrs.add(attr3);
bookArt.addAttributes(attrs);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to create tag for artifact " + artifact.getArtifactID());
}
}
/**
* Generic method for adding a blackboard artifact to the blackboard
*
* @param type is a blackboard.artifact_type enum to determine which type the artifact should be
* @param content is the FsContent object that needs to have the artifact added for it
* @param bbattributes is the collection of blackboard attributes that need to be added to the
* artifact after the artifact has been created
*/
public void addArtifact(
BlackboardArtifact.ARTIFACT_TYPE type,
FsContent content,
Collection<BlackboardAttribute> bbattributes) {
try {
BlackboardArtifact bbart = content.newArtifact(type);
bbart.addAttributes(bbattributes);
} catch (TskException ex) {
logger.log(Level.SEVERE, "Error while trying to add an artifact: " + ex);
}
}
/**
* Generic method for adding a blackboard artifact to the blackboard
*
* @param type is a blackboard.artifact_type enum to determine which type the artifact should be
* @param content is the FsContent object that needs to have the artifact added for it
* @param bbattributes is the collection of blackboard attributes that need to be added to the
* artifact after the artifact has been created
*/
public void addArtifact(
BlackboardArtifact.ARTIFACT_TYPE type,
FsContent content,
Collection<BlackboardAttribute> bbattributes) {
try {
BlackboardArtifact bbart = content.newArtifact(type);
bbart.addAttributes(bbattributes);
} catch (TskException ex) {
logger.log(Level.WARNING, "Error while trying to add an artifact: " + ex);
this.addErrorMessage(
this.getName()
+ ": Error while trying to add artifact to case for file:"
+ content.getName());
}
}
/**
* Create a tag for a file with TSK_TAG_NAME as tagName.
*
* @param file to create tag for
* @param tagName TSK_TAG_NAME
* @param comment the tag comment, or null if not present
*/
public static void createTag(AbstractFile file, String tagName, String comment) {
try {
final BlackboardArtifact bookArt =
file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE);
List<BlackboardAttribute> attrs = new ArrayList<BlackboardAttribute>();
BlackboardAttribute attr1 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TAG_NAME.getTypeID(), "", tagName);
attrs.add(attr1);
if (comment != null && !comment.isEmpty()) {
BlackboardAttribute attr2 =
new BlackboardAttribute(
BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT.getTypeID(), "", comment);
attrs.add(attr2);
}
bookArt.addAttributes(attrs);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Failed to create tag for " + file.getName());
}
}
/** Search for bookmark files and make artifacts. */
private void getBookmark() {
FileManager fileManager = currentCase.getServices().getFileManager();
List<AbstractFile> bookmarkFiles = null;
try {
bookmarkFiles = fileManager.findFiles(dataSource, "Bookmarks", "Chrome"); // NON-NLS
} catch (TskCoreException ex) {
String msg =
NbBundle.getMessage(this.getClass(), "Chrome.getBookmark.errMsg.errGettingFiles");
logger.log(Level.SEVERE, msg, ex);
this.addErrorMessage(this.getName() + ": " + msg);
return;
}
if (bookmarkFiles.isEmpty()) {
logger.log(Level.INFO, "Didn't find any Chrome bookmark files."); // NON-NLS
return;
}
dataFound = true;
int j = 0;
while (j < bookmarkFiles.size()) {
AbstractFile bookmarkFile = bookmarkFiles.get(j++);
if (bookmarkFile.getSize() == 0) {
continue;
}
String temps =
RAImageIngestModule.getRATempPath(currentCase, "chrome")
+ File.separator
+ bookmarkFile.getName().toString()
+ j
+ ".db"; // NON-NLS
try {
ContentUtils.writeToFile(bookmarkFile, new File(temps));
} catch (IOException ex) {
logger.log(
Level.SEVERE,
"Error writing temp sqlite db for Chrome bookmark artifacts.{0}",
ex); // NON-NLS
this.addErrorMessage(
NbBundle.getMessage(
this.getClass(),
"Chrome.getBookmark.errMsg.errAnalyzingFile",
this.getName(),
bookmarkFile.getName()));
continue;
}
logger.log(
Level.INFO,
"{0}- Now getting Bookmarks from {1}",
new Object[] {moduleName, temps}); // NON-NLS
