diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java index 52ef90b9b1..1de62fedd1 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java @@ -68,6 +68,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.PersonaAccount; import org.sleuthkit.datamodel.Account; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT; import org.sleuthkit.datamodel.CommunicationsUtils; +import org.sleuthkit.datamodel.Score; /** * Listen for ingest events and update entries in the Central Repository @@ -205,17 +206,20 @@ public class IngestEventsListener { } /** - * Make an Interesting Item artifact based on a new artifact being previously seen. + * Make an Interesting Item artifact based on a new artifact being + * previously seen. + * * @param originalArtifact Original artifact that we want to flag - * @param caseDisplayNames List of case names artifact was previously seen in + * @param caseDisplayNames List of case names artifact was previously seen + * in */ @NbBundle.Messages({"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)", "IngestEventsListener.prevCaseComment.text=Previous Case: "}) static private void makeAndPostPreviousNotableArtifact(BlackboardArtifact originalArtifact, List caseDisplayNames) { Collection attributesForNewArtifact = Arrays.asList(new BlackboardAttribute( - TSK_SET_NAME, MODULE_NAME, - Bundle.IngestEventsListener_prevTaggedSet_text()), + TSK_SET_NAME, MODULE_NAME, + Bundle.IngestEventsListener_prevTaggedSet_text()), new BlackboardAttribute( TSK_COMMENT, MODULE_NAME, Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(","))), 
@@ -230,7 +234,8 @@ public class IngestEventsListener { * in the central repository. * * @param originalArtifact the artifact to create the interesting item for - * @param caseDisplayNames the case names the artifact was previously seen in + * @param caseDisplayNames the case names the artifact was previously seen + * in */ @NbBundle.Messages({"IngestEventsListener.prevExists.text=Previously Seen Devices (Central Repository)", "# {0} - typeName", @@ -238,8 +243,8 @@ public class IngestEventsListener { "IngestEventsListener.prevCount.text=Number of previous {0}: {1}"}) static private void makeAndPostPreviousSeenArtifact(BlackboardArtifact originalArtifact, List caseDisplayNames) { Collection attributesForNewArtifact = Arrays.asList(new BlackboardAttribute( - TSK_SET_NAME, MODULE_NAME, - Bundle.IngestEventsListener_prevExists_text()), + TSK_SET_NAME, MODULE_NAME, + Bundle.IngestEventsListener_prevExists_text()), new BlackboardAttribute( TSK_COMMENT, MODULE_NAME, Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(","))), @@ -250,9 +255,11 @@ public class IngestEventsListener { } /** - * Make an interesting item artifact to flag the passed in artifact. - * @param originalArtifact Artifact in current case we want to flag - * @param attributesForNewArtifact Attributes to assign to the new Interesting items artifact + * Make an interesting item artifact to flag the passed in artifact. + * + * @param originalArtifact Artifact in current case we want to flag + * @param attributesForNewArtifact Attributes to assign to the new + * Interesting items artifact */ private static void makeAndPostInterestingArtifact(BlackboardArtifact originalArtifact, Collection attributesForNewArtifact) { try { 
@@ -261,8 +268,10 @@ public class IngestEventsListener { Blackboard blackboard = tskCase.getBlackboard(); // Create artifact if it doesn't already exist. if (!blackboard.artifactExists(abstractFile, TSK_INTERESTING_ARTIFACT_HIT, attributesForNewArtifact)) { - BlackboardArtifact newInterestingArtifact = abstractFile.newArtifact(TSK_INTERESTING_ARTIFACT_HIT); - newInterestingArtifact.addAttributes(attributesForNewArtifact); + BlackboardArtifact newInterestingArtifact = abstractFile.newAnalysisResult( + new BlackboardArtifact.Type(TSK_INTERESTING_ARTIFACT_HIT), + Score.SCORE_UNKNOWN, null, null, null, attributesForNewArtifact) + .getAnalysisResult(); try { // index the artifact for keyword search @@ -320,7 +329,7 @@ public class IngestEventsListener { LOGGER.log(Level.SEVERE, "Failed to connect to Central Repository database.", ex); return; } - + switch (IngestManager.IngestJobEvent.valueOf(evt.getPropertyName())) { case DATA_SOURCE_ANALYSIS_COMPLETED: { jobProcessingExecutor.submit(new AnalysisCompleteTask(dbManager, evt)); @@ -334,15 +343,15 @@ public class IngestEventsListener { } private final class AnalysisCompleteTask implements Runnable { - + private final CentralRepository dbManager; private final PropertyChangeEvent event; - + private AnalysisCompleteTask(CentralRepository db, PropertyChangeEvent evt) { dbManager = db; event = evt; } - + @Override public void run() { // clear the tracker to reduce memory usage @@ -370,7 +379,7 @@ public class IngestEventsListener { if (!(dataSource instanceof Image)) { return; } - + dataSourceName = dataSource.getName(); dataSourceObjectId = dataSource.getId(); @@ -398,7 +407,7 @@ public class IngestEventsListener { if (StringUtils.equals(imageMd5Hash, crMd5Hash) == false) { correlationDataSource.setMd5(imageMd5Hash); } - + String imageSha1Hash = image.getSha1(); if (imageSha1Hash == null) { imageSha1Hash = ""; 
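Review bot: In `makeAndPostInterestingArtifact` (IngestEventsListener.java, hunk at -261) the new `newAnalysisResult(...)` call passes `Score.SCORE_UNKNOWN` and three `null` arguments, so the result carries no significance or rationale even when it is reached from `makeAndPostPreviousNotableArtifact`. The same argument pattern is used for `TSK_HASHSET_HIT` in `HashDbIngestModule.postHashSetHitToBlackboard` and for the interesting-file and encryption results converted elsewhere in this commit. If views or reports rank analysis results by score, a hit on a previously notable item or a hash-set match would be indistinguishable from an unscored one. Either pass a score that reflects the finding, or mark the placeholder explicitly, e.g. `// TODO: SCORE_UNKNOWN is a placeholder until per-module scoring is defined`. The function body starts and ends outside the hunk.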
@@ -407,7 +416,7 @@ public class IngestEventsListener { if (StringUtils.equals(imageSha1Hash, crSha1Hash) == false) { correlationDataSource.setSha1(imageSha1Hash); } - + String imageSha256Hash = image.getSha256(); if (imageSha256Hash == null) { imageSha256Hash = ""; @@ -484,7 +493,7 @@ public class IngestEventsListener { } } if (flagPreviousItemsEnabled - && (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID + && (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java index 210e361261..6d2f0a7e40 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java @@ -56,6 +56,7 @@ import org.sleuthkit.datamodel.HashUtility; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository; +import org.sleuthkit.datamodel.Score; /** * Ingest module for inserting entries into the Central Repository database on 
@@ -345,8 +346,10 @@ final class CentralRepoIngestModule implements FileIngestModule { // Create artifact if it doesn't already exist. if (!blackboard.artifactExists(abstractFile, TSK_INTERESTING_FILE_HIT, attributes)) { - BlackboardArtifact tifArtifact = abstractFile.newArtifact(TSK_INTERESTING_FILE_HIT); - tifArtifact.addAttributes(attributes); + BlackboardArtifact tifArtifact = abstractFile.newAnalysisResult( + new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), + Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); try { // index the artifact for keyword search blackboard.postArtifact(tifArtifact, MODULE_NAME); diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java b/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java index 331c72ee20..f41c06769e 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java @@ -386,11 +386,13 @@ public final class FileTypes implements AutopsyVisitableItem { return content.getChildrenIds(); } + @Deprecated @Override public BlackboardArtifact newArtifact(int artifactTypeID) throws TskCoreException { return content.newArtifact(artifactTypeID); } + @Deprecated @Override public BlackboardArtifact newArtifact(BlackboardArtifact.ARTIFACT_TYPE type) throws TskCoreException { return content.newArtifact(type); diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java index 8777b4e829..4fff8f7e78 100755 --- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java 
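Review bot: The two `newArtifact` overrides in FileTypes.java (hunk at -386) gain `@Deprecated` but no Javadoc telling callers what to use instead. Add a `@deprecated` tag to each override that names the replacement, for example `/** @deprecated Use newDataArtifact or newAnalysisResult instead. */`, assuming this wrapper exposes those methods as the call sites converted in this commit suggest. Without it the compiler warning gives no migration path.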
@@ -24,6 +24,7 @@ import java.util.Collection; import java.util.List; import java.util.logging.Level; import org.sleuthkit.autopsy.coreutils.Logger; +import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Account; import org.sleuthkit.datamodel.Blackboard.BlackboardException; import org.sleuthkit.datamodel.BlackboardArtifact; @@ -313,9 +314,10 @@ final class XRYCallsFileParser extends AbstractSingleEntityParser { } if (!otherAttributes.isEmpty()) { - BlackboardArtifact artifact = parent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG); - artifact.addAttributes(otherAttributes); - + BlackboardArtifact artifact = (parent instanceof AbstractFile) + ? ((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG), otherAttributes) + : parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG), otherAttributes, null); + currentCase.getBlackboard().postArtifact(artifact, PARSER_NAME); } } else { diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYContactsFileParser.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYContactsFileParser.java index 5f00a3e6e4..92cbaa65ec 100755 --- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYContactsFileParser.java +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYContactsFileParser.java 
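Review bot: The `(parent instanceof AbstractFile) ? ... : ...` expression added in XRYCallsFileParser (hunk at -313) is repeated, with only the artifact type changed, in XRYContactsFileParser, XRYDeviceGenInfoFileParser, XRYWebBookmarksFileParser and LeappFileProcessor. Each copy has to keep the cast and the trailing `null` argument in step with the others. A single helper taking `(Content parent, BlackboardArtifact.Type type, Collection<BlackboardAttribute> attributes)` would make the choice once. It would also be the natural place for a comment explaining why the three-argument overload is passed `null` when the parent is not a file. The enclosing method starts and ends outside the hunk.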
@@ -142,9 +142,10 @@ final class XRYContactsFileParser extends AbstractSingleEntityParser { } else { // Just create an artifact with the attributes that we do have. if (!additionalAttributes.isEmpty()) { - BlackboardArtifact artifact = parent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT); - artifact.addAttributes(additionalAttributes); - + BlackboardArtifact artifact = (parent instanceof AbstractFile) + ? ((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT), additionalAttributes) + : parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT), additionalAttributes, null); + currentCase.getBlackboard().postArtifact(artifact, PARSER_NAME); } } diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYDeviceGenInfoFileParser.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYDeviceGenInfoFileParser.java index ee2552c8a0..e174d3ffc4 100755 --- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYDeviceGenInfoFileParser.java +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYDeviceGenInfoFileParser.java @@ -105,9 +105,11 @@ final class XRYDeviceGenInfoFileParser extends AbstractSingleEntityParser { } } if(!attributes.isEmpty()) { - BlackboardArtifact artifact = parent.newArtifact( - BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO); - artifact.addAttributes(attributes); + if (parent instanceof AbstractFile) { + ((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO), attributes) + } else { + parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_INFO), attributes, null); + } } } diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYWebBookmarksFileParser.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYWebBookmarksFileParser.java index d37e9e7de2..c8f55f9175 100755 
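Review bot: XRYContactsFileParser (hunk at -142) now references `AbstractFile` in the new ternary, but unlike XRYCallsFileParser this commit adds no `import org.sleuthkit.datamodel.AbstractFile;` to the file. Unless that import already exists outside the visible hunks, the file will not compile. The same check applies to XRYDeviceGenInfoFileParser and XRYWebBookmarksFileParser, whose hunks add the cast without any import change.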
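Review bot: In XRYDeviceGenInfoFileParser (hunk at -105) the first branch of the new `if (parent instanceof AbstractFile)` block ends with `...TSK_DEVICE_INFO), attributes)` and has no terminating semicolon before `} else {`, which is a syntax error. The matching line in XRYWebBookmarksFileParser, `...TSK_WEB_BOOKMARK), attributes)`, has the same omission. Append `;` to both calls; the `else` branches are terminated correctly. Since a build would have caught this, it is worth confirming that these two files were compiled before the change was pushed.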
--- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYWebBookmarksFileParser.java +++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYWebBookmarksFileParser.java @@ -78,8 +78,11 @@ final class XRYWebBookmarksFileParser extends AbstractSingleEntityParser { } } if(!attributes.isEmpty()) { - BlackboardArtifact artifact = parent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK); - artifact.addAttributes(attributes); + if (parent instanceof AbstractFile) { + ((AbstractFile) parent).newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK), attributes) + } else { + parent.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK), attributes, null); + } } } } \ No newline at end of file diff --git a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java index fdf4fea231..ec4d803fa1 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java +++ b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java @@ -76,6 +76,7 @@ import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.DerivedFile; import org.sleuthkit.datamodel.EncodedFileOutputStream; import org.sleuthkit.datamodel.ReadContentInputStream; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; 
@@ -314,8 +315,9 @@ class SevenZipExtractor { details)); if (!blackboard.artifactExists(archiveFile, TSK_INTERESTING_FILE_HIT, attributes)) { - BlackboardArtifact artifact = rootArchive.getArchiveFile().newArtifact(TSK_INTERESTING_FILE_HIT); - artifact.addAttributes(attributes); + BlackboardArtifact artifact = rootArchive.getArchiveFile().newAnalysisResult( + new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); try { /* * post the artifact which will index the artifact for @@ -852,8 +854,11 @@ class SevenZipExtractor { if (hasEncrypted) { String encryptionType = fullEncryption ? ENCRYPTION_FULL : ENCRYPTION_FILE_LEVEL; try { - BlackboardArtifact artifact = archiveFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED); - artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, encryptionType)); + BlackboardArtifact artifact = archiveFile.newAnalysisResult( + new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED), Score.SCORE_UNKNOWN, + null, null, null, + Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, encryptionType))) + .getAnalysisResult(); try { /* diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java index 8b249b16c1..ccc19843db 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionDataSourceIngestModule.java 
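Review bot: In the first SevenZipExtractor hunk (at -314) the duplicate check calls `blackboard.artifactExists(archiveFile, TSK_INTERESTING_FILE_HIT, attributes)`, while the result is created on `rootArchive.getArchiveFile()`. This mismatch is carried over unchanged from the old code. If the two can be different files (a nested archive and its root, as the names suggest), the check looks at an object that never receives the hit, so the root archive could collect a new result on every pass. Consider checking the object that is written to: `blackboard.artifactExists(rootArchive.getArchiveFile(), TSK_INTERESTING_FILE_HIT, attributes)`. The enclosing method starts and ends outside the hunk.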
@@ -19,6 +19,7 @@ package org.sleuthkit.autopsy.modules.encryptiondetection; import java.io.IOException; +import java.util.Arrays; import java.util.List; import java.util.logging.Level; import org.openide.util.NbBundle.Messages; @@ -36,6 +37,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.ReadContentInputStream; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.Volume; import org.sleuthkit.datamodel.VolumeSystem; @@ -80,31 +82,31 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges try { if (dataSource instanceof Image) { - + if (((Image) dataSource).getPaths().length == 0) { logger.log(Level.SEVERE, String.format("Unable to process data source '%s' - image has no paths", dataSource.getName())); return IngestModule.ProcessResult.ERROR; } - + List volumeSystems = ((Image) dataSource).getVolumeSystems(); progressBar.switchToDeterminate(volumeSystems.size()); int numVolSystemsChecked = 0; progressBar.progress(Bundle.EncryptionDetectionDataSourceIngestModule_processing_message(), 0); for (VolumeSystem volumeSystem : volumeSystems) { - + if (context.dataSourceIngestIsCancelled()) { return ProcessResult.OK; } - + for (Volume volume : volumeSystem.getVolumes()) { - + if (context.dataSourceIngestIsCancelled()) { return ProcessResult.OK; } if (BitlockerDetection.isBitlockerVolume(volume)) { return flagVolume(volume, BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED, Bundle.EncryptionDetectionDataSourceIngestModule_artifactComment_bitlocker()); } - + if (context.dataSourceIngestIsCancelled()) { return ProcessResult.OK; } 
@@ -144,22 +146,24 @@ final class EncryptionDetectionDataSourceIngestModule implements DataSourceInges * Create a blackboard artifact. * * @param volume The volume to be processed. - * @param artifactType The type of artifact to create. + * @param artifactType The type of artifact to create. This is assumed to be + * an analysis result type. * @param comment A comment to be attached to the artifact. * * @return 'OK' if the volume was processed successfully, or 'ERROR' if * there was a problem. */ private IngestModule.ProcessResult flagVolume(Volume volume, BlackboardArtifact.ARTIFACT_TYPE artifactType, String comment) { - + if (context.dataSourceIngestIsCancelled()) { return ProcessResult.OK; } - - try { - BlackboardArtifact artifact = volume.newArtifact(artifactType); - artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment)); + try { + BlackboardArtifact artifact = volume.newAnalysisResult(new BlackboardArtifact.Type(artifactType), Score.SCORE_UNKNOWN, null, null, null, + Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, EncryptionDetectionModuleFactory.getModuleName(), comment))) + .getAnalysisResult(); + try { /* * post the artifact which will index the artifact for keyword diff --git a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java index df510873ff..1609e4a5a6 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/encryptiondetection/EncryptionDetectionFileIngestModule.java 
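Review bot: `flagVolume` in EncryptionDetectionDataSourceIngestModule now documents that `artifactType` is assumed to be an analysis result type, but nothing enforces it. Whatever `ARTIFACT_TYPE` the caller passes is wrapped in `new BlackboardArtifact.Type(artifactType)` and handed to `newAnalysisResult`. Either narrow the parameter to the encryption types the module actually emits, or check the category first, e.g. `if (type.getCategory() != BlackboardArtifact.Category.ANALYSIS_RESULT) { return IngestModule.ProcessResult.ERROR; }` with a log line. The same applies to `flagFile` in EncryptionDetectionFileIngestModule, which received the identical Javadoc caveat and call.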
@@ -29,6 +29,7 @@ import java.io.BufferedInputStream; import java.io.IOException; import java.io.InputStream; import java.nio.BufferUnderflowException; +import java.util.Arrays; import java.util.logging.Level; import org.apache.tika.exception.EncryptedDocumentException; import org.apache.tika.exception.TikaException; @@ -52,6 +53,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.ReadContentInputStream; import org.sleuthkit.datamodel.ReadContentInputStream.ReadContentInputStreamException; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; import org.xml.sax.ContentHandler; @@ -106,7 +108,7 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter public void startUp(IngestJobContext context) throws IngestModule.IngestModuleException { try { validateSettings(); - this.context = context; + this.context = context; blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard(); fileTypeDetector = new FileTypeDetector(); 
@@ -130,12 +132,12 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter * verify the file hasn't been deleted. */ if (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) - && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) - && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR) - && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR) - && (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed) - && !file.getKnown().equals(TskData.FileKnown.KNOWN) - && !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) { + && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) + && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR) + && !file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.LOCAL_DIR) + && (!file.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) || slackFilesAllowed) + && !file.getKnown().equals(TskData.FileKnown.KNOWN) + && !file.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) { /* * Is the file in FILE_IGNORE_LIST? */ @@ -187,7 +189,8 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter * Create a blackboard artifact. * * @param file The file to be processed. - * @param artifactType The type of artifact to create. + * @param artifactType The type of artifact to create. Assumed to be an + * analysis result type. * @param comment A comment to be attached to the artifact. * * @return 'OK' if the file was processed successfully, or 'ERROR' if there 
@@ -198,10 +201,11 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter if (context.fileIngestIsCancelled()) { return IngestModule.ProcessResult.OK; } - - BlackboardArtifact artifact = file.newArtifact(artifactType); - artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, - EncryptionDetectionModuleFactory.getModuleName(), comment)); + + BlackboardArtifact artifact = file.newAnalysisResult(new BlackboardArtifact.Type(artifactType), Score.SCORE_UNKNOWN, null, null, null, + Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, + EncryptionDetectionModuleFactory.getModuleName(), comment))) + .getAnalysisResult(); try { /* @@ -326,14 +330,14 @@ final class EncryptionDetectionFileIngestModule extends FileIngestModuleAdapter accessDatabase = databaseBuilder.open(); } catch (InvalidCredentialsException ex) { logger.log(Level.INFO, String.format( - "Jackcess throws invalid credentials exception for file (name: %s, id: %s). It will be assumed to be password protected.", + "Jackcess throws invalid credentials exception for file (name: %s, id: %s). It will be assumed to be password protected.", file.getName(), file.getId())); return true; } catch (Exception ex) { // Firewall, see JIRA-7097 logger.log(Level.WARNING, String.format("Unexpected exception " + "trying to open msaccess database using Jackcess " + "(name: %s, id: %d)", file.getName(), file.getId()), ex); - return passwordProtected; + return passwordProtected; } /* * No exception has been thrown at this point, so the file diff --git a/Core/src/org/sleuthkit/autopsy/modules/fileextmismatch/FileExtMismatchIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/fileextmismatch/FileExtMismatchIngestModule.java index 0fac779ca4..b17523c69a 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/fileextmismatch/FileExtMismatchIngestModule.java 
+++ b/Core/src/org/sleuthkit/autopsy/modules/fileextmismatch/FileExtMismatchIngestModule.java @@ -18,6 +18,7 @@ */ package org.sleuthkit.autopsy.modules.fileextmismatch; +import java.util.Collections; import java.util.HashMap; import java.util.Set; import java.util.logging.Level; @@ -38,6 +39,7 @@ import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskData.FileKnown; import org.sleuthkit.datamodel.TskException; @@ -119,15 +121,15 @@ public class FileExtMismatchIngestModule implements FileIngestModule { // skip non-files if ((abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS) - || (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) - || (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) - || (abstractFile.isFile() == false)) { + || (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) + || (abstractFile.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.SLACK) + || (abstractFile.isFile() == false)) { return ProcessResult.OK; } // deleted files often have content that was not theirs and therefor causes mismatch if ((abstractFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) - || (abstractFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC))) { + || (abstractFile.isDirNameFlagSet(TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC))) { return ProcessResult.OK; } 
@@ -140,7 +142,9 @@ public class FileExtMismatchIngestModule implements FileIngestModule { if (mismatchDetected) { // add artifact - BlackboardArtifact bart = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED); + BlackboardArtifact bart = abstractFile.newAnalysisResult( + new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED), Score.SCORE_UNKNOWN, null, null, null, Collections.emptyList()) + .getAnalysisResult(); try { /* diff --git a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java index 1af1825c6d..644cc0aede 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java @@ -40,6 +40,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTER import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; /** @@ -162,8 +163,10 @@ public class FileTypeIdIngestModule implements FileIngestModule { Blackboard tskBlackboard = currentCase.getSleuthkitCase().getBlackboard(); // Create artifact if it doesn't already exist. if (!tskBlackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) { - BlackboardArtifact artifact = file.newArtifact(TSK_INTERESTING_FILE_HIT); - artifact.addAttributes(attributes); + BlackboardArtifact artifact = file.newAnalysisResult( + new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); + try { /* * post the artifact which will index the artifact for 
diff --git a/Core/src/org/sleuthkit/autopsy/modules/hashdatabase/HashDbIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/hashdatabase/HashDbIngestModule.java index 19b9ff28b7..ecb2574149 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/hashdatabase/HashDbIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/hashdatabase/HashDbIngestModule.java @@ -48,6 +48,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.HashHitInfo; import org.sleuthkit.datamodel.HashUtility; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; @@ -516,7 +517,7 @@ public class HashDbIngestModule implements FileIngestModule { private void postHashSetHitToBlackboard(AbstractFile abstractFile, String md5Hash, String hashSetName, String comment, boolean showInboxMessage) { try { String moduleName = HashLookupModuleFactory.getModuleName(); - BlackboardArtifact badFile = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_HASHSET_HIT); + Collection attributes = new ArrayList<>(); //TODO Revisit usage of deprecated constructor as per TSK-583 //BlackboardAttribute att2 = new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), MODULE_NAME, "Known Bad", hashSetName); @@ -524,8 +525,9 @@ public class HashDbIngestModule implements FileIngestModule { attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_HASH_MD5, moduleName, md5Hash)); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_COMMENT, moduleName, comment)); - badFile.addAttributes(attributes); - + BlackboardArtifact badFile = abstractFile.newAnalysisResult( + new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_HASHSET_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); try { /* * post the artifact which will index the artifact for keyword 
diff --git a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java index c3c9d73d85..302e902095 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java @@ -43,6 +43,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTER import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; @@ -142,7 +143,10 @@ final class FilesIdentifierIngestModule implements FileIngestModule { // Create artifact if it doesn't already exist. if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) { - BlackboardArtifact artifact = file.newArtifact(TSK_INTERESTING_FILE_HIT); + BlackboardArtifact artifact = file.newAnalysisResult( + new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); + artifact.addAttributes(attributes); try { diff --git a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java index 6a361fbbd1..bf4cb2a929 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java +++ b/Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java 
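Review bot: In FilesIdentifierIngestModule (hunk at -142) the attributes are now passed to `newAnalysisResult(...)`, but the following context line `artifact.addAttributes(attributes);` was left in place, so the same attributes are added to the result a second time. Every other converted call site in this commit removes the `addAttributes` call along with `newArtifact`. Delete this line as well. Depending on how the blackboard handles a repeated attribute, this would either store duplicate set-name and category rows or fail the call. The enclosing method starts and ends outside the hunk.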
@@ -71,6 +71,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskException; import org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper; @@ -1218,10 +1219,24 @@ public final class LeappFileProcessor { * @return The newly-created artifact, or null on error */ private BlackboardArtifact createArtifactWithAttributes(int type, Content dataSource, Collection bbattributes) { + BlackboardArtifact.Type artType = new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.fromID(type)); + try { - BlackboardArtifact bbart = dataSource.newArtifact(type); - bbart.addAttributes(bbattributes); - return bbart; + if (artType == null || artType.getCategory() == null) { + logger.log(Level.WARNING, "Unable to get an artifact type for type: " + type); + return null; + } + switch (artType.getCategory()) { + case DATA_ARTIFACT: + return (dataSource instanceof AbstractFile) + ? ((AbstractFile) dataSource).newDataArtifact(artType, bbattributes) + : dataSource.newDataArtifact(artType, bbattributes, null); + case ANALYSIS_RESULT: + return dataSource.newAnalysisResult(artType, Score.SCORE_UNKNOWN, null, null, null, bbattributes).getAnalysisResult(); + default: + logger.log(Level.SEVERE, "Unknown category type: " + artType.getCategory().getDisplayName()); + return null; + } } catch (TskException ex) { logger.log(Level.WARNING, Bundle.LeappFileProcessor_error_creating_new_artifacts(), ex); //NON-NLS } diff --git a/Core/src/org/sleuthkit/autopsy/modules/pictureanalyzer/impls/EXIFProcessor.java b/Core/src/org/sleuthkit/autopsy/modules/pictureanalyzer/impls/EXIFProcessor.java index 3dbe2c7360..12872f69c1 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/pictureanalyzer/impls/EXIFProcessor.java 
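Review bot: In `createArtifactWithAttributes` the test `artType == null` can never be true, because `artType` is the result of `new BlackboardArtifact.Type(...)`, and the lookup `ARTIFACT_TYPE.fromID(type)` runs before the `try`, so an id it cannot resolve is not turned into the `null` return that the Javadoc promises. How `fromID` reports an unknown id is not shown here; whether it throws or returns `null`, the failure surfaces in the constructor line rather than in the warning branch. Move the lookup inside the `try`, test the looked-up enum value before building the `Type`, and reduce the guard to `if (artType.getCategory() == null) {`. The method's closing lines are outside the hunk.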
+++ b/Core/src/org/sleuthkit/autopsy/modules/pictureanalyzer/impls/EXIFProcessor.java @@ -29,6 +29,7 @@ import com.drew.metadata.exif.GpsDirectory; import java.io.BufferedInputStream; import java.io.IOException; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Date; import java.util.Set; @@ -56,11 +57,12 @@ import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.ReadContentInputStream; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.autopsy.modules.pictureanalyzer.spi.PictureProcessor; +import org.sleuthkit.datamodel.Score; /** * Extracts EXIF metadata from JPEG, TIFF, and WAV files. Currently only date, * latitude, longitude, altitude, device model, and device make are extracted. - * + * * User content suspected artifacts are also created by this processor. */ @ServiceProvider(service = PictureProcessor.class) 
@@ -143,16 +145,18 @@ public class EXIFProcessor implements PictureProcessor { if (context.fileIngestIsCancelled()) { return; } - + final Blackboard blackboard = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard(); if (!attributes.isEmpty() && !blackboard.artifactExists(file, TSK_METADATA_EXIF, attributes)) { + + final BlackboardArtifact exifArtifact = file.newDataArtifact(new BlackboardArtifact.Type(TSK_METADATA_EXIF), attributes); + + final BlackboardArtifact userSuspectedArtifact = file.newAnalysisResult( + new BlackboardArtifact.Type(TSK_USER_CONTENT_SUSPECTED), Score.SCORE_UNKNOWN, null, null, null, + Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, Bundle.ExifProcessor_userContent_description()))) + .getAnalysisResult(); - final BlackboardArtifact exifArtifact = file.newArtifact(TSK_METADATA_EXIF); - final BlackboardArtifact userSuspectedArtifact = file.newArtifact(TSK_USER_CONTENT_SUSPECTED); - exifArtifact.addAttributes(attributes); - userSuspectedArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, - MODULE_NAME, Bundle.ExifProcessor_userContent_description())); try { // index the artifact for keyword search blackboard.postArtifact(exifArtifact, MODULE_NAME); diff --git a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java index d359332f84..33e1d9e595 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/plaso/PlasoIngestModule.java 
@@ -345,8 +345,9 @@ public class PlasoIngestModule implements DataSourceIngestModule { eventType.getTypeID())); try { - BlackboardArtifact bbart = resolvedFile.newArtifact(TSK_TL_EVENT); - bbart.addAttributes(bbattributes); + BlackboardArtifact bbart = resolvedFile instanceof AbstractFile + ? ((AbstractFile) resolvedFile).newDataArtifact(new BlackboardArtifact.Type(TSK_TL_EVENT), bbattributes) + : resolvedFile.newDataArtifact(new BlackboardArtifact.Type(TSK_TL_EVENT), bbattributes, null); try { /* * Post the artifact which will index the artifact for diff --git a/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java b/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java index e13f41fe7b..cdc1e3f02e 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java +++ b/Core/src/org/sleuthkit/autopsy/modules/yara/YaraIngestHelper.java @@ -39,6 +39,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_YARA_ import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_RULE; import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; /** @@ -112,7 +113,7 @@ final class YaraIngestHelper { * Scan the given AbstractFile for yara rule matches from the rule sets in * the given directory creating a blackboard artifact for each matching * rule. - * + * * @param file The Abstract File being processed. * @param baseRuleSetDirectory Base directory of the compiled rule sets. * @param localFile Local copy of file. 
@@ -141,7 +142,7 @@ final class YaraIngestHelper { * Scan the given file byte array for rule matches using the YaraJNIWrapper * API. * - * @param fileBytes An array of the file data. + * @param fileBytes An array of the file data. * @param ruleSetDirectory Base directory of the compiled rule sets. * * @return List of rules that match from the given file from the given rule @@ -162,15 +163,17 @@ final class YaraIngestHelper { } /** - * Scan the given file for rules that match from the given rule set directory. - * - * @param scanFile Locally stored file to scan. + * Scan the given file for rules that match from the given rule set + * directory. + * + * @param scanFile Locally stored file to scan. * @param ruleSetDirectory Base directory of the compiled rule sets. - * @param timeout YARA Scanner timeout value. - * - * @return List of matching rules, if none were found the list will be empty. - * - * @throws YaraWrapperException + * @param timeout YARA Scanner timeout value. + * + * @return List of matching rules, if none were found the list will be + * empty. + * + * @throws YaraWrapperException */ private static List scanFileForMatch(File scanFile, File ruleSetDirectory, int timeout) throws YaraWrapperException { List matchingRules = new ArrayList<>(); 
@@ -198,13 +201,15 @@ final class YaraIngestHelper { private static List createArtifact(AbstractFile abstractFile, String ruleSetName, List matchingRules) throws TskCoreException { List artifacts = new ArrayList<>(); for (String rule : matchingRules) { - BlackboardArtifact artifact = abstractFile.newArtifact(TSK_YARA_HIT); + List attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(TSK_SET_NAME, MODULE_NAME, ruleSetName)); attributes.add(new BlackboardAttribute(TSK_RULE, MODULE_NAME, rule)); - artifact.addAttributes(attributes); + BlackboardArtifact artifact = abstractFile.newAnalysisResult(new BlackboardArtifact.Type(TSK_YARA_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); + artifacts.add(artifact); } return artifacts; diff --git a/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java b/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java index d01fe0a10e..f8dbebe224 100644 --- a/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java +++ b/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java @@ -64,7 +64,6 @@ import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Account; import org.sleuthkit.datamodel.Blackboard.BlackboardException; import org.sleuthkit.datamodel.BlackboardArtifact; -import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifactTag; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.CaseDbAccessManager; 
@@ -75,9 +74,7 @@ import org.sleuthkit.datamodel.FileSystem; import org.sleuthkit.datamodel.Host; import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.LocalFilesDataSource; -import org.sleuthkit.datamodel.OsAccount; import org.sleuthkit.datamodel.Pool; -import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction; import org.sleuthkit.datamodel.TagName; @@ -106,7 +103,7 @@ public class PortableCaseReportModule implements ReportModule { // These are the types for the exported file subfolders private static final List FILE_TYPE_CATEGORIES = Arrays.asList(FileTypeCategory.AUDIO, FileTypeCategory.DOCUMENTS, FileTypeCategory.EXECUTABLE, FileTypeCategory.IMAGE, FileTypeCategory.VIDEO); - + // These are attribute types that have special handling and should not be copied // into the new artifact directly. private static final List SPECIALLY_HANDLED_ATTRS = Arrays.asList(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID(), @@ -455,7 +452,7 @@ public class PortableCaseReportModule implements ReportModule { if (options.shouldCompress()) { progressPanel.updateStatusLabel(Bundle.PortableCaseReportModule_generateReport_compressingCase()); - if (!compressCase(progressPanel, options.includeApplication() ? outputDir.getAbsolutePath() : caseFolder.getAbsolutePath())) { + if(!compressCase(progressPanel, options.includeApplication() ? outputDir.getAbsolutePath() : caseFolder.getAbsolutePath())){ // Errors have been handled already return; } 
@@ -873,9 +870,8 @@ public class PortableCaseReportModule implements ReportModule { /** * Add all artifacts with a given tag to the portable case. * - * @param dataSourceId The data source id. - * @param oldTagName The TagName object from the current case. - * @param progressPanel The progress panel. + * @param oldTagName The TagName object from the current case + * @param progressPanel The progress panel * * @throws TskCoreException */ @@ -896,14 +892,11 @@ public class PortableCaseReportModule implements ReportModule { long newContentId = copyContentToPortableCase(content, progressPanel); // Copy the artifact - Long dataSourceObjId = content == null || content.getDataSource() == null - ? null - : content.getDataSource().getId(); - BlackboardArtifact newArtifact = copyArtifact(dataSourceObjId, newContentId, tag.getArtifact()); - + BlackboardArtifact newArtifact = copyArtifact(newContentId, tag.getArtifact()); + // Copy any attachments copyAttachments(newArtifact, tag.getArtifact(), portableSkCase.getAbstractFileById(newContentId)); - + // Copy any files associated with this artifact through the TSK_PATH_ID attribute copyPathID(newArtifact, tag.getArtifact()); 
@@ -919,16 +912,15 @@ public class PortableCaseReportModule implements ReportModule { * Copy an artifact into the new case. Will also copy any associated * artifacts * - * @param newDataSourceId The data source ID (in the portable case). - * @param newContentId The content ID (in the portable case) of the - * source content. - * @param artifactToCopy The artifact to copy. + * @param newContentId The content ID (in the portable case) of the source + * content + * @param artifactToCopy The artifact to copy * - * @return The new artifact in the portable case. + * @return The new artifact in the portable case * * @throws TskCoreException */ - private BlackboardArtifact copyArtifact(Long newDataSourceId, long newContentId, BlackboardArtifact artifactToCopy) throws TskCoreException { + private BlackboardArtifact copyArtifact(long newContentId, BlackboardArtifact artifactToCopy) throws TskCoreException { if (oldArtifactIdToNewArtifact.containsKey(artifactToCopy.getArtifactID())) { return oldArtifactIdToNewArtifact.get(artifactToCopy.getArtifactID()); 
@@ -939,11 +931,14 @@ public class PortableCaseReportModule implements ReportModule { List newAttrs = new ArrayList<>(); if (oldAssociatedAttribute != null) { BlackboardArtifact oldAssociatedArtifact = currentCase.getSleuthkitCase().getBlackboardArtifact(oldAssociatedAttribute.getValueLong()); - BlackboardArtifact newAssociatedArtifact = copyArtifact(newDataSourceId, newContentId, oldAssociatedArtifact); + BlackboardArtifact newAssociatedArtifact = copyArtifact(newContentId, oldAssociatedArtifact); newAttrs.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, String.join(",", oldAssociatedAttribute.getSources()), newAssociatedArtifact.getArtifactID())); } - + + // Create the new artifact + int newArtifactTypeId = getNewArtifactTypeId(artifactToCopy); + BlackboardArtifact newArtifact = portableSkCase.newBlackboardArtifact(newArtifactTypeId, newContentId); List oldAttrs = artifactToCopy.getAttributes(); // Copy over each attribute, making sure the type is in the new case. @@ -983,21 +978,8 @@ public class PortableCaseReportModule implements ReportModule { } } - // Create the new artifact - int newArtifactTypeId = getNewArtifactTypeId(artifactToCopy); - BlackboardArtifact.Type type = new BlackboardArtifact.Type(ARTIFACT_TYPE.fromID(newArtifactTypeId)); - BlackboardArtifact newArtifact = null; - switch (type.getCategory()) { - case ANALYSIS_RESULT: - newArtifact = portableSkCase.getBlackboard().newDataArtifact(type, newContentId, newDataSourceId, newAttrs, osAccount); - break; - case DATA_ARTIFACT: - newArtifact = portableSkCase.getBlackboard().newAnalysisResult(type, newContentId, newDataSourceId, Score.SCORE_UNKNOWN, null, null, null, newAttrs); - break; - default: - throw new TskCoreException("Unknown category: " + type.getCategory()); - } - + newArtifact.addAttributes(newAttrs); + oldArtifactIdToNewArtifact.put(artifactToCopy.getArtifactID(), newArtifact); return newArtifact; } 
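Review bot: `copyArtifact` now creates the row with `portableSkCase.newBlackboardArtifact(newArtifactTypeId, newContentId)` before the attribute-copy loop and calls `newArtifact.addAttributes(newAttrs)` only after it, so a `TskCoreException` thrown while copying attributes would leave an artifact with no attributes in the portable case and no entry in `oldArtifactIdToNewArtifact`. The loop between these two hunks is not visible; if it does not use `newArtifact`, move the two creation lines down so they sit directly above `newArtifact.addAttributes(newAttrs);`. This file also returns to the generic `newBlackboardArtifact` factory while the rest of the commit moves callers to `newDataArtifact` and `newAnalysisResult`, and a one-line comment saying why would help the next reader.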
@@ -1093,21 +1075,19 @@ public class PortableCaseReportModule implements ReportModule { parentId = copyContent(content.getParent()); } - Long dataSourceObjId = content.getDataSource() == null ? null : content.getDataSource().getId(); - Content newContent; if (content instanceof BlackboardArtifact) { BlackboardArtifact artifactToCopy = (BlackboardArtifact) content; - newContent = copyArtifact(dataSourceObjId, parentId, artifactToCopy); + newContent = copyArtifact(parentId, artifactToCopy); } else { - + // Get or create the host (if needed) before beginning transaction. Host newHost = null; if (content instanceof DataSource) { - Host oldHost = ((DataSource) content).getHost(); + Host oldHost = ((DataSource)content).getHost(); newHost = portableSkCase.getHostManager().newHost(oldHost.getName()); } - + CaseDbTransaction trans = portableSkCase.beginTransaction(); try { if (content instanceof Image) { @@ -1131,7 +1111,7 @@ public class PortableCaseReportModule implements ReportModule { fs.getName(), trans); } else if (content instanceof BlackboardArtifact) { BlackboardArtifact artifactToCopy = (BlackboardArtifact) content; - newContent = copyArtifact(dataSourceObjId, parentId, artifactToCopy); + newContent = copyArtifact(parentId, artifactToCopy); } else if (content instanceof AbstractFile) { AbstractFile abstractFile = (AbstractFile) content; 
@@ -1189,13 +1169,12 @@ public class PortableCaseReportModule implements ReportModule { /** * Copy path ID attribute to new case along with the referenced file. - * - * @param newArtifact The new artifact in the portable case. Should not have - * a TSK_PATH_ID attribute. + * + * @param newArtifact The new artifact in the portable case. Should not have a TSK_PATH_ID attribute. * @param oldArtifact The old artifact. - * - * @throws TskCoreException - */ + * + * @throws TskCoreException + */ private void copyPathID(BlackboardArtifact newArtifact, BlackboardArtifact oldArtifact) throws TskCoreException { // Get the path ID attribute BlackboardAttribute oldPathIdAttr = oldArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID)); @@ -1210,17 +1189,15 @@ public class PortableCaseReportModule implements ReportModule { } } } - + /** * Copy attachments to the portable case. - * - * @param newArtifact The new artifact in the portable case. Should not have - * a TSK_ATTACHMENTS attribute. + * + * @param newArtifact The new artifact in the portable case. Should not have a TSK_ATTACHMENTS attribute. * @param oldArtifact The old artifact. - * @param newFile The new file in the portable case associated with the - * artifact. - * - * @throws TskCoreException + * @param newFile The new file in the portable case associated with the artifact. + * + * @throws TskCoreException */ private void copyAttachments(BlackboardArtifact newArtifact, BlackboardArtifact oldArtifact, AbstractFile newFile) throws TskCoreException { // Get the attachments from TSK_ATTACHMENTS attribute. 
@@ -1243,19 +1220,20 @@ public class PortableCaseReportModule implements ReportModule { newFileAttachments.add(new MessageAttachments.FileAttachment(portableSkCase.getAbstractFileById(newFileID))); } } - + // Get the name of the module(s) that created the attachment String newSourceStr = ""; List oldSources = attachmentsAttr.getSources(); - if (!oldSources.isEmpty()) { + if (! oldSources.isEmpty()) { newSourceStr = String.join(",", oldSources); } - + // Add the attachment. The account type specified in the constructor will not be used. CommunicationArtifactsHelper communicationArtifactsHelper = new CommunicationArtifactsHelper(currentCase.getSleuthkitCase(), newSourceStr, newFile, Account.Type.EMAIL); communicationArtifactsHelper.addAttachments(newArtifact, new MessageAttachments(newFileAttachments, msgAttachments.getUrlAttachments())); - } catch (BlackboardJsonAttrUtil.InvalidJsonException ex) { + } + catch (BlackboardJsonAttrUtil.InvalidJsonException ex) { throw new TskCoreException(String.format("Unable to parse json for MessageAttachments object in artifact: %s", oldArtifact.getName()), ex); } } else { // backward compatibility - email message attachments are derived files, children of the message. @@ -1426,7 +1404,7 @@ public class PortableCaseReportModule implements ReportModule { "PortableCaseReportModule.compressCase.errorCompressingCase=Error compressing case", "PortableCaseReportModule.compressCase.canceled=Compression canceled by user",}) private boolean compressCase(ReportProgressPanel progressPanel, String folderToCompress) { - + closePortableCaseDatabase(); // Make a temporary folder for the compressed case diff --git a/Core/src/org/sleuthkit/autopsy/report/modules/stix/StixArtifactData.java b/Core/src/org/sleuthkit/autopsy/report/modules/stix/StixArtifactData.java index 894cea26c5..91822de3b8 100644 --- a/Core/src/org/sleuthkit/autopsy/report/modules/stix/StixArtifactData.java 
+++ b/Core/src/org/sleuthkit/autopsy/report/modules/stix/StixArtifactData.java @@ -34,6 +34,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskCoreException; @@ -87,8 +88,9 @@ class StixArtifactData { // Create artifact if it doesn't already exist. if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) { - BlackboardArtifact bba = file.newArtifact(TSK_INTERESTING_FILE_HIT); - bba.addAttributes(attributes); + BlackboardArtifact bba = file.newAnalysisResult( + new BlackboardArtifact.Type(TSK_INTERESTING_FILE_HIT), + Score.SCORE_UNKNOWN, null, null, null, attributes).getAnalysisResult(); try { /* diff --git a/Core/src/org/sleuthkit/autopsy/test/CustomArtifactType.java b/Core/src/org/sleuthkit/autopsy/test/CustomArtifactType.java index 0506962b7d..325565ca2d 100644 --- a/Core/src/org/sleuthkit/autopsy/test/CustomArtifactType.java +++ b/Core/src/org/sleuthkit/autopsy/test/CustomArtifactType.java @@ -23,10 +23,13 @@ import java.util.List; import javax.xml.bind.DatatypeConverter; import org.joda.time.DateTime; import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Blackboard; +import org.sleuthkit.datamodel.Blackboard.BlackboardException; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; /** 
@@ -93,7 +96,6 @@ final class CustomArtifactType { * artifact to the blackboard. */ static BlackboardArtifact createAndPostInstance(Content source) throws TskCoreException, Blackboard.BlackboardException { - BlackboardArtifact artifact = source.newArtifact(artifactType.getTypeID()); List attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(intAttrType, MODULE_NAME, 0)); attributes.add(new BlackboardAttribute(doubleAttrType, MODULE_NAME, 0.0)); @@ -102,7 +104,6 @@ final class CustomArtifactType { attributes.add(new BlackboardAttribute(bytesAttrType, MODULE_NAME, DatatypeConverter.parseHexBinary("ABCD"))); attributes.add(new BlackboardAttribute(stringAttrType, MODULE_NAME, "Zero")); attributes.add(new BlackboardAttribute(jsonAttrType, MODULE_NAME, "{\"fruit\": \"Apple\",\"size\": \"Large\",\"color\": \"Red\"}")); - artifact.addAttributes(attributes); /* * Add a second source module to the attributes. Try to do it twice. The 
@@ -113,6 +114,30 @@ final class CustomArtifactType { attr.addSource(ADDITIONAL_MODULE_NAME); } + BlackboardArtifact artifact; + + if (artifactType.getCategory() == null) { + throw new TskCoreException(String.format("Artifact type: %s has no category.", + artifactType.getDisplayName(), artifactType.getCategory().getDisplayName())); + } + + switch (artifactType.getCategory()) { + case DATA_ARTIFACT: + artifact = (source instanceof AbstractFile) + ? ((AbstractFile) source).newDataArtifact(artifactType, attributes) + : source.newDataArtifact(artifactType, attributes, null); + break; + + case ANALYSIS_RESULT: + artifact = source.newAnalysisResult(artifactType, Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); + break; + + default: + throw new TskCoreException(String.format("Artifact type: %s has no known category: %s", + artifactType.getDisplayName(), artifactType.getCategory().getDisplayName())); + } + Blackboard blackboard = Case.getCurrentCase().getServices().getArtifactsBlackboard(); blackboard.postArtifact(artifact, MODULE_NAME); diff --git a/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java b/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java index 1317b2e7f3..03e3bb5d00 100644 --- a/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java @@ -20,6 +20,7 @@ package org.sleuthkit.autopsy.test; import java.util.ArrayList; import java.util.Collection; +import java.util.Collections; import java.util.logging.Level; import org.openide.util.NbBundle; import org.sleuthkit.autopsy.casemodule.Case; 
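Review bot: The new null-category guard in `createAndPostInstance` dereferences the value it has just found to be null: inside `if (artifactType.getCategory() == null)` the `String.format` arguments include `artifactType.getCategory().getDisplayName()`, so the branch throws a `NullPointerException` instead of the intended `TskCoreException`. The format string also has a single `%s` for two arguments. Drop the second argument: `throw new TskCoreException(String.format("Artifact type: %s has no category.", artifactType.getDisplayName()));`. The method starts in an earlier hunk and ends after this one.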
@@ -31,6 +32,7 @@ import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; /** @@ -77,11 +79,11 @@ final class InterestingArtifactCreatorIngestModule extends FileIngestModuleAdapt int randomArtIndex = (int) (Math.random() * 3); Blackboard blackboard = Case.getCurrentCaseThrows().getServices().getArtifactsBlackboard(); BlackboardArtifact.Type artifactTypeBase = blackboard.getOrAddArtifactType(ARTIFACT_TYPE_NAMES[randomArtIndex], ARTIFACT_DISPLAY_NAMES[randomArtIndex]); - BlackboardArtifact artifactBase = file.newArtifact(artifactTypeBase.getTypeID()); + Collection baseAttributes = new ArrayList<>(); String commentTxt; BlackboardAttribute baseAttr; - switch (artifactBase.getArtifactTypeID()) { + switch (artifactTypeBase.getTypeID()) { case 2: commentTxt = "www.placeholderWebsiteDOTCOM"; baseAttr = new BlackboardAttribute( @@ -110,8 +112,20 @@ final class InterestingArtifactCreatorIngestModule extends FileIngestModuleAdapt commentTxt = "DEPENDENT ON ARTIFACT TYPE"; break; } - artifactBase.addAttributes(baseAttributes); - BlackboardArtifact artifact = file.newArtifact(artifactType.getTypeID()); + + BlackboardArtifact artifactBase; + switch (artifactTypeBase.getCategory()) { + case DATA_ARTIFACT: + artifactBase = file.newDataArtifact(artifactTypeBase, baseAttributes); + break; + case ANALYSIS_RESULT: + artifactBase = file.newAnalysisResult(artifactTypeBase, Score.SCORE_UNKNOWN, null, null, null, baseAttributes) + .getAnalysisResult(); + break; + default: + throw new IllegalArgumentException("Unknown category type: " + artifactTypeBase.getCategory().getDisplayName()); + } + Collection attributes = new ArrayList<>(); BlackboardAttribute att = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, "ArtifactsAndTxt"); 
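Review bot: Both new `switch` statements on `getCategory()` (this hunk for `artifactTypeBase`, the following hunk for `artifactType`) throw `IllegalArgumentException` from `default`, but the `catch` shown in the following hunk handles only `TskCoreException | NoCurrentCaseException`, so an unexpected category escapes the method instead of returning `ProcessResult.ERROR`. A null category would fail in the `switch` itself for the same reason. Throwing the checked type, as `CustomArtifactType` does in this commit, keeps one error path: `throw new TskCoreException("Unknown category type: " + artifactTypeBase.getCategory().getDisplayName());`. In the second switch the trailing `.getAnalysisResult()` has no effect because the result is discarded.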
@@ -121,7 +135,19 @@ final class InterestingArtifactCreatorIngestModule extends FileIngestModuleAdapt attributes.add(att2); attributes.add(att3); attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, artifactBase.getArtifactID())); - artifact.addAttributes(attributes); + + switch (artifactType.getCategory()) { + case DATA_ARTIFACT: + file.newDataArtifact(artifactType, attributes); + break; + case ANALYSIS_RESULT: + file.newAnalysisResult(artifactType, Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); + break; + default: + throw new IllegalArgumentException("Unknown category type: " + artifactType.getCategory().getDisplayName()); + } + } catch (TskCoreException | NoCurrentCaseException ex) { logger.log(Level.SEVERE, String.format("Failed to process file (obj_id = %d)", file.getId()), ex); return ProcessResult.ERROR; diff --git a/Core/src/org/sleuthkit/autopsy/timeline/actions/AddManualEvent.java b/Core/src/org/sleuthkit/autopsy/timeline/actions/AddManualEvent.java index 33220b173a..4b7f43cb8f 100755 --- a/Core/src/org/sleuthkit/autopsy/timeline/actions/AddManualEvent.java +++ b/Core/src/org/sleuthkit/autopsy/timeline/actions/AddManualEvent.java @@ -22,7 +22,7 @@ import java.awt.Dialog; import java.time.Instant; import java.time.LocalDateTime; import java.time.ZoneId; -import static java.util.Arrays.asList; +import java.util.Arrays; import java.util.List; import java.util.Objects; import java.util.logging.Level; 
@@ -142,9 +142,7 @@ public class AddManualEvent extends Action { try { //Use the current examiners name plus a fixed string as the source / module name. String source = MANUAL_CREATION + ": " + sleuthkitCase.getCurrentExaminer().getLoginName(); - - BlackboardArtifact artifact = sleuthkitCase.newBlackboardArtifact(TSK_TL_EVENT, eventInfo.datasource.getId()); - artifact.addAttributes(asList( + List attributes = Arrays.asList( new BlackboardAttribute( TSK_TL_EVENT_TYPE, source, TimelineEventType.USER_CREATED.getTypeID()), @@ -154,7 +152,10 @@ public class AddManualEvent extends Action { new BlackboardAttribute( TSK_DATETIME, source, eventInfo.time) - )); + ); + + BlackboardArtifact artifact = eventInfo.datasource.newDataArtifact(new BlackboardArtifact.Type(TSK_TL_EVENT), attributes, null); + try { sleuthkitCase.getBlackboard().postArtifact(artifact, source); } catch (Blackboard.BlackboardException ex) { diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/objectdetection/ObjectDetectectionFileIngestModule.java b/Experimental/src/org/sleuthkit/autopsy/experimental/objectdetection/ObjectDetectectionFileIngestModule.java index be7a3c72a7..1ac5a62d88 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/objectdetection/ObjectDetectectionFileIngestModule.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/objectdetection/ObjectDetectectionFileIngestModule.java @@ -19,8 +19,9 @@ package org.sleuthkit.autopsy.experimental.objectdetection; import java.io.File; -import java.util.Collections; +import java.util.Arrays; import java.util.HashMap; +import java.util.List; import java.util.Map; import java.util.logging.Level; import org.apache.commons.io.FilenameUtils; 
@@ -43,12 +44,12 @@ import org.sleuthkit.autopsy.ingest.IngestMessage; import org.sleuthkit.autopsy.ingest.IngestModule; import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter; import org.sleuthkit.autopsy.ingest.IngestServices; -import org.sleuthkit.autopsy.ingest.ModuleDataEvent; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_OBJECT_DETECTED; import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; /** @@ -163,14 +164,16 @@ public class ObjectDetectectionFileIngestModule extends FileIngestModuleAdapter if (!detectionRectangles.empty()) { //if any detections occurred create an artifact for this classifier and file combination try { - BlackboardArtifact artifact = file.newArtifact(TSK_OBJECT_DETECTED); - artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, - MODULE_NAME, - classifierKey)); - artifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, - MODULE_NAME, - Bundle.ObjectDetectionFileIngestModule_classifierDetection_text((int) detectionRectangles.size().height))); - + List attributes = Arrays.asList( + new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION, MODULE_NAME, classifierKey), + new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, + Bundle.ObjectDetectionFileIngestModule_classifierDetection_text((int) detectionRectangles.size().height)) + ); + + BlackboardArtifact artifact = file.newAnalysisResult( + new BlackboardArtifact.Type(TSK_OBJECT_DETECTED), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); + try { /* * Index the artifact for keyword search. 
diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index 9282362c1c..83cf2666b3 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java @@ -46,6 +46,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Image; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData.EncodingType; import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM; @@ -384,8 +385,10 @@ class VolatilityProcessor { // Create artifact if it doesn't already exist. if (!blackboard.artifactExists(resolvedFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, attributes)) { - BlackboardArtifact volArtifact = resolvedFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); - volArtifact.addAttributes(attributes); + BlackboardArtifact volArtifact = resolvedFile.newAnalysisResult( + new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT), + Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); try { // index the artifact for keyword search diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java index 0d8e48e9c4..034f53af74 100644 --- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java +++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestModule.java 
@@ -569,8 +569,7 @@ public final class KeywordSearchIngestModule implements FileIngestModule { } if (!attributes.isEmpty()) { try { - BlackboardArtifact bbart = aFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA); - bbart.addAttributes(attributes); + BlackboardArtifact bbart = aFile.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA), attributes); bbartifacts.add(bbart); } catch (TskCoreException ex) { // Log error and return to continue processing diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java index a324c03324..2d10d5cbbc 100644 --- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java +++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/LuceneQuery.java @@ -40,6 +40,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskException; @@ -236,14 +237,6 @@ class LuceneQuery implements KeywordSearchQuery { final String MODULE_NAME = KeywordSearchModuleFactory.getModuleName(); Collection attributes = new ArrayList<>(); - BlackboardArtifact bba; - try { - bba = content.newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT); - } catch (TskCoreException e) { - logger.log(Level.WARNING, "Error adding bb artifact for keyword hit", e); //NON-NLS - return null; - } - if (snippet != null) { attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW, MODULE_NAME, snippet)); } 
@@ -270,10 +263,10 @@ class LuceneQuery implements KeywordSearchQuery { ); try { - bba.addAttributes(attributes); //write out to bb - return bba; + return content.newAnalysisResult(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_KEYWORD_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); } catch (TskCoreException e) { - logger.log(Level.WARNING, "Error adding bb attributes to artifact", e); //NON-NLS + logger.log(Level.WARNING, "Error adding bb artifact for keyword hit", e); //NON-NLS return null; } } diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java index 9bfde16c35..ebaf078585 100644 --- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java +++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/RegexQuery.java @@ -52,6 +52,7 @@ import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; 
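Review bot: The rewritten `logger.log` call in the `@@ -270` hunk reports a failed keyword-hit creation at `Level.WARNING`, while RegexQuery logs a failure of the same `content.newAnalysisResult(...)` call at `Level.SEVERE`. This catch is now the only place a lost `TSK_KEYWORD_HIT` is recorded, so the two query classes should agree; I would use `logger.log(Level.SEVERE, "Error adding bb artifact for keyword hit", e); //NON-NLS`. The method still returns `null` on failure, and its callers are outside the hunk, so whether they check for that cannot be confirmed from here.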
@@ -590,19 +591,11 @@ final class RegexQuery implements KeywordSearchQuery { * Create a "plain vanilla" keyword hit artifact with keyword and regex * attributes */ - BlackboardArtifact newArtifact; Collection attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD, MODULE_NAME, foundKeyword.getSearchTerm())); attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP, MODULE_NAME, getQueryString())); - try { - newArtifact = content.newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT); - } catch (TskCoreException ex) { - LOGGER.log(Level.SEVERE, "Error adding artifact for keyword hit to blackboard", ex); //NON-NLS - return null; - } - if (StringUtils.isNotBlank(listName)) { attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, listName)); } @@ -621,8 +614,8 @@ final class RegexQuery implements KeywordSearchQuery { } try { - newArtifact.addAttributes(attributes); - return newArtifact; + return content.newAnalysisResult(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_KEYWORD_HIT), Score.SCORE_UNKNOWN, null, null, null, attributes) + .getAnalysisResult(); } catch (TskCoreException e) { LOGGER.log(Level.SEVERE, "Error adding bb attributes for terms search artifact", e); //NON-NLS return null; diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java index 1acfc4f253..63df42fa26 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ChromeCacheExtractor.java @@ -31,6 +31,7 @@ import java.nio.charset.Charset; import java.nio.file.Path; import java.nio.file.Paths; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.HashMap; import java.util.List; 
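Review bot: The catch block in the `@@ -621` hunk still logs "Error adding bb attributes for terms search artifact", but the `try` now creates the artifact itself through `content.newAnalysisResult(...)`, so the message misdescribes the failure. The earlier `newArtifact` try/catch that carried the accurate message is removed in the `@@ -590` hunk, and LuceneQuery updated its message for the same change. I would change the line to `LOGGER.log(Level.SEVERE, "Error adding artifact for keyword hit to blackboard", e); //NON-NLS`. The enclosing method begins outside both hunks.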
@@ -549,13 +550,12 @@ final class ChromeCacheExtractor { artifactsAdded.add(webCacheArtifact); // Create a TSK_ASSOCIATED_OBJECT on the f_XXX or derived file file back to the CACHE entry - BlackboardArtifact associatedObjectArtifact = cachedItemFile.newArtifact(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT); - if (associatedObjectArtifact != null) { - associatedObjectArtifact.addAttribute( - new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, - moduleName, webCacheArtifact.getArtifactID())); - artifactsAdded.add(associatedObjectArtifact); - } + BlackboardArtifact associatedObjectArtifact = cachedItemFile.newDataArtifact( + new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT), + Arrays.asList(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, + moduleName, webCacheArtifact.getArtifactID()))); + + artifactsAdded.add(associatedObjectArtifact); } /** diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java index 5945712018..ef1bed134a 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Extract.java @@ -52,6 +52,7 @@ import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOC import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.OsAccount; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskCoreException; 
@@ -160,12 +161,13 @@ abstract class Extract { */ BlackboardArtifact createArtifactWithAttributes(BlackboardArtifact.Type type, Content content, Collection attributes) throws TskCoreException { Optional optional = getOsAccount(content); - if (optional.isPresent() && type.getCategory() == BlackboardArtifact.Category.DATA_ARTIFACT) { - return content.newDataArtifact(type, attributes, optional.get()); - } else { - BlackboardArtifact bbart = content.newArtifact(type.getTypeID()); - bbart.addAttributes(attributes); - return bbart; + switch (type.getCategory()) { + case DATA_ARTIFACT: + return content.newDataArtifact(type, attributes, optional.orElse(null)); + case ANALYSIS_RESULT: + return content.newAnalysisResult(type, Score.SCORE_UNKNOWN, null, null, null, attributes).getAnalysisResult(); + default: + throw new TskCoreException("Unknown category type: " + type.getCategory().getDisplayName()); } } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index c692ff77fb..7584e243c9 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -807,9 +807,7 @@ class ExtractRegistry extends Extract { try { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime)); - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_DELETED_PROG); - bbart.addAttributes(bbattributes); - + BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_DELETED_PROG), bbattributes); newArtifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS 
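Review bot: `getOsAccount(content)` is still evaluated before the `switch` in `createArtifactWithAttributes`, although only the `DATA_ARTIFACT` case uses the result, so every analysis result triggers what is presumably an account lookup whose value is discarded. Moving it into the case keeps it where it is needed: `return content.newDataArtifact(type, attributes, getOsAccount(content).orElse(null));`. The `default` branch also changes behaviour: types that previously fell through to `newArtifact` now raise `TskCoreException`, and if `type.getCategory()` can ever be null the `switch` would throw a `NullPointerException` before reaching it. The Javadoc above the method lies outside the hunk; it should gain a `@throws` line for the unknown-category case.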
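Review bot: The `TSK_DELETED_PROG` artifact in the `@@ -807` hunk is created with `regFile.newDataArtifact(...)` directly instead of through `createArtifactWithAttributes`, the helper this commit updates in Extract and that ExtractRegistry inherits, so it is stored without the OS account the helper attaches to data artifacts. If that association is wanted for registry-derived artifacts, the call becomes `BlackboardArtifact bbart = createArtifactWithAttributes(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_DELETED_PROG), regFile, bbattributes);`, assuming `regFile` is accepted as the `Content` argument. If the account is deliberately omitted here, a one-line comment saying so would prevent a later reader from treating it as an oversight. The same applies to the `TSK_RECENT_OBJECT`, `TSK_REMOTE_DRIVE` and `TSK_WIFI_NETWORK` hunks that follow in this file; the enclosing method starts outside all of them.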
@@ -819,7 +817,6 @@ class ExtractRegistry extends Extract { String officeName = artnode.getAttribute("name"); //NON-NLS try { - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); // @@@ BC: Consider removing this after some more testing. It looks like an Mtime associated with the root key and not the individual item if (mtime != null) { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED, parentModuleName, mtime)); @@ -827,8 +824,8 @@ class ExtractRegistry extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, parentModuleName, officeName)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, artnode.getNodeName())); - bbart.addAttributes(bbattributes); - + BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_RECENT_OBJECT), bbattributes); + newArtifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding recent object artifact to blackboard.", ex); //NON-NLS @@ -866,12 +863,12 @@ class ExtractRegistry extends Extract { try { String localPath = artnode.getAttribute("localPath"); //NON-NLS String remoteName = value; - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_REMOTE_DRIVE); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LOCAL_PATH, parentModuleName, localPath)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REMOTE_PATH, parentModuleName, remoteName)); - bbart.addAttributes(bbattributes); + BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_REMOTE_DRIVE), bbattributes); newArtifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding network artifact to blackboard.", ex); //NON-NLS 
@@ -885,8 +882,7 @@ class ExtractRegistry extends Extract { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SSID, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, lastWriteTime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID, parentModuleName, adapter)); - BlackboardArtifact bbart = regFile.newArtifact(ARTIFACT_TYPE.TSK_WIFI_NETWORK); - bbart.addAttributes(bbattributes); + BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_WIFI_NETWORK), bbattributes); newArtifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding SSID artifact to blackboard.", ex); //NON-NLS diff --git a/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties b/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties index c2df473fe0..185c4f4ea3 100644 --- a/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties +++ b/branding/core/core.jar/org/netbeans/core/startup/Bundle.properties @@ -1,5 +1,5 @@ #Updated by build script -#Mon, 25 Jan 2021 12:41:22 -0500 +#Wed, 28 Apr 2021 08:03:47 -0400 LBL_splash_window_title=Starting Autopsy SPLASH_HEIGHT=314 SPLASH_WIDTH=538 diff --git a/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties b/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties index d519362703..cb40d1abec 100644 --- a/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties +++ b/branding/modules/org-netbeans-core-windows.jar/org/netbeans/core/windows/view/ui/Bundle.properties @@ -1,4 +1,4 @@ #Updated by build script -#Mon, 25 Jan 2021 12:41:22 -0500 +#Wed, 28 Apr 2021 08:03:47 -0400 CTL_MainWindow_Title=Autopsy 4.18.0 CTL_MainWindow_Title_No_Project=Autopsy 4.18.0 
diff --git a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java index f2e5a107b9..e46ee74932 100644 --- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java +++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestModule.java @@ -59,6 +59,7 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.DerivedFile; import org.sleuthkit.datamodel.ReadContentInputStream; import org.sleuthkit.datamodel.Relationship; +import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; import org.sleuthkit.datamodel.TskDataException; @@ -240,8 +241,15 @@ public final class ThunderbirdMboxFileIngestModule implements FileIngestModule { // encrypted pst: Add encrypted file artifact try { - BlackboardArtifact artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED); - artifact.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, EmailParserModuleFactory.getModuleName(), NbBundle.getMessage(this.getClass(), "ThunderbirdMboxFileIngestModule.encryptionFileLevel"))); + BlackboardArtifact artifact = abstractFile.newAnalysisResult( + new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED), + Score.SCORE_UNKNOWN, null, null, null, Arrays.asList( + new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME, + EmailParserModuleFactory.getModuleName(), + NbBundle.getMessage(this.getClass(), + "ThunderbirdMboxFileIngestModule.encryptionFileLevel")) + )) + .getAnalysisResult(); try { // index the artifact for keyword search 
@@ -759,8 +767,9 @@ public final class ThunderbirdMboxFileIngestModule implements FileIngestModule { return null; } - bbart = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG); - bbart.addAttributes(bbattributes); + bbart = abstractFile.newDataArtifact( + new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG), + bbattributes); if (context.fileIngestIsCancelled()) { return null; diff --git a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java index 886a3bc41f..fadaa720b1 100755 --- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java +++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java @@ -223,10 +223,9 @@ final class VcardParser { try { // Create artifact if it doesn't already exist. if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT, attributes)) { - artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT); - artifact.addAttributes(attributes); + artifact = abstractFile.newDataArtifact(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT), attributes); - extractPhotos(vcard, abstractFile, artifact); + extractPhotos(vcard, abstractFile, artifact); // Add account relationships. if (deviceAccountInstance != null) {