mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 16:06:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'develop' of github.com:sleuthkit/autopsy into 7079-messagingDomains

Browse Source
This commit is contained in:
Greg DiCristofaro 2020-12-11 15:09:05 -05:00
commit 12fea8dbbf
13 changed files with 237 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
Core/src/org/sleuthkit/autopsy/contentviewers/artifactviewers/GeneralPurposeArtifactViewer.java
View File

@ -43,9 +43,11 @@ import org.openide.util.NbBundle;
import org.openide.util.lookup.ServiceProvider;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.ThreadConfined;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.autopsy.discovery.ui.AbstractArtifactDetailsPanel;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TimeUtilities;
import org.sleuthkit.datamodel.TskCoreException;
/**
@ -116,7 +118,7 @@ public class GeneralPurposeArtifactViewer extends AbstractArtifactDetailsPanel i
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Unable to get attributes for artifact " + artifact.getArtifactID(), ex);
}
updateView(artifact.getArtifactTypeID(), attributeMap, dataSourceName, sourceFileName);
updateView(artifact, attributeMap, dataSourceName, sourceFileName);
}
this.setLayout(this.gridBagLayout);
this.revalidate();
@ -195,7 +197,8 @@ public class GeneralPurposeArtifactViewer extends AbstractArtifactDetailsPanel i
* the artifact.
*/
@ThreadConfined(type = ThreadConfined.ThreadType.AWT)
private void updateView(Integer artifactTypeId, Map<Integer, List<BlackboardAttribute>> attributeMap, String dataSourceName, String sourceFileName) {
private void updateView(BlackboardArtifact artifact, Map<Integer, List<BlackboardAttribute>> attributeMap, String dataSourceName, String sourceFileName) {
final Integer artifactTypeId = artifact.getArtifactTypeID();
if (!(artifactTypeId < 1 || artifactTypeId >= Integer.MAX_VALUE)) {
addHeader(Bundle.GeneralPurposeArtifactViewer_details_attrHeader());
Integer[] orderingArray = orderingMap.get(artifactTypeId);
@ -206,13 +209,21 @@ public class GeneralPurposeArtifactViewer extends AbstractArtifactDetailsPanel i
List<BlackboardAttribute> attrList = attributeMap.remove(attrId);
if (attrList != null) {
for (BlackboardAttribute bba : attrList) {
addNameValueRow(bba.getAttributeType().getDisplayName(), bba.getDisplayString());
if (bba.getAttributeType().getTypeName().startsWith("TSK_DATETIME")) {
addNameValueRow(bba.getAttributeType().getDisplayName(), TimeUtilities.epochToTime(bba.getValueLong(), ContentUtils.getTimeZone(artifact)));
} else {
addNameValueRow(bba.getAttributeType().getDisplayName(), bba.getDisplayString());
}
}
}
}
for (int key : attributeMap.keySet()) {
for (BlackboardAttribute bba : attributeMap.get(key)) {
addNameValueRow(bba.getAttributeType().getDisplayName(), bba.getDisplayString());
if (bba.getAttributeType().getTypeName().startsWith("TSK_DATETIME")) {
addNameValueRow(bba.getAttributeType().getDisplayName(), TimeUtilities.epochToTime(bba.getValueLong(), ContentUtils.getTimeZone(artifact)));
} else {
addNameValueRow(bba.getAttributeType().getDisplayName(), bba.getDisplayString());
}
}
}
addHeader(Bundle.GeneralPurposeArtifactViewer_details_sourceHeader());

