diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
index dde124dde9..5b556b92f1 100755
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
@@ -31,6 +31,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Optional;
 import java.util.logging.Level;
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTimeZone;
@@ -52,6 +53,9 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.BlackboardArtifactTag;
 import org.sleuthkit.datamodel.Content;
 import org.sleuthkit.datamodel.ContentTag;
+import org.sleuthkit.datamodel.DataSource;
+import org.sleuthkit.datamodel.OsAccount;
+import org.sleuthkit.datamodel.OsAccountInstance;
 import org.sleuthkit.datamodel.SleuthkitCase;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskData;
@@ -71,9 +75,55 @@ public final class OtherOccurrences { /** * Determine what attributes can be used for correlation based on the node. - * If EamDB is not enabled, get the default Files correlation. * * @param node The node to correlate + * @param osAccount the osAccount to correlate + * + * @return A list of attributes that can be used for correlation + */ + public static Collection getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount) { + Collection ret = new ArrayList<>(); + Optional osAccountAddr = osAccount.getAddr(); + + if (osAccountAddr.isPresent()) { + try { + for (OsAccountInstance instance : osAccount.getOsAccountInstances()) { + DataSource osAccountDataSource = instance.getDataSource(); + try { + CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); + CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( + CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), + osAccountAddr.get(), + correlationCase, + CorrelationDataSource.fromTSKDataSource(correlationCase, instance.getDataSource()), + "", + "", + TskData.FileKnown.KNOWN, + osAccount.getId()); + + ret.add(correlationAttributeInstance); + } catch (CentralRepoException ex) { + logger.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", osAccountAddr.get()), ex); //NON-NLS + } catch (NoCurrentCaseException ex) { + logger.log(Level.WARNING, String.format("Exception while getting open case looking up osAccount %s.", osAccountAddr.get()), ex); //NON-NLS + } catch (CorrelationAttributeNormalizationException ex) { + logger.log(Level.SEVERE, String.format("Exception with Correlation Attribute Normalization for osAccount %s.", osAccountAddr.get()), ex); //NON-NLS + } + } + } catch (TskCoreException ex) { + logger.log(Level.INFO, String.format("Unable to check create CorrelationAttribtueInstance for osAccount %s.", 
osAccountAddr.get()), ex); + } + } + + return ret; + } + + /** + * Determine what attributes can be used for correlation based on the node. + * If EamDB is not enabled, get the default Files correlation. + * + * @param node The node to correlate. + * @param file The file to correlate. * * @return A list of attributes that can be used for correlation */ @@ -195,6 +245,9 @@ public final class OtherOccurrences { * artifact. If the central repo is not enabled, this will only return files * from the current case with matching MD5 hashes. * + * @param file The current file. + * @param deviceId The device ID for the current data source. + * @param dataSourceName The name of the current data source. * @param corAttr CorrelationAttribute to query for * * @return A collection of correlated artifact instances diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java index 0654002f6f..ab8821931a 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java @@ -18,6 +18,7 @@ */ package org.sleuthkit.autopsy.centralrepository.contentviewer; +import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.HashSet; @@ -37,6 +38,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.OsAccount; import org.sleuthkit.datamodel.TskException; /** 
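Review bot: In the new getCorrelationAttributeFromOsAccount in OtherOccurrences.java, the `node` parameter and the local `osAccountDataSource` are never used, and the case and correlation-type lookups are repeated for every instance although they do not depend on the loop variable. `getCase(...)` is used without a null check; if it can return null for a case that is not yet in the central repository (not visible here, worth confirming), the constructor call would fail with an exception that none of the catch blocks handle. The outer catch logs a TskCoreException at `Level.INFO` with the text `Unable to check create CorrelationAttribtueInstance`, which hides a case-database read failure from anyone triaging the log; I would log it at `Level.WARNING` with a corrected message and the `//NON-NLS` marker the sibling handlers carry. The Javadoc should say that one attribute is returned per OsAccountInstance and that an account without an address yields an empty collection.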
@@ -60,7 +62,11 @@ class OtherOccurrencesNodeWorker extends SwingWorker @Override protected OtherOccurrencesData doInBackground() throws Exception { + OsAccount osAccount = node.getLookup().lookup(OsAccount.class); AbstractFile file = OtherOccurrences.getAbstractFileFromNode(node); + if (osAccount != null) { + file = node.getLookup().lookup(AbstractFile.class); + } String deviceId = ""; String dataSourceName = ""; Map caseNames = new HashMap<>(); @@ -77,8 +83,12 @@ class OtherOccurrencesNodeWorker extends SwingWorker // @@@ Review this behavior return null; } - Collection correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file); - + Collection correlationAttributes = new ArrayList<>(); + if (osAccount != null) { + correlationAttributes = OtherOccurrences.getCorrelationAttributeFromOsAccount(node, osAccount); + } else { + correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file); + } int totalCount = 0; Set dataSources = new HashSet<>(); for (CorrelationAttributeInstance corAttr : correlationAttributes) { diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED index f43b438b2c..a80f1f7d86 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED @@ -25,7 +25,9 @@ CorrelationType.ICCID.displayName=ICCID Number CorrelationType.IMEI.displayName=IMEI Number CorrelationType.IMSI.displayName=IMSI Number CorrelationType.MAC.displayName=MAC Addresses +CorrelationType.OS_ACCOUNT.displayName=Os Account CorrelationType.PHONE.displayName=Phone Numbers +CorrelationType.PROG_NAME.displayName=Installed Programs CorrelationType.SSID.displayName=Wireless Networks CorrelationType.USBID.displayName=USB Devices EamArtifactInstances.knownStatus.bad=Bad 
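Review bot: In doInBackground, when the node carries an OsAccount, `file` is replaced with `node.getLookup().lookup(AbstractFile.class)`, which discards the result of `getAbstractFileFromNode(node)` and is probably null for an account node. The code between this hunk and the next one is not shown, so confirm that nothing there dereferences `file` (for the device ID or data source name) before the OsAccount branch is reached; a short comment such as `// OsAccount nodes have no backing file; file may be null from here on` would make the intent explicit. In the following hunk, `new ArrayList<>()` is assigned to `correlationAttributes` and then always overwritten by one of the two branches, so the declaration can be left uninitialised.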
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java
new file mode 100644
index 0000000000..e19cfd8155
--- /dev/null
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java
@@ -0,0 +1,63 @@
+/*
+ * Central Repository
+ *
+ * Copyright 2021 Basis Technology Corp.
+ * Contact: carrier sleuthkit org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.centralrepository.datamodel;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import org.sleuthkit.datamodel.CaseDbSchemaVersionNumber;
+
+/**
+ * This class updates CR schema to 1.6
+ *
+ */
+public class CentralRepoDbUpgrader15To16 implements CentralRepoDbUpgrader {
+
+ @Override
+ public void upgradeSchema(CaseDbSchemaVersionNumber dbSchemaVersion, Connection connection) throws CentralRepoException, SQLException {
+
+ if (dbSchemaVersion.compareTo(new CaseDbSchemaVersionNumber(1, 6)) < 0) {
+
+ try (Statement statement = connection.createStatement();) {
+
+ CentralRepoPlatforms selectedPlatform = CentralRepoDbManager.getSavedDbChoice().getDbPlatform();
+
+ for (CorrelationAttributeInstance.Type type : CorrelationAttributeInstance.getDefaultCorrelationTypes()) {
+ String instance_type_dbname = CentralRepoDbUtil.correlationTypeToInstanceTableName(type);
+
+ if ((type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) ||
+ (type.getId() == CorrelationAttributeInstance.OSACCOUNT_TYPE_ID)){
+
+ // these are new Correlation types - new tables need to be created
+ statement.execute(String.format(RdbmsCentralRepoFactory.getCreateAccountInstancesTableTemplate(selectedPlatform), instance_type_dbname, instance_type_dbname));
+ statement.execute(String.format(RdbmsCentralRepoFactory.getAddCaseIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
+ statement.execute(String.format(RdbmsCentralRepoFactory.getAddDataSourceIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
+ statement.execute(String.format(RdbmsCentralRepoFactory.getAddValueIndexTemplate(), instance_type_dbname, instance_type_dbname));
+ statement.execute(String.format(RdbmsCentralRepoFactory.getAddKnownStatusIndexTemplate(), instance_type_dbname, instance_type_dbname));
+ statement.execute(String.format(RdbmsCentralRepoFactory.getAddObjectIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
+
+ // add new correlation type
+ CentralRepoDbUtil.insertCorrelationType(connection, type);
+
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java
index 32121989e0..64d41dcf25 100644
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java
@@ -257,6 +257,8 @@ public class CorrelationAttributeInstance implements Serializable { public static final int IMEI_TYPE_ID = 7; public static final int IMSI_TYPE_ID = 8; public static final int ICCID_TYPE_ID = 9; + public static final int INSTALLED_PROGS_TYPE_ID = 10; + public static final int OSACCOUNT_TYPE_ID = 11; // An offset to assign Ids for additional correlation types. public static final int ADDITIONAL_TYPES_BASE_ID = 1000; 
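Review bot: In CentralRepoDbUpgrader15To16.upgradeSchema the DDL is built with `String.format` on a table name, which is safe only because `instance_type_dbname` comes from `getDefaultCorrelationTypes()` and not from stored or user-defined correlation types; a comment above the `statement.execute` calls saying so would keep the pattern from being copied for custom types. Nothing in the loop checks whether the tables or the correlation-type rows already exist, so the step depends on the templates and `insertCorrelationType` tolerating duplicates or on the surrounding transaction being rolled back on failure (neither is visible here). Smaller points: the stray `;` in `try (Statement statement = connection.createStatement();)`, the snake_case local `instance_type_dbname`, and a class Javadoc that does not name the two correlation types whose tables are added.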
@@ -276,7 +278,9 @@ public class CorrelationAttributeInstance implements Serializable { "CorrelationType.MAC.displayName=MAC Addresses", "CorrelationType.IMEI.displayName=IMEI Number", "CorrelationType.IMSI.displayName=IMSI Number", - "CorrelationType.ICCID.displayName=ICCID Number"}) + "CorrelationType.PROG_NAME.displayName=Installed Programs", + "CorrelationType.ICCID.displayName=ICCID Number", + "CorrelationType.OS_ACCOUNT.displayName=Os Account"}) public static List getDefaultCorrelationTypes() throws CentralRepoException { List defaultCorrelationTypes = new ArrayList<>(); @@ -290,6 +294,8 @@ public class CorrelationAttributeInstance implements Serializable { defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMEI_TYPE_ID, Bundle.CorrelationType_IMEI_displayName(), "imei_number", true, true)); //NON-NLS defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMSI_TYPE_ID, Bundle.CorrelationType_IMSI_displayName(), "imsi_number", true, true)); //NON-NLS defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(ICCID_TYPE_ID, Bundle.CorrelationType_ICCID_displayName(), "iccid_number", true, true)); //NON-NLS + defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(INSTALLED_PROGS_TYPE_ID, Bundle.CorrelationType_PROG_NAME_displayName(), "installed_programs", true, true)); //NON-NLS + defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(OSACCOUNT_TYPE_ID, Bundle.CorrelationType_OS_ACCOUNT_displayName(), "os_accounts", true, true)); //NON-NLS // Create Correlation Types for Accounts. int correlationTypeId = ADDITIONAL_TYPES_BASE_ID; diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java index 2d0315ef7b..d606ee4da5 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java 
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java @@ -93,6 +93,7 @@ public class CorrelationAttributeUtil { add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()); add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()); add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()); + add(ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()); } }; @@ -189,6 +190,13 @@ public class CorrelationAttributeUtil { } else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) { makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact); + } else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) { + BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)); + if (setNameAttr != null) { + makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID); + } else { + makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID); + } } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) { @@ -388,7 +396,18 @@ public class CorrelationAttributeUtil { } CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); - return new CorrelationAttributeInstance( + if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) { + return new CorrelationAttributeInstance( + correlationType, + value, + correlationCase, + CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()), + "", + "", + TskData.FileKnown.UNKNOWN, + bbSourceFile.getId()); + } else { + return new CorrelationAttributeInstance( correlationType, value, correlationCase, 
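Review bot: In the TSK_INSTALLED_PROG branch added to CorrelationAttributeUtil, the correlation value is TSK_PATH when present and TSK_PROG_NAME otherwise, both stored under `INSTALLED_PROGS_TYPE_ID`, so a program recorded with a path in one case and only a name in another will not correlate, and paths and names share one value space. If that is intended, say so in a comment; otherwise pick one attribute as the canonical value. The local `setNameAttr` holds the TSK_PATH attribute and should be renamed, for example to `pathAttr`. In the last hunk on this line the new `if` branch passes empty strings for the two arguments after the data source; the `else` branch continues past the hunk, so the two cannot be compared here, but a one-line comment on why installed programs carry no file path would help.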
@@ -397,7 +416,7 @@ public class CorrelationAttributeUtil { "", TskData.FileKnown.UNKNOWN, bbSourceFile.getId()); - + } } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS return null; diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java index 1b4ce08c18..2e2dafbefd 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java @@ -69,7 +69,7 @@ abstract class RdbmsCentralRepo implements CentralRepository { static final String SCHEMA_MINOR_VERSION_KEY = "SCHEMA_MINOR_VERSION"; static final String CREATION_SCHEMA_MAJOR_VERSION_KEY = "CREATION_SCHEMA_MAJOR_VERSION"; static final String CREATION_SCHEMA_MINOR_VERSION_KEY = "CREATION_SCHEMA_MINOR_VERSION"; - static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 5); + static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 6); protected final List defaultCorrelationTypes; @@ -3976,6 +3976,9 @@ abstract class RdbmsCentralRepo implements CentralRepository { // Upgrade to 1.5 (new CentralRepoDbUpgrader14To15()).upgradeSchema(dbSchemaVersion, conn); + // Upgrade to 1.6 + (new CentralRepoDbUpgrader15To16()).upgradeSchema(dbSchemaVersion, conn); + updateSchemaVersion(conn); conn.commit(); logger.log(Level.INFO, String.format("Central Repository schema updated to version %s", SOFTWARE_CR_DB_SCHEMA_VERSION)); diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED index e95a759c4f..d71782c0ee 100755 
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED @@ -1,4 +1,7 @@ caseeventlistener.evidencetag=Evidence +CaseEventsListener.module.name=Central Repository +CaseEventsListener.prevCaseComment.text=Users seen in previous cases +CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository) CentralRepositoryNotificationDialog.bulletHeader=This data is used to: CentralRepositoryNotificationDialog.bulletOne=Ignore common items (files, domains, and accounts) CentralRepositoryNotificationDialog.bulletThree=Create personas that group accounts diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java index 218a0101e8..71dff36eaf 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java @@ -21,13 +21,19 @@ package org.sleuthkit.autopsy.centralrepository.eventlisteners; import com.google.common.util.concurrent.ThreadFactoryBuilder; import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeListener; +import java.util.Arrays; +import java.util.Collection; import java.util.EnumSet; import java.util.List; +import java.util.Optional; import java.util.Set; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; import java.util.logging.Level; +import java.util.stream.Collectors; import org.apache.commons.lang.StringUtils; +import org.openide.util.Exceptions; +import org.openide.util.NbBundle; import org.openide.util.NbBundle.Messages; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; 
@@ -55,9 +61,18 @@ import org.sleuthkit.datamodel.TagName; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository; +import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException; import org.sleuthkit.datamodel.Tag; import org.sleuthkit.autopsy.events.AutopsyEvent; +import org.sleuthkit.datamodel.Blackboard; +import org.sleuthkit.datamodel.BlackboardAttribute; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; +import org.sleuthkit.datamodel.OsAccount; import org.sleuthkit.datamodel.OsAccountInstance; +import org.sleuthkit.datamodel.Score; +import org.sleuthkit.datamodel.SleuthkitCase; /** * Listen for case events and update entries in the Central Repository database @@ -134,10 +149,8 @@ public final class CaseEventListener implements PropertyChangeListener { } break; case OS_ACCT_INSTANCES_ADDED: { - // STUB, TO BE REPLACED - List osAcctInstances = ((OsAcctInstancesAddedEvent) evt).getOsAccountInstances(); - for (OsAccountInstance instance : osAcctInstances) { - LOGGER.log(Level.INFO, String.format("Received OS account instance added message (instance ID = %d)", instance.getInstanceId())); + if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) { + jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt)); } } break; 
@@ -300,10 +313,10 @@ public final class CaseEventListener implements PropertyChangeListener { * Sets the known status for the correlation attribute instance for the * given abstract file. * - * @param af The abstract file for which to set the correlation - * attribute instance. + * @param af The abstract file for which to set the correlation + * attribute instance. * @param knownStatus The new known status for the correlation attribute - * instance. + * instance. */ private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) { final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af); @@ -396,7 +409,7 @@ public final class CaseEventListener implements PropertyChangeListener { * for the item. If there are, set known status as notable. If not set * status as unknown. * - * @param content The content for the tag that was added or deleted. + * @param content The content for the tag that was added or deleted. * @param bbArtifact The artifact for the tag that was added or deleted. */ private void handleTagChange(Content content, BlackboardArtifact bbArtifact) { @@ -441,7 +454,7 @@ public final class CaseEventListener implements PropertyChangeListener { * Sets the known status of a blackboard artifact in the central * repository. * - * @param bbArtifact The blackboard artifact to set known status. + * @param bbArtifact The blackboard artifact to set known status. * @param knownStatus The new known status. */ private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) { 
@@ -646,6 +659,97 @@ public final class CaseEventListener implements PropertyChangeListener { } // CURRENT_CASE } + @NbBundle.Messages({"CaseEventsListener.module.name=Central Repository", + "CaseEventsListener.prevCaseComment.text=Users seen in previous cases", + "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"}) + /** + * Add OsAccount Instance to CR and find interesting items based on the OsAccount + */ + private final class OsAccountInstancesAddedTask implements Runnable { + + private final CentralRepository dbManager; + private final PropertyChangeEvent event; + private final String MODULE_NAME = Bundle.CaseEventsListener_module_name(); + + private OsAccountInstancesAddedTask(CentralRepository db, PropertyChangeEvent evt) { + dbManager = db; + event = evt; + } + + @Override + public void run() { + if (!CentralRepository.isEnabled()) { + return; + } + + final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event; + List addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances(); + for (OsAccountInstance osAccountInstance : addedOsAccountNew) { + try { + OsAccount osAccount = osAccountInstance.getOsAccount(); + Optional accountAddr = osAccount.getAddr(); + // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system + // and they are not unique + if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) { + return; + } + try { + + CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); + CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( + CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), + accountAddr.get(), + correlationCase, + CorrelationDataSource.fromTSKDataSource(correlationCase, 
osAccountInstance.getDataSource()), + "", + "", + TskData.FileKnown.KNOWN, + osAccount.getId()); + + dbManager.addArtifactInstance(correlationAttributeInstance); + + List previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue()); + List caseDisplayNames; + for (CorrelationAttributeInstance instance : previousOccurences) { + if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) { + caseDisplayNames = dbManager.getListCasesHavingArtifactInstances(correlationAttributeInstance.getCorrelationType(), correlationAttributeInstance.getCorrelationValue()); + SleuthkitCase tskCase = osAccount.getSleuthkitCase(); + Blackboard blackboard = tskCase.getBlackboard(); + + Collection attributesForNewArtifact = Arrays.asList( + new BlackboardAttribute( + TSK_SET_NAME, MODULE_NAME, + Bundle.CaseEventsListener_prevExists_text()), + new BlackboardAttribute( + TSK_COMMENT, MODULE_NAME, + Bundle.CaseEventsListener_prevCaseComment_text())); + BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult( + BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE, + null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult(); + try { + // index the artifact for keyword search + blackboard.postArtifact(newAnalysisResult, MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS + } + } + } + + } catch (CentralRepoException ex) { + LOGGER.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", accountAddr.get()), ex); //NON-NLS + } catch (NoCurrentCaseException ex) { + LOGGER.log(Level.SEVERE, "Exception 
while getting open case.", ex); //NON-NLS + } catch (CorrelationAttributeNormalizationException ex) { + LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS + } + + } catch (TskCoreException ex) { + LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); + } + } + } + } + private final class DataSourceNameChangedTask implements Runnable { private final CentralRepository dbManager; diff --git a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java index 0fb2beac00..9e13769730 100644 --- a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java +++ b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2017-2018 Basis Technology Corp. + * Copyright 2017-2021 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -70,7 +70,6 @@ import java.util.HashMap; import java.util.HashSet; import java.util.Map; import java.util.Set; -import java.util.concurrent.ExecutionException; import java.util.concurrent.Future; import java.util.function.BiConsumer; import java.util.logging.Level; 
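Review bot: In OsAccountInstancesAddedTask.run the filter for a missing address or the S-1-5-18/19/20 SIDs uses `return;` inside the `for` loop, so the first such account ends the task and every remaining instance in the event is never written to the central repository or checked against earlier cases; it should be `continue;`. The inner loop over `previousOccurences` creates a new TSK_INTERESTING_ARTIFACT_HIT for each instance found in another case, which produces duplicate results for one account, and `caseDisplayNames` is fetched on every iteration but never read; create the result once and `break;`, and either put the case names into the comment attribute or drop the query. The final catch logs the constant text `"Cannot get central repository for OsAccount: " + "OsAccount"`, which names the wrong failure and no account; logging `osAccountInstance.getInstanceId()` there would make the entry usable. The `@NbBundle.Messages` annotation sits above the Javadoc block, so the comment should move above the annotation.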
@@ -583,30 +582,14 @@ final public class VisualizationPanel extends JPanel { ModalDialogProgressIndicator progressIndicator = new ModalDialogProgressIndicator(windowAncestor, Bundle.VisualizationPanel_computingLayout()); progressIndicator.start(Bundle.VisualizationPanel_computingLayout()); - - new SwingWorker() { - @Override - protected Void doInBackground() { - graph.getModel().beginUpdate(); - try { - layout.execute(graph.getDefaultParent()); - fitGraph(); - } finally { - graph.getModel().endUpdate(); - progressIndicator.finish(); - } - return null; - } - - @Override - protected void done() { - try { - get(); - } catch (InterruptedException | ExecutionException ex) { - logger.log(Level.WARNING, "CVT graph layout failed.", ex); - } - } - }.execute(); + graph.getModel().beginUpdate(); + try { + layout.execute(graph.getDefaultParent()); + fitGraph(); + } finally { + graph.getModel().endUpdate(); + progressIndicator.finish(); + } } private void clearVizButtonActionPerformed(ActionEvent evt) {//GEN-FIRST:event_clearVizButtonActionPerformed diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java b/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java index 8321b8816a..d4becd5d63 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java @@ -106,7 +106,7 @@ public final class AutopsyTreeChildFactory extends ChildFactory.Detachable sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -55,6 +55,8 @@ interface ContentNodeVisitor { T visit(UnsupportedContentNode ucn); T visit(OsAccountNode bban); + + T visit(LocalFilesDataSourceNode lfdsn); /** * Visitor with an implementable default behavior for all types. Override 
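Review bot: With the SwingWorker removed in VisualizationPanel, `layout.execute(graph.getDefaultParent())` and `fitGraph()` run on the calling thread; the enclosing method starts outside the hunk, but if the caller is the event dispatch thread the window will freeze for the length of the layout and the ModalDialogProgressIndicator started just above cannot repaint. An exception thrown by the layout is also no longer caught and logged as `CVT graph layout failed.`; it now propagates to the caller after the `finally` block. If the change is meant to keep graph model updates on one thread, a comment stating that the layout must run on the current thread would record the reason.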
@@ -137,5 +139,10 @@ interface ContentNodeVisitor { public T visit(OsAccountNode bban) { return defaultVisit(bban); } + + @Override + public T visit(LocalFilesDataSourceNode lfdsn) { + return defaultVisit(lfdsn); + } } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java b/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java index 7601f4a88c..00712fc99a 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java @@ -28,6 +28,7 @@ import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.LayoutFile; import org.sleuthkit.datamodel.LocalDirectory; import org.sleuthkit.datamodel.LocalFile; +import org.sleuthkit.datamodel.LocalFilesDataSource; import org.sleuthkit.datamodel.Pool; import org.sleuthkit.datamodel.SlackFile; import org.sleuthkit.datamodel.SleuthkitItemVisitor; @@ -111,4 +112,9 @@ public class CreateSleuthkitNodeVisitor extends SleuthkitItemVisitor.Default visit(LocalFilesDataSource ld) { + return new LocalFilesDataSourceNode(ld); + } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java b/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java index 5ee350da34..47db7732ea 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2011 - 2018 Basis Technology Corp. + * Copyright 2011 - 2021 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -202,6 +202,8 @@ public interface DisplayableItemNodeVisitor { * Unsupported node */ T visit(UnsupportedContentNode ucn); + + T visit(LocalFilesDataSourceNode lfdsn); /** * Visitor with an implementable default behavior for all types. Override 
@@ -574,5 +576,10 @@ public interface DisplayableItemNodeVisitor { public T visit(UnsupportedContentNode node) { return defaultVisit(node); } + + @Override + public T visit(LocalFilesDataSourceNode node) { + return defaultVisit(node); + } } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java b/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java index 742d656a82..9404362218 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java @@ -397,6 +397,11 @@ public final class FileTypes implements AutopsyVisitableItem { return content.newDataArtifact(artifactType, attributesList, osAccountId); } + @Override + public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection attributesList, Long osAccountId, long dataSourceId) throws TskCoreException { + return content.newDataArtifact(artifactType, attributesList, osAccountId, dataSourceId); + } + @Override public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection attributesList) throws TskCoreException { return content.newDataArtifact(artifactType, attributesList); @@ -467,6 +472,11 @@ public final class FileTypes implements AutopsyVisitableItem { return content.newAnalysisResult(type, score, string, string1, string2, clctn); } + @Override + public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type type, Score score, String string, String string1, String string2, Collection clctn, long dataSourceId) throws TskCoreException { + return content.newAnalysisResult(type, score, string, string1, string2, clctn, dataSourceId); + } + @Override public Score getAggregateScore() throws TskCoreException { return content.getAggregateScore(); diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java new file mode 100755 index 0000000000..cd011898e9 --- /dev/null 
+++ b/Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java 
@@ -0,0 +1,99 @@ +/* + * Autopsy Forensic Browser + * + * Copyright 2021 Basis Technology Corp. + * Contact: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.datamodel; + +import org.openide.nodes.Sheet; +import org.openide.util.NbBundle; +import org.sleuthkit.datamodel.LocalFilesDataSource; + +/** + * + * + */ +public class LocalFilesDataSourceNode extends VirtualDirectoryNode { + + private final LocalFilesDataSource localFileDataSource; + + public LocalFilesDataSourceNode(LocalFilesDataSource ld) { + super(ld); + localFileDataSource = ld; + this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS + } + + @Override + @NbBundle.Messages({"LocalFilesDataSourceNode.createSheet.size.name=Size (Bytes)", + "LocalFilesDataSourceNode.createSheet.size.displayName=Size (Bytes)", + "LocalFilesDataSourceNode.createSheet.size.desc=Size of the data source in bytes.", + "LocalFilesDataSourceNode.createSheet.type.name=Type", + "LocalFilesDataSourceNode.createSheet.type.displayName=Type", + "LocalFilesDataSourceNode.createSheet.type.desc=Type of the image.", + "LocalFilesDataSourceNode.createSheet.type.text=Logical File Set", + "LocalFilesDataSourceNode.createSheet.timezone.name=Timezone", + "LocalFilesDataSourceNode.createSheet.timezone.displayName=Timezone", + "LocalFilesDataSourceNode.createSheet.timezone.desc=Timezone of the image", + 
"LocalFilesDataSourceNode.createSheet.deviceId.name=Device ID", + "LocalFilesDataSourceNode.createSheet.deviceId.displayName=Device ID", + "LocalFilesDataSourceNode.createSheet.deviceId.desc=Device ID of the image", + "LocalFilesDataSourceNode.createSheet.name.name=Name", + "LocalFilesDataSourceNode.createSheet.name.displayName=Name", + "LocalFilesDataSourceNode.createSheet.name.desc=no description", + "LocalFilesDataSourceNode.createSheet.noDesc=no description",}) + protected Sheet createSheet() { + Sheet sheet = new Sheet(); + Sheet.Set sheetSet = Sheet.createPropertiesSet(); + sheet.put(sheetSet); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_name_name(), + Bundle.LocalFilesDataSourceNode_createSheet_name_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_name_desc(), + getName())); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_type_name(), + Bundle.LocalFilesDataSourceNode_createSheet_type_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_type_desc(), + Bundle.LocalFilesDataSourceNode_createSheet_type_text())); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_size_name(), + Bundle.LocalFilesDataSourceNode_createSheet_size_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_size_desc(), + this.content.getSize())); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_timezone_name(), + Bundle.LocalFilesDataSourceNode_createSheet_timezone_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_timezone_desc(), + "")); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_deviceId_name(), + Bundle.LocalFilesDataSourceNode_createSheet_deviceId_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_deviceId_desc(), + localFileDataSource.getDeviceId())); + + return sheet; + } + + @Override + public T accept(ContentNodeVisitor visitor) { + return visitor.visit(this); + } + + 
@Override + public T accept(DisplayableItemNodeVisitor visitor) { + return visitor.visit(this); + } +} diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java index 86aedbd0af..4092dc599f 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2011-2019 Basis Technology Corp. + * Copyright 2011-2021 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -18,16 +18,9 @@ */ package org.sleuthkit.autopsy.datamodel; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.util.logging.Level; import org.openide.nodes.Sheet; import org.openide.util.NbBundle; -import org.sleuthkit.autopsy.casemodule.Case; -import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.coreutils.Logger; -import org.sleuthkit.datamodel.SleuthkitCase; -import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.VirtualDirectory; /** 
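Review bot: The Timezone property in `LocalFilesDataSourceNode.createSheet()` is always the empty string (`Bundle.LocalFilesDataSourceNode_createSheet_timezone_desc(), ""`), whereas the code this commit removes from VirtualDirectoryNode read `time_zone` from `data_source_info`. If `LocalFilesDataSource` exposes the stored value the way `getDeviceId()` is used a few lines later (presumably `localFileDataSource.getTimeZone()`, which is not visible here), the sheet should show it rather than a blank that an examiner may read as "no time zone recorded". The class Javadoc is also empty; something like `/** Node for a logical file set data source (LocalFilesDataSource). */` would do. The `LocalFilesDataSourceNode.createSheet.noDesc` bundle key is declared but not used in this file.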
@@ -47,76 +40,12 @@ public class VirtualDirectoryNode extends SpecialDirectoryNode { super(ld); this.setDisplayName(nameForVirtualDirectory(ld)); - - //set icon for name, special case for logical file set - if (ld.isDataSource()) { - this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS - } else { - this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS - } + + this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS } @Override - @NbBundle.Messages({"VirtualDirectoryNode.createSheet.size.name=Size (Bytes)", - "VirtualDirectoryNode.createSheet.size.displayName=Size (Bytes)", - "VirtualDirectoryNode.createSheet.size.desc=Size of the data source in bytes.", - "VirtualDirectoryNode.createSheet.type.name=Type", - "VirtualDirectoryNode.createSheet.type.displayName=Type", - "VirtualDirectoryNode.createSheet.type.desc=Type of the image.", - "VirtualDirectoryNode.createSheet.type.text=Logical File Set", - "VirtualDirectoryNode.createSheet.timezone.name=Timezone", - "VirtualDirectoryNode.createSheet.timezone.displayName=Timezone", - "VirtualDirectoryNode.createSheet.timezone.desc=Timezone of the image", - "VirtualDirectoryNode.createSheet.deviceId.name=Device ID", - "VirtualDirectoryNode.createSheet.deviceId.displayName=Device ID", - "VirtualDirectoryNode.createSheet.deviceId.desc=Device ID of the image"}) protected Sheet createSheet() { - //Do a special strategy for virtual directories.. 
- if(this.content.isDataSource()){ - Sheet sheet = new Sheet(); - Sheet.Set sheetSet = Sheet.createPropertiesSet(); - sheet.put(sheetSet); - - sheetSet.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.name"), - NbBundle.getMessage(this.getClass(), - "VirtualDirectoryNode.createSheet.name.displayName"), - NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.desc"), - getName())); - - sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_type_name(), - Bundle.VirtualDirectoryNode_createSheet_type_displayName(), - Bundle.VirtualDirectoryNode_createSheet_type_desc(), - Bundle.VirtualDirectoryNode_createSheet_type_text())); - sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_size_name(), - Bundle.VirtualDirectoryNode_createSheet_size_displayName(), - Bundle.VirtualDirectoryNode_createSheet_size_desc(), - this.content.getSize())); - try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT time_zone FROM data_source_info WHERE obj_id = " + this.content.getId())) { - ResultSet timeZoneSet = query.getResultSet(); - if (timeZoneSet.next()) { - sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_timezone_name(), - Bundle.VirtualDirectoryNode_createSheet_timezone_displayName(), - Bundle.VirtualDirectoryNode_createSheet_timezone_desc(), - timeZoneSet.getString("time_zone"))); - } - } catch (SQLException | TskCoreException | NoCurrentCaseException ex) { - logger.log(Level.SEVERE, "Failed to get time zone for the following image: " + this.content.getId(), ex); - } - try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT device_id FROM data_source_info WHERE obj_id = " + this.content.getId());) { - ResultSet deviceIdSet = query.getResultSet(); - if (deviceIdSet.next()) { - sheetSet.put(new 
NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_deviceId_name(), - Bundle.VirtualDirectoryNode_createSheet_deviceId_displayName(), - Bundle.VirtualDirectoryNode_createSheet_deviceId_desc(), - deviceIdSet.getString("device_id"))); - } - } catch (SQLException | TskCoreException | NoCurrentCaseException ex) { - logger.log(Level.SEVERE, "Failed to get device id for the following image: " + this.content.getId(), ex); - } - return sheet; - } - - //Otherwise default to the AAFN createSheet method. Sheet defaultSheet = super.createSheet(); Sheet.Set defaultSheetSet = defaultSheet.get(Sheet.PROPERTIES); diff --git a/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java b/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java index e4904a5cb8..975a659aa7 100644 --- a/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java +++ b/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java @@ -1517,9 +1517,8 @@ public final class DirectoryTreeTopComponent extends TopComponent implements Dat * Returns the credit card artifact's parent node or null if cannot be * found. * - * @param typesChildren The children object of the same category as credit - * card. - * @param art The artifact. + * @param accountRootChildren + * @param ccNumberName * * @return The credit card artifact's parent node or null if cannot be * found. diff --git a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java index 273737ff18..0a44614765 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java +++ b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java 
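Review bot: With the `isDataSource()` branches removed from the `VirtualDirectoryNode` constructor and from `createSheet()`, any call site that still constructs `VirtualDirectoryNode` directly for a data-source virtual directory will silently get the generic folder icon and lose the Type, Size, Timezone and Device ID properties. Only the `CreateSleuthkitNodeVisitor.visit(LocalFilesDataSource)` route to the new node is visible in this diff, so the remaining constructors' callers should be checked. I would state the new contract in the constructor with `// Logical file set data sources are shown by LocalFilesDataSourceNode; this node covers all other virtual directories.` and drop the leftover `//TODO` on the icon line. The body of `createSheet()` continues past the end of the hunk.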
@@ -1450,6 +1450,9 @@ class SevenZipExtractor { * updating * @param statusMap - the map of existing files and their status * @param archiveFilePath - the archive file path for the unpacked node + * @param parentAr - the parent archive as an Archive object + * @param archiveFile - the parent archive as an AbstractFile + * @param depthMap - the depth map (to prevent zip bombs) * * @throws TskCoreException */ diff --git a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java index 52b6d9e191..bc3359a785 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java +++ b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java @@ -361,6 +361,8 @@ public class FileTypeDetector { * Determines whether or not a file matches a user-defined custom file type. * * @param file The file to test. + * @param startOfFileBuffer The beginning of the file data. + * @param bufLen The length of startOfFileBuffer. * * @return The MIME type as a string if a match is found; otherwise null. */ @@ -381,7 +383,9 @@ public class FileTypeDetector { * Autopsy. * * @param file The file to test. - * + * @param startOfFileBuffer The beginning of the file data. + * @param bufLen The length of startOfFileBuffer. + * * @return The MIME type as a string if a match is found; otherwise null. */ private String detectAutopsyDefinedType(AbstractFile file, byte[] startOfFileBuffer, int bufLen) { diff --git a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java index 5dd6f49410..0288d5b463 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java 
@@ -151,6 +151,8 @@ public class FileTypeIdIngestModule implements FileIngestModule { * Determines whether or not a file matches a user-defined custom file type. * * @param file The file to test. + * @param startOfFileBuffer The beginning of the file data. + * @param bufLen The length of startOfFileBuffer. * * @return The file type if a match is found; otherwise null. * diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index bc5a4de60e..092cea047d 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -817,7 +817,7 @@ class ExtractRegistry extends Extract { try { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime)); - BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_DELETED_PROG), bbattributes); + BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_INSTALLED_PROG), bbattributes); newArtifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS diff --git a/docs/doxygen-user/multi-user/installSystems.dox b/docs/doxygen-user/multi-user/installSystems.dox index a583aeee93..7c46ce926f 100644 --- a/docs/doxygen-user/multi-user/installSystems.dox +++ b/docs/doxygen-user/multi-user/installSystems.dox 
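Review bot: Nothing near the corrected `regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_INSTALLED_PROG), bbattributes)` call in the ExtractRegistry hunk records that this branch previously wrote `TSK_DELETED_PROG`. Cases ingested with the earlier line will keep these entries labelled as deleted programs, and nothing tells an examiner that the module has to be re-run. A comment above the call, for example `// Installed program entry; earlier builds stored this as TSK_DELETED_PROG, so affected cases need re-ingest.`, or an equivalent release note, would make the change traceable. The enclosing method starts outside the hunk, so which registry data feeds this branch is not visible here.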
@@ -26,14 +26,13 @@ We recommend: \subsection multiuser_system_hw Suggested Hardware -TODO +- PostgreSQL/ActiveMQ (Server 1): + - RAM: 16GB or more + - Local Storage: 500GB SSD -- PostgreSQL/ActiveMQ (server 1): - - RAM: - - Local Storage: Enough for databases -- Solr (server 2): - - RAM: - - Local Storage: Minimal +- Solr (Server 2): + - RAM: 32GB or more + - Local Storage: A single index will be roughly the size of the data source being ingested. For example 128GB E01 will usually generate a 128 GB index. \subsection multiuser_system_back Backups