working through hash set module

2025-07-15 01:07:42 +00:00 · 2021-05-13 07:55:59 -04:00 · 2021-05-13 07:55:59 -04:00 · 14a21939a9
commit 14a21939a9
parent a3822f28bf
1 changed files with 46 additions and 20 deletions
--- a/Core/src/org/sleuthkit/autopsy/modules/hashdatabase/HashDbIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/hashdatabase/HashDbIngestModule.java
@ -48,6 +48,8 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
 import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
 import org.sleuthkit.datamodel.HashHitInfo;
 import org.sleuthkit.datamodel.HashUtility;
+import org.sleuthkit.datamodel.Score;
+import org.sleuthkit.datamodel.Score.Significance;
 import org.sleuthkit.datamodel.SleuthkitCase;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskData;
@ -381,9 +383,8 @@ public class HashDbIngestModule implements FileIngestModule {

                    totalCount.incrementAndGet();
                    file.setKnown(statusIfFound);
-                    String hashSetName = db.getDisplayName();
                    String comment = generateComment(hashInfo);
-                    if (!createArtifactIfNotExists(hashSetName, file, comment, db)) {
+                    if (!createArtifactIfNotExists(file, comment, db)) {
                        wasError = true;
                    }
                }
@ -426,24 +427,23 @@ public class HashDbIngestModule implements FileIngestModule {
    /**
     * Creates a BlackboardArtifact if artifact does not already exist.
     *
-     * @param hashSetName The name of the hashset found.
     * @param file        The file that had a hash hit.
     * @param comment     The comment to associate with this artifact.
     * @param db          the database in which this file was found.
     *
     * @return True if the operation occurred successfully and without error.
     */
-    private boolean createArtifactIfNotExists(String hashSetName, AbstractFile file, String comment, HashDb db) {
+    private boolean createArtifactIfNotExists(AbstractFile file, String comment, HashDb db) {
        /*
         * We have a match. Now create an artifact if it is determined that one
         * hasn't been created yet.
         */
        List<BlackboardAttribute> attributesList = new ArrayList<>();
-        attributesList.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, HashLookupModuleFactory.getModuleName(), hashSetName));
+        attributesList.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, HashLookupModuleFactory.getModuleName(), db.getDisplayName()));
        try {
            Blackboard tskBlackboard = skCase.getBlackboard();
            if (tskBlackboard.artifactExists(file, BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT, attributesList) == false) {
-                postHashSetHitToBlackboard(file, file.getMd5Hash(), hashSetName, comment, db.getSendIngestMessages());
+                postHashSetHitToBlackboard(file, file.getMd5Hash(), db, comment);
            }
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, String.format(
@ -500,31 +500,57 @@ public class HashDbIngestModule implements FileIngestModule {
        totals.totalCalctime.addAndGet(delta);
    }

+    /**
+     * Converts HashDb.KnownFilesType to a Score to be used to create an analysis result.
+     * @param knownFilesType The HashDb KnownFilesType to convert.
+     * @return The Score to use when creating an AnalysisResult.
+     */
+    private Score getScore(HashDb.KnownFilesType knownFilesType) {
+        if (knownFilesType == null) {
+            return Score.SCORE_UNKNOWN;
+        }
+        switch (knownFilesType) {
+            case KNOWN:
+                return new Score(Significance.NONE, Score.MethodCategory.AUTO);
+            case KNOWN_BAD:
+                return new Score(Significance.NOTABLE, Score.MethodCategory.AUTO);
+            default:
+            case NO_CHANGE:
+                return Score.SCORE_UNKNOWN;
+        }
+    }
    /**
     * Post a hash set hit to the blackboard.
     *
     * @param abstractFile     The file to be processed.
     * @param md5Hash          The MD5 hash value of the file.
-     * @param hashSetName      The name of the hash set with which to associate
-     *                         the hit.
+     * @param db               The database in which this file was found.
     * @param comment          A comment to be attached to the artifact.
-     * @param showInboxMessage Show a message in the inbox?
     */
    @Messages({
        "HashDbIngestModule.indexError.message=Failed to index hashset hit artifact for keyword search."
    })
-    private void postHashSetHitToBlackboard(AbstractFile abstractFile, String md5Hash, String hashSetName, String comment, boolean showInboxMessage) {
+    private void postHashSetHitToBlackboard(AbstractFile abstractFile, String md5Hash, HashDb db, String comment) {
        try {
            String moduleName = HashLookupModuleFactory.getModuleName();
-            BlackboardArtifact badFile = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_HASHSET_HIT);
-            Collection<BlackboardAttribute> attributes = new ArrayList<>();
-            //TODO Revisit usage of deprecated constructor as per TSK-583
-            //BlackboardAttribute att2 = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), MODULE_NAME, "Known Bad", hashSetName);
-            attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, moduleName, hashSetName));
-            attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HASH_MD5, moduleName, md5Hash));
-            attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, comment));
            
-            badFile.addAttributes(attributes);
+            List<BlackboardAttribute> attributes = Arrays.asList(
+                new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, moduleName, db.getDisplayName()),
+                new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HASH_MD5, moduleName, md5Hash),
+                new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, comment)
+            );
+            
+
+            String conclusion = TBD;
+            String configuration = TBD;
+            String justification = TBD;
+
+            // BlackboardArtifact.Type artifactType, Score score, String conclusion, String configuration, String justification, Collection<BlackboardAttribute> attributesList
+            BlackboardArtifact badFile = abstractFile.newAnalysisResult(
+                    BlackboardArtifact.Type.TSK_HASHSET_HIT, getScore(db.getKnownFilesType()), 
+                    conclusion, configuration, justification,
+                    attributes
+            ).getAnalysisResult();

            try {
                /*
@ -538,7 +564,7 @@ public class HashDbIngestModule implements FileIngestModule {
                        Bundle.HashDbIngestModule_indexError_message(), badFile.getDisplayName());
            }

-            if (showInboxMessage) {
+            if (db.getSendIngestMessages()) {
                StringBuilder detailsSb = new StringBuilder();
                //details
                detailsSb.append("<table border='0' cellpadding='4' width='280'>"); //NON-NLS
@ -563,7 +589,7 @@ public class HashDbIngestModule implements FileIngestModule {
                detailsSb.append("<th>") //NON-NLS
                        .append(NbBundle.getMessage(this.getClass(), "HashDbIngestModule.postToBB.hashsetName"))
                        .append("</th>"); //NON-NLS
-                detailsSb.append("<td>").append(hashSetName).append("</td>"); //NON-NLS
+                detailsSb.append("<td>").append(db.getDisplayName()).append("</td>"); //NON-NLS
                detailsSb.append("</tr>"); //NON-NLS

                detailsSb.append("</table>"); //NON-NLS