9
Core/src/org/sleuthkit/autopsy/discovery/search/Bundle.properties-MERGED
View File

@ -7,8 +7,8 @@ DiscoveryAttributes.GroupingAttributeType.interestingItem.displayName=Interestin
DiscoveryAttributes.GroupingAttributeType.keywordList.displayName=Keyword
DiscoveryAttributes.GroupingAttributeType.mostRecentDate.displayName=Most Recent Activity Date
DiscoveryAttributes.GroupingAttributeType.none.displayName=None
DiscoveryAttributes.GroupingAttributeType.numberOfVisits.displayName=Number of Visits
DiscoveryAttributes.GroupingAttributeType.object.displayName=Object Detected
DiscoveryAttributes.GroupingAttributeType.pageViews.displayName=Page Views
DiscoveryAttributes.GroupingAttributeType.parent.displayName=Parent Folder
DiscoveryAttributes.GroupingAttributeType.previouslyNotable.displayName=Previous Notability
DiscoveryAttributes.GroupingAttributeType.size.displayName=File Size
@ -25,10 +25,10 @@ DiscoveryKeyUtils.InterestingItemGroupKey.noSets=None
DiscoveryKeyUtils.KeywordListGroupKey.noKeywords=None
DiscoveryKeyUtils.MostRecentActivityDateGroupKey.noDate=No Date Available
DiscoveryKeyUtils.NoGroupingGroupKey.allFiles=All Files
# {0} - totalVisits
DiscoveryKeyUtils.NumberOfVisitsGroupKey.displayName={0} visits
DiscoveryKeyUtils.NumberOfVisitsGroupKey.noVisits=No visits
DiscoveryKeyUtils.ObjectDetectedGroupKey.noSets=None
# {0} - totalVisits
DiscoveryKeyUtils.PageViewsGroupKey.displayName={0} page views
DiscoveryKeyUtils.PageViewsGroupKey.noVisits=No page views
# {0} - domain
# {1} - artifactType
DomainSearchArtifactsRequest.toString.text=Domain: {0} ArtifactType: {1}
@ -53,6 +53,7 @@ FileSorter.SortingMethod.filetype.displayName=File Type
FileSorter.SortingMethod.frequency.displayName=Central Repo Frequency
FileSorter.SortingMethod.fullPath.displayName=Full Path
FileSorter.SortingMethod.keywordlist.displayName=Keyword List Names
FileSorter.SortingMethod.pageViews.displayName=Page Views
ResultFile.score.interestingResult.description=At least one instance of the file has an interesting result associated with it.
ResultFile.score.notableFile.description=At least one instance of the file was recognized as notable.
ResultFile.score.notableTaggedFile.description=At least one instance of the file is tagged with a notable tag.

17
Core/src/org/sleuthkit/autopsy/discovery/search/DiscoveryAttributes.java
View File

@ -730,13 +730,14 @@ public class DiscoveryAttributes {
}
/**
* Attribute for grouping/sorting by number of visits.
* Attribute for grouping/sorting domains by number of page views.
* Page views is defined at the number of TSK_WEB_HISTORY artifacts.
*/
static class NumberOfVisitsAttribute extends AttributeType {
static class PageViewsAttribute extends AttributeType {
@Override
public DiscoveryKeyUtils.GroupKey getGroupKey(Result result) {
return new DiscoveryKeyUtils.NumberOfVisitsGroupKey(result);
return new DiscoveryKeyUtils.PageViewsGroupKey(result);
}
}
@ -864,7 +865,7 @@ public class DiscoveryAttributes {
"DiscoveryAttributes.GroupingAttributeType.object.displayName=Object Detected",
"DiscoveryAttributes.GroupingAttributeType.mostRecentDate.displayName=Most Recent Activity Date",
"DiscoveryAttributes.GroupingAttributeType.firstDate.displayName=First Activity Date",
"DiscoveryAttributes.GroupingAttributeType.numberOfVisits.displayName=Number of Visits",
"DiscoveryAttributes.GroupingAttributeType.pageViews.displayName=Page Views",
"DiscoveryAttributes.GroupingAttributeType.none.displayName=None",
"DiscoveryAttributes.GroupingAttributeType.previouslyNotable.displayName=Previous Notability"})
public enum GroupingAttributeType {
@ -879,7 +880,7 @@ public class DiscoveryAttributes {
OBJECT_DETECTED(new ObjectDetectedAttribute(), Bundle.DiscoveryAttributes_GroupingAttributeType_object_displayName()),
MOST_RECENT_DATE(new MostRecentActivityDateAttribute(), Bundle.DiscoveryAttributes_GroupingAttributeType_mostRecentDate_displayName()),
FIRST_DATE(new FirstActivityDateAttribute(), Bundle.DiscoveryAttributes_GroupingAttributeType_firstDate_displayName()),
NUMBER_OF_VISITS(new NumberOfVisitsAttribute(), Bundle.DiscoveryAttributes_GroupingAttributeType_numberOfVisits_displayName()),
PAGE_VIEWS(new PageViewsAttribute(), Bundle.DiscoveryAttributes_GroupingAttributeType_pageViews_displayName()),
NO_GROUPING(new NoGroupingAttribute(), Bundle.DiscoveryAttributes_GroupingAttributeType_none_displayName()),
PREVIOUSLY_NOTABLE(new PreviouslyNotableAttribute(), Bundle.DiscoveryAttributes_GroupingAttributeType_previouslyNotable_displayName());
@ -928,7 +929,11 @@ public class DiscoveryAttributes {
* @return Enums that can be used to group files.
*/
public static List<GroupingAttributeType> getOptionsForGroupingForDomains() {
return Arrays.asList(FREQUENCY, MOST_RECENT_DATE, FIRST_DATE, NUMBER_OF_VISITS, PREVIOUSLY_NOTABLE);
if (CentralRepository.isEnabled()) {
return Arrays.asList(FREQUENCY, MOST_RECENT_DATE, FIRST_DATE, PAGE_VIEWS, PREVIOUSLY_NOTABLE);
} else {
return Arrays.asList(MOST_RECENT_DATE, FIRST_DATE, PAGE_VIEWS);
}
}
}

