removing newArtifact and newBlackboardArtifact from autopsy
parent
6fb71a03e8
commit
1d2b460b8c
@ -68,6 +68,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.PersonaAccount;
|
||||
import org.sleuthkit.datamodel.Account;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT;
|
||||
import org.sleuthkit.datamodel.CommunicationsUtils;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
|
||||
/**
|
||||
* Listen for ingest events and update entries in the Central Repository
|
||||
@ -205,17 +206,20 @@ public class IngestEventsListener {
|
||||
}
|
||||
|
||||
/**
|
||||
* Make an Interesting Item artifact based on a new artifact being previously seen.
|
||||
* Make an Interesting Item artifact based on a new artifact being
|
||||
* previously seen.
|
||||
*
|
||||
* @param originalArtifact Original artifact that we want to flag
|
||||
* @param caseDisplayNames List of case names artifact was previously seen in
|
||||
* @param caseDisplayNames List of case names artifact was previously seen
|
||||
* in
|
||||
*/
|
||||
@NbBundle.Messages({"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)",
|
||||
"IngestEventsListener.prevCaseComment.text=Previous Case: "})
|
||||
static private void makeAndPostPreviousNotableArtifact(BlackboardArtifact originalArtifact, List<String> caseDisplayNames) {
|
||||
|
||||
Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(new BlackboardAttribute(
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevTaggedSet_text()),
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevTaggedSet_text()),
|
||||
new BlackboardAttribute(
|
||||
TSK_COMMENT, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(","))),
|
||||
@ -230,7 +234,8 @@ public class IngestEventsListener {
|
||||
* in the central repository.
|
||||
*
|
||||
* @param originalArtifact the artifact to create the interesting item for
|
||||
* @param caseDisplayNames the case names the artifact was previously seen in
|
||||
* @param caseDisplayNames the case names the artifact was previously seen
|
||||
* in
|
||||
*/
|
||||
@NbBundle.Messages({"IngestEventsListener.prevExists.text=Previously Seen Devices (Central Repository)",
|
||||
"# {0} - typeName",
|
||||
@ -238,8 +243,8 @@ public class IngestEventsListener {
|
||||
"IngestEventsListener.prevCount.text=Number of previous {0}: {1}"})
|
||||
static private void makeAndPostPreviousSeenArtifact(BlackboardArtifact originalArtifact, List<String> caseDisplayNames) {
|
||||
Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(new BlackboardAttribute(
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevExists_text()),
|
||||
TSK_SET_NAME, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevExists_text()),
|
||||
new BlackboardAttribute(
|
||||
TSK_COMMENT, MODULE_NAME,
|
||||
Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(","))),
|
||||
@ -250,9 +255,11 @@ public class IngestEventsListener {
|
||||
}
|
||||
|
||||
/**
|
||||
* Make an interesting item artifact to flag the passed in artifact.
|
||||
* @param originalArtifact Artifact in current case we want to flag
|
||||
* @param attributesForNewArtifact Attributes to assign to the new Interesting items artifact
|
||||
* Make an interesting item artifact to flag the passed in artifact.
|
||||
*
|
||||
* @param originalArtifact Artifact in current case we want to flag
|
||||
* @param attributesForNewArtifact Attributes to assign to the new
|
||||
* Interesting items artifact
|
||||
*/
|
||||
private static void makeAndPostInterestingArtifact(BlackboardArtifact originalArtifact, Collection<BlackboardAttribute> attributesForNewArtifact) {
|
||||
try {
|
||||
@ -261,8 +268,10 @@ public class IngestEventsListener {
|
||||
Blackboard blackboard = tskCase.getBlackboard();
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(abstractFile, TSK_INTERESTING_ARTIFACT_HIT, attributesForNewArtifact)) {
|
||||
BlackboardArtifact newInterestingArtifact = abstractFile.newArtifact(TSK_INTERESTING_ARTIFACT_HIT);
|
||||
newInterestingArtifact.addAttributes(attributesForNewArtifact);
|
||||
BlackboardArtifact newInterestingArtifact = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_ARTIFACT_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributesForNewArtifact)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
// index the artifact for keyword search
|
||||
@ -320,7 +329,7 @@ public class IngestEventsListener {
|
||||
LOGGER.log(Level.SEVERE, "Failed to connect to Central Repository database.", ex);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
switch (IngestManager.IngestJobEvent.valueOf(evt.getPropertyName())) {
|
||||
case DATA_SOURCE_ANALYSIS_COMPLETED: {
|
||||
jobProcessingExecutor.submit(new AnalysisCompleteTask(dbManager, evt));
|
||||
@ -334,15 +343,15 @@ public class IngestEventsListener {
|
||||
}
|
||||
|
||||
private final class AnalysisCompleteTask implements Runnable {
|
||||
|
||||
|
||||
private final CentralRepository dbManager;
|
||||
private final PropertyChangeEvent event;
|
||||
|
||||
|
||||
private AnalysisCompleteTask(CentralRepository db, PropertyChangeEvent evt) {
|
||||
dbManager = db;
|
||||
event = evt;
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public void run() {
|
||||
// clear the tracker to reduce memory usage
|
||||
@ -370,7 +379,7 @@ public class IngestEventsListener {
|
||||
if (!(dataSource instanceof Image)) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
dataSourceName = dataSource.getName();
|
||||
dataSourceObjectId = dataSource.getId();
|
||||
|
||||
@ -398,7 +407,7 @@ public class IngestEventsListener {
|
||||
if (StringUtils.equals(imageMd5Hash, crMd5Hash) == false) {
|
||||
correlationDataSource.setMd5(imageMd5Hash);
|
||||
}
|
||||
|
||||
|
||||
String imageSha1Hash = image.getSha1();
|
||||
if (imageSha1Hash == null) {
|
||||
imageSha1Hash = "";
|
||||
@ -407,7 +416,7 @@ public class IngestEventsListener {
|
||||
if (StringUtils.equals(imageSha1Hash, crSha1Hash) == false) {
|
||||
correlationDataSource.setSha1(imageSha1Hash);
|
||||
}
|
||||
|
||||
|
||||
String imageSha256Hash = image.getSha256();
|
||||
if (imageSha256Hash == null) {
|
||||
imageSha256Hash = "";
|
||||
@ -484,7 +493,7 @@ public class IngestEventsListener {
|
||||
}
|
||||
}
|
||||
if (flagPreviousItemsEnabled
|
||||
&& (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID
|
||||
&& (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID
|
||||
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID
|
||||
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID
|
||||
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID
|
||||
|
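Review bot: `makeAndPostInterestingArtifact` now hard-codes `Score.SCORE_UNKNOWN` and passes `null` for the next three arguments, so a hit created by `makeAndPostPreviousNotableArtifact` (set name "Previously Tagged As Notable (Central Repository)") is stored with the same score as a merely previously-seen device. If examiners or reports sort or filter analysis results by score, the previously-notable correlation will not stand out. Consider adding a `Score` parameter to `makeAndPostInterestingArtifact` so each caller chooses it, or at least mark the placeholder with a comment such as `// TODO: placeholder score; previously-notable hits should carry a score that reflects that`. The same `Score.SCORE_UNKNOWN, null, null, null` placeholder is used in the CentralRepoIngestModule, SevenZipExtractor, both EncryptionDetection modules, FileExtMismatchIngestModule, FileTypeIdIngestModule, HashDbIngestModule (hash set hits), FilesIdentifierIngestModule and EXIFProcessor sections. The method bodies continue outside the hunks shown.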
@ -56,6 +56,7 @@ import org.sleuthkit.datamodel.HashUtility;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
|
||||
/**
|
||||
* Ingest module for inserting entries into the Central Repository database on
|
||||
@ -345,8 +346,10 @@ final class CentralRepoIngestModule implements FileIngestModule {
|
||||
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(abstractFile, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact tifArtifact = abstractFile.newArtifact(TSK_INTERESTING_FILE_HIT);
|
||||
tifArtifact.addAttributes(attributes);
|
||||
BlackboardArtifact tifArtifact = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
try {
|
||||
// index the artifact for keyword search
|
||||
blackboard.postArtifact(tifArtifact, MODULE_NAME);
|
||||
|
@ -386,11 +386,13 @@ public final class FileTypes implements AutopsyVisitableItem {
|
||||
return content.getChildrenIds();
|
||||
}
|
||||
|
||||
@Deprecated
|
||||
@Override
|
||||
public BlackboardArtifact newArtifact(int artifactTypeID) throws TskCoreException {
|
||||
return content.newArtifact(artifactTypeID);
|
||||
}
|
||||
|
||||
@Deprecated
|
||||
@Override
|
||||
public BlackboardArtifact newArtifact(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException {
|
||||
return content.newArtifact(type);
|
||||
|
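Review bot: The two `newArtifact` overrides gain `@Deprecated` but no Javadoc telling callers what to use instead, so the compiler warning gives them nowhere to go. Add a short Javadoc on each, for example `/** @deprecated Use newDataArtifact() or newAnalysisResult() instead. */`, assuming those are the intended replacements as the rest of this commit suggests. The closing brace of the second override is outside the hunk.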
@ -24,6 +24,7 @@ import java.util.Collection;
|
||||
import java.util.List;
|
||||
import java.util.logging.Level;
|
||||
import org.sleuthkit.autopsy.coreutils.Logger;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Account;
|
||||
import org.sleuthkit.datamodel.Blackboard.BlackboardException;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
@ -313,9 +314,10 @@ final class XRYCallsFileParser extends AbstractSingleEntityParser {
|
||||
}
|
||||
|
||||
if (!otherAttributes.isEmpty()) {
|
||||
BlackboardArtifact artifact = parent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG);
|
||||
artifact.addAttributes(otherAttributes);
|
||||
|
||||
BlackboardArtifact artifact = (parent instanceof AbstractFile)
|
||||
? ((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG), otherAttributes)
|
||||
: parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG), otherAttributes, null);
|
||||
|
||||
currentCase.getBlackboard().postArtifact(artifact, PARSER_NAME);
|
||||
}
|
||||
} else {
|
||||
|
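Review bot: The `(parent instanceof AbstractFile) ? ((AbstractFile) parent).newDataArtifact(type, attrs) : parent.newDataArtifact(type, attrs, null)` expression is copied into XRYContactsFileParser, XRYDeviceGenInfoFileParser, XRYWebBookmarksFileParser, LeappFileProcessor and PlasoIngestModule as well, and nothing explains why the two branches differ or what the trailing `null` stands for. Since all four XRY parsers extend `AbstractSingleEntityParser`, one protected helper there would keep the branch in a single place. If the copies stay, a comment on the fallback branch would help, for example `// non-file content: no OS account to associate (third argument)`, to be confirmed against the `newDataArtifact` signature. The enclosing method starts and ends outside the hunk.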
@ -142,9 +142,10 @@ final class XRYContactsFileParser extends AbstractSingleEntityParser {
|
||||
} else {
|
||||
// Just create an artifact with the attributes that we do have.
|
||||
if (!additionalAttributes.isEmpty()) {
|
||||
BlackboardArtifact artifact = parent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT);
|
||||
artifact.addAttributes(additionalAttributes);
|
||||
|
||||
BlackboardArtifact artifact = (parent instanceof AbstractFile)
|
||||
? ((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT), additionalAttributes)
|
||||
: parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT), additionalAttributes, null);
|
||||
|
||||
currentCase.getBlackboard().postArtifact(artifact, PARSER_NAME);
|
||||
}
|
||||
}
|
||||
|
@ -105,9 +105,11 @@ final class XRYDeviceGenInfoFileParser extends AbstractSingleEntityParser {
|
||||
}
|
||||
}
|
||||
if(!attributes.isEmpty()) {
|
||||
BlackboardArtifact artifact = parent.newArtifact(
|
||||
BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO);
|
||||
artifact.addAttributes(attributes);
|
||||
if (parent instanceof AbstractFile) {
|
||||
((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO), attributes)
|
||||
} else {
|
||||
parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO), attributes, null);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
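Review bot: The new `AbstractFile` branch ends with `..., attributes)` and no semicolon, so this file will not compile as written; the line should end `TSK_DEVICE_INFO), attributes);`. XRYWebBookmarksFileParser has the same missing semicolon on its `TSK_WEB_BOOKMARK` line. In both parsers the created artifact is also discarded rather than assigned, and no `postArtifact` call is visible in the hunk. XRYCallsFileParser and XRYContactsFileParser do call `currentCase.getBlackboard().postArtifact(artifact, PARSER_NAME)`. If posting is what triggers indexing and ingest events, device info and bookmarks from XRY reports would be stored without them, which is worth confirming.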
@ -78,8 +78,11 @@ final class XRYWebBookmarksFileParser extends AbstractSingleEntityParser {
|
||||
}
|
||||
}
|
||||
if(!attributes.isEmpty()) {
|
||||
BlackboardArtifact artifact = parent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK);
|
||||
artifact.addAttributes(attributes);
|
||||
if (parent instanceof AbstractFile) {
|
||||
((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK), attributes)
|
||||
} else {
|
||||
parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK), attributes, null);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
@ -76,6 +76,7 @@ import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.DerivedFile;
|
||||
import org.sleuthkit.datamodel.EncodedFileOutputStream;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
|
||||
@ -314,8 +315,9 @@ class SevenZipExtractor {
|
||||
details));
|
||||
|
||||
if (!blackboard.artifactExists(archiveFile, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact artifact = rootArchive.getArchiveFile().newArtifact(TSK_INTERESTING_FILE_HIT);
|
||||
artifact.addAttributes(attributes);
|
||||
BlackboardArtifact artifact = rootArchive.getArchiveFile().newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
try {
|
||||
/*
|
||||
* post the artifact which will index the artifact for
|
||||
@ -852,8 +854,11 @@ class SevenZipExtractor {
|
||||
if (hasEncrypted) {
|
||||
String encryptionType = fullEncryption ? ENCRYPTION_FULL : ENCRYPTION_FILE_LEVEL;
|
||||
try {
|
||||
BlackboardArtifact artifact = archiveFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED);
|
||||
artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, encryptionType));
|
||||
BlackboardArtifact artifact = archiveFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED), Score.SCORE_UNKNOWN,
|
||||
null, null, null,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, encryptionType)))
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
|
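Review bot: In the first hunk the duplicate check runs against one object and the creation against another: `blackboard.artifactExists(archiveFile, TSK_INTERESTING_FILE_HIT, attributes)` versus `rootArchive.getArchiveFile().newAnalysisResult(...)`. If `archiveFile` can be a nested archive rather than the root, the check never sees the result that was written on the root and each nested hit adds another copy. Using the same reference for both calls, for example `blackboard.artifactExists(rootArchive.getArchiveFile(), TSK_INTERESTING_FILE_HIT, attributes)`, would make the guard effective. The mismatch predates this commit, and the enclosing method starts outside the hunk, so the relationship between the two variables should be confirmed there.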
@ -19,6 +19,7 @@
|
||||
package org.sleuthkit.autopsy.modules.encryptiondetection;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.logging.Level;
|
||||
import org.openide.util.NbBundle.Messages;
|
||||
@ -36,6 +37,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.Image;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.Volume;
|
||||
import org.sleuthkit.datamodel.VolumeSystem;
|
||||
@ -80,31 +82,31 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
|
||||
|
||||
try {
|
||||
if (dataSource instanceof Image) {
|
||||
|
||||
|
||||
if (((Image) dataSource).getPaths().length == 0) {
|
||||
logger.log(Level.SEVERE, String.format("Unable to process data source '%s' - image has no paths", dataSource.getName()));
|
||||
return IngestModule.ProcessResult.ERROR;
|
||||
}
|
||||
|
||||
|
||||
List<VolumeSystem> volumeSystems = ((Image) dataSource).getVolumeSystems();
|
||||
progressBar.switchToDeterminate(volumeSystems.size());
|
||||
int numVolSystemsChecked = 0;
|
||||
progressBar.progress(Bundle.EncryptionDetectionDataSourceIngestModule_processing_message(), 0);
|
||||
for (VolumeSystem volumeSystem : volumeSystems) {
|
||||
|
||||
|
||||
if (context.dataSourceIngestIsCancelled()) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
|
||||
|
||||
for (Volume volume : volumeSystem.getVolumes()) {
|
||||
|
||||
|
||||
if (context.dataSourceIngestIsCancelled()) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
if (BitlockerDetection.isBitlockerVolume(volume)) {
|
||||
return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_bitlocker());
|
||||
}
|
||||
|
||||
|
||||
if (context.dataSourceIngestIsCancelled()) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
@ -144,22 +146,24 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges
|
||||
* Create a blackboard artifact.
|
||||
*
|
||||
* @param volume The volume to be processed.
|
||||
* @param artifactType The type of artifact to create.
|
||||
* @param artifactType The type of artifact to create. This is assumed to be
|
||||
* an analysis result type.
|
||||
* @param comment A comment to be attached to the artifact.
|
||||
*
|
||||
* @return 'OK' if the volume was processed successfully, or 'ERROR' if
|
||||
* there was a problem.
|
||||
*/
|
||||
private IngestModule.ProcessResult flagVolume(Volume volume, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) {
|
||||
|
||||
|
||||
if (context.dataSourceIngestIsCancelled()) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
|
||||
try {
|
||||
BlackboardArtifact artifact = volume.newArtifact(artifactType);
|
||||
artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment));
|
||||
|
||||
try {
|
||||
BlackboardArtifact artifact = volume.newAnalysisResult(new BlackboardArtifact.Type(artifactType), Score.SCORE_UNKNOWN, null, null, null,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment)))
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
* post the artifact which will index the artifact for keyword
|
||||
|
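Review bot: The updated Javadoc for `flagVolume` says `artifactType` "is assumed to be an analysis result type", but nothing in the method enforces it before `volume.newAnalysisResult(new BlackboardArtifact.Type(artifactType), ...)` is called. A future caller passing a data-artifact type would get either an exception or a mis-categorised record, depending on how the data model reacts. Either check `new BlackboardArtifact.Type(artifactType).getCategory()` up front and return `ProcessResult.ERROR` with a log line, as LeappFileProcessor does with its category switch, or drop the parameter if only `TSK_ENCRYPTION_DETECTED` is ever passed. The same unchecked assumption is documented on the flagging method in EncryptionDetectionFileIngestModule. The body of `flagVolume` continues past the end of the hunk.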
@ -29,6 +29,7 @@ import java.io.BufferedInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.nio.BufferUnderflowException;
|
||||
import java.util.Arrays;
|
||||
import java.util.logging.Level;
|
||||
import org.apache.tika.exception.EncryptedDocumentException;
|
||||
import org.apache.tika.exception.TikaException;
|
||||
@ -52,6 +53,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
import org.xml.sax.ContentHandler;
|
||||
@ -106,7 +108,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
|
||||
public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException {
|
||||
try {
|
||||
validateSettings();
|
||||
this.context = context;
|
||||
this.context = context;
|
||||
blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard();
|
||||
|
||||
fileTypeDetector = new FileTypeDetector();
|
||||
@ -130,12 +132,12 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
|
||||
* verify the file hasn't been deleted.
|
||||
*/
|
||||
if (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
|
||||
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
|
||||
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR)
|
||||
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR)
|
||||
&& (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed)
|
||||
&& !file.getKnown().equals(TskData.FileKnown.KNOWN)
|
||||
&& !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
|
||||
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
|
||||
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR)
|
||||
&& !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR)
|
||||
&& (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed)
|
||||
&& !file.getKnown().equals(TskData.FileKnown.KNOWN)
|
||||
&& !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
|
||||
/*
|
||||
* Is the file in FILE_IGNORE_LIST?
|
||||
*/
|
||||
@ -187,7 +189,8 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
|
||||
* Create a blackboard artifact.
|
||||
*
|
||||
* @param file The file to be processed.
|
||||
* @param artifactType The type of artifact to create.
|
||||
* @param artifactType The type of artifact to create. Assumed to be an
|
||||
* analysis result type.
|
||||
* @param comment A comment to be attached to the artifact.
|
||||
*
|
||||
* @return 'OK' if the file was processed successfully, or 'ERROR' if there
|
||||
@ -198,10 +201,11 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
|
||||
if (context.fileIngestIsCancelled()) {
|
||||
return IngestModule.ProcessResult.OK;
|
||||
}
|
||||
|
||||
BlackboardArtifact artifact = file.newArtifact(artifactType);
|
||||
artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
EncryptionDetectionModuleFactory.getModuleName(), comment));
|
||||
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(new BlackboardArtifact.Type(artifactType), Score.SCORE_UNKNOWN, null, null, null,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
EncryptionDetectionModuleFactory.getModuleName(), comment)))
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
@ -326,14 +330,14 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter
|
||||
accessDatabase = databaseBuilder.open();
|
||||
} catch (InvalidCredentialsException ex) {
|
||||
logger.log(Level.INFO, String.format(
|
||||
"Jackcess throws invalid credentials exception for file (name: %s, id: %s). It will be assumed to be password protected.",
|
||||
"Jackcess throws invalid credentials exception for file (name: %s, id: %s). It will be assumed to be password protected.",
|
||||
file.getName(), file.getId()));
|
||||
return true;
|
||||
} catch (Exception ex) { // Firewall, see JIRA-7097
|
||||
logger.log(Level.WARNING, String.format("Unexpected exception "
|
||||
+ "trying to open msaccess database using Jackcess "
|
||||
+ "(name: %s, id: %d)", file.getName(), file.getId()), ex);
|
||||
return passwordProtected;
|
||||
return passwordProtected;
|
||||
}
|
||||
/*
|
||||
* No exception has been thrown at this point, so the file
|
||||
|
@ -18,6 +18,7 @@
|
||||
*/
|
||||
package org.sleuthkit.autopsy.modules.fileextmismatch;
|
||||
|
||||
import java.util.Collections;
|
||||
import java.util.HashMap;
|
||||
import java.util.Set;
|
||||
import java.util.logging.Level;
|
||||
@ -38,6 +39,7 @@ import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
import org.sleuthkit.datamodel.TskData.FileKnown;
|
||||
import org.sleuthkit.datamodel.TskException;
|
||||
@ -119,15 +121,15 @@ public class FileExtMismatchIngestModule implements FileIngestModule {
|
||||
|
||||
// skip non-files
|
||||
if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)
|
||||
|| (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
|
||||
|| (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.SLACK)
|
||||
|| (abstractFile.isFile() == false)) {
|
||||
|| (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS)
|
||||
|| (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.SLACK)
|
||||
|| (abstractFile.isFile() == false)) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
|
||||
// deleted files often have content that was not theirs and therefor causes mismatch
|
||||
if ((abstractFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC))
|
||||
|| (abstractFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC))) {
|
||||
|| (abstractFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC))) {
|
||||
return ProcessResult.OK;
|
||||
}
|
||||
|
||||
@ -140,7 +142,9 @@ public class FileExtMismatchIngestModule implements FileIngestModule {
|
||||
|
||||
if (mismatchDetected) {
|
||||
// add artifact
|
||||
BlackboardArtifact bart = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED);
|
||||
BlackboardArtifact bart = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED), Score.SCORE_UNKNOWN, null, null, null, Collections.emptyList())
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
|
@ -40,6 +40,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTER
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
/**
|
||||
@ -162,8 +163,10 @@ public class FileTypeIdIngestModule implements FileIngestModule {
|
||||
Blackboard tskBlackboard = currentCase.getSleuthkitCase().getBlackboard();
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!tskBlackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact artifact = file.newArtifact(TSK_INTERESTING_FILE_HIT);
|
||||
artifact.addAttributes(attributes);
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
* post the artifact which will index the artifact for
|
||||
|
@ -48,6 +48,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.HashHitInfo;
|
||||
import org.sleuthkit.datamodel.HashUtility;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
@ -516,7 +517,7 @@ public class HashDbIngestModule implements FileIngestModule {
|
||||
private void postHashSetHitToBlackboard(AbstractFile abstractFile, String md5Hash, String hashSetName, String comment, boolean showInboxMessage) {
|
||||
try {
|
||||
String moduleName = HashLookupModuleFactory.getModuleName();
|
||||
BlackboardArtifact badFile = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_HASHSET_HIT);
|
||||
|
||||
Collection<BlackboardAttribute> attributes = new ArrayList<>();
|
||||
//TODO Revisit usage of deprecated constructor as per TSK-583
|
||||
//BlackboardAttribute att2 = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), MODULE_NAME, "Known Bad", hashSetName);
|
||||
@ -524,8 +525,9 @@ public class HashDbIngestModule implements FileIngestModule {
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HASH_MD5, moduleName, md5Hash));
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, comment));
|
||||
|
||||
badFile.addAttributes(attributes);
|
||||
|
||||
BlackboardArtifact badFile = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_HASHSET_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
try {
|
||||
/*
|
||||
* post the artifact which will index the artifact for keyword
|
||||
|
@ -43,6 +43,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTER
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
|
||||
@ -142,7 +143,10 @@ final class FilesIdentifierIngestModule implements FileIngestModule {
|
||||
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact artifact = file.newArtifact(TSK_INTERESTING_FILE_HIT);
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
artifact.addAttributes(attributes);
|
||||
try {
|
||||
|
||||
|
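Review bot: The attributes are now attached twice: `file.newAnalysisResult(..., attributes)` already receives the collection, yet the unchanged line `artifact.addAttributes(attributes);` is still there after it. The hunk header (7 old lines, 10 new) confirms that the call survives on the new side. Depending on how the data model handles repeats, this either stores every attribute in duplicate or throws. Delete the `artifact.addAttributes(attributes);` line, as the other modules in this commit do. The enclosing method continues outside the hunk.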
@ -71,6 +71,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskException;
|
||||
import org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper;
|
||||
@ -1218,10 +1219,24 @@ public final class LeappFileProcessor {
|
||||
* @return The newly-created artifact, or null on error
|
||||
*/
|
||||
private BlackboardArtifact createArtifactWithAttributes(int type, Content dataSource, Collection<BlackboardAttribute> bbattributes) {
|
||||
BlackboardArtifact.Type artType = new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.fromID(type));
|
||||
|
||||
try {
|
||||
BlackboardArtifact bbart = dataSource.newArtifact(type);
|
||||
bbart.addAttributes(bbattributes);
|
||||
return bbart;
|
||||
if (artType == null || artType.getCategory() == null) {
|
||||
logger.log(Level.WARNING, "Unable to get an artifact type for type: " + type);
|
||||
return null;
|
||||
}
|
||||
switch (artType.getCategory()) {
|
||||
case DATA_ARTIFACT:
|
||||
return (dataSource instanceof AbstractFile)
|
||||
? ((AbstractFile) dataSource).newDataArtifact(artType, bbattributes)
|
||||
: dataSource.newDataArtifact(artType, bbattributes, null);
|
||||
case ANALYSIS_RESULT:
|
||||
return dataSource.newAnalysisResult(artType, Score.SCORE_UNKNOWN, null, null, null, bbattributes).getAnalysisResult();
|
||||
default:
|
||||
logger.log(Level.SEVERE, "Unknown category type: " + artType.getCategory().getDisplayName());
|
||||
return null;
|
||||
}
|
||||
} catch (TskException ex) {
|
||||
logger.log(Level.WARNING, Bundle.LeappFileProcessor_error_creating_new_artifacts(), ex); //NON-NLS
|
||||
}
|
||||
|
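Review bot: The `artType == null` test in `createArtifactWithAttributes` can never be true, because `artType` is the result of `new BlackboardArtifact.Type(...)`. The lookup that can actually fail, `BlackboardArtifact.ARTIFACT_TYPE.fromID(type)`, runs before the `try` and before any check. If `fromID` rejects or returns null for an id outside the built-in enum (a custom artifact type, for instance), the failure surfaces as an unchecked exception from this method instead of the logged `return null` the Javadoc promises. Move the `fromID` call inside the `try`, handle its failure explicitly with the existing "Unable to get an artifact type for type" warning, and reduce the guard to `if (artType.getCategory() == null) {`. `AbstractFile` is used in the new cast but its import is not visible in this section, so confirm it is already imported.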
@ -29,6 +29,7 @@ import com.drew.metadata.exif.GpsDirectory;
|
||||
import java.io.BufferedInputStream;
|
||||
import java.io.IOException;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Date;
|
||||
import java.util.Set;
|
||||
@ -56,11 +57,12 @@ import org.sleuthkit.datamodel.Image;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.autopsy.modules.pictureanalyzer.spi.PictureProcessor;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
|
||||
/**
|
||||
* Extracts EXIF metadata from JPEG, TIFF, and WAV files. Currently only date,
|
||||
* latitude, longitude, altitude, device model, and device make are extracted.
|
||||
*
|
||||
*
|
||||
* User content suspected artifacts are also created by this processor.
|
||||
*/
|
||||
@ServiceProvider(service = PictureProcessor.class)
|
||||
@ -143,16 +145,18 @@ public class EXIFProcessor implements PictureProcessor {
|
||||
if (context.fileIngestIsCancelled()) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
final Blackboard blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard();
|
||||
|
||||
if (!attributes.isEmpty() && !blackboard.artifactExists(file, TSK_METADATA_EXIF, attributes)) {
|
||||
|
||||
final BlackboardArtifact exifArtifact = file.newDataArtifact(new BlackboardArtifact.Type(TSK_METADATA_EXIF), attributes);
|
||||
|
||||
final BlackboardArtifact userSuspectedArtifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_USER_CONTENT_SUSPECTED), Score.SCORE_UNKNOWN, null, null, null,
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, Bundle.ExifProcessor_userContent_description())))
|
||||
.getAnalysisResult();
|
||||
|
||||
final BlackboardArtifact exifArtifact = file.newArtifact(TSK_METADATA_EXIF);
|
||||
final BlackboardArtifact userSuspectedArtifact = file.newArtifact(TSK_USER_CONTENT_SUSPECTED);
|
||||
exifArtifact.addAttributes(attributes);
|
||||
userSuspectedArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
MODULE_NAME, Bundle.ExifProcessor_userContent_description()));
|
||||
try {
|
||||
// index the artifact for keyword search
|
||||
blackboard.postArtifact(exifArtifact, MODULE_NAME);
|
||||
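Review bot: The `TSK_USER_CONTENT_SUSPECTED` analysis result is created with `Score.SCORE_UNKNOWN` and `null` for the conclusion, configuration and justification arguments, so the finding carries no stated significance and no record of why it was raised. The same placeholder call shape appears in this commit in YaraIngestHelper (`TSK_YARA_HIT`), StixArtifactData and VolatilityProcessor (`TSK_INTERESTING_FILE_HIT`), ObjectDetectectionFileIngestModule (`TSK_OBJECT_DETECTED`) and LuceneQuery (`TSK_KEYWORD_HIT`). If this is a deliberate stopgap for the API migration, mark it at each call site, e.g. `// TODO: SCORE_UNKNOWN and null conclusion/justification are migration placeholders; set real values per module`, so that an unknown score is not later read as an assessed one. The enclosing method starts and ends outside the hunk.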
|
@ -345,8 +345,9 @@ public class PlasoIngestModule implements DataSourceIngestModule {
|
||||
eventType.getTypeID()));
|
||||
|
||||
try {
|
||||
BlackboardArtifact bbart = resolvedFile.newArtifact(TSK_TL_EVENT);
|
||||
bbart.addAttributes(bbattributes);
|
||||
BlackboardArtifact bbart = resolvedFile instanceof AbstractFile
|
||||
? ((AbstractFile) resolvedFile).newDataArtifact(new BlackboardArtifact.Type(TSK_TL_EVENT), bbattributes)
|
||||
: resolvedFile.newDataArtifact(new BlackboardArtifact.Type(TSK_TL_EVENT), bbattributes, null);
|
||||
try {
|
||||
/*
|
||||
* Post the artifact which will index the artifact for
|
||||
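Review bot: The `instanceof AbstractFile` ternary that chooses between the two `newDataArtifact` overloads is repeated here, in LeappFileProcessor and in CustomArtifactType, and each copy passes a bare `null` as the third argument (AddManualEvent does the same without the ternary). A small shared helper, or at least a comment such as `// non-file content: no OS account id to attach` (presumably what the argument is; confirm against the datamodel), would keep these sites from drifting apart. `new BlackboardArtifact.Type(TSK_TL_EVENT)` is also built in both branches; a single `private static final BlackboardArtifact.Type TL_EVENT_TYPE = new BlackboardArtifact.Type(TSK_TL_EVENT);` would read better. The enclosing method continues outside the hunk.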
|
@ -39,6 +39,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_YARA_
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
/**
|
||||
@ -112,7 +113,7 @@ final class YaraIngestHelper {
|
||||
* Scan the given AbstractFile for yara rule matches from the rule sets in
|
||||
* the given directory creating a blackboard artifact for each matching
|
||||
* rule.
|
||||
*
|
||||
*
|
||||
* @param file The Abstract File being processed.
|
||||
* @param baseRuleSetDirectory Base directory of the compiled rule sets.
|
||||
* @param localFile Local copy of file.
|
||||
@ -141,7 +142,7 @@ final class YaraIngestHelper {
|
||||
* Scan the given file byte array for rule matches using the YaraJNIWrapper
|
||||
* API.
|
||||
*
|
||||
* @param fileBytes An array of the file data.
|
||||
* @param fileBytes An array of the file data.
|
||||
* @param ruleSetDirectory Base directory of the compiled rule sets.
|
||||
*
|
||||
* @return List of rules that match from the given file from the given rule
|
||||
@ -162,15 +163,17 @@ final class YaraIngestHelper {
|
||||
}
|
||||
|
||||
/**
|
||||
* Scan the given file for rules that match from the given rule set directory.
|
||||
*
|
||||
* @param scanFile Locally stored file to scan.
|
||||
* Scan the given file for rules that match from the given rule set
|
||||
* directory.
|
||||
*
|
||||
* @param scanFile Locally stored file to scan.
|
||||
* @param ruleSetDirectory Base directory of the compiled rule sets.
|
||||
* @param timeout YARA Scanner timeout value.
|
||||
*
|
||||
* @return List of matching rules, if none were found the list will be empty.
|
||||
*
|
||||
* @throws YaraWrapperException
|
||||
* @param timeout YARA Scanner timeout value.
|
||||
*
|
||||
* @return List of matching rules, if none were found the list will be
|
||||
* empty.
|
||||
*
|
||||
* @throws YaraWrapperException
|
||||
*/
|
||||
private static List<String> scanFileForMatch(File scanFile, File ruleSetDirectory, int timeout) throws YaraWrapperException {
|
||||
List<String> matchingRules = new ArrayList<>();
|
||||
@ -198,13 +201,15 @@ final class YaraIngestHelper {
|
||||
private static List<BlackboardArtifact> createArtifact(AbstractFile abstractFile, String ruleSetName, List<String> matchingRules) throws TskCoreException {
|
||||
List<BlackboardArtifact> artifacts = new ArrayList<>();
|
||||
for (String rule : matchingRules) {
|
||||
BlackboardArtifact artifact = abstractFile.newArtifact(TSK_YARA_HIT);
|
||||
|
||||
List<BlackboardAttribute> attributes = new ArrayList<>();
|
||||
|
||||
attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName));
|
||||
attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule));
|
||||
|
||||
artifact.addAttributes(attributes);
|
||||
BlackboardArtifact artifact = abstractFile.newAnalysisResult(new BlackboardArtifact.Type(TSK_YARA_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
artifacts.add(artifact);
|
||||
}
|
||||
return artifacts;
|
||||
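Review bot: `createArtifact` adds one `TSK_YARA_HIT` per matching rule without first checking for an existing identical hit, whereas the EXIF, STIX and Volatility paths in this commit guard creation with `blackboard.artifactExists(...)`. Unless the caller, which is outside the hunk, already prevents it, re-running the module on the same file would record duplicate hits and inflate the result set an examiner has to triage. A guard of the form `if (!blackboard.artifactExists(abstractFile, TSK_YARA_HIT, attributes))` around the `newAnalysisResult` call would match the other modules; it needs a `Blackboard` reference that is not visible in this hunk. The method's closing lines are outside the hunk.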
|
@ -64,7 +64,6 @@ import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Account;
|
||||
import org.sleuthkit.datamodel.Blackboard.BlackboardException;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifactTag;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.CaseDbAccessManager;
|
||||
@ -75,9 +74,7 @@ import org.sleuthkit.datamodel.FileSystem;
|
||||
import org.sleuthkit.datamodel.Host;
|
||||
import org.sleuthkit.datamodel.Image;
|
||||
import org.sleuthkit.datamodel.LocalFilesDataSource;
|
||||
import org.sleuthkit.datamodel.OsAccount;
|
||||
import org.sleuthkit.datamodel.Pool;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
|
||||
import org.sleuthkit.datamodel.TagName;
|
||||
@ -106,7 +103,7 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
// These are the types for the exported file subfolders
|
||||
private static final List<FileTypeCategory> FILE_TYPE_CATEGORIES = Arrays.asList(FileTypeCategory.AUDIO, FileTypeCategory.DOCUMENTS,
|
||||
FileTypeCategory.EXECUTABLE, FileTypeCategory.IMAGE, FileTypeCategory.VIDEO);
|
||||
|
||||
|
||||
// These are attribute types that have special handling and should not be copied
|
||||
// into the new artifact directly.
|
||||
private static final List<Integer> SPECIALLY_HANDLED_ATTRS = Arrays.asList(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID(),
|
||||
@ -455,7 +452,7 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
if (options.shouldCompress()) {
|
||||
progressPanel.updateStatusLabel(Bundle.PortableCaseReportModule_generateReport_compressingCase());
|
||||
|
||||
if (!compressCase(progressPanel, options.includeApplication() ? outputDir.getAbsolutePath() : caseFolder.getAbsolutePath())) {
|
||||
if(!compressCase(progressPanel, options.includeApplication() ? outputDir.getAbsolutePath() : caseFolder.getAbsolutePath())){
|
||||
// Errors have been handled already
|
||||
return;
|
||||
}
|
||||
@ -873,9 +870,8 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
/**
|
||||
* Add all artifacts with a given tag to the portable case.
|
||||
*
|
||||
* @param dataSourceId The data source id.
|
||||
* @param oldTagName The TagName object from the current case.
|
||||
* @param progressPanel The progress panel.
|
||||
* @param oldTagName The TagName object from the current case
|
||||
* @param progressPanel The progress panel
|
||||
*
|
||||
* @throws TskCoreException
|
||||
*/
|
||||
@ -896,14 +892,11 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
long newContentId = copyContentToPortableCase(content, progressPanel);
|
||||
|
||||
// Copy the artifact
|
||||
Long dataSourceObjId = content == null || content.getDataSource() == null
|
||||
? null
|
||||
: content.getDataSource().getId();
|
||||
BlackboardArtifact newArtifact = copyArtifact(dataSourceObjId, newContentId, tag.getArtifact());
|
||||
|
||||
BlackboardArtifact newArtifact = copyArtifact(newContentId, tag.getArtifact());
|
||||
|
||||
// Copy any attachments
|
||||
copyAttachments(newArtifact, tag.getArtifact(), portableSkCase.getAbstractFileById(newContentId));
|
||||
|
||||
|
||||
// Copy any files associated with this artifact through the TSK_PATH_ID attribute
|
||||
copyPathID(newArtifact, tag.getArtifact());
|
||||
|
||||
@ -919,16 +912,15 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
* Copy an artifact into the new case. Will also copy any associated
|
||||
* artifacts
|
||||
*
|
||||
* @param newDataSourceId The data source ID (in the portable case).
|
||||
* @param newContentId The content ID (in the portable case) of the
|
||||
* source content.
|
||||
* @param artifactToCopy The artifact to copy.
|
||||
* @param newContentId The content ID (in the portable case) of the source
|
||||
* content
|
||||
* @param artifactToCopy The artifact to copy
|
||||
*
|
||||
* @return The new artifact in the portable case.
|
||||
* @return The new artifact in the portable case
|
||||
*
|
||||
* @throws TskCoreException
|
||||
*/
|
||||
private BlackboardArtifact copyArtifact(Long newDataSourceId, long newContentId, BlackboardArtifact artifactToCopy) throws TskCoreException {
|
||||
private BlackboardArtifact copyArtifact(long newContentId, BlackboardArtifact artifactToCopy) throws TskCoreException {
|
||||
|
||||
if (oldArtifactIdToNewArtifact.containsKey(artifactToCopy.getArtifactID())) {
|
||||
return oldArtifactIdToNewArtifact.get(artifactToCopy.getArtifactID());
|
||||
@ -939,11 +931,14 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
List<BlackboardAttribute> newAttrs = new ArrayList<>();
|
||||
if (oldAssociatedAttribute != null) {
|
||||
BlackboardArtifact oldAssociatedArtifact = currentCase.getSleuthkitCase().getBlackboardArtifact(oldAssociatedAttribute.getValueLong());
|
||||
BlackboardArtifact newAssociatedArtifact = copyArtifact(newDataSourceId, newContentId, oldAssociatedArtifact);
|
||||
BlackboardArtifact newAssociatedArtifact = copyArtifact(newContentId, oldAssociatedArtifact);
|
||||
newAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
|
||||
String.join(",", oldAssociatedAttribute.getSources()), newAssociatedArtifact.getArtifactID()));
|
||||
}
|
||||
|
||||
|
||||
// Create the new artifact
|
||||
int newArtifactTypeId = getNewArtifactTypeId(artifactToCopy);
|
||||
BlackboardArtifact newArtifact = portableSkCase.newBlackboardArtifact(newArtifactTypeId, newContentId);
|
||||
List<BlackboardAttribute> oldAttrs = artifactToCopy.getAttributes();
|
||||
|
||||
// Copy over each attribute, making sure the type is in the new case.
|
||||
@ -983,21 +978,8 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
}
|
||||
}
|
||||
|
||||
// Create the new artifact
|
||||
int newArtifactTypeId = getNewArtifactTypeId(artifactToCopy);
|
||||
BlackboardArtifact.Type type = new BlackboardArtifact.Type(ARTIFACT_TYPE.fromID(newArtifactTypeId));
|
||||
BlackboardArtifact newArtifact = null;
|
||||
switch (type.getCategory()) {
|
||||
case ANALYSIS_RESULT:
|
||||
newArtifact = portableSkCase.getBlackboard().newDataArtifact(type, newContentId, newDataSourceId, newAttrs, osAccount);
|
||||
break;
|
||||
case DATA_ARTIFACT:
|
||||
newArtifact = portableSkCase.getBlackboard().newAnalysisResult(type, newContentId, newDataSourceId, Score.SCORE_UNKNOWN, null, null, null, newAttrs);
|
||||
break;
|
||||
default:
|
||||
throw new TskCoreException("Unknown category: " + type.getCategory());
|
||||
}
|
||||
|
||||
newArtifact.addAttributes(newAttrs);
|
||||
|
||||
oldArtifactIdToNewArtifact.put(artifactToCopy.getArtifactID(), newArtifact);
|
||||
return newArtifact;
|
||||
}
|
||||
@ -1093,21 +1075,19 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
parentId = copyContent(content.getParent());
|
||||
}
|
||||
|
||||
Long dataSourceObjId = content.getDataSource() == null ? null : content.getDataSource().getId();
|
||||
|
||||
Content newContent;
|
||||
if (content instanceof BlackboardArtifact) {
|
||||
BlackboardArtifact artifactToCopy = (BlackboardArtifact) content;
|
||||
newContent = copyArtifact(dataSourceObjId, parentId, artifactToCopy);
|
||||
newContent = copyArtifact(parentId, artifactToCopy);
|
||||
} else {
|
||||
|
||||
|
||||
// Get or create the host (if needed) before beginning transaction.
|
||||
Host newHost = null;
|
||||
if (content instanceof DataSource) {
|
||||
Host oldHost = ((DataSource) content).getHost();
|
||||
Host oldHost = ((DataSource)content).getHost();
|
||||
newHost = portableSkCase.getHostManager().newHost(oldHost.getName());
|
||||
}
|
||||
|
||||
|
||||
CaseDbTransaction trans = portableSkCase.beginTransaction();
|
||||
try {
|
||||
if (content instanceof Image) {
|
||||
@ -1131,7 +1111,7 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
fs.getName(), trans);
|
||||
} else if (content instanceof BlackboardArtifact) {
|
||||
BlackboardArtifact artifactToCopy = (BlackboardArtifact) content;
|
||||
newContent = copyArtifact(dataSourceObjId, parentId, artifactToCopy);
|
||||
newContent = copyArtifact(parentId, artifactToCopy);
|
||||
} else if (content instanceof AbstractFile) {
|
||||
AbstractFile abstractFile = (AbstractFile) content;
|
||||
|
||||
@ -1189,13 +1169,12 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
|
||||
/**
|
||||
* Copy path ID attribute to new case along with the referenced file.
|
||||
*
|
||||
* @param newArtifact The new artifact in the portable case. Should not have
|
||||
* a TSK_PATH_ID attribute.
|
||||
*
|
||||
* @param newArtifact The new artifact in the portable case. Should not have a TSK_PATH_ID attribute.
|
||||
* @param oldArtifact The old artifact.
|
||||
*
|
||||
* @throws TskCoreException
|
||||
*/
|
||||
*
|
||||
* @throws TskCoreException
|
||||
*/
|
||||
private void copyPathID(BlackboardArtifact newArtifact, BlackboardArtifact oldArtifact) throws TskCoreException {
|
||||
// Get the path ID attribute
|
||||
BlackboardAttribute oldPathIdAttr = oldArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID));
|
||||
@ -1210,17 +1189,15 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Copy attachments to the portable case.
|
||||
*
|
||||
* @param newArtifact The new artifact in the portable case. Should not have
|
||||
* a TSK_ATTACHMENTS attribute.
|
||||
*
|
||||
* @param newArtifact The new artifact in the portable case. Should not have a TSK_ATTACHMENTS attribute.
|
||||
* @param oldArtifact The old artifact.
|
||||
* @param newFile The new file in the portable case associated with the
|
||||
* artifact.
|
||||
*
|
||||
* @throws TskCoreException
|
||||
* @param newFile The new file in the portable case associated with the artifact.
|
||||
*
|
||||
* @throws TskCoreException
|
||||
*/
|
||||
private void copyAttachments(BlackboardArtifact newArtifact, BlackboardArtifact oldArtifact, AbstractFile newFile) throws TskCoreException {
|
||||
// Get the attachments from TSK_ATTACHMENTS attribute.
|
||||
@ -1243,19 +1220,20 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
newFileAttachments.add(new MessageAttachments.FileAttachment(portableSkCase.getAbstractFileById(newFileID)));
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Get the name of the module(s) that created the attachment
|
||||
String newSourceStr = "";
|
||||
List<String> oldSources = attachmentsAttr.getSources();
|
||||
if (!oldSources.isEmpty()) {
|
||||
if (! oldSources.isEmpty()) {
|
||||
newSourceStr = String.join(",", oldSources);
|
||||
}
|
||||
|
||||
|
||||
// Add the attachment. The account type specified in the constructor will not be used.
|
||||
CommunicationArtifactsHelper communicationArtifactsHelper = new CommunicationArtifactsHelper(currentCase.getSleuthkitCase(),
|
||||
newSourceStr, newFile, Account.Type.EMAIL);
|
||||
communicationArtifactsHelper.addAttachments(newArtifact, new MessageAttachments(newFileAttachments, msgAttachments.getUrlAttachments()));
|
||||
} catch (BlackboardJsonAttrUtil.InvalidJsonException ex) {
|
||||
}
|
||||
catch (BlackboardJsonAttrUtil.InvalidJsonException ex) {
|
||||
throw new TskCoreException(String.format("Unable to parse json for MessageAttachments object in artifact: %s", oldArtifact.getName()), ex);
|
||||
}
|
||||
} else { // backward compatibility - email message attachments are derived files, children of the message.
|
||||
@ -1426,7 +1404,7 @@ public class PortableCaseReportModule implements ReportModule {
|
||||
"PortableCaseReportModule.compressCase.errorCompressingCase=Error compressing case",
|
||||
"PortableCaseReportModule.compressCase.canceled=Compression canceled by user",})
|
||||
private boolean compressCase(ReportProgressPanel progressPanel, String folderToCompress) {
|
||||
|
||||
|
||||
closePortableCaseDatabase();
|
||||
|
||||
// Make a temporary folder for the compressed case
|
||||
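Review bot: `copyArtifact` still creates the copy with `portableSkCase.newBlackboardArtifact(newArtifactTypeId, newContentId)` followed by `newArtifact.addAttributes(newAttrs)`, which is the call the commit title says is being removed; going by the hunk counts (`-983,21 +978,8`), the category `switch` is the side being dropped. If that switch is brought back, note that as shown it pairs `case ANALYSIS_RESULT` with `newDataArtifact(...)` and `case DATA_ARTIFACT` with `newAnalysisResult(...)`; the two bodies need to be swapped so a copied artifact keeps its category in the portable case. Please confirm whether this file was meant to stay on the old API in this commit.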
|
@ -34,6 +34,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
@ -87,8 +88,9 @@ class StixArtifactData {
|
||||
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact bba = file.newArtifact(TSK_INTERESTING_FILE_HIT);
|
||||
bba.addAttributes(attributes);
|
||||
BlackboardArtifact bba = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributes).getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
|
@ -23,10 +23,13 @@ import java.util.List;
|
||||
import javax.xml.bind.DatatypeConverter;
|
||||
import org.joda.time.DateTime;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.Blackboard.BlackboardException;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
/**
|
||||
@ -93,7 +96,6 @@ final class CustomArtifactType {
|
||||
* artifact to the blackboard.
|
||||
*/
|
||||
static BlackboardArtifact createAndPostInstance(Content source) throws TskCoreException, Blackboard.BlackboardException {
|
||||
BlackboardArtifact artifact = source.newArtifact(artifactType.getTypeID());
|
||||
List<BlackboardAttribute> attributes = new ArrayList<>();
|
||||
attributes.add(new BlackboardAttribute(intAttrType, MODULE_NAME, 0));
|
||||
attributes.add(new BlackboardAttribute(doubleAttrType, MODULE_NAME, 0.0));
|
||||
@ -102,7 +104,6 @@ final class CustomArtifactType {
|
||||
attributes.add(new BlackboardAttribute(bytesAttrType, MODULE_NAME, DatatypeConverter.parseHexBinary("ABCD")));
|
||||
attributes.add(new BlackboardAttribute(stringAttrType, MODULE_NAME, "Zero"));
|
||||
attributes.add(new BlackboardAttribute(jsonAttrType, MODULE_NAME, "{\"fruit\": \"Apple\",\"size\": \"Large\",\"color\": \"Red\"}"));
|
||||
artifact.addAttributes(attributes);
|
||||
|
||||
/*
|
||||
* Add a second source module to the attributes. Try to do it twice. The
|
||||
@ -113,6 +114,30 @@ final class CustomArtifactType {
|
||||
attr.addSource(ADDITIONAL_MODULE_NAME);
|
||||
}
|
||||
|
||||
BlackboardArtifact artifact;
|
||||
|
||||
if (artifactType.getCategory() == null) {
|
||||
throw new TskCoreException(String.format("Artifact type: %s has no category.",
|
||||
artifactType.getDisplayName(), artifactType.getCategory().getDisplayName()));
|
||||
}
|
||||
|
||||
switch (artifactType.getCategory()) {
|
||||
case DATA_ARTIFACT:
|
||||
artifact = (source instanceof AbstractFile)
|
||||
? ((AbstractFile) source).newDataArtifact(artifactType, attributes)
|
||||
: source.newDataArtifact(artifactType, attributes, null);
|
||||
break;
|
||||
|
||||
case ANALYSIS_RESULT:
|
||||
artifact = source.newAnalysisResult(artifactType, Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
break;
|
||||
|
||||
default:
|
||||
throw new TskCoreException(String.format("Artifact type: %s has no known category: %s",
|
||||
artifactType.getDisplayName(), artifactType.getCategory().getDisplayName()));
|
||||
}
|
||||
|
||||
Blackboard blackboard = Case.getCurrentCase().getServices().getArtifactsBlackboard();
|
||||
blackboard.postArtifact(artifact, MODULE_NAME);
|
||||
|
||||
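Review bot: In the `artifactType.getCategory() == null` branch, the message arguments call `artifactType.getCategory().getDisplayName()`, so the guard itself throws a `NullPointerException` instead of the intended `TskCoreException`. The format string also has only one `%s` for two arguments. Drop the second argument: `throw new TskCoreException(String.format("Artifact type: %s has no category.", artifactType.getDisplayName()));`. The method begins in an earlier hunk of this file and continues past this one.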
|
@ -20,6 +20,7 @@ package org.sleuthkit.autopsy.test;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.logging.Level;
|
||||
import org.openide.util.NbBundle;
|
||||
import org.sleuthkit.autopsy.casemodule.Case;
|
||||
@ -31,6 +32,7 @@ import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
/**
|
||||
@ -77,11 +79,11 @@ final class InterestingArtifactCreatorIngestModule extends FileIngestModuleAdapt
|
||||
int randomArtIndex = (int) (Math.random() * 3);
|
||||
Blackboard blackboard = Case.getCurrentCaseThrows().getServices().getArtifactsBlackboard();
|
||||
BlackboardArtifact.Type artifactTypeBase = blackboard.getOrAddArtifactType(ARTIFACT_TYPE_NAMES[randomArtIndex], ARTIFACT_DISPLAY_NAMES[randomArtIndex]);
|
||||
BlackboardArtifact artifactBase = file.newArtifact(artifactTypeBase.getTypeID());
|
||||
|
||||
Collection<BlackboardAttribute> baseAttributes = new ArrayList<>();
|
||||
String commentTxt;
|
||||
BlackboardAttribute baseAttr;
|
||||
switch (artifactBase.getArtifactTypeID()) {
|
||||
switch (artifactTypeBase.getTypeID()) {
|
||||
case 2:
|
||||
commentTxt = "www.placeholderWebsiteDOTCOM";
|
||||
baseAttr = new BlackboardAttribute(
|
||||
@ -110,8 +112,20 @@ final class InterestingArtifactCreatorIngestModule extends FileIngestModuleAdapt
|
||||
commentTxt = "DEPENDENT ON ARTIFACT TYPE";
|
||||
break;
|
||||
}
|
||||
artifactBase.addAttributes(baseAttributes);
|
||||
BlackboardArtifact artifact = file.newArtifact(artifactType.getTypeID());
|
||||
|
||||
BlackboardArtifact artifactBase;
|
||||
switch (artifactTypeBase.getCategory()) {
|
||||
case DATA_ARTIFACT:
|
||||
artifactBase = file.newDataArtifact(artifactTypeBase, baseAttributes);
|
||||
break;
|
||||
case ANALYSIS_RESULT:
|
||||
artifactBase = file.newAnalysisResult(artifactTypeBase, Score.SCORE_UNKNOWN, null, null, null, baseAttributes)
|
||||
.getAnalysisResult();
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("Unknown category type: " + artifactTypeBase.getCategory().getDisplayName());
|
||||
}
|
||||
|
||||
Collection<BlackboardAttribute> attributes = new ArrayList<>();
|
||||
BlackboardAttribute att = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, "ArtifactsAndTxt");
|
||||
|
||||
@ -121,7 +135,19 @@ final class InterestingArtifactCreatorIngestModule extends FileIngestModuleAdapt
|
||||
attributes.add(att2);
|
||||
attributes.add(att3);
|
||||
attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, artifactBase.getArtifactID()));
|
||||
artifact.addAttributes(attributes);
|
||||
|
||||
switch (artifactType.getCategory()) {
|
||||
case DATA_ARTIFACT:
|
||||
file.newDataArtifact(artifactType, attributes);
|
||||
break;
|
||||
case ANALYSIS_RESULT:
|
||||
file.newAnalysisResult(artifactType, Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
break;
|
||||
default:
|
||||
throw new IllegalArgumentException("Unknown category type: " + artifactType.getCategory().getDisplayName());
|
||||
}
|
||||
|
||||
} catch (TskCoreException | NoCurrentCaseException ex) {
|
||||
logger.log(Level.SEVERE, String.format("Failed to process file (obj_id = %d)", file.getId()), ex);
|
||||
return ProcessResult.ERROR;
|
||||
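Review bot: Both category switches throw `IllegalArgumentException` from their `default` branch and switch on `getCategory()` without a null check, but the handler that follows only catches `TskCoreException | NoCurrentCaseException`. A missing or unexpected category would therefore escape as a runtime exception instead of being logged and returned as `ProcessResult.ERROR`; LeappFileProcessor's null check in this same commit suggests a null category is considered possible. Guarding with `if (artifactTypeBase.getCategory() == null)` and throwing `new TskCoreException("Unknown category type: " + artifactTypeBase.getCategory())` in both places, as CustomArtifactType does, keeps the failure on the existing error path. The trailing `.getAnalysisResult()` in the second switch is unused and can be dropped. The method starts outside the hunk.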
|
@ -22,7 +22,7 @@ import java.awt.Dialog;
|
||||
import java.time.Instant;
|
||||
import java.time.LocalDateTime;
|
||||
import java.time.ZoneId;
|
||||
import static java.util.Arrays.asList;
|
||||
import java.util.Arrays;
|
||||
import java.util.List;
|
||||
import java.util.Objects;
|
||||
import java.util.logging.Level;
|
||||
@ -142,9 +142,7 @@ public class AddManualEvent extends Action {
|
||||
try {
|
||||
//Use the current examiners name plus a fixed string as the source / module name.
|
||||
String source = MANUAL_CREATION + ": " + sleuthkitCase.getCurrentExaminer().getLoginName();
|
||||
|
||||
BlackboardArtifact artifact = sleuthkitCase.newBlackboardArtifact(TSK_TL_EVENT, eventInfo.datasource.getId());
|
||||
artifact.addAttributes(asList(
|
||||
List<BlackboardAttribute> attributes = Arrays.asList(
|
||||
new BlackboardAttribute(
|
||||
TSK_TL_EVENT_TYPE, source,
|
||||
TimelineEventType.USER_CREATED.getTypeID()),
|
||||
@ -154,7 +152,10 @@ public class AddManualEvent extends Action {
|
||||
new BlackboardAttribute(
|
||||
TSK_DATETIME, source,
|
||||
eventInfo.time)
|
||||
));
|
||||
);
|
||||
|
||||
BlackboardArtifact artifact = eventInfo.datasource.newDataArtifact(new BlackboardArtifact.Type(TSK_TL_EVENT), attributes, null);
|
||||
|
||||
try {
|
||||
sleuthkitCase.getBlackboard().postArtifact(artifact, source);
|
||||
} catch (Blackboard.BlackboardException ex) {
|
||||
|
@ -19,8 +19,9 @@
|
||||
package org.sleuthkit.autopsy.experimental.objectdetection;
|
||||
|
||||
import java.io.File;
|
||||
import java.util.Collections;
|
||||
import java.util.Arrays;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
import java.util.logging.Level;
|
||||
import org.apache.commons.io.FilenameUtils;
|
||||
@ -43,12 +44,12 @@ import org.sleuthkit.autopsy.ingest.IngestMessage;
|
||||
import org.sleuthkit.autopsy.ingest.IngestModule;
|
||||
import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter;
|
||||
import org.sleuthkit.autopsy.ingest.IngestServices;
|
||||
import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
|
||||
import org.sleuthkit.datamodel.AbstractFile;
|
||||
import org.sleuthkit.datamodel.Blackboard;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OBJECT_DETECTED;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
/**
|
||||
@ -163,14 +164,16 @@ public class ObjectDetectectionFileIngestModule extends FileIngestModuleAdapter
|
||||
if (!detectionRectangles.empty()) {
|
||||
//if any detections occurred create an artifact for this classifier and file combination
|
||||
try {
|
||||
BlackboardArtifact artifact = file.newArtifact(TSK_OBJECT_DETECTED);
|
||||
artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION,
|
||||
MODULE_NAME,
|
||||
classifierKey));
|
||||
artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT,
|
||||
MODULE_NAME,
|
||||
Bundle.ObjectDetectionFileIngestModule_classifierDetection_text((int) detectionRectangles.size().height)));
|
||||
|
||||
List<BlackboardAttribute> attributes = Arrays.asList(
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, MODULE_NAME, classifierKey),
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME,
|
||||
Bundle.ObjectDetectionFileIngestModule_classifierDetection_text((int) detectionRectangles.size().height))
|
||||
);
|
||||
|
||||
BlackboardArtifact artifact = file.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(TSK_OBJECT_DETECTED), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
/*
|
||||
* Index the artifact for keyword search.
|
||||
|
@ -46,6 +46,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.Image;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData.EncodingType;
|
||||
import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM;
|
||||
@ -384,8 +385,10 @@ class VolatilityProcessor {
|
||||
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!blackboard.artifactExists(resolvedFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, attributes)) {
|
||||
BlackboardArtifact volArtifact = resolvedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
|
||||
volArtifact.addAttributes(attributes);
|
||||
BlackboardArtifact volArtifact = resolvedFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT),
|
||||
Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
// index the artifact for keyword search
|
||||
|
@ -569,8 +569,7 @@ public final class KeywordSearchIngestModule implements FileIngestModule {
|
||||
}
|
||||
if (!attributes.isEmpty()) {
|
||||
try {
|
||||
BlackboardArtifact bbart = aFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA);
|
||||
bbart.addAttributes(attributes);
|
||||
BlackboardArtifact bbart = aFile.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA), attributes);
|
||||
bbartifacts.add(bbart);
|
||||
} catch (TskCoreException ex) {
|
||||
// Log error and return to continue processing
|
||||
|
@ -40,6 +40,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskException;
|
||||
|
||||
@ -236,14 +237,6 @@ class LuceneQuery implements KeywordSearchQuery {
|
||||
final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName();
|
||||
|
||||
Collection<BlackboardAttribute> attributes = new ArrayList<>();
|
||||
BlackboardArtifact bba;
|
||||
try {
|
||||
bba = content.newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT);
|
||||
} catch (TskCoreException e) {
|
||||
logger.log(Level.WARNING, "Error adding bb artifact for keyword hit", e); //NON-NLS
|
||||
return null;
|
||||
}
|
||||
|
||||
if (snippet != null) {
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW, MODULE_NAME, snippet));
|
||||
}
|
||||
@ -270,10 +263,10 @@ class LuceneQuery implements KeywordSearchQuery {
|
||||
);
|
||||
|
||||
try {
|
||||
bba.addAttributes(attributes); //write out to bb
|
||||
return bba;
|
||||
return content.newAnalysisResult(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_KEYWORD_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
} catch (TskCoreException e) {
|
||||
logger.log(Level.WARNING, "Error adding bb attributes to artifact", e); //NON-NLS
|
||||
logger.log(Level.WARNING, "Error adding bb artifact for keyword hit", e); //NON-NLS
|
||||
return null;
|
||||
}
|
||||
}
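Review bot: The new `content.newAnalysisResult(..., Score.SCORE_UNKNOWN, null, null, null, attributes)` call in LuceneQuery gives no hint of what the three positional nulls are or why a keyword hit is recorded without a score. In the datamodel API those arguments are the conclusion, configuration and justification, so a short comment above the call would help, for example `// no conclusion/configuration/justification yet; keyword hits are left unscored (SCORE_UNKNOWN)`. The same unexplained pattern appears in this commit in VolatilityProcessor, RegexQuery, `Extract.createArtifactWithAttributes` and ThunderbirdMboxFileIngestModule (encryption detected). If any downstream view or report ranks results by score, these hits will all look alike, so it is worth confirming that an unknown score is intended for every one of these artifact types. The enclosing method starts outside the hunk.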
|
||||
|
@ -52,6 +52,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
|
||||
@ -590,19 +591,11 @@ final class RegexQuery implements KeywordSearchQuery {
|
||||
* Create a "plain vanilla" keyword hit artifact with keyword and regex
|
||||
* attributes
|
||||
*/
|
||||
BlackboardArtifact newArtifact;
|
||||
Collection<BlackboardAttribute> attributes = new ArrayList<>();
|
||||
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD, MODULE_NAME, foundKeyword.getSearchTerm()));
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP, MODULE_NAME, getQueryString()));
|
||||
|
||||
try {
|
||||
newArtifact = content.newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT);
|
||||
} catch (TskCoreException ex) {
|
||||
LOGGER.log(Level.SEVERE, "Error adding artifact for keyword hit to blackboard", ex); //NON-NLS
|
||||
return null;
|
||||
}
|
||||
|
||||
if (StringUtils.isNotBlank(listName)) {
|
||||
attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, listName));
|
||||
}
|
||||
@ -621,8 +614,8 @@ final class RegexQuery implements KeywordSearchQuery {
|
||||
}
|
||||
|
||||
try {
|
||||
newArtifact.addAttributes(attributes);
|
||||
return newArtifact;
|
||||
return content.newAnalysisResult(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_KEYWORD_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes)
|
||||
.getAnalysisResult();
|
||||
} catch (TskCoreException e) {
|
||||
LOGGER.log(Level.SEVERE, "Error adding bb attributes for terms search artifact", e); //NON-NLS
|
||||
return null;
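Review bot: The catch block at the end of the second RegexQuery hunk still logs `"Error adding bb attributes for terms search artifact"`, but the `try` now creates the artifact itself through `content.newAnalysisResult(...)`, so a failed artifact creation is reported as an attribute problem. LuceneQuery's equivalent catch was reworded in this same commit; the message removed from the earlier hunk fits here: `LOGGER.log(Level.SEVERE, "Error adding artifact for keyword hit to blackboard", e); //NON-NLS`. Accurate wording matters when an examiner reads the ingest log to work out why a hit is missing from the case. The enclosing method starts and ends outside the hunk.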
|
||||
|
@ -31,6 +31,7 @@ import java.nio.charset.Charset;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
import java.util.List;
|
||||
@ -549,13 +550,12 @@ final class ChromeCacheExtractor {
|
||||
artifactsAdded.add(webCacheArtifact);
|
||||
|
||||
// Create a TSK_ASSOCIATED_OBJECT on the f_XXX or derived file file back to the CACHE entry
|
||||
BlackboardArtifact associatedObjectArtifact = cachedItemFile.newArtifact(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT);
|
||||
if (associatedObjectArtifact != null) {
|
||||
associatedObjectArtifact.addAttribute(
|
||||
new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
|
||||
moduleName, webCacheArtifact.getArtifactID()));
|
||||
artifactsAdded.add(associatedObjectArtifact);
|
||||
}
|
||||
BlackboardArtifact associatedObjectArtifact = cachedItemFile.newDataArtifact(
|
||||
new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT),
|
||||
Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT,
|
||||
moduleName, webCacheArtifact.getArtifactID())));
|
||||
|
||||
artifactsAdded.add(associatedObjectArtifact);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -52,6 +52,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOC
|
||||
import org.sleuthkit.datamodel.BlackboardAttribute;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.OsAccount;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
|
||||
@ -160,12 +161,13 @@ abstract class Extract {
|
||||
*/
|
||||
BlackboardArtifact createArtifactWithAttributes(BlackboardArtifact.Type type, Content content, Collection<BlackboardAttribute> attributes) throws TskCoreException {
|
||||
Optional<OsAccount> optional = getOsAccount(content);
|
||||
if (optional.isPresent() && type.getCategory() == BlackboardArtifact.Category.DATA_ARTIFACT) {
|
||||
return content.newDataArtifact(type, attributes, optional.get());
|
||||
} else {
|
||||
BlackboardArtifact bbart = content.newArtifact(type.getTypeID());
|
||||
bbart.addAttributes(attributes);
|
||||
return bbart;
|
||||
switch (type.getCategory()) {
|
||||
case DATA_ARTIFACT:
|
||||
return content.newDataArtifact(type, attributes, optional.orElse(null));
|
||||
case ANALYSIS_RESULT:
|
||||
return content.newAnalysisResult(type, Score.SCORE_UNKNOWN, null, null, null, attributes).getAnalysisResult();
|
||||
default:
|
||||
throw new TskCoreException("Unknown category type: " + type.getCategory().getDisplayName());
|
||||
}
|
||||
}
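Review bot: `getOsAccount(content)` is still evaluated at the top of `createArtifactWithAttributes`, but after this change its result is read only in the `DATA_ARTIFACT` case. The `ANALYSIS_RESULT` and `default` paths therefore pay for what is presumably an account lookup that they discard. Moving it into the case keeps the lookup next to its only use: `return content.newDataArtifact(type, attributes, getOsAccount(content).orElse(null));`. The method's Javadoc begins outside the hunk and should gain a `@throws TskCoreException` line saying that a category other than data artifact or analysis result is now rejected, since the old code created the artifact regardless of category.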
|
||||
|
||||
|
@ -807,9 +807,7 @@ class ExtractRegistry extends Extract {
|
||||
try {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DELETED_PROG);
|
||||
bbart.addAttributes(bbattributes);
|
||||
|
||||
BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_DELETED_PROG), bbattributes);
|
||||
newArtifacts.add(bbart);
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS
|
||||
@ -819,7 +817,6 @@ class ExtractRegistry extends Extract {
|
||||
String officeName = artnode.getAttribute("name"); //NON-NLS
|
||||
|
||||
try {
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT);
|
||||
// @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item
|
||||
if (mtime != null) {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName, mtime));
|
||||
@ -827,8 +824,8 @@ class ExtractRegistry extends Extract {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, officeName));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName()));
|
||||
bbart.addAttributes(bbattributes);
|
||||
|
||||
BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_RECENT_OBJECT), bbattributes);
|
||||
|
||||
newArtifacts.add(bbart);
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS
|
||||
@ -866,12 +863,12 @@ class ExtractRegistry extends Extract {
|
||||
try {
|
||||
String localPath = artnode.getAttribute("localPath"); //NON-NLS
|
||||
String remoteName = value;
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE);
|
||||
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH,
|
||||
parentModuleName, localPath));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH,
|
||||
parentModuleName, remoteName));
|
||||
bbart.addAttributes(bbattributes);
|
||||
BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_REMOTE_DRIVE), bbattributes);
|
||||
newArtifacts.add(bbart);
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding network artifact to blackboard.", ex); //NON-NLS
|
||||
@ -885,8 +882,7 @@ class ExtractRegistry extends Extract {
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SSID, parentModuleName, value));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, lastWriteTime));
|
||||
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID, parentModuleName, adapter));
|
||||
BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_WIFI_NETWORK);
|
||||
bbart.addAttributes(bbattributes);
|
||||
BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_WIFI_NETWORK), bbattributes);
|
||||
newArtifacts.add(bbart);
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, "Error adding SSID artifact to blackboard.", ex); //NON-NLS
|
||||
|
@ -1,5 +1,5 @@
|
||||
#Updated by build script
|
||||
#Mon, 25 Jan 2021 12:41:22 -0500
|
||||
#Wed, 28 Apr 2021 08:03:47 -0400
|
||||
LBL_splash_window_title=Starting Autopsy
|
||||
SPLASH_HEIGHT=314
|
||||
SPLASH_WIDTH=538
|
||||
|
@ -1,4 +1,4 @@
|
||||
#Updated by build script
|
||||
#Mon, 25 Jan 2021 12:41:22 -0500
|
||||
#Wed, 28 Apr 2021 08:03:47 -0400
|
||||
CTL_MainWindow_Title=Autopsy 4.18.0
|
||||
CTL_MainWindow_Title_No_Project=Autopsy 4.18.0
|
||||
|
@ -59,6 +59,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
|
||||
import org.sleuthkit.datamodel.DerivedFile;
|
||||
import org.sleuthkit.datamodel.ReadContentInputStream;
|
||||
import org.sleuthkit.datamodel.Relationship;
|
||||
import org.sleuthkit.datamodel.Score;
|
||||
import org.sleuthkit.datamodel.TskCoreException;
|
||||
import org.sleuthkit.datamodel.TskData;
|
||||
import org.sleuthkit.datamodel.TskDataException;
|
||||
@ -240,8 +241,15 @@ public final class ThunderbirdMboxFileIngestModule implements FileIngestModule {
|
||||
// encrypted pst: Add encrypted file artifact
|
||||
try {
|
||||
|
||||
BlackboardArtifact artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED);
|
||||
artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, EmailParserModuleFactory.getModuleName(), NbBundle.getMessage(this.getClass(), "ThunderbirdMboxFileIngestModule.encryptionFileLevel")));
|
||||
BlackboardArtifact artifact = abstractFile.newAnalysisResult(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED),
|
||||
Score.SCORE_UNKNOWN, null, null, null, Arrays.asList(
|
||||
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
|
||||
EmailParserModuleFactory.getModuleName(),
|
||||
NbBundle.getMessage(this.getClass(),
|
||||
"ThunderbirdMboxFileIngestModule.encryptionFileLevel"))
|
||||
))
|
||||
.getAnalysisResult();
|
||||
|
||||
try {
|
||||
// index the artifact for keyword search
|
||||
@ -759,8 +767,9 @@ public final class ThunderbirdMboxFileIngestModule implements FileIngestModule {
|
||||
return null;
|
||||
}
|
||||
|
||||
bbart = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG);
|
||||
bbart.addAttributes(bbattributes);
|
||||
bbart = abstractFile.newDataArtifact(
|
||||
new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG),
|
||||
bbattributes);
|
||||
|
||||
if (context.fileIngestIsCancelled()) {
|
||||
return null;
|
||||
|
@ -223,10 +223,9 @@ final class VcardParser {
|
||||
try {
|
||||
// Create artifact if it doesn't already exist.
|
||||
if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT, attributes)) {
|
||||
artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT);
|
||||
artifact.addAttributes(attributes);
|
||||
artifact = abstractFile.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT), attributes);
|
||||
|
||||
extractPhotos(vcard, abstractFile, artifact);
|
||||
extractPhotos(vcard, abstractFile, artifact);
|
||||
|
||||
// Add account relationships.
|
||||
if (deviceAccountInstance != null) {
|
||||
|