Class FileAnalyzerOffice

java.lang.Object
me.mthw.forge.ingest.analyzer.Analyzer
me.mthw.forge.ingest.analyzer.file.FileAnalyzerOffice

public class FileAnalyzerOffice extends Analyzer
The FileAnalyzerOffice class is responsible for analyzing files to determine if they are encrypted Microsoft Office documents. It utilizes the Apache POI library to inspect the file's encryption details and creates corresponding blackboard attributes and artifacts for further processing.

This class extends the Analyzer class and provides specific implementations for processing Office files. It supports the detection of encryption mode, cipher algorithm, and hash algorithm used in encrypted Office documents.

Attributes Created:
- FORGE_OFFICE_MODE: Represents the encryption mode of the Office file.
- FORGE_OFFICE_CYPHER_ALG: Represents the cipher algorithm used.
- FORGE_OFFICE_HASH_ALG: Represents the hash algorithm used.

Exceptions:
- TskCoreException: Thrown if there is an error accessing the file's content.
- BlackboardException: Thrown if there is an error creating blackboard attributes or artifacts.
- IOException: Thrown if there is an error reading the file.
- UnsupportedOperationException: Thrown when attempting to process unsupported content types.
  • Constructor Details

    • FileAnalyzerOffice

      public FileAnalyzerOffice(org.sleuthkit.datamodel.BlackboardAttribute.Type mainAttribute, org.sleuthkit.datamodel.Blackboard blackboard, org.sleuthkit.autopsy.ingest.IngestJobContext context) throws org.sleuthkit.datamodel.Blackboard.BlackboardException
      Throws:
      org.sleuthkit.datamodel.Blackboard.BlackboardException
  • Method Details

    • process

      public boolean process(org.sleuthkit.datamodel.AbstractFile file) throws org.sleuthkit.datamodel.TskCoreException, org.sleuthkit.datamodel.Blackboard.BlackboardException, IOException
      Processes an AbstractFile to determine if it is an encrypted Office document, using the Apache POI library. If the file is an encrypted Office document, extracts the encryption details and creates the corresponding blackboard attributes and artifacts.
      Specified by:
      process in class Analyzer
      Parameters:
      file - The AbstractFile to be processed.
      Returns:
      true if the file is an encrypted Office document, false otherwise.
      Throws:
      org.sleuthkit.datamodel.TskCoreException - If there is an error accessing the file's content.
      org.sleuthkit.datamodel.Blackboard.BlackboardException - If there is an error creating blackboard attributes or artifacts.
      IOException - If there is an error reading the file.
    • createArtifact

      protected void createArtifact() throws org.sleuthkit.datamodel.Blackboard.BlackboardException
      Creates an artifact with predefined type and description for MS Office files.
      Specified by:
      createArtifact in class Analyzer
      Throws:
      org.sleuthkit.datamodel.Blackboard.BlackboardException - if there is an error during artifact creation.
    • createAttributes

      protected void createAttributes()
      Creates and populates the attributes map with specific attributes related to office file analysis. Each attribute represents a property of the office file, such as encryption mode, cipher algorithm, and hash algorithm.

      Attributes added:
      - FORGE_OFFICE_MODE: Represents the encryption mode of the office file.
      - FORGE_OFFICE_CYPHER_ALG: Represents the cipher algorithm used.
      - FORGE_OFFICE_HASH_ALG: Represents the hash algorithm used.
      Specified by:
      createAttributes in class Analyzer
    • process

      public boolean process(org.sleuthkit.datamodel.Volume volume)
      Processes the given volume. This method is not supported for the content type Volume and will always throw an UnsupportedOperationException.
      Specified by:
      process in class Analyzer
      Parameters:
      volume - The volume to be processed.
      Returns:
      true if the processing is successful, false otherwise.
      Throws:
      UnsupportedOperationException - if this method is called, as processing of content type Volume is not supported
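
The kind of check process(AbstractFile) describes can be sketched with Apache POI as follows. This is an added example, not the Forge implementation: the class OfficeEncryptionProbe and its methods are hypothetical, it covers only the encrypted OOXML case, and it assumes the Apache POI jars (poi and poi-ooxml) are on the classpath. The three returned values are the kind of data the FORGE_OFFICE_MODE, FORGE_OFFICE_CYPHER_ALG and FORGE_OFFICE_HASH_ALG attributes represent.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import org.apache.poi.poifs.crypt.EncryptionInfo;
import org.apache.poi.poifs.crypt.EncryptionMode;
import org.apache.poi.poifs.crypt.Encryptor;
import org.apache.poi.poifs.filesystem.FileMagic;
import org.apache.poi.poifs.filesystem.POIFSFileSystem;

// Hypothetical helper class; not part of the Forge code base.
public class OfficeEncryptionProbe {

    /** Returns {mode, cipher, hash} for an encrypted OOXML container, or null otherwise. */
    static String[] probe(byte[] content) throws IOException {
        InputStream in = FileMagic.prepareToCheckMagic(new ByteArrayInputStream(content));
        // An encrypted OOXML file is an OLE2 container, not a ZIP archive.
        if (FileMagic.valueOf(in) != FileMagic.OLE2) return null;
        try (POIFSFileSystem fs = new POIFSFileSystem(in)) {
            // Legacy .doc/.xls/.ppt are OLE2 too; encrypted OOXML adds this stream.
            if (!fs.getRoot().hasEntry("EncryptionInfo")) return null;
            EncryptionInfo info = new EncryptionInfo(fs);
            return new String[] { info.getEncryptionMode().name(),
                    info.getHeader().getCipherAlgorithm().name(),
                    info.getHeader().getHashAlgorithm().name() };
        }
    }

    /** Builds a constructed sample: an agile-encrypted container around dummy bytes. */
    static byte[] sample() throws IOException, GeneralSecurityException {
        try (POIFSFileSystem fs = new POIFSFileSystem()) {
            Encryptor enc = new EncryptionInfo(EncryptionMode.agile).getEncryptor();
            enc.confirmPassword("constructed-password");
            try (OutputStream os = enc.getDataStream(fs)) {
                os.write(new byte[64]); // placeholder payload, not a real document
            }
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            fs.writeFilesystem(out);
            return out.toByteArray();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(String.join(" / ", probe(sample())));
        // Constructed ZIP-style header: an unencrypted OOXML file is rejected by the magic check.
        System.out.println(probe(new byte[] {'P', 'K', 3, 4, 0, 0, 0, 0}));
    }
}
```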