48
Core/src/org/sleuthkit/autopsy/discovery/search/DiscoveryKeyUtils.java
View File

@ -1260,12 +1260,14 @@ public class DiscoveryKeyUtils {
}
/**
* Key representing the number of visits.
* Key representing the number of page views.
* Page views are defined as the number of TSK_WEB_HISTORY artifacts that match
* a domain value.
*/
static class NumberOfVisitsGroupKey extends GroupKey {
static class PageViewsGroupKey extends GroupKey {
private final String displayName;
private final Long visits;
private final Long pageViews;
/**
* Construct a new NumberOfVisitsGroupKey.
@ -1274,19 +1276,19 @@ public class DiscoveryKeyUtils {
*/
@NbBundle.Messages({
"# {0} - totalVisits",
"DiscoveryKeyUtils.NumberOfVisitsGroupKey.displayName={0} visits",
"DiscoveryKeyUtils.NumberOfVisitsGroupKey.noVisits=No visits"})
NumberOfVisitsGroupKey(Result result) {
"DiscoveryKeyUtils.PageViewsGroupKey.displayName={0} page views",
"DiscoveryKeyUtils.PageViewsGroupKey.noVisits=No page views"})
PageViewsGroupKey(Result result) {
if (result instanceof ResultDomain) {
Long totalVisits = ((ResultDomain) result).getTotalVisits();
if (totalVisits == null) {
totalVisits = 0L;
Long totalPageViews = ((ResultDomain) result).getTotalPageViews();
if (totalPageViews == null) {
totalPageViews = 0L;
}
visits = totalVisits;
displayName = Bundle.DiscoveryKeyUtils_NumberOfVisitsGroupKey_displayName(Long.toString(visits));
pageViews = totalPageViews;
displayName = Bundle.DiscoveryKeyUtils_PageViewsGroupKey_displayName(Long.toString(pageViews));
} else {
displayName = Bundle.DiscoveryKeyUtils_NumberOfVisitsGroupKey_noVisits();
visits = -1L;
displayName = Bundle.DiscoveryKeyUtils_PageViewsGroupKey_noVisits();
pageViews = -1L;
}
}
@ -1301,12 +1303,12 @@ public class DiscoveryKeyUtils {
}
/**
* Get the number of visits this group is for.
* Get the number of page views this group is for.
*
* @return The number of visits this group is for.
* @return The number of page views this group is for.
*/
Long getVisits() {
return visits;
Long getPageViews() {
return pageViews;
}
@Override
@ -1315,19 +1317,19 @@ public class DiscoveryKeyUtils {
return true;
}
if (!(otherKey instanceof NumberOfVisitsGroupKey)) {
if (!(otherKey instanceof PageViewsGroupKey)) {
return false;
}
NumberOfVisitsGroupKey visitsKey = (NumberOfVisitsGroupKey) otherKey;
return visits.equals(visitsKey.getVisits());
PageViewsGroupKey pageViewsKey = (PageViewsGroupKey) otherKey;
return pageViews.equals(pageViewsKey.getPageViews());
}
@Override
public int compareTo(GroupKey otherGroupKey) {
if (otherGroupKey instanceof NumberOfVisitsGroupKey) {
NumberOfVisitsGroupKey visitsKey = (NumberOfVisitsGroupKey) otherGroupKey;
return Long.compare(getVisits(), visitsKey.getVisits());
if (otherGroupKey instanceof PageViewsGroupKey) {
PageViewsGroupKey pageViewsKey = (PageViewsGroupKey) otherGroupKey;
return Long.compare(getPageViews(), pageViewsKey.getPageViews());
} else {
return compareClassNames(otherGroupKey);
}