File dbFile = new File(temps);
if (context.dataSourceIngestIsCancelled()) {
dbFile.delete();
break;
}
FileReader tempReader;
try {
tempReader = new FileReader(temps);
} catch (FileNotFoundException ex) {
logger.log(
Level.SEVERE,
"Error while trying to read into the Bookmarks for Chrome.",
ex); // NON-NLS
this.addErrorMessage(
NbBundle.getMessage(
this.getClass(),
"Chrome.getBookmark.errMsg.errAnalyzeFile",
this.getName(),
bookmarkFile.getName()));
continue;
}
final JsonParser parser = new JsonParser();
JsonElement jsonElement;
JsonObject jElement, jRoot, jBookmark;
JsonArray jBookmarkArray;
try {
jsonElement = parser.parse(tempReader);
jElement = jsonElement.getAsJsonObject();
jRoot = jElement.get("roots").getAsJsonObject(); // NON-NLS
jBookmark = jRoot.get("bookmark_bar").getAsJsonObject(); // NON-NLS
jBookmarkArray = jBookmark.getAsJsonArray("children"); // NON-NLS
} catch (JsonIOException | JsonSyntaxException | IllegalStateException ex) {
logger.log(Level.WARNING, "Error parsing Json from Chrome Bookmark.", ex); // NON-NLS
this.addErrorMessage(
NbBundle.getMessage(
this.getClass(),
"Chrome.getBookmark.errMsg.errAnalyzingFile3",
this.getName(),
bookmarkFile.getName()));
continue;
}
for (JsonElement result : jBookmarkArray) {
JsonObject address = result.getAsJsonObject();
if (address == null) {
continue;
}
JsonElement urlEl = address.get("url"); // NON-NLS
String url;
if (urlEl != null) {
url = urlEl.getAsString();
} else {
url = "";
}
String name;
JsonElement nameEl = address.get("name"); // NON-NLS
if (nameEl != null) {
name = nameEl.getAsString();
} else {
name = "";
}
Long date;
JsonElement dateEl = address.get("date_added"); // NON-NLS
if (dateEl != null) {
date = dateEl.getAsLong();
} else {
date = Long.valueOf(0);
}
String domain = Util.extractDomain(url);
try {
BlackboardArtifact bbart = bookmarkFile.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
Collection<BlackboardAttribute> bbattributes = new ArrayList<>();
// TODO Revisit usage of deprecated constructor as per TSK-583
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_URL.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
url));
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
name));
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_DATETIME_CREATED.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
(date / 1000000) - Long.valueOf("11644473600")));
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
NbBundle.getMessage(this.getClass(), "Chrome.moduleName")));
bbattributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
domain));
bbart.addAttributes(bbattributes);
} catch (TskCoreException ex) {
logger.log(
Level.SEVERE,
"Error while trying to insert Chrome bookmark artifact{0}",
ex); // NON-NLS
this.addErrorMessage(
NbBundle.getMessage(
this.getClass(),
"Chrome.getBookmark.errMsg.errAnalyzingFile4",
this.getName(),
bookmarkFile.getName()));
}
}
dbFile.delete();
}
IngestServices.getInstance()
.fireModuleDataEvent(
new ModuleDataEvent(
NbBundle.getMessage(this.getClass(), "Chrome.parentModuleName"),
BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK));
}
@Override
public KeywordCachedArtifact writeSingleFileHitsToBlackBoard(
String termHit, KeywordHit hit, String snippet, String listName) {
BlackboardArtifact newArtifact;
Collection<BlackboardAttribute> attributes = new ArrayList<>();
if (keyword.getType() == ATTRIBUTE_TYPE.TSK_CARD_NUMBER) {
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE, MODULE_NAME, Account.Type.CREDIT_CARD.name()));
Map<BlackboardAttribute.Type, BlackboardAttribute> parsedTrackAttributeMap = new HashMap<>();
// try to match it against the track 1 regex
Matcher matcher = TRACK1_PATTERN.matcher(hit.getSnippet());
if (matcher.find()) {
parseTrack1Data(parsedTrackAttributeMap, matcher);
}
// then try to match it against the track 2 regex
matcher = TRACK2_PATTERN.matcher(hit.getSnippet());
if (matcher.find()) {
parseTrack2Data(parsedTrackAttributeMap, matcher);
}
// if we couldn't parse the CCN abort this artifact
final BlackboardAttribute ccnAttribute =
