
Update prefetch recent activity #7989

Merged: bcarrier merged 9 commits into sleuthkit:develop from markmckinnon:Update-Prefetch-Recent-Activity on Apr 6, 2026
Contributor

markmckinnon commented Nov 25, 2025

Update prefetch recent activity parser

Summary by CodeRabbit

  • New Features
    • Expanded prefetch analysis to natively support Windows, Linux, and macOS across x64 and aarch64 processor architectures with refined parsing configuration.
    • Added operating system detection utilities to enhance system compatibility checks.

markmckinnon and others added 9 commits October 25, 2025 12:10
Program will parse prefetch and other artifacts so no need for multiple programs anymore for different artifacts. Programs will also support the following architectures, Windows, macOS and Linux for Intel platform and macOS and Raspberry Pi for Aarch platform.
Remove double __ in name
Add functions to check if the OS is macos or linux or
Add different OSes and architectures to run prefetch module on.
Update JNA
change from macos to mac to determine if macos platform
Update comments
Member

bcarrier commented Apr 6, 2026

@coderabbitai review


coderabbitai Bot commented Apr 6, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


coderabbitai Bot commented Apr 6, 2026

📝 Walkthrough

Two files are enhanced: PlatformUtil gains public OS-detection helper methods, while ExtractPrefetch is updated to select platform-specific and architecture-specific prefetch parser binaries and adjust command-line invocation arguments accordingly.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| OS Detection Utilities: `Core/src/org/sleuthkit/autopsy/coreutils/PlatformUtil.java` | Added public static methods `isLinuxOS()` and `isMacOS()` for simplified OS detection. |
| Platform-Specific Tool Selection: `RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java` | Replaced single tool constants with five architecture-specific prefetch parser binaries (x64 Windows, x64/aarch64 Linux, x64/aarch64 macOS); updated `getPathForPrefetchDumper()` to branch on OS type and CPU architecture; modified `parsePrefetchFiles()` command-line arguments to include `-a prefetch -f <prefetchDir> -db` flags. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 A rabbit hops from platform to platform with glee,
Windows, Linux, Mac—now supporting all three!
With aarch64 and x64 in tow,
The prefetch parser knows just where to go,
Multi-arch binaries make testing a breeze! 🎉

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'Update prefetch recent activity' directly summarizes the main change: updating the prefetch parser in the recent activity module with multi-OS and multi-architecture support. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 PMD (7.23.0)
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java

[ERROR] Cannot load ruleset rulesets/java/basic.xml/SimplifiedTernary: Cannot resolve rule/ruleset reference 'rulesets/java/basic.xml/SimplifiedTernary'. Make sure the resource is a valid file or URL and is on the CLASSPATH. Use --debug (or a fine log level) to see the current classpath.
[WARN] Progressbar rendering conflicts with reporting to STDOUT. No progressbar will be shown. Try running with argument -r to output the report to a file instead.

Core/src/org/sleuthkit/autopsy/coreutils/PlatformUtil.java

[ERROR] Cannot load ruleset rulesets/java/basic.xml/SimplifiedTernary: Cannot resolve rule/ruleset reference 'rulesets/java/basic.xml/SimplifiedTernary'. Make sure the resource is a valid file or URL and is on the CLASSPATH. Use --debug (or a fine log level) to see the current classpath.
[WARN] Progressbar rendering conflicts with reporting to STDOUT. No progressbar will be shown. Try running with argument -r to output the report to a file instead.



@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java (1)

223-249: ⚠️ Potential issue | 🟠 Major

Potential NullPointerException if OS is unrecognized.

If none of the OS conditions match (e.g., an unexpected OS name or a BSD variant), path remains null and line 241 will throw a NullPointerException when calling path.toString().

🐛 Proposed fix: Add null check before using path
         } else if (PlatformUtil.isMacOS()) {
             if ("aarch64".equals(PlatformUtil.getOSArch())) {
                 path = Paths.get(PREFETCH_TOOL_FOLDER, PREFETCH_TOOL_NAME_AARCH64_MACOS);
             } else {
                 path = Paths.get(PREFETCH_TOOL_FOLDER, PREFETCH_TOOL_NAME_X64_MACOS);                
             }
             
         }
+        
+        if (path == null) {
+            logger.log(Level.SEVERE, "Unsupported operating system: " + PlatformUtil.getOSName()); //NON-NLS
+            return null;
+        }
+        
         File prefetchToolFile = InstalledFileLocator.getDefault().locate(path.toString(),
                 ExtractPrefetch.class.getPackage().getName(), false);
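
Review bot: the added `path == null` guard only catches an unrecognized OS; in the macOS branch directly above it, the `else` arm still maps every architecture other than "aarch64" to PREFETCH_TOOL_NAME_X64_MACOS, so an unexpected architecture string selects the x64 binary and never reaches the guard. Consider matching the x64 value explicitly and leaving path null otherwise, and add PlatformUtil.getOSArch() to the log message so the unsupported OS/architecture pair is identifiable. Because this path now returns null, confirm that every caller of the method handles a null result before building the command line.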
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java`
around lines 223 - 249, getPathForPrefetchDumper currently can leave local
variable path null for unrecognized OSes, causing a NullPointerException when
calling path.toString() for InstalledFileLocator.locate; update
getPathForPrefetchDumper to check if path is null before calling
InstalledFileLocator.locate (e.g., return null or log an unsupported OS via
process logger) and only call InstalledFileLocator.locate when path is non-null
so the method safely handles unknown OS/arch combinations.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7f5925f1-ed9c-4eac-91d6-579a0d388d91

📥 Commits

Reviewing files that changed from the base of the PR and between 1775aa0 and 7cc7bd6.

⛔ Files ignored due to path filters (2)
  • thirdparty/markmckinnon/mm_artifact_parser_x64_win.exe is excluded by !**/*.exe
  • thirdparty/markmckinnon/parse_prefetch.exe is excluded by !**/*.exe
📒 Files selected for processing (7)
  • Core/src/org/sleuthkit/autopsy/coreutils/PlatformUtil.java
  • RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractPrefetch.java
  • thirdparty/markmckinnon/mm_artifact_parser_aarch64_linux
  • thirdparty/markmckinnon/mm_artifact_parser_aarch64_macos
  • thirdparty/markmckinnon/mm_artifact_parser_x64_linux
  • thirdparty/markmckinnon/mm_artifact_parser_x64_macos
  • thirdparty/markmckinnon/parse_prefetch_linux
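
The fall-through flagged in the review above (an OS or architecture that matches no branch) can be avoided with an explicit lookup that returns empty for any unlisted pair. This is an added example, not code from the PR or from Autopsy: the class name `PrefetchToolResolver` and the lookup keys are hypothetical, the binary names are assumed from the PR's file list, and it reads `os.name`/`os.arch` directly rather than going through `PlatformUtil`.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

/** Added example: fail-closed lookup of a bundled parser binary by OS and CPU architecture. */
public final class PrefetchToolResolver {

    // Assumption: file names come from the PR's file list; the "os/arch" keys are this example's own.
    private static final Map<String, String> TOOLS = Map.of(
            "windows/x64", "mm_artifact_parser_x64_win.exe",
            "linux/x64", "mm_artifact_parser_x64_linux",
            "linux/aarch64", "mm_artifact_parser_aarch64_linux",
            "macos/x64", "mm_artifact_parser_x64_macos",
            "macos/aarch64", "mm_artifact_parser_aarch64_macos");

    /** Normalizes an os.name value; returns null for an OS family with no bundled binary. */
    static String osFamily(String osName) {
        String n = osName.toLowerCase(Locale.ROOT);
        if (n.startsWith("windows")) return "windows";
        if (n.startsWith("linux")) return "linux";
        if (n.startsWith("mac")) return "macos";
        return null;
    }

    /** Normalizes an os.arch value; JVMs report x64 as "amd64" or "x86_64" depending on platform. */
    static String cpuArch(String osArch) {
        String a = osArch.toLowerCase(Locale.ROOT);
        if (a.equals("amd64") || a.equals("x86_64")) return "x64";
        if (a.equals("aarch64")) return "aarch64";
        return null; // anything else is rejected instead of defaulting to x64
    }

    /** Returns the tool file name, or empty when the OS/arch pair has no bundled binary. */
    public static Optional<String> resolve(String osName, String osArch) {
        String os = osFamily(osName);
        String arch = cpuArch(osArch);
        if (os == null || arch == null) return Optional.empty();
        return Optional.ofNullable(TOOLS.get(os + "/" + arch));
    }

    public static void main(String[] args) {
        // First call uses the running JVM; the remaining inputs are constructed samples.
        System.out.println(resolve(System.getProperty("os.name"), System.getProperty("os.arch")));
        System.out.println(resolve("Mac OS X", "x86_64"));
        System.out.println(resolve("Windows 11", "aarch64")); // pair absent from the table
        System.out.println(resolve("FreeBSD", "amd64"));      // OS family absent from the table
    }
}
```

A caller would log the unsupported pair and skip the prefetch step when `resolve` returns empty, so no path is ever built from a null or guessed binary name.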

@bcarrier bcarrier merged commit 77b9304 into sleuthkit:develop Apr 6, 2026
1 check passed
@coderabbitai coderabbitai Bot mentioned this pull request Apr 6, 2026