88
Core/src/org/sleuthkit/autopsy/discovery/search/DomainSearchArtifactsCache.java
View File

@ -20,21 +20,38 @@ package org.sleuthkit.autopsy.discovery.search;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.LoadingCache;
import com.google.common.eventbus.Subscribe;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.sleuthkit.autopsy.discovery.search.DiscoveryEventUtils.SearchStartedEvent;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
/**
* Caches artifact requests.
*/
public class DomainSearchArtifactsCache {
private static final int MAXIMUM_CACHE_SIZE = 500;
private static final LoadingCache<DomainSearchArtifactsRequest, List<BlackboardArtifact>> cache
private static final int MAXIMUM_CACHE_SIZE = 10;
private static final int TIME_TO_LIVE = 5; // In minutes
private static final LoadingCache<ArtifactCacheKey, Map<String, List<BlackboardArtifact>>> cache
= CacheBuilder.newBuilder()
.maximumSize(MAXIMUM_CACHE_SIZE)
.expireAfterWrite(TIME_TO_LIVE, TimeUnit.MINUTES)
.build(new DomainSearchArtifactsLoader());
// Listen for new search events. When this happens, we should invalidate all the
// entries in the cache. This, along with the 5 minutes expiration, ensures that
// searches get up to date results during ingest.
private static final NewSearchListener newSearchListener = new NewSearchListener();
static {
DiscoveryEventUtils.getDiscoveryEventBus().register(newSearchListener);
}
/**
* Get artifact instances that match the requested criteria. If the request
* is new, the results will be automatically loaded.
@ -51,12 +68,73 @@ public class DomainSearchArtifactsCache {
if (!typeName.startsWith("TSK_WEB")) {
throw new IllegalArgumentException("Only web artifacts are valid arguments. Type provided was " + typeName);
}
try {
return cache.get(request);
Map<String, List<BlackboardArtifact>> artifactsByDomain = cache.get(new ArtifactCacheKey(request));
final String normalizedDomain = request.getDomain().trim().toLowerCase();
return artifactsByDomain.getOrDefault(normalizedDomain, Collections.emptyList());
} catch (ExecutionException ex) {
//throwing a new exception with the cause so that interrupted exceptions and other causes can be checked inside our wrapper
throw new DiscoveryException("Error fetching artifacts from cache for " + request.toString(), ex.getCause());
}
}
/**
* Listener for new searches performed by the user.
*/
static class NewSearchListener {
@Subscribe
public void listenToSearchStartedEvent(SearchStartedEvent event) {
cache.invalidateAll();
}
}
/**
* Key to use for caching. Using only the artifact type and case reference
* will result in greater utilization of the cached artifact instances.
*/
class ArtifactCacheKey {
private final ARTIFACT_TYPE type;
private final SleuthkitCase caseDatabase;
private ArtifactCacheKey(DomainSearchArtifactsRequest request) {
this.type = request.getArtifactType();
this.caseDatabase = request.getSleuthkitCase();
}
ARTIFACT_TYPE getType() {
return this.type;
}
SleuthkitCase getSleuthkitCase() {
return this.caseDatabase;
}
@Override
public int hashCode() {
int hash = 7;
hash = 67 * hash + Objects.hashCode(this.type);
hash = 67 * hash + Objects.hashCode(this.caseDatabase);
return hash;
}
@Override
public boolean equals(Object obj) {
if (this == obj) {
return true;
}
if (obj == null || getClass() != obj.getClass()) {
return false;
}
final ArtifactCacheKey other = (ArtifactCacheKey) obj;
// The artifact type and case database references must be equal.
return this.type == other.type &&
Objects.equals(this.caseDatabase, other.caseDatabase);
}
}
}

