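    /**
     * The run() method is where the module's work is performed.
     * The module will be passed a pointer to a file from which both
     * content and metadata can be retrieved. The whole content is read
     * once to count its bytes, and the count is posted to the file's
     * general-info artifact as a "ByteCount" attribute.
     *
     * The file is opened here and closed on every exit path, including
     * when read() throws, so a failing read does not leak the handle.
     *
     * @param pFile A pointer to a file to be processed.
     * @returns TskModule::OK on success and TskModule::FAIL on error
     *          (NULL pointer, file does not exist, or a TskException /
     *          std::exception raised by the framework).
     */
    TskModule::Status TSK_MODULE_EXPORT run(TskFile * pFile)
    {
        if (pFile == NULL)
        {
            LOGERROR(L"CalcFileSizeModule module passed NULL file pointer.");
            return TskModule::FAIL;
        }

        try
        {
            if (!pFile->exists())
            {
                std::wstringstream msg;
                msg << L"File to be analyzed does not exist: " << pFile->getPath().c_str();
                LOGERROR(msg.str());
                return TskModule::FAIL;
            }

            // Open file.
            pFile->open();

            // 64-bit so that files larger than 2 GiB do not overflow the count
            // (a plain 'long' is only 32 bits on LLP64 platforms such as Windows).
            uint64_t totalBytes = 0;

            try
            {
                char buffer[FILE_BUFFER_SIZE];
                // NOTE(review): assumes read() returns a signed byte count with
                // 0 meaning end of file — confirm against TskFile::read.
                int bytesRead = 0;

                // Consume the file content. Only the byte count is kept, the
                // buffer contents are never inspected, so no clearing is needed.
                do
                {
                    bytesRead = pFile->read(buffer, FILE_BUFFER_SIZE);
                    if (bytesRead > 0)
                    {
                        totalBytes += static_cast<uint64_t>(bytesRead);
                    }
                } while (bytesRead > 0);
            }
            catch (...)
            {
                // Release the handle before the outer handlers log the
                // original exception; the original exception is rethrown.
                pFile->close();
                throw;
            }

            // Close file as soon as reading is done; posting to the
            // blackboard does not need it open.
            pFile->close();

            // Post the file size to the blackboard
            TskBlackboardArtifact genInfo = pFile->getGenInfo();

            TskBlackboardAttribute attr(static_cast<int>(TSK_VALUE), "CalcFileSizeModule", "ByteCount", totalBytes);
            genInfo.addAttribute(attr);
        }
        catch (TskException& tskEx)
        {
            std::wstringstream msg;
            msg << L"CalcFileSizeModule - Caught framework exception: " << tskEx.what();
            LOGERROR(msg.str());
            return TskModule::FAIL;
        }
        catch (std::exception& ex)
        {
            std::wstringstream msg;
            msg << L"CalcFileSizeModule - Caught exception: " << ex.what();
            LOGERROR(msg.str());
            return TskModule::FAIL;
        }
        return TskModule::OK;
    }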
    /**
     * Module execution function. Looks for files matching the criteria specified in the 
     * configuration file and posts its findings to the blackboard.
     *
     * Each condition of each configured file set is run as a file-id query
     * against the image database; every hit receives a TSK_INTERESTING_FILE_HIT
     * artifact carrying the set's description and name as a TSK_SET_NAME attribute.
     *
     * @returns Returns TskModule::FAIL if an error occurs, TskModule::OK otherwise.
     */
    TSK_MODULE_EXPORT TskModule::Status report()
    {
        const std::string MSG_PREFIX = "InterestingFilesModule::report : ";

        // Initialization failed. The reason why was already logged in initialize().
        if (configFilePath.empty())
        {
            return TskModule::FAIL;
        }

        TskModule::Status result = TskModule::OK;

        typedef std::vector<InterestingFilesSet>::const_iterator SetIter;
        typedef std::vector<string>::const_iterator CondIter;
        typedef vector<uint64_t>::const_iterator IdIter;

        try
        {
            for (SetIter setIt = fileSets.begin(); setIt != fileSets.end(); ++setIt)
            {
                for (CondIter condIt = setIt->conditions.begin(); condIt != setIt->conditions.end(); ++condIt)
                {
                    const vector<uint64_t> hits = TskServices::Instance().getImgDB().getFileIds(*condIt);

                    for (IdIter idIt = hits.begin(); idIt != hits.end(); ++idIt)
                    {
                        TskBlackboardArtifact hitArtifact =
                            TskServices::Instance().getBlackboard().createArtifact(*idIt, TSK_INTERESTING_FILE_HIT);
                        TskBlackboardAttribute setName(TSK_SET_NAME, "InterestingFiles", setIt->description, setIt->name);
                        hitArtifact.addAttribute(setName);
                    }
                }
            }
        }
        catch (TskException &ex)
        {
            result = TskModule::FAIL;
            std::ostringstream text;
            text << MSG_PREFIX << "TskException: " << ex.message();
            LOGERROR(text.str());
        }
        catch (Poco::Exception &ex)
        {
            result = TskModule::FAIL;
            std::ostringstream text;
            text << MSG_PREFIX << "Poco::Exception: " << ex.displayText();
            LOGERROR(text.str());
        }
        catch (std::exception &ex)
        {
            result = TskModule::FAIL;
            std::ostringstream text;
            text << MSG_PREFIX << "std::exception: " << ex.what();
            LOGERROR(text.str());
        }
        catch (...)
        {
            result = TskModule::FAIL;
            LOGERROR(MSG_PREFIX + "unrecognized exception");
        }

        return result;
    }
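    /**
     * Reads the value of one tag from the GPS IFD into a caller-supplied buffer.
     * The buffer is zero-filled first, so it is always a valid C string even
     * when the tag is absent. Looking only in the GPS IFD matters because the
     * small GPS tag ids are reused with other meanings in other IFDs.
     *
     * @param exifData Parsed EXIF block (libexif); must not be NULL.
     * @param tag      GPS tag to fetch (e.g. EXIF_TAG_GPS_LATITUDE_REF).
     * @param buf      Destination buffer.
     * @param len      Size of buf in bytes.
     * @returns true if the tag was present in the GPS IFD, false otherwise.
     */
    static bool readGpsTagValue(ExifData * exifData, ExifTag tag, char * buf, unsigned int len)
    {
        memset(buf, 0, len);
        ExifEntry * entry = exif_content_get_entry(exifData->ifd[EXIF_IFD_GPS], tag);
        if (entry == NULL)
            return false;
        exif_entry_get_value(entry, buf, len);
        return true;
    }

    /* Function to populate TSK Blackboard exif related attributes */
    /**
     * Walks tagMap, reads every EXIF tag present in exifData and posts the
     * values as attributes of a TSK_METADATA_EXIF artifact on pFile.
     * GPS latitude/longitude are signed using their *_REF tags (S and W are
     * negative); GPS speed is normalised to metres per second using
     * GPSSpeedRef; DateTimeOriginal (optionally combined with TimeZoneOffset)
     * is converted to a UTC TSK_DATETIME. No artifact is created when no tag
     * produced an attribute.
     *
     * @param exifData Parsed EXIF block (libexif); must not be NULL.
     * @param pFile    File the artifact is attached to.
     */
    void extractExifData(ExifData * exifData, TskFile * pFile)
    {
        std::vector<TskBlackboardAttribute> attrs;
        std::string datetime;
        int timeZoneOffsetHours = 0;
        // Distinguishes an explicit 0-hour offset from "tag not present".
        bool haveTimeZoneOffset = false;

        char tag_data[256];
        char refValue[2];

        for (std::map<ExifTag, TSK_ATTRIBUTE_TYPE>::iterator it = tagMap.begin(); it != tagMap.end(); ++it)
        {
            const ExifTag tag = it->first;
            ExifEntry * exifEntry = exif_data_get_entry(exifData, tag);

            if (exifEntry == NULL)
                continue;

            memset(tag_data, 0, sizeof(tag_data));

            if (tag == EXIF_TAG_GPS_LATITUDE || tag == EXIF_TAG_GPS_LONGITUDE)
            {
                // Check for the EXIF_IFD_GPS image file directory to avoid interoperability value
                if (exif_entry_get_ifd(exifEntry) != EXIF_IFD_GPS)
                    continue;

                exif_entry_get_value(exifEntry, tag_data, sizeof(tag_data));

                float decDegrees = getDecimalDegrees(tag_data);

                // The hemisphere is carried by the companion *_REF tag, not by
                // the coordinate tag itself; southern / western values are negative.
                const ExifTag refTag = (tag == EXIF_TAG_GPS_LATITUDE) ? EXIF_TAG_GPS_LATITUDE_REF : EXIF_TAG_GPS_LONGITUDE_REF;
                const char * negativeRef = (tag == EXIF_TAG_GPS_LATITUDE) ? "S" : "W";

                if (readGpsTagValue(exifData, refTag, refValue, sizeof(refValue)) &&
                    strcmp(refValue, negativeRef) == 0)
                {
                    decDegrees *= -1;
                }

                TskBlackboardAttribute attr(it->second, name(), "", decDegrees);
                attrs.push_back(attr);
            }
            else if (tag == EXIF_TAG_GPS_SPEED)
            {
                // Check for the EXIF_IFD_GPS image file directory to avoid interoperability value
                if (exif_entry_get_ifd(exifEntry) != EXIF_IFD_GPS)
                    continue;

                //Get the GPS speed value
                exif_entry_get_value(exifEntry, tag_data, sizeof(tag_data));

                float speed = getGPSSpeed(tag_data);

                // GPSSpeedRef names the unit; convert everything to metres per second.
                if (readGpsTagValue(exifData, EXIF_TAG_GPS_SPEED_REF, refValue, sizeof(refValue)))
                {
                    if (strcmp(refValue, "K") == 0)
                    {
                        // Kilometers per hour
                        speed *= 0.277778;
                    }
                    else if (strcmp(refValue, "M") == 0)
                    {
                        // Miles per hour
                        speed *= 0.44704;
                    }
                    else if (strcmp(refValue, "N") == 0)
                    {
                        // Knots
                        speed *= 0.514444;
                    }
                }

                TskBlackboardAttribute attr(it->second, name(), "", speed);
                attrs.push_back(attr);
            }
            else if (tag == EXIF_TAG_DATE_TIME_ORIGINAL)
            {
                exif_entry_get_value(exifEntry, tag_data, sizeof(tag_data));
                datetime = std::string(tag_data);
            }
            else if (tag == EXIF_TAG_TIME_ZONE_OFFSET)
            {
                exif_entry_get_value(exifEntry, tag_data, sizeof(tag_data));
                timeZoneOffsetHours = atoi(tag_data);
                haveTimeZoneOffset = true;
            }
            else
            {
                // Get the tag's data
                exif_entry_get_value(exifEntry, tag_data, sizeof(tag_data));

                // Add tag data to blackboard
                TskBlackboardAttribute attr(it->second, name(), "", tag_data);
                attrs.push_back(attr);
            }
        }

        if (!datetime.empty())
        {
            Poco::DateTime parsedDT;
            int tzd = 0;

            // Only post a timestamp when the string actually parsed; otherwise
            // parsedDT would still hold its default-constructed value and a
            // meaningless time would be attached to the file.
            if (Poco::DateTimeParser::tryParse(datetime, parsedDT, tzd))
            {
                // makeUTC() takes the differential in seconds, while the EXIF
                // TimeZoneOffset tag is expressed in hours.
                if (haveTimeZoneOffset)
                    parsedDT.makeUTC(timeZoneOffsetHours * 3600);
                else
                    parsedDT.makeUTC(tzd);

                TskBlackboardAttribute attr(TSK_DATETIME, name(), "", static_cast<uint64_t>(parsedDT.utcTime()));
                attrs.push_back(attr);
            }
        }

        if (!attrs.empty())
        {
            TskBlackboardArtifact art = pFile->createArtifact(TSK_METADATA_EXIF);
            for (std::vector<TskBlackboardAttribute>::iterator a = attrs.begin(); a != attrs.end(); ++a)
            {
                art.addAttribute(*a);
            }
        }
    }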