From 8ae23cfe4778ecf3b3bed7507c67daa23f61b309 Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Wed, 9 Jun 2021 17:18:41 -0400 Subject: [PATCH 01/13] Added LocalFilesDataSourceNode --- .../datamodel/Bundle.properties-MERGED | 39 ++++---- .../autopsy/datamodel/ContentNodeVisitor.java | 9 +- .../datamodel/CreateSleuthkitNodeVisitor.java | 6 ++ .../datamodel/DisplayableItemNodeVisitor.java | 9 +- .../datamodel/LocalFilesDataSourceNode.java | 99 +++++++++++++++++++ .../datamodel/VirtualDirectoryNode.java | 77 +-------------- 6 files changed, 146 insertions(+), 93 deletions(-) create mode 100755 Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED index 16a5f738fb..6dd6851b03 100755 --- a/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED @@ -45,6 +45,7 @@ AttachmentNode.getActions.openInExtViewer.text=Open in External Viewer Ctrl+E AttachmentNode.getActions.searchFilesSameMD5.text=Search for files with the same MD5 hash AttachmentNode.getActions.viewFileInDir.text=View File in Directory AttachmentNode.getActions.viewInNewWin.text=View in New Window +# {0} - node name BaseChildFactory.NoSuchEventBusException.message=No event bus for node: {0} BlackboardArtifactNode.createSheet.artifactDetails.displayName=Result Details BlackboardArtifactNode.createSheet.artifactDetails.name=Result Details 
@@ -170,6 +171,23 @@ KeywordHits.kwHits.text=Keyword Hits KeywordHits.simpleLiteralSearch.text=Single Literal Keyword Search KeywordHits.singleRegexSearch.text=Single Regular Expression Search LayoutFileNode.getActions.viewFileInDir.text=View File in Directory +LocalFilesDataSourceNode.createSheet.deviceId.desc=Device ID of the image +LocalFilesDataSourceNode.createSheet.deviceId.displayName=Device ID +LocalFilesDataSourceNode.createSheet.deviceId.name=Device ID +LocalFilesDataSourceNode.createSheet.name.desc=no description +LocalFilesDataSourceNode.createSheet.name.displayName=Name +LocalFilesDataSourceNode.createSheet.name.name=Name +LocalFilesDataSourceNode.createSheet.noDesc=no description +LocalFilesDataSourceNode.createSheet.size.desc=Size of the data source in bytes. +LocalFilesDataSourceNode.createSheet.size.displayName=Size (Bytes) +LocalFilesDataSourceNode.createSheet.size.name=Size (Bytes) +LocalFilesDataSourceNode.createSheet.timezone.desc=Timezone of the image +LocalFilesDataSourceNode.createSheet.timezone.displayName=Timezone +LocalFilesDataSourceNode.createSheet.timezone.name=Timezone +LocalFilesDataSourceNode.createSheet.type.desc=Type of the image. +LocalFilesDataSourceNode.createSheet.type.displayName=Type +LocalFilesDataSourceNode.createSheet.type.name=Type +LocalFilesDataSourceNode.createSheet.type.text=Logical File Set OpenIDE-Module-Name=DataModel AbstractContentChildren.CreateTSKNodeVisitor.exception.noNodeMsg=No Node defined for the given SleuthkitItem AbstractContentChildren.createAutopsyNodeVisitor.exception.noNodeMsg=No Node defined for the given DisplayableItem 
@@ -271,10 +289,10 @@ ImageNode.getActions.viewInNewWin.text=View in New Window ImageNode.createSheet.name.name=Name ImageNode.createSheet.name.displayName=Name ImageNode.createSheet.name.desc=no description -Installer.exception.tskVerStringNull.msg=Sleuth Kit JNI test call returned without error, but version string was null! -Installer.exception.taskVerStringBang.msg=Sleuth Kit JNI test call returned without error, but version string was ""! -Installer.tskLibErr.msg=Problem with Sleuth Kit JNI. Test call failed!\n\nDetails: {0} -Installer.tskLibErr.err=Fatal Error! +Installer.exception.tskVerStringNull.msg=Sleuth Kit JNI test call returned without error, but version string was null\! +Installer.exception.taskVerStringBang.msg=Sleuth Kit JNI test call returned without error, but version string was ""\! +Installer.tskLibErr.msg=Problem with Sleuth Kit JNI. Test call failed\!\n\nDetails: {0} +Installer.tskLibErr.err=Fatal Error\! InterestingHits.interestingItems.text=INTERESTING ITEMS InterestingHits.displayName.text=Interesting Items InterestingHits.createSheet.name.name=Name 
@@ -377,19 +395,6 @@ ViewsNode.name.text=File Views ViewsNode.createSheet.name.name=Name ViewsNode.createSheet.name.displayName=Name ViewsNode.createSheet.name.desc=no description -VirtualDirectoryNode.createSheet.deviceId.desc=Device ID of the image -VirtualDirectoryNode.createSheet.deviceId.displayName=Device ID -VirtualDirectoryNode.createSheet.deviceId.name=Device ID -VirtualDirectoryNode.createSheet.size.desc=Size of the data source in bytes. -VirtualDirectoryNode.createSheet.size.displayName=Size (Bytes) -VirtualDirectoryNode.createSheet.size.name=Size (Bytes) -VirtualDirectoryNode.createSheet.timezone.desc=Timezone of the image -VirtualDirectoryNode.createSheet.timezone.displayName=Timezone -VirtualDirectoryNode.createSheet.timezone.name=Timezone -VirtualDirectoryNode.createSheet.type.desc=Type of the image. -VirtualDirectoryNode.createSheet.type.displayName=Type -VirtualDirectoryNode.createSheet.type.name=Type -VirtualDirectoryNode.createSheet.type.text=Logical File Set VirtualDirectoryNode.getActions.viewInNewWin.text=View in New Window VirtualDirectoryNode.createSheet.name.name=Name VirtualDirectoryNode.createSheet.name.displayName=Name diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/ContentNodeVisitor.java b/Core/src/org/sleuthkit/autopsy/datamodel/ContentNodeVisitor.java index 3f6706952a..e7ce03dd7d 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/ContentNodeVisitor.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/ContentNodeVisitor.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2011 Basis Technology Corp. + * Copyright 2011-2021 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -55,6 +55,8 @@ interface ContentNodeVisitor { T visit(UnsupportedContentNode ucn); T visit(OsAccountNode bban); + + T visit(LocalFilesDataSourceNode lfdsn); /** * Visitor with an implementable default behavior for all types. Override 
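Review bot: The new `T visit(LocalFilesDataSourceNode lfdsn);` declaration in ContentNodeVisitor carries no Javadoc, while the neighbouring declarations in DisplayableItemNodeVisitor document each node type (for example the `Unsupported node` comment above `visit(UnsupportedContentNode ucn)`); the matching declaration added in the DisplayableItemNodeVisitor hunk has the same gap. A one-line comment such as `/** Logical file set (local files) data source node. */` on both would keep the two visitor interfaces consistent. The interface bodies continue outside the hunks.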
@@ -137,5 +139,10 @@ interface ContentNodeVisitor { public T visit(OsAccountNode bban) { return defaultVisit(bban); } + + @Override + public T visit(LocalFilesDataSourceNode lfdsn) { + return defaultVisit(lfdsn); + } } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java b/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java index 7601f4a88c..00712fc99a 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java @@ -28,6 +28,7 @@ import org.sleuthkit.datamodel.Image; import org.sleuthkit.datamodel.LayoutFile; import org.sleuthkit.datamodel.LocalDirectory; import org.sleuthkit.datamodel.LocalFile; +import org.sleuthkit.datamodel.LocalFilesDataSource; import org.sleuthkit.datamodel.Pool; import org.sleuthkit.datamodel.SlackFile; import org.sleuthkit.datamodel.SleuthkitItemVisitor; @@ -111,4 +112,9 @@ public class CreateSleuthkitNodeVisitor extends SleuthkitItemVisitor.Default visit(LocalFilesDataSource ld) { + return new LocalFilesDataSourceNode(ld); + } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java b/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java index 5ee350da34..47db7732ea 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2011 - 2018 Basis Technology Corp. + * Copyright 2011 - 2021 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -202,6 +202,8 @@ public interface DisplayableItemNodeVisitor { * Unsupported node */ T visit(UnsupportedContentNode ucn); + + T visit(LocalFilesDataSourceNode lfdsn); /** * Visitor with an implementable default behavior for all types. Override 
@@ -574,5 +576,10 @@ public interface DisplayableItemNodeVisitor { public T visit(UnsupportedContentNode node) { return defaultVisit(node); } + + @Override + public T visit(LocalFilesDataSourceNode node) { + return defaultVisit(node); + } } } diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java new file mode 100755 index 0000000000..cd011898e9 --- /dev/null +++ b/Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java 
@@ -0,0 +1,99 @@ +/* + * Autopsy Forensic Browser + * + * Copyright 2021 Basis Technology Corp. + * Contact: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.datamodel; + +import org.openide.nodes.Sheet; +import org.openide.util.NbBundle; +import org.sleuthkit.datamodel.LocalFilesDataSource; + +/** + * + * + */ +public class LocalFilesDataSourceNode extends VirtualDirectoryNode { + + private final LocalFilesDataSource localFileDataSource; + + public LocalFilesDataSourceNode(LocalFilesDataSource ld) { + super(ld); + localFileDataSource = ld; + this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS + } + + @Override + @NbBundle.Messages({"LocalFilesDataSourceNode.createSheet.size.name=Size (Bytes)", + "LocalFilesDataSourceNode.createSheet.size.displayName=Size (Bytes)", + "LocalFilesDataSourceNode.createSheet.size.desc=Size of the data source in bytes.", + "LocalFilesDataSourceNode.createSheet.type.name=Type", + "LocalFilesDataSourceNode.createSheet.type.displayName=Type", + "LocalFilesDataSourceNode.createSheet.type.desc=Type of the image.", + "LocalFilesDataSourceNode.createSheet.type.text=Logical File Set", + "LocalFilesDataSourceNode.createSheet.timezone.name=Timezone", + "LocalFilesDataSourceNode.createSheet.timezone.displayName=Timezone", + "LocalFilesDataSourceNode.createSheet.timezone.desc=Timezone of the image", + 
"LocalFilesDataSourceNode.createSheet.deviceId.name=Device ID", + "LocalFilesDataSourceNode.createSheet.deviceId.displayName=Device ID", + "LocalFilesDataSourceNode.createSheet.deviceId.desc=Device ID of the image", + "LocalFilesDataSourceNode.createSheet.name.name=Name", + "LocalFilesDataSourceNode.createSheet.name.displayName=Name", + "LocalFilesDataSourceNode.createSheet.name.desc=no description", + "LocalFilesDataSourceNode.createSheet.noDesc=no description",}) + protected Sheet createSheet() { + Sheet sheet = new Sheet(); + Sheet.Set sheetSet = Sheet.createPropertiesSet(); + sheet.put(sheetSet); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_name_name(), + Bundle.LocalFilesDataSourceNode_createSheet_name_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_name_desc(), + getName())); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_type_name(), + Bundle.LocalFilesDataSourceNode_createSheet_type_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_type_desc(), + Bundle.LocalFilesDataSourceNode_createSheet_type_text())); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_size_name(), + Bundle.LocalFilesDataSourceNode_createSheet_size_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_size_desc(), + this.content.getSize())); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_timezone_name(), + Bundle.LocalFilesDataSourceNode_createSheet_timezone_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_timezone_desc(), + "")); + + sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_deviceId_name(), + Bundle.LocalFilesDataSourceNode_createSheet_deviceId_displayName(), + Bundle.LocalFilesDataSourceNode_createSheet_deviceId_desc(), + localFileDataSource.getDeviceId())); + + return sheet; + } + + @Override + public T accept(ContentNodeVisitor visitor) { + return visitor.visit(this); + } + + 
@Override + public T accept(DisplayableItemNodeVisitor visitor) { + return visitor.visit(this); + } +} diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java index 86aedbd0af..4092dc599f 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java @@ -1,7 +1,7 @@ /* * Autopsy Forensic Browser * - * Copyright 2011-2019 Basis Technology Corp. + * Copyright 2011-2021 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -18,16 +18,9 @@ */ package org.sleuthkit.autopsy.datamodel; -import java.sql.ResultSet; -import java.sql.SQLException; -import java.util.logging.Level; import org.openide.nodes.Sheet; import org.openide.util.NbBundle; -import org.sleuthkit.autopsy.casemodule.Case; -import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; import org.sleuthkit.autopsy.coreutils.Logger; -import org.sleuthkit.datamodel.SleuthkitCase; -import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.VirtualDirectory; /** 
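Review bot: In `createSheet` the Timezone property is populated with the literal `""`, whereas the VirtualDirectoryNode code this class replaces looked the time zone up for the data source, so the column now renders blank for every logical file set; either populate it from the data source object (`localFileDataSource.getTimeZone()`, if the DataSource interface exposes it the way it exposes `getDeviceId()`) or drop the property rather than showing an empty value. The class-level Javadoc is an empty `/** */` block and should say what the node represents, e.g. `A node for a LocalFilesDataSource (logical file set) data source, shown with the fileset icon and a data-source property sheet.` The `LocalFilesDataSourceNode.createSheet.noDesc` message is declared in the annotation but never referenced in the method and can be removed.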
@@ -47,76 +40,12 @@ public class VirtualDirectoryNode extends SpecialDirectoryNode { super(ld); this.setDisplayName(nameForVirtualDirectory(ld)); - - //set icon for name, special case for logical file set - if (ld.isDataSource()) { - this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS - } else { - this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS - } + + this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS } @Override - @NbBundle.Messages({"VirtualDirectoryNode.createSheet.size.name=Size (Bytes)", - "VirtualDirectoryNode.createSheet.size.displayName=Size (Bytes)", - "VirtualDirectoryNode.createSheet.size.desc=Size of the data source in bytes.", - "VirtualDirectoryNode.createSheet.type.name=Type", - "VirtualDirectoryNode.createSheet.type.displayName=Type", - "VirtualDirectoryNode.createSheet.type.desc=Type of the image.", - "VirtualDirectoryNode.createSheet.type.text=Logical File Set", - "VirtualDirectoryNode.createSheet.timezone.name=Timezone", - "VirtualDirectoryNode.createSheet.timezone.displayName=Timezone", - "VirtualDirectoryNode.createSheet.timezone.desc=Timezone of the image", - "VirtualDirectoryNode.createSheet.deviceId.name=Device ID", - "VirtualDirectoryNode.createSheet.deviceId.displayName=Device ID", - "VirtualDirectoryNode.createSheet.deviceId.desc=Device ID of the image"}) protected Sheet createSheet() { - //Do a special strategy for virtual directories.. 
- if(this.content.isDataSource()){ - Sheet sheet = new Sheet(); - Sheet.Set sheetSet = Sheet.createPropertiesSet(); - sheet.put(sheetSet); - - sheetSet.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.name"), - NbBundle.getMessage(this.getClass(), - "VirtualDirectoryNode.createSheet.name.displayName"), - NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.desc"), - getName())); - - sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_type_name(), - Bundle.VirtualDirectoryNode_createSheet_type_displayName(), - Bundle.VirtualDirectoryNode_createSheet_type_desc(), - Bundle.VirtualDirectoryNode_createSheet_type_text())); - sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_size_name(), - Bundle.VirtualDirectoryNode_createSheet_size_displayName(), - Bundle.VirtualDirectoryNode_createSheet_size_desc(), - this.content.getSize())); - try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT time_zone FROM data_source_info WHERE obj_id = " + this.content.getId())) { - ResultSet timeZoneSet = query.getResultSet(); - if (timeZoneSet.next()) { - sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_timezone_name(), - Bundle.VirtualDirectoryNode_createSheet_timezone_displayName(), - Bundle.VirtualDirectoryNode_createSheet_timezone_desc(), - timeZoneSet.getString("time_zone"))); - } - } catch (SQLException | TskCoreException | NoCurrentCaseException ex) { - logger.log(Level.SEVERE, "Failed to get time zone for the following image: " + this.content.getId(), ex); - } - try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT device_id FROM data_source_info WHERE obj_id = " + this.content.getId());) { - ResultSet deviceIdSet = query.getResultSet(); - if (deviceIdSet.next()) { - sheetSet.put(new 
NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_deviceId_name(), - Bundle.VirtualDirectoryNode_createSheet_deviceId_displayName(), - Bundle.VirtualDirectoryNode_createSheet_deviceId_desc(), - deviceIdSet.getString("device_id"))); - } - } catch (SQLException | TskCoreException | NoCurrentCaseException ex) { - logger.log(Level.SEVERE, "Failed to get device id for the following image: " + this.content.getId(), ex); - } - return sheet; - } - - //Otherwise default to the AAFN createSheet method. Sheet defaultSheet = super.createSheet(); Sheet.Set defaultSheetSet = defaultSheet.get(Sheet.PROPERTIES); From f98f6d80ff2b8bcfb635e2b37188e6faeef7f674 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Thu, 17 Jun 2021 09:48:44 -0400 Subject: [PATCH 02/13] TSK_INSTALLED_PROG Added to CR TSK_INSTALLED_PROG added to CR Table added to CR for TSK_INSTALLED_PROG Upgrade CR if older version to add TSK_INSTALLED_PROG --- .../datamodel/Bundle.properties-MERGED | 1 + .../CentralRepoDbUpgrader15To16.java | 62 +++++++++++++++++++ .../CorrelationAttributeInstance.java | 3 + .../datamodel/CorrelationAttributeUtil.java | 23 ++++++- .../datamodel/RdbmsCentralRepo.java | 5 +- .../recentactivity/ExtractRegistry.java | 2 +- 6 files changed, 92 insertions(+), 4 deletions(-) create mode 100644 Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED index f43b438b2c..d18133dac4 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED 
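Review bot: With the data-source branch removed from `createSheet`, the visible uses of `logger` and `NbBundle` in VirtualDirectoryNode are gone, yet `import org.sleuthkit.autopsy.coreutils.Logger;` and `import org.openide.util.NbBundle;` are kept in the earlier hunk; if nothing outside the hunk (such as `nameForVirtualDirectory`) still uses them, the `logger` field and both imports are dead and should go. The method now only decorates the superclass sheet, so a short comment such as `// Data-source virtual directories are handled by LocalFilesDataSourceNode; this node only adds the default properties.` would tell a reader where the former data-source properties went. `createSheet` continues outside the hunk.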
@@ -26,6 +26,7 @@ CorrelationType.IMEI.displayName=IMEI Number
 CorrelationType.IMSI.displayName=IMSI Number
 CorrelationType.MAC.displayName=MAC Addresses
 CorrelationType.PHONE.displayName=Phone Numbers
+CorrelationType.PROG_NAME.displayName=Installed Programs
 CorrelationType.SSID.displayName=Wireless Networks
 CorrelationType.USBID.displayName=USB Devices
 EamArtifactInstances.knownStatus.bad=Bad
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java
new file mode 100644
index 0000000000..6294283f8e
--- /dev/null
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java
@@ -0,0 +1,62 @@ +/* + * Central Repository + * + * Copyright 2020 Basis Technology Corp. + * Contact: carrier sleuthkit org + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.sleuthkit.autopsy.centralrepository.datamodel; + +import java.sql.Connection; +import java.sql.SQLException; +import java.sql.Statement; +import org.sleuthkit.datamodel.CaseDbSchemaVersionNumber; + +/** + * This class updates CR schema to 1.5 + * + */ +public class CentralRepoDbUpgrader15To16 implements CentralRepoDbUpgrader { + + @Override + public void upgradeSchema(CaseDbSchemaVersionNumber dbSchemaVersion, Connection connection) throws CentralRepoException, SQLException { + + if (dbSchemaVersion.compareTo(new CaseDbSchemaVersionNumber(1, 6)) < 0) { + + try (Statement statement = connection.createStatement();) { + + CentralRepoPlatforms selectedPlatform = CentralRepoDbManager.getSavedDbChoice().getDbPlatform(); + + for (CorrelationAttributeInstance.Type type : CorrelationAttributeInstance.getDefaultCorrelationTypes()) { + String instance_type_dbname = CentralRepoDbUtil.correlationTypeToInstanceTableName(type); + + if (type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) { + + // these are new Correlation types - new tables need to be created + statement.execute(String.format(RdbmsCentralRepoFactory.getCreateAccountInstancesTableTemplate(selectedPlatform), instance_type_dbname, instance_type_dbname)); + 
statement.execute(String.format(RdbmsCentralRepoFactory.getAddCaseIdIndexTemplate(), instance_type_dbname, instance_type_dbname)); + statement.execute(String.format(RdbmsCentralRepoFactory.getAddDataSourceIdIndexTemplate(), instance_type_dbname, instance_type_dbname)); + statement.execute(String.format(RdbmsCentralRepoFactory.getAddValueIndexTemplate(), instance_type_dbname, instance_type_dbname)); + statement.execute(String.format(RdbmsCentralRepoFactory.getAddKnownStatusIndexTemplate(), instance_type_dbname, instance_type_dbname)); + statement.execute(String.format(RdbmsCentralRepoFactory.getAddObjectIdIndexTemplate(), instance_type_dbname, instance_type_dbname)); + + // add new correlation type + CentralRepoDbUtil.insertCorrelationType(connection, type); + + } + } + } + } + } +} diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java index 32121989e0..e82eca8494 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java @@ -257,6 +257,7 @@ public class CorrelationAttributeInstance implements Serializable { public static final int IMEI_TYPE_ID = 7; public static final int IMSI_TYPE_ID = 8; public static final int ICCID_TYPE_ID = 9; + public static final int INSTALLED_PROGS_TYPE_ID = 10; // An offset to assign Ids for additional correlation types. public static final int ADDITIONAL_TYPES_BASE_ID = 1000; 
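Review bot: The class Javadoc says `This class updates CR schema to 1.5`, but `upgradeSchema` compares against `new CaseDbSchemaVersionNumber(1, 6)`; change it to `This class updates CR schema to 1.6` (the `Copyright 2020` header on a file added in 2021 looks copied from the previous upgrader as well). The installed-programs table is created with `getCreateAccountInstancesTableTemplate`; if that template adds account-specific columns, a non-account correlation type would be better served by the artifact-instances template, should the factory provide one — worth confirming against CentralRepoDbUpgrader14To15. Also, `CentralRepoDbUtil.insertCorrelationType(connection, type)` runs unconditionally inside the loop, so re-running the upgrade after a partial failure would attempt to insert the type a second time unless that helper is idempotent.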
@@ -276,6 +277,7 @@ public class CorrelationAttributeInstance implements Serializable { "CorrelationType.MAC.displayName=MAC Addresses", "CorrelationType.IMEI.displayName=IMEI Number", "CorrelationType.IMSI.displayName=IMSI Number", + "CorrelationType.PROG_NAME.displayName=Installed Programs", "CorrelationType.ICCID.displayName=ICCID Number"}) public static List getDefaultCorrelationTypes() throws CentralRepoException { List defaultCorrelationTypes = new ArrayList<>(); @@ -290,6 +292,7 @@ public class CorrelationAttributeInstance implements Serializable { defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMEI_TYPE_ID, Bundle.CorrelationType_IMEI_displayName(), "imei_number", true, true)); //NON-NLS defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMSI_TYPE_ID, Bundle.CorrelationType_IMSI_displayName(), "imsi_number", true, true)); //NON-NLS defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(ICCID_TYPE_ID, Bundle.CorrelationType_ICCID_displayName(), "iccid_number", true, true)); //NON-NLS + defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(INSTALLED_PROGS_TYPE_ID, Bundle.CorrelationType_PROG_NAME_displayName(), "installed_programs", true, true)); //NON-NLS // Create Correlation Types for Accounts. int correlationTypeId = ADDITIONAL_TYPES_BASE_ID; diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java index 2d0315ef7b..d606ee4da5 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java 
@@ -93,6 +93,7 @@ public class CorrelationAttributeUtil { add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()); add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()); add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()); + add(ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()); } }; @@ -189,6 +190,13 @@ public class CorrelationAttributeUtil { } else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) { makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact); + } else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) { + BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)); + if (setNameAttr != null) { + makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID); + } else { + makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID); + } } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) { @@ -388,7 +396,18 @@ public class CorrelationAttributeUtil { } CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); - return new CorrelationAttributeInstance( + if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) { + return new CorrelationAttributeInstance( + correlationType, + value, + correlationCase, + CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()), + "", + "", + TskData.FileKnown.UNKNOWN, + bbSourceFile.getId()); + } else { + return new CorrelationAttributeInstance( correlationType, value, correlationCase, 
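Review bot: The local `setNameAttr` in the new TSK_INSTALLED_PROG branch holds the TSK_PATH attribute, not a set name, so the name misleads; rename it, e.g. `BlackboardAttribute pathAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));`, and add a comment saying why the path is preferred over the program name as the correlation value. Because the branch falls back to TSK_PROG_NAME when no path is present, the same program appears to correlate under two different value spaces depending on which attribute the extractor supplied; if that is intended, a comment should say so. The enclosing method continues outside the hunk.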
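Review bot: The new `if` for TSK_INSTALLED_PROG duplicates the entire `CorrelationAttributeInstance` constructor call in both branches; as far as the hunk shows, the only difference is the file-path argument, which is `""` for installed programs. Computing that one argument conditionally, e.g. `String filePath = artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID() ? "" : <existing path expression>;` (placeholder for the expression the else branch passes), and keeping a single constructor call would stop the two copies drifting apart. A comment explaining why installed-program instances carry no path would also help. The else branch continues in the following hunk.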
@@ -397,7 +416,7 @@ public class CorrelationAttributeUtil { "", TskData.FileKnown.UNKNOWN, bbSourceFile.getId()); - + } } catch (TskCoreException ex) { logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS return null; diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java index 1b4ce08c18..2e2dafbefd 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java @@ -69,7 +69,7 @@ abstract class RdbmsCentralRepo implements CentralRepository { static final String SCHEMA_MINOR_VERSION_KEY = "SCHEMA_MINOR_VERSION"; static final String CREATION_SCHEMA_MAJOR_VERSION_KEY = "CREATION_SCHEMA_MAJOR_VERSION"; static final String CREATION_SCHEMA_MINOR_VERSION_KEY = "CREATION_SCHEMA_MINOR_VERSION"; - static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 5); + static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 6); protected final List defaultCorrelationTypes; @@ -3976,6 +3976,9 @@ abstract class RdbmsCentralRepo implements CentralRepository { // Upgrade to 1.5 (new CentralRepoDbUpgrader14To15()).upgradeSchema(dbSchemaVersion, conn); + // Upgrade to 1.6 + (new CentralRepoDbUpgrader15To16()).upgradeSchema(dbSchemaVersion, conn); + updateSchemaVersion(conn); conn.commit(); logger.log(Level.INFO, String.format("Central Repository schema updated to version %s", SOFTWARE_CR_DB_SCHEMA_VERSION)); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index cd2eefc4f4..ec95e3e593 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java 
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java @@ -815,7 +815,7 @@ class ExtractRegistry extends Extract { try { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime)); - BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_DELETED_PROG), bbattributes); + BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_INSTALLED_PROG), bbattributes); newArtifacts.add(bbart); } catch (TskCoreException ex) { logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS From 8a405ac9778250b8c31d02d33dc2a2f70a7df527 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Mon, 21 Jun 2021 13:51:54 -0400 Subject: [PATCH 03/13] Initial work on osaccount CR Initial work on osaccount cr --- .../CentralRepoDbUpgrader15To16.java | 3 +- .../CorrelationAttributeInstance.java | 1 + .../eventlisteners/CaseEventListener.java | 60 ++++++++++++++++++- 3 files changed, 62 insertions(+), 2 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java index 6294283f8e..c07a0acec5 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java 
@@ -41,7 +41,8 @@ public class CentralRepoDbUpgrader15To16 implements CentralRepoDbUpgrader { for (CorrelationAttributeInstance.Type type : CorrelationAttributeInstance.getDefaultCorrelationTypes()) { String instance_type_dbname = CentralRepoDbUtil.correlationTypeToInstanceTableName(type); - if (type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) { + if ((type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) || + (type.getId() == CorrelationAttributeInstance.OSACCOUNT_TYPE_ID)){ // these are new Correlation types - new tables need to be created statement.execute(String.format(RdbmsCentralRepoFactory.getCreateAccountInstancesTableTemplate(selectedPlatform), instance_type_dbname, instance_type_dbname)); diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java index e82eca8494..5fe6ae1fa6 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java @@ -258,6 +258,7 @@ public class CorrelationAttributeInstance implements Serializable { public static final int IMSI_TYPE_ID = 8; public static final int ICCID_TYPE_ID = 9; public static final int INSTALLED_PROGS_TYPE_ID = 10; + public static final int OSACCOUNT_TYPE_ID = 11; // An offset to assign Ids for additional correlation types. public static final int ADDITIONAL_TYPES_BASE_ID = 1000; diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java index 806d18c63f..da4280663c 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java 
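Review bot: The upgrader now also creates a table when `type.getId() == CorrelationAttributeInstance.OSACCOUNT_TYPE_ID`, but this patch only adds the `OSACCOUNT_TYPE_ID = 11` constant; as far as the series shows, no `CorrelationAttributeInstance.Type` with that id is added to `getDefaultCorrelationTypes()`, which is the list the loop iterates, so the new branch cannot match unless a later change adds the type. If the type is meant to land in a follow-up, a comment on the constant such as `// No default Type registered yet; see OsAccountAddedTask` would stop a reader assuming the table already exists. The enclosing `upgradeSchema` method starts and ends outside the hunk.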
@@ -23,6 +23,7 @@ import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeListener; import java.util.EnumSet; import java.util.List; +import java.util.Optional; import java.util.Set; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; @@ -37,6 +38,7 @@ import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent; import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent; import org.sleuthkit.autopsy.casemodule.events.DataSourceAddedEvent; import org.sleuthkit.autopsy.casemodule.events.DataSourceNameChangedEvent; +import org.sleuthkit.autopsy.casemodule.events.OsAccountsAddedEvent; import org.sleuthkit.autopsy.casemodule.services.TagsManager; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance; @@ -56,6 +58,7 @@ import org.sleuthkit.datamodel.TskData; import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository; import org.sleuthkit.datamodel.Tag; import org.sleuthkit.autopsy.events.AutopsyEvent; +import org.sleuthkit.datamodel.OsAccount; /** * Listen for case events and update entries in the Central Repository database @@ -75,7 +78,7 @@ public final class CaseEventListener implements PropertyChangeListener { Case.Events.DATA_SOURCE_ADDED, Case.Events.TAG_DEFINITION_CHANGED, Case.Events.CURRENT_CASE, - Case.Events.DATA_SOURCE_NAME_CHANGED); + Case.Events.DATA_SOURCE_NAME_CHANGED, Case.Events.OS_ACCOUNTS_ADDED); public CaseEventListener() { jobProcessingExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat(CASE_EVENT_THREAD_NAME).build()); @@ -130,6 +133,9 @@ public final class CaseEventListener implements PropertyChangeListener { jobProcessingExecutor.submit(new DataSourceNameChangedTask(dbManager, evt)); } break; + case OS_ACCOUNTS_ADDED: { + jobProcessingExecutor.submit(new OsAccountAddedTask(dbManager, evt)); + } } } 
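Review bot: The new `case OS_ACCOUNTS_ADDED: { ... }` in hunk `@@ -130,6 +133,9 @@` has no `break;`, unlike every other case in this switch; it is the last case so nothing falls through today, but the next case added below it will silently inherit the task submission. Adding `break;` after the closing brace keeps the switch uniform. The PATCH 04 hunk `@@ -133,8 +136,10 @@` carries the same omission forward; the switch itself begins outside the hunk.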
@@ -635,6 +641,58 @@ public final class CaseEventListener implements PropertyChangeListener { } // CURRENT_CASE } + private final class OsAccountAddedTask implements Runnable { + + private final CentralRepository dbManager; + private final PropertyChangeEvent event; + + private OsAccountAddedTask(CentralRepository db, PropertyChangeEvent evt) { + dbManager = db; + event = evt; + } + + @Override + public void run() { + if (!CentralRepository.isEnabled()) { + return; + } + + final OsAccountsAddedEvent osAccountsAddedEvent = (OsAccountsAddedEvent) event; + List addedOsAccountNew = osAccountsAddedEvent.getNewValue(); + for (OsAccount osAccount: addedOsAccountNew) { + Optional accountAddr = osAccount.getAddr(); + // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system + // and they are not unique + if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) { + return; + } + try { + + CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); +// Type correlationType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID); +// CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( +// CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), +// accountAddr.get(), +// correlationCase, +// CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource), +// "", +// "", +// "", +// "", +// TskData.FileKnown, +// osAccount.getId()); + +// dbManager.addArtifactInstance(correlationAttributeInstance); + } catch (CentralRepoException ex) { + LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); //NON-NLS + } catch (NoCurrentCaseException ex) { + LOGGER.log(Level.SEVERE, "Exception while 
getting open case.", ex); //NON-NLS + } + } + LOGGER.log(Level.INFO, "Error connecting to Central Repository database."); //NON-NLS + } + } + private final class DataSourceNameChangedTask implements Runnable { private final CentralRepository dbManager; From 475e8ecece346da7f31695aae8b48ec5ff810644 Mon Sep 17 00:00:00 2001 From: Mark McKinnon Date: Mon, 21 Jun 2021 21:24:34 -0400 Subject: [PATCH 04/13] Update CaseEventListener.java Added osAccountInstanceEvent --- .../eventlisteners/CaseEventListener.java | 83 +++++++++++-------- 1 file changed, 47 insertions(+), 36 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java index da4280663c..dd2b58a117 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java @@ -29,6 +29,7 @@ import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; import java.util.logging.Level; import org.apache.commons.lang.StringUtils; +import org.openide.util.Exceptions; import org.openide.util.NbBundle.Messages; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; 
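Review bot: The `return` inside the `for (OsAccount osAccount: addedOsAccountNew)` loop aborts the whole batch as soon as one account has no address or is one of the well-known SIDs, so every account after it in the event is never sent to the central repository; that should be `continue;`. The `LOGGER.log(Level.INFO, "Error connecting to Central Repository database.")` after the loop runs unconditionally on every successful pass and reports an error that did not happen, so it should either be removed or moved into the `CentralRepoException` handler. The large commented-out block inside the try should be deleted rather than committed. The same `return` is carried forward in the PATCH 04 hunk `@@ -657,41 +662,46 @@` and the PATCH 05 hunk `@@ -661,48 +678,75 @@`.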
@@ -38,7 +39,7 @@ import org.sleuthkit.autopsy.casemodule.events.ContentTagAddedEvent; import org.sleuthkit.autopsy.casemodule.events.ContentTagDeletedEvent; import org.sleuthkit.autopsy.casemodule.events.DataSourceAddedEvent; import org.sleuthkit.autopsy.casemodule.events.DataSourceNameChangedEvent; -import org.sleuthkit.autopsy.casemodule.events.OsAccountsAddedEvent; +import org.sleuthkit.autopsy.casemodule.events.OsAcctInstancesAddedEvent; import org.sleuthkit.autopsy.casemodule.services.TagsManager; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance; @@ -56,9 +57,11 @@ import org.sleuthkit.datamodel.TagName; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository; +import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException; import org.sleuthkit.datamodel.Tag; import org.sleuthkit.autopsy.events.AutopsyEvent; import org.sleuthkit.datamodel.OsAccount; +import org.sleuthkit.datamodel.OsAccountInstance; /** * Listen for case events and update entries in the Central Repository database @@ -133,8 +136,10 @@ public final class CaseEventListener implements PropertyChangeListener { jobProcessingExecutor.submit(new DataSourceNameChangedTask(dbManager, evt)); } break; - case OS_ACCOUNTS_ADDED: { - jobProcessingExecutor.submit(new OsAccountAddedTask(dbManager, evt)); + case OS_ACCT_INSTANCES_ADDED: { + if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) { + jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt)); + } } } } 
@@ -641,12 +646,12 @@ public final class CaseEventListener implements PropertyChangeListener { } // CURRENT_CASE } - private final class OsAccountAddedTask implements Runnable { + private final class OsAccountInstancesAddedTask implements Runnable { private final CentralRepository dbManager; private final PropertyChangeEvent event; - private OsAccountAddedTask(CentralRepository db, PropertyChangeEvent evt) { + private OsAccountInstancesAddedTask(CentralRepository db, PropertyChangeEvent evt) { dbManager = db; event = evt; } 
@@ -657,41 +662,46 @@ public final class CaseEventListener implements PropertyChangeListener { return; } - final OsAccountsAddedEvent osAccountsAddedEvent = (OsAccountsAddedEvent) event; - List addedOsAccountNew = osAccountsAddedEvent.getNewValue(); - for (OsAccount osAccount: addedOsAccountNew) { - Optional accountAddr = osAccount.getAddr(); - // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system - // and they are not unique - if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) { - return; - } + final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event; + List addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances(); + for (OsAccountInstance osAccountInstance: addedOsAccountNew) { try { - - CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); -// Type correlationType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID); -// CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( -// CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), -// accountAddr.get(), -// correlationCase, -// CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource), -// "", -// "", -// "", -// "", -// TskData.FileKnown, -// osAccount.getId()); - -// dbManager.addArtifactInstance(correlationAttributeInstance); - } catch (CentralRepoException ex) { - LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); //NON-NLS - } catch (NoCurrentCaseException ex) { - LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS - } - } + OsAccount osAccount = osAccountInstance.getOsAccount(); + Optional accountAddr = 
osAccount.getAddr(); + // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system + // and they are not unique + if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) { + return; + } + try { + + CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); + CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( + CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), + accountAddr.get(), + correlationCase, + CorrelationDataSource.fromTSKDataSource(correlationCase, osAccountInstance.getDataSource()), + "", + "", + TskData.FileKnown.KNOWN, + osAccount.getId()); + + dbManager.addArtifactInstance(correlationAttributeInstance); + } catch (CentralRepoException ex) { + LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); //NON-NLS + } catch (NoCurrentCaseException ex) { + LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS + } catch (CorrelationAttributeNormalizationException ex) { + LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS + } + + } catch (TskCoreException ex) { + LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); + } LOGGER.log(Level.INFO, "Error connecting to Central Repository database."); //NON-NLS } } + } private final class DataSourceNameChangedTask implements Runnable { @@ -729,3 +739,4 @@ public final class CaseEventListener implements PropertyChangeListener { } // DATA_SOURCE_NAME_CHANGED } } + From 4a66ea26aed816e31ed7191ab29cd885647ddfe8 Mon Sep 17 00:00:00 2001 
From: Mark McKinnon Date: Mon, 28 Jun 2021 13:21:04 -0400 Subject: [PATCH 05/13] Added OsAccount to CR Add OsAccount Code to CR --- .../application/OtherOccurrences.java | 41 ++++++ .../OtherOccurrencesNodeWorker.java | 14 +- .../datamodel/Bundle.properties-MERGED | 1 + .../CorrelationAttributeInstance.java | 4 +- .../eventlisteners/Bundle.properties-MERGED | 3 + .../eventlisteners/CaseEventListener.java | 131 ++++++++++++------ .../autopsy/datamodel/FileTypes.java | 10 ++ 7 files changed, 157 insertions(+), 47 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java index 934c8015a4..5adc34cc76 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java @@ -31,6 +31,7 @@ import java.util.HashMap; import java.util.List; import java.util.Locale; import java.util.Map; +import java.util.Optional; import java.util.logging.Level; import org.apache.commons.lang3.StringUtils; import org.joda.time.DateTimeZone; @@ -52,6 +53,9 @@ import org.sleuthkit.datamodel.BlackboardArtifact; import org.sleuthkit.datamodel.BlackboardArtifactTag; import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.ContentTag; +import org.sleuthkit.datamodel.DataSource; +import org.sleuthkit.datamodel.OsAccount; +import org.sleuthkit.datamodel.OsAccountInstance; import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; 
@@ -69,6 +73,43 @@ public final class OtherOccurrences { private OtherOccurrences() { } + public static Collection getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount) { + Collection ret = new ArrayList<>(); + Optional osAccountAddr = osAccount.getAddr(); + + if (osAccountAddr.isPresent()) { + try { + for (OsAccountInstance instance : osAccount.getOsAccountInstances()) { + DataSource osAccountDataSource = instance.getDataSource(); + try { + CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); + CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( + CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), + osAccountAddr.get(), + correlationCase, + CorrelationDataSource.fromTSKDataSource(correlationCase, instance.getDataSource()), + "", + "", + TskData.FileKnown.KNOWN, + osAccount.getId()); + + ret.add(correlationAttributeInstance); + } catch (CentralRepoException ex) { + logger.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", osAccountAddr.get()), ex); //NON-NLS + } catch (NoCurrentCaseException ex) { + logger.log(Level.WARNING, String.format("Exception while getting open case looking up osAccount %s.", osAccountAddr.get()), ex); //NON-NLS + } catch (CorrelationAttributeNormalizationException ex) { + logger.log(Level.SEVERE, String.format("Exception with Correlation Attribute Normalization for osAccount %s.", osAccountAddr.get()), ex); //NON-NLS + } + } + } catch (TskCoreException ex) { + logger.log(Level.INFO, String.format("Unable to check create CorrelationAttribtueInstance for osAccount %s.", osAccountAddr.get()), ex); + } + } + + return ret; + } + /** * Determine what attributes can be used for correlation based on the node. * If EamDB is not enabled, get the default Files correlation. 
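Review bot: `getCorrelationAttributeFromOsAccount` is a new public static method without Javadoc, and its `Node node` parameter is never read inside the body, as is the local `osAccountDataSource`, which is computed and then ignored in favour of a second `instance.getDataSource()` call. `CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows())` is also re-evaluated for every OsAccountInstance although it cannot change between iterations; hoist `CorrelationCase correlationCase = ...` above the for loop and keep only the per-instance constructor inside it. The Javadoc should state that one CorrelationAttributeInstance is produced per OsAccountInstance of the account, that an account without an address yields an empty collection, and that central-repository failures are logged rather than thrown. The last log message also has a typo, `CorrelationAttribtueInstance`.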
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java index 0654002f6f..ab8821931a 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java @@ -18,6 +18,7 @@ */ package org.sleuthkit.autopsy.centralrepository.contentviewer; +import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; import java.util.HashSet; @@ -37,6 +38,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Content; +import org.sleuthkit.datamodel.OsAccount; import org.sleuthkit.datamodel.TskException; /** @@ -60,7 +62,11 @@ class OtherOccurrencesNodeWorker extends SwingWorker @Override protected OtherOccurrencesData doInBackground() throws Exception { + OsAccount osAccount = node.getLookup().lookup(OsAccount.class); AbstractFile file = OtherOccurrences.getAbstractFileFromNode(node); + if (osAccount != null) { + file = node.getLookup().lookup(AbstractFile.class); + } String deviceId = ""; String dataSourceName = ""; Map caseNames = new HashMap<>(); 
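Review bot: In hunk `@@ -60,7 +62,11 @@`, when `osAccount != null` the already computed `file` is overwritten by `node.getLookup().lookup(AbstractFile.class)`, and if an OS-account node carries no AbstractFile in its lookup the `return null` guard visible in the next hunk's context would presumably exit before the new OS-account branch is ever reached. Either skip the null-file guard when `osAccount != null`, or compute `file` only in the non-account path, e.g. `AbstractFile file = osAccount == null ? OtherOccurrences.getAbstractFileFromNode(node) : null;`. `doInBackground` continues outside the hunk, so the guard itself should be checked there.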
@@ -77,8 +83,12 @@ class OtherOccurrencesNodeWorker extends SwingWorker // @@@ Review this behavior return null; } - Collection correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file); - + Collection correlationAttributes = new ArrayList<>(); + if (osAccount != null) { + correlationAttributes = OtherOccurrences.getCorrelationAttributeFromOsAccount(node, osAccount); + } else { + correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file); + } int totalCount = 0; Set dataSources = new HashSet<>(); for (CorrelationAttributeInstance corAttr : correlationAttributes) { diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED index d18133dac4..a80f1f7d86 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED @@ -25,6 +25,7 @@ CorrelationType.ICCID.displayName=ICCID Number CorrelationType.IMEI.displayName=IMEI Number CorrelationType.IMSI.displayName=IMSI Number CorrelationType.MAC.displayName=MAC Addresses +CorrelationType.OS_ACCOUNT.displayName=Os Account CorrelationType.PHONE.displayName=Phone Numbers CorrelationType.PROG_NAME.displayName=Installed Programs CorrelationType.SSID.displayName=Wireless Networks diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java index 5fe6ae1fa6..64d41dcf25 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java 
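Review bot: `Collection correlationAttributes = new ArrayList<>();` is immediately reassigned on both branches of the following if/else, so the initializer is dead and the variable is needlessly mutable. A single conditional expression reads more directly: `final Collection<CorrelationAttributeInstance> correlationAttributes = osAccount != null ? OtherOccurrences.getCorrelationAttributeFromOsAccount(node, osAccount) : OtherOccurrences.getCorrelationAttributesFromNode(node, file);`. The enclosing `doInBackground` starts and ends outside this hunk.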
@@ -279,7 +279,8 @@ public class CorrelationAttributeInstance implements Serializable { "CorrelationType.IMEI.displayName=IMEI Number", "CorrelationType.IMSI.displayName=IMSI Number", "CorrelationType.PROG_NAME.displayName=Installed Programs", - "CorrelationType.ICCID.displayName=ICCID Number"}) + "CorrelationType.ICCID.displayName=ICCID Number", + "CorrelationType.OS_ACCOUNT.displayName=Os Account"}) public static List getDefaultCorrelationTypes() throws CentralRepoException { List defaultCorrelationTypes = new ArrayList<>(); @@ -294,6 +295,7 @@ public class CorrelationAttributeInstance implements Serializable { defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMSI_TYPE_ID, Bundle.CorrelationType_IMSI_displayName(), "imsi_number", true, true)); //NON-NLS defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(ICCID_TYPE_ID, Bundle.CorrelationType_ICCID_displayName(), "iccid_number", true, true)); //NON-NLS defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(INSTALLED_PROGS_TYPE_ID, Bundle.CorrelationType_PROG_NAME_displayName(), "installed_programs", true, true)); //NON-NLS + defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(OSACCOUNT_TYPE_ID, Bundle.CorrelationType_OS_ACCOUNT_displayName(), "os_accounts", true, true)); //NON-NLS // Create Correlation Types for Accounts. int correlationTypeId = ADDITIONAL_TYPES_BASE_ID; diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED index e95a759c4f..d71782c0ee 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED 
@@ -1,4 +1,7 @@ caseeventlistener.evidencetag=Evidence +CaseEventsListener.module.name=Central Repository +CaseEventsListener.prevCaseComment.text=Users seen in previous cases +CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository) CentralRepositoryNotificationDialog.bulletHeader=This data is used to: CentralRepositoryNotificationDialog.bulletOne=Ignore common items (files, domains, and accounts) CentralRepositoryNotificationDialog.bulletThree=Create personas that group accounts diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java index dd2b58a117..ee8fbdb0e6 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java @@ -21,6 +21,8 @@ package org.sleuthkit.autopsy.centralrepository.eventlisteners; import com.google.common.util.concurrent.ThreadFactoryBuilder; import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeListener; +import java.util.Arrays; +import java.util.Collection; import java.util.EnumSet; import java.util.List; import java.util.Optional; @@ -28,8 +30,10 @@ import java.util.Set; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; import java.util.logging.Level; +import java.util.stream.Collectors; import org.apache.commons.lang.StringUtils; import org.openide.util.Exceptions; +import org.openide.util.NbBundle; import org.openide.util.NbBundle.Messages; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException; 
@@ -60,8 +64,15 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException; import org.sleuthkit.datamodel.Tag; import org.sleuthkit.autopsy.events.AutopsyEvent; +import org.sleuthkit.datamodel.Blackboard; +import org.sleuthkit.datamodel.BlackboardAttribute; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT; +import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; import org.sleuthkit.datamodel.OsAccount; import org.sleuthkit.datamodel.OsAccountInstance; +import org.sleuthkit.datamodel.Score; +import org.sleuthkit.datamodel.SleuthkitCase; /** * Listen for case events and update entries in the Central Repository database @@ -81,7 +92,8 @@ public final class CaseEventListener implements PropertyChangeListener { Case.Events.DATA_SOURCE_ADDED, Case.Events.TAG_DEFINITION_CHANGED, Case.Events.CURRENT_CASE, - Case.Events.DATA_SOURCE_NAME_CHANGED, Case.Events.OS_ACCOUNTS_ADDED); + Case.Events.DATA_SOURCE_NAME_CHANGED, + Case.Events.OS_ACCT_INSTANCES_ADDED); public CaseEventListener() { jobProcessingExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat(CASE_EVENT_THREAD_NAME).build()); @@ -138,9 +150,10 @@ public final class CaseEventListener implements PropertyChangeListener { break; case OS_ACCT_INSTANCES_ADDED: { if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) { - jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt)); + jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt)); } } + break; } } 
@@ -300,10 +313,10 @@ public final class CaseEventListener implements PropertyChangeListener { * Sets the known status for the correlation attribute instance for the * given abstract file. * - * @param af The abstract file for which to set the correlation - * attribute instance. + * @param af The abstract file for which to set the correlation + * attribute instance. * @param knownStatus The new known status for the correlation attribute - * instance. + * instance. */ private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) { final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af); @@ -396,7 +409,7 @@ public final class CaseEventListener implements PropertyChangeListener { * for the item. If there are, set known status as notable. If not set * status as unknown. * - * @param content The content for the tag that was added or deleted. + * @param content The content for the tag that was added or deleted. * @param bbArtifact The artifact for the tag that was added or deleted. */ private void handleTagChange(Content content, BlackboardArtifact bbArtifact) { @@ -441,7 +454,7 @@ public final class CaseEventListener implements PropertyChangeListener { * Sets the known status of a blackboard artifact in the central * repository. * - * @param bbArtifact The blackboard artifact to set known status. + * @param bbArtifact The blackboard artifact to set known status. * @param knownStatus The new known