48
Core/src/org/sleuthkit/autopsy/discovery/search/DomainSearchArtifactsLoader.java
View File

@ -19,46 +19,46 @@
package org.sleuthkit.autopsy.discovery.search;
import com.google.common.cache.CacheLoader;
import java.util.List;
import java.util.ArrayList;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute.Type;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
/**
* Loads artifacts for the given request. Searches TSK_DOMAIN and TSK_URL
* attributes for the requested domain name. TSK_DOMAIN is exact match (ignoring
* case). TSK_URL is sub-string match (ignoring case).
* Loads artifacts for the given request. Searches for TSK domain attributes and
* organizes artifacts by those values.
*/
public class DomainSearchArtifactsLoader extends CacheLoader<DomainSearchArtifactsRequest, List<BlackboardArtifact>> {
private static final Type TSK_DOMAIN = new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN);
private static final Type TSK_URL = new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_URL);
public class DomainSearchArtifactsLoader extends CacheLoader<DomainSearchArtifactsCache.ArtifactCacheKey, Map<String, List<BlackboardArtifact>>> {
private static final BlackboardAttribute.Type TSK_DOMAIN = new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN);
@Override
public List<BlackboardArtifact> load(DomainSearchArtifactsRequest artifactsRequest) throws TskCoreException, InterruptedException {
final SleuthkitCase caseDb = artifactsRequest.getSleuthkitCase();
final String normalizedDomain = artifactsRequest.getDomain().toLowerCase();
final List<BlackboardArtifact> artifacts = caseDb.getBlackboardArtifacts(artifactsRequest.getArtifactType());
final List<BlackboardArtifact> matchingDomainArtifacts = new ArrayList<>();
public Map<String, List<BlackboardArtifact>> load(DomainSearchArtifactsCache.ArtifactCacheKey artifactKey) throws TskCoreException, InterruptedException {
final SleuthkitCase caseDb = artifactKey.getSleuthkitCase();
final ARTIFACT_TYPE type = artifactKey.getType();
List<BlackboardArtifact> artifacts = caseDb.getBlackboardArtifacts(type);
Map<String, List<BlackboardArtifact>> artifactsByDomain = new HashMap<>();
// Grab artifacts with matching domain names.
for (BlackboardArtifact artifact : artifacts) {
if(Thread.currentThread().isInterrupted()) {
throw new InterruptedException();
}
final BlackboardAttribute tskDomain = artifact.getAttribute(TSK_DOMAIN);
final BlackboardAttribute tskUrl = artifact.getAttribute(TSK_URL);
if (tskDomain != null && tskDomain.getValueString().equalsIgnoreCase(normalizedDomain)) {
matchingDomainArtifacts.add(artifact);
} else if (tskUrl != null && tskUrl.getValueString().toLowerCase().contains(normalizedDomain)) {
matchingDomainArtifacts.add(artifact);
if (tskDomain != null) {
final String normalizedDomain = tskDomain.getValueString().trim().toLowerCase();
List<BlackboardArtifact> artifactsWithDomain = artifactsByDomain.getOrDefault(normalizedDomain, new ArrayList<>());
artifactsWithDomain.add(artifact);
artifactsByDomain.put(normalizedDomain, artifactsWithDomain);
}
}
return matchingDomainArtifacts;
return artifactsByDomain;
}
}

14
Core/src/org/sleuthkit/autopsy/discovery/search/DomainSearchCacheLoader.java
View File

@ -154,12 +154,12 @@ class DomainSearchCacheLoader extends CacheLoader<SearchKey, Map<GroupKey, List<
+ " SUM(CASE "
+ " WHEN artifact_type_id = " + TSK_WEB_HISTORY.getTypeID() + " THEN 1 "
+ " ELSE 0 "
+ " END) AS totalVisits,"
+ " END) AS totalPageViews,"
+ " SUM(CASE "
+ " WHEN artifact_type_id = " + TSK_WEB_HISTORY.getTypeID() + " AND"
+ " date BETWEEN " + sixtyDaysAgo.getEpochSecond() + " AND " + currentTime.getEpochSecond() + " THEN 1 "
+ " ELSE 0 "
+ " END) AS last60,"
+ " END) AS pageViewsInLast60,"
+ " MAX(data_source_obj_id) AS dataSource "
+ "FROM blackboard_artifacts"
+ " JOIN (" + domainsTable + ") AS domains_table"
@ -298,21 +298,21 @@ class DomainSearchCacheLoader extends CacheLoader<SearchKey, Map<GroupKey, List<
if (resultSet.wasNull()) {
filesDownloaded = null;
}
Long totalVisits = resultSet.getLong("totalVisits");
Long totalPageViews = resultSet.getLong("totalPageViews");
if (resultSet.wasNull()) {
totalVisits = null;
totalPageViews = null;
}
Long visitsInLast60 = resultSet.getLong("last60");
Long pageViewsInLast60 = resultSet.getLong("pageViewsInLast60");
if (resultSet.wasNull()) {
visitsInLast60 = null;
pageViewsInLast60 = null;
}
Long dataSourceID = resultSet.getLong("dataSource");
Content dataSource = skc.getContentById(dataSourceID);
resultDomains.add(new ResultDomain(domain, activityStart,
activityEnd, totalVisits, visitsInLast60, filesDownloaded, dataSource));
activityEnd, totalPageViews, pageViewsInLast60, filesDownloaded, dataSource));
}
} catch (SQLException ex) {
this.sqlCause = ex;

