sleuthkit / autopsy

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
http://www.sleuthkit.org/autopsy/

Date-related errors with Recent Activity module #5946

Open lkfbr opened 4 years ago

lkfbr commented 4 years ago

Hello, I've encountered a quite confusing error with the Recent Activity module in 4.15. When it parses an image on a system with a non-US English locale, it does not parse all information, and multiple errors like these are produced in the log:

SEVERE: Failed to parse epoch time for installed program artifact.
java.text.ParseException: Unparseable date: "Thu Mar 21 19:17:32 2019"
    java.text.DateFormat.parse(DateFormat.java:366)
    org.sleuthkit.autopsy.recentactivity.ExtractRegistry.parseAutopsyPluginOutput(ExtractRegistry.java:741)
    org.sleuthkit.autopsy.recentactivity.ExtractRegistry.analyzeRegistryFiles(ExtractRegistry.java:319)
    org.sleuthkit.autopsy.recentactivity.ExtractRegistry.process(ExtractRegistry.java:1840)
    org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:127)
    org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:200)
    org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:113)
    org.sleuthkit.autopsy.ingest.DataSourceIngestJob.process(DataSourceIngestJob.java:744)
    org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)
    org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:926)
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)
WARNING: The Accessed Time format in history file seems invalid 17.03.2019 20:30:00
java.text.ParseException: Unparseable date: "17.03.2019 20:30:00"
    java.text.DateFormat.parse(DateFormat.java:366)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.getCookieArtifact(ExtractEdge.java:645)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.getCookies(ExtractEdge.java:442)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.processWebCacheDbFile(ExtractEdge.java:237)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.process(ExtractEdge.java:171)
    org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:127)
    org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:200)
    org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:113)
    org.sleuthkit.autopsy.ingest.DataSourceIngestJob.process(DataSourceIngestJob.java:744)
    org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)
    org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:926)
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)

When I change the locale to US English or add -J-Duser.language=en to default_options in autopsy.conf, there are no such errors and I get correct results from Recent Activity.

beyefendi commented 4 years ago

Use itemMtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy", Locale.getDefault()).parse(mTimeAttr).getTime();

instead of itemMtime = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse(mTimeAttr).getTime();

lkfbr commented 4 years ago

@beyefendi that would solve only the first error. In the second case the formatter is completely different from the value it's trying to parse:

private static final SimpleDateFormat DATE_FORMATTER = new SimpleDateFormat("MM/dd/yyyy hh:mm:ss a");

I guess the underlying tool uses the system locale, and thus so does the generated format.
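The two failure modes discussed in this thread are distinct, and an added example (not Autopsy's code) shows a defensive parser for each: pinning an English locale for timestamps that contain English day and month names, and trying a list of candidate patterns for dates that an external tool writes in the host locale. The class name and the candidate pattern list are assumptions, the patterns being taken from the log lines quoted above.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Added example, not Autopsy code: the two failure modes in this issue and one defensive parser for each.
public class LocaleSafeDateParsing {
    // Case 1: the registry plugin prints English day/month names, so the formatter
    // must be pinned to an English locale instead of the JVM default locale.
    static long parseEnglishTimestamp(String value) throws ParseException {
        SimpleDateFormat fmt = new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy", Locale.US);
        fmt.setLenient(false);
        return fmt.parse(value).getTime();
    }

    // Case 2: the external tool writes the date in the host locale, so no single
    // pattern fits. Candidate patterns (an assumption, taken from this thread's
    // log lines) are tried in order; distinct separators keep them from overlapping.
    private static final List<String> CANDIDATE_PATTERNS = Arrays.asList(
        "MM/dd/yyyy hh:mm:ss a",   // US-locale output
        "dd.MM.yyyy HH:mm:ss"      // dotted day.month.year output seen in the reports above
    );

    static long parseHostLocaleTimestamp(String value) throws ParseException {
        for (String pattern : CANDIDATE_PATTERNS) {
            SimpleDateFormat fmt = new SimpleDateFormat(pattern, Locale.US);
            fmt.setLenient(false);   // reject near-misses instead of silently shifting dates
            try {
                return fmt.parse(value).getTime();
            } catch (ParseException ignored) {
                // fall through to the next candidate
            }
        }
        throw new ParseException("No known pattern matches: " + value, 0);
    }

    public static void main(String[] args) throws ParseException {
        // Reproduce the reported failure: a German default locale cannot read English month names.
        Locale.setDefault(Locale.GERMANY);
        try {
            new SimpleDateFormat("EEE MMM d HH:mm:ss yyyy").parse("Thu Mar 21 19:17:32 2019");
        } catch (ParseException e) {
            System.out.println("Default-locale parse fails: " + e.getMessage());
        }
        System.out.println(parseEnglishTimestamp("Thu Mar 21 19:17:32 2019"));
        System.out.println(parseHostLocaleTimestamp("17.03.2019 20:30:00"));
        System.out.println(parseHostLocaleTimestamp("03/17/2019 08:30:00 PM"));
    }
}
```

The returned epoch values are interpreted in the JVM's default time zone, so an examiner comparing results across machines should also pin the time zone on the formatter.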

jonas-koeritz commented 3 years ago

Same error when running 4.17.0 on Windows 10 (German locale).

WARNING: The Accessed Time format in history file seems invalid 15.04.2020 12:04:40
java.text.ParseException: Unparseable date: "15.04.2020 12:04:40"
    java.text.DateFormat.parse(DateFormat.java:366)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.getHistoryArtifact(ExtractEdge.java:614)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.getHistory(ExtractEdge.java:339)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.processWebCacheDbFile(ExtractEdge.java:229)
    org.sleuthkit.autopsy.recentactivity.ExtractEdge.process(ExtractEdge.java:171)
    org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:133)
    org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:198)
    org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:111)
    org.sleuthkit.autopsy.ingest.IngestJobPipeline.process(IngestJobPipeline.java:943)
    org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)
    org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:961)
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    java.util.concurrent.FutureTask.run(FutureTask.java:266)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    java.lang.Thread.run(Thread.java:748)

APriestman commented 3 years ago

The errors coming from ExtractEdge should be fixed in the upcoming release.