parsedTrackAttributeMap.get(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_CARD_NUMBER));
if (ccnAttribute == null || StringUtils.isBlank(ccnAttribute.getValueString())) {
if (hit.isArtifactHit()) {
LOGGER.log(
Level.SEVERE,
String.format(
"Failed to parse credit card account number for artifact keyword hit: term = %s, snippet = '%s', artifact id = %d",
termHit, hit.getSnippet(), hit.getArtifact().getArtifactID()));
} else {
LOGGER.log(
Level.SEVERE,
String.format(
"Failed to parse credit card account number for content keyword hit: term = %s, snippet = '%s', object id = %d",
termHit, hit.getSnippet(), hit.getContent().getId()));
}
return null;
}
attributes.addAll(parsedTrackAttributeMap.values());
// look up the bank name, schem, etc from the BIN
final int bin = Integer.parseInt(ccnAttribute.getValueString().substring(0, 8));
CreditCards.BankIdentificationNumber binInfo = CreditCards.getBINInfo(bin);
if (binInfo != null) {
binInfo
.getScheme()
.ifPresent(
scheme ->
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_CARD_SCHEME, MODULE_NAME, scheme)));
binInfo
.getCardType()
.ifPresent(
cardType ->
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_CARD_TYPE, MODULE_NAME, cardType)));
binInfo
.getBrand()
.ifPresent(
brand ->
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_BRAND_NAME, MODULE_NAME, brand)));
binInfo
.getBankName()
.ifPresent(
bankName ->
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_BANK_NAME, MODULE_NAME, bankName)));
binInfo
.getBankPhoneNumber()
.ifPresent(
phoneNumber ->
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, MODULE_NAME, phoneNumber)));
binInfo
.getBankURL()
.ifPresent(
url ->
attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL, MODULE_NAME, url)));
binInfo
.getCountry()
.ifPresent(
country ->
attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COUNTRY, MODULE_NAME, country)));
binInfo
.getBankCity()
.ifPresent(
city ->
attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_CITY, MODULE_NAME, city)));
}
/* if the hit is from unused or unalocated blocks, record the
* KEYWORD_SEARCH_DOCUMENT_ID, so we can show just that chunk in the
* UI
*/
if (hit.getContent() instanceof AbstractFile) {
AbstractFile file = (AbstractFile) hit.getContent();
if (file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS
|| file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) {
attributes.add(
new BlackboardAttribute(
KEYWORD_SEARCH_DOCUMENT_ID, MODULE_NAME, hit.getSolrDocumentId()));
}
}
// make account artifact
try {
newArtifact = hit.getContent().newArtifact(ARTIFACT_TYPE.TSK_ACCOUNT);
} catch (TskCoreException tskCoreException) {
LOGGER.log(
Level.SEVERE, "Error adding bb artifact for account", tskCoreException); // NON-NLS
return null;
}
} else {
// regex match
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD, MODULE_NAME, termHit));
// regex keyword
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP, MODULE_NAME, keyword.getQuery()));
// make keyword hit artifact
try {
newArtifact = hit.getContent().newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT);
} catch (TskCoreException tskCoreException) {
LOGGER.log(
Level.SEVERE, "Error adding bb artifact for keyword hit", tskCoreException); // NON-NLS
return null;
}
}
if (StringUtils.isNotBlank(listName)) {
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, listName));
}
// preview
if (snippet != null) {
attributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW, MODULE_NAME, snippet));
}
if (hit.isArtifactHit()) {
attributes.add(
new BlackboardAttribute(
ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
MODULE_NAME,
hit.getArtifact().getArtifactID()));
}
try {
// TODO: do we still/really need this KeywordCachedArtifact class?
newArtifact.addAttributes(attributes);
KeywordCachedArtifact writeResult = new KeywordCachedArtifact(newArtifact);
writeResult.add(attributes);
return writeResult;
} catch (TskCoreException e) {
LOGGER.log(
Level.SEVERE, "Error adding bb attributes for terms search artifact", e); // NON-NLS
return null;
}
}