34
Core/src/org/sleuthkit/autopsy/discovery/search/ResultDomain.java
View File

@ -30,8 +30,8 @@ public class ResultDomain extends Result {
private final String domain;
private final Long activityStart;
private final Long activityEnd;
private final Long totalVisits;
private final Long visitsInLast60;
private final Long totalPageViews;
private final Long pageViewsInLast60;
private final Long filesDownloaded;
private final Content dataSource;
@ -42,15 +42,15 @@ public class ResultDomain extends Result {
*
* @param domain The domain the result is being created from.
*/
ResultDomain(String domain, Long activityStart, Long activityEnd, Long totalVisits,
Long visitsInLast60, Long filesDownloaded, Content dataSource) {
ResultDomain(String domain, Long activityStart, Long activityEnd, Long totalPageViews,
Long pageViewsInLast60, Long filesDownloaded, Content dataSource) {
this.domain = domain;
this.dataSource = dataSource;
this.dataSourceId = dataSource.getId();
this.activityStart = activityStart;
this.activityEnd = activityEnd;
this.totalVisits = totalVisits;
this.visitsInLast60 = visitsInLast60;
this.totalPageViews = totalPageViews;
this.pageViewsInLast60 = pageViewsInLast60;
this.filesDownloaded = filesDownloaded;
}
@ -82,22 +82,24 @@ public class ResultDomain extends Result {
}
/**
* Get the total number of visits that this domain has had.
* Get the total number of page views that this domain has had.
* Pages views is defined as the count of TSK_WEB_HISTORY artifacts.
*
* @return The total number of visits that this domain has had.
* @return The total number of page views that this domain has had.
*/
public Long getTotalVisits() {
return totalVisits;
public Long getTotalPageViews() {
return totalPageViews;
}
/**
* Get the number of visits that this domain has had in the last 60 days.
* Get the number of page views that this domain has had in the last 60 days.
* Page views is defined as the count of TSK_WEB_HISTORY artifacts.
*
* @return The number of visits that this domain has had in the last 60
* @return The number of page views that this domain has had in the last 60
* days.
*/
public Long getVisitsInLast60() {
return visitsInLast60;
public Long getPageViewsInLast60Days() {
return pageViewsInLast60;
}
/**
@ -132,8 +134,8 @@ public class ResultDomain extends Result {
@Override
public String toString() {
return "[domain=" + this.domain + ", data_source=" + this.dataSourceId + ", start="
+ this.activityStart + ", end=" + this.activityEnd + ", totalVisits=" + this.totalVisits + ", visitsLast60="
+ this.visitsInLast60 + ", downloads=" + this.filesDownloaded + ", frequency="
+ this.activityStart + ", end=" + this.activityEnd + ", totalVisits=" + this.totalPageViews + ", visitsLast60="
+ this.pageViewsInLast60 + ", downloads=" + this.filesDownloaded + ", frequency="
+ this.getFrequency() + "]";
}
}

41
Core/src/org/sleuthkit/autopsy/discovery/search/ResultsSorter.java
View File

@ -69,6 +69,9 @@ public class ResultsSorter implements Comparator<Result> {
case BY_DOMAIN_NAME:
comparators.add(getDomainNameComparator());
break;
case BY_PAGE_VIEWS:
comparators.add(getPageViewComparator());
break;
default:
// The default comparator will be added afterward
break;
@ -248,21 +251,31 @@ public class ResultsSorter implements Comparator<Result> {
return compareStrings(first.getDomain().toLowerCase(), second.getDomain().toLowerCase());
};
}
/**
* Sorts results by most recent date time.
*
* @return -1 if domain1 comes before domain2, 0 if equal, 1 otherwise.
* Sorts domains by page view count. If a result domain reports it's
* page view count as `null`, then it's assumed to be equivalent to 0.
*
* This comparator sorts results in descending order (largest -> smallest).
*/
private static Comparator<Result> getMostRecentDateTimeComparator() {
return (Result result1, Result result2) -> {
if (result1.getType() != SearchData.Type.DOMAIN) {
private static Comparator<Result> getPageViewComparator() {
return (Result domain1, Result domain2) -> {
if (domain1.getType() != SearchData.Type.DOMAIN) {
return 0;
}
ResultDomain first = (ResultDomain) result1;
ResultDomain second = (ResultDomain) result2;
return Long.compare(second.getActivityEnd(), first.getActivityEnd());
ResultDomain first = (ResultDomain) domain1;
ResultDomain second = (ResultDomain) domain2;
Long firstPageViews = first.getTotalPageViews();
Long secondPageViews = second.getTotalPageViews();
if (firstPageViews != null && secondPageViews != null) {
return Long.compare(secondPageViews, firstPageViews);
} else if (firstPageViews == null) {
return 1;
} else {
return -1;
}
};
}
@ -318,7 +331,8 @@ public class ResultsSorter implements Comparator<Result> {
"FileSorter.SortingMethod.frequency.displayName=Central Repo Frequency",
"FileSorter.SortingMethod.keywordlist.displayName=Keyword List Names",
"FileSorter.SortingMethod.fullPath.displayName=Full Path",
"FileSorter.SortingMethod.domain.displayName=Domain"})
"FileSorter.SortingMethod.domain.displayName=Domain",
"FileSorter.SortingMethod.pageViews.displayName=Page Views"})
public enum SortingMethod {
BY_FILE_NAME(new ArrayList<>(),
Bundle.FileSorter_SortingMethod_filename_displayName()), // Sort alphabetically by file name
@ -335,7 +349,8 @@ public class ResultsSorter implements Comparator<Result> {
BY_FULL_PATH(new ArrayList<>(),
Bundle.FileSorter_SortingMethod_fullPath_displayName()), // Sort alphabetically by path
BY_DOMAIN_NAME(new ArrayList<>(),
Bundle.FileSorter_SortingMethod_domain_displayName());
Bundle.FileSorter_SortingMethod_domain_displayName()),
BY_PAGE_VIEWS(new ArrayList<>(), Bundle.FileSorter_SortingMethod_pageViews_displayName());
private final String displayName;
private final List<DiscoveryAttributes.AttributeType> requiredAttributes;
@ -381,7 +396,7 @@ public class ResultsSorter implements Comparator<Result> {
* @return Enum values that can be used to ordering files.
*/
public static List<SortingMethod> getOptionsForOrderingDomains() {
return Arrays.asList(BY_DOMAIN_NAME, BY_DATA_SOURCE);
return Arrays.asList(BY_PAGE_VIEWS, BY_DOMAIN_NAME, BY_DATA_SOURCE);
}
}

18
Core/src/org/sleuthkit/autopsy/discovery/ui/ArtifactsListPanel.java
View File

@ -31,8 +31,10 @@ import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.ThreadConfined;
import org.sleuthkit.autopsy.datamodel.ContentUtils;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.TimeUtilities;
import org.sleuthkit.datamodel.TskCoreException;
/**
@ -238,10 +240,11 @@ final class ArtifactsListPanel extends AbstractArtifactListPanel {
@Override
public Object getValueAt(int rowIndex, int columnIndex) {
if (columnIndex < 2 || artifactType == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_CACHE) {
final BlackboardArtifact artifact = getArtifactByRow(rowIndex);
try {
for (BlackboardAttribute bba : getArtifactByRow(rowIndex).getAttributes()) {
for (BlackboardAttribute bba : artifact.getAttributes()) {
if (!StringUtils.isBlank(bba.getDisplayString())) {
String stringFromAttribute = getStringForColumn(bba, columnIndex);
String stringFromAttribute = getStringForColumn(artifact, bba, columnIndex);
if (!StringUtils.isBlank(stringFromAttribute)) {
return stringFromAttribute;
}
@ -249,7 +252,7 @@ final class ArtifactsListPanel extends AbstractArtifactListPanel {
}
return getFallbackValue(rowIndex, columnIndex);
} catch (TskCoreException ex) {
logger.log(Level.WARNING, "Error getting attributes for artifact " + getArtifactByRow(rowIndex).getArtifactID(), ex);
logger.log(Level.WARNING, "Error getting attributes for artifact " + artifact.getArtifactID(), ex);
}
}
return Bundle.ArtifactsListPanel_value_noValue();
@ -270,9 +273,9 @@ final class ArtifactsListPanel extends AbstractArtifactListPanel {
* the TSK_PATH_ID.
*/
@ThreadConfined(type = ThreadConfined.ThreadType.AWT)
private String getStringForColumn(BlackboardAttribute bba, int columnIndex) throws TskCoreException {
private String getStringForColumn(BlackboardArtifact artifact, BlackboardAttribute bba, int columnIndex) throws TskCoreException {
if (columnIndex == 0 && bba.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID()) {
return bba.getDisplayString();
return TimeUtilities.epochToTime(bba.getValueLong(), ContentUtils.getTimeZone(artifact));
} else if (columnIndex == 1) {
if (artifactType == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD || artifactType == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_CACHE) {
if (bba.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID()) {
@ -305,9 +308,10 @@ final class ArtifactsListPanel extends AbstractArtifactListPanel {
*/
@ThreadConfined(type = ThreadConfined.ThreadType.AWT)
private String getFallbackValue(int rowIndex, int columnIndex) throws TskCoreException {
for (BlackboardAttribute bba : getArtifactByRow(rowIndex).getAttributes()) {
final BlackboardArtifact artifact = getArtifactByRow(rowIndex);
for (BlackboardAttribute bba : artifact.getAttributes()) {
if (columnIndex == 0 && bba.getAttributeType().getTypeName().startsWith("TSK_DATETIME") && !StringUtils.isBlank(bba.getDisplayString())) {
return bba.getDisplayString();
return TimeUtilities.epochToTime(bba.getValueLong(), ContentUtils.getTimeZone(artifact));
} else if (columnIndex == 1 && bba.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL.getTypeID() && !StringUtils.isBlank(bba.getDisplayString())) {
return bba.getDisplayString();
} else if (columnIndex == 1 && bba.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getTypeID() && !StringUtils.isBlank(bba.getDisplayString())) {

4
Core/src/org/sleuthkit/autopsy/discovery/ui/Bundle.properties-MERGED
View File

@ -56,8 +56,8 @@ DomainDetailsPanel.miniTimelineTitle.text=Mini Timeline
DomainSummaryPanel.activity.text=Activity: {0} to {1}
DomainSummaryPanel.downloads.text=Files downloaded:
DomainSummaryPanel.loadingImages.text=Loading thumbnail...
DomainSummaryPanel.pages.text=Pages in past 60 days:
DomainSummaryPanel.totalPages.text=Total visits:
DomainSummaryPanel.pages.text=Page views in past 60 days:
DomainSummaryPanel.totalPages.text=Total page views:
GroupsListPanel.noDomainResults.message.text=No domains were found for the selected filters.\n\nReminder:\n -The Recent Activity module must be run on each data source you want to find results in.\n -The Central Repository module must be run on each data source if you want to filter or sort by past occurrences.\n -The iOS Analyzer (iLEAPP) module must be run on each data source which contains data from an iOS device.\n
GroupsListPanel.noFileResults.message.text=No files were found for the selected filters.\n\nReminder:\n -The File Type Identification module must be run on each data source you want to find results in.\n -The Hash Lookup module must be run on each data source if you want to filter by past occurrence.\n -The Picture Analyzer module must be run on each data source if you are filtering by User Created content.
GroupsListPanel.noResults.title.text=No results found

8
Core/src/org/sleuthkit/autopsy/discovery/ui/DomainSummaryPanel.java
View File

@ -142,8 +142,8 @@ class DomainSummaryPanel extends javax.swing.JPanel implements ListCellRenderer<
@NbBundle.Messages({"# {0} - startDate",
"# {1} - endDate",
"DomainSummaryPanel.activity.text=Activity: {0} to {1}",
"DomainSummaryPanel.pages.text=Pages in past 60 days: ",
"DomainSummaryPanel.totalPages.text=Total visits: ",
"DomainSummaryPanel.pages.text=Page views in past 60 days: ",
"DomainSummaryPanel.totalPages.text=Total page views: ",
"DomainSummaryPanel.downloads.text=Files downloaded: ",
"DomainSummaryPanel.loadingImages.text=Loading thumbnail..."})
@Override
@ -152,8 +152,8 @@ class DomainSummaryPanel extends javax.swing.JPanel implements ListCellRenderer<
String startDate = dateFormat.format(new Date(value.getResultDomain().getActivityStart() * 1000));
String endDate = dateFormat.format(new Date(value.getResultDomain().getActivityEnd() * 1000));
activityLabel.setText(Bundle.DomainSummaryPanel_activity_text(startDate, endDate));
totalVisitsLabel.setText(Bundle.DomainSummaryPanel_totalPages_text() + value.getResultDomain().getTotalVisits());
pagesLabel.setText(Bundle.DomainSummaryPanel_pages_text() + value.getResultDomain().getVisitsInLast60());
totalVisitsLabel.setText(Bundle.DomainSummaryPanel_totalPages_text() + value.getResultDomain().getTotalPageViews());
pagesLabel.setText(Bundle.DomainSummaryPanel_pages_text() + value.getResultDomain().getPageViewsInLast60Days());
filesDownloadedLabel.setText(Bundle.DomainSummaryPanel_downloads_text() + value.getResultDomain().getFilesDownloaded());
if (value.getThumbnail() == null) {
numberOfImagesLabel.setText(Bundle.DomainSummaryPanel_loadingImages_text());

4
Core/src/org/sleuthkit/autopsy/discovery/ui/PreviouslyNotableFilterPanel.java
View File

@ -22,6 +22,7 @@ import org.sleuthkit.autopsy.discovery.search.AbstractFilter;
import javax.swing.JCheckBox;
import javax.swing.JLabel;
import javax.swing.JList;
import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
import org.sleuthkit.autopsy.coreutils.ThreadConfined;
import org.sleuthkit.autopsy.discovery.search.SearchFiltering;
@ -35,6 +36,9 @@ final class PreviouslyNotableFilterPanel extends AbstractDiscoveryFilterPanel {
@ThreadConfined(type = ThreadConfined.ThreadType.AWT)
PreviouslyNotableFilterPanel() {
initComponents();
if (!CentralRepository.isEnabled()) {
previouslyNotableCheckbox.setEnabled(false);
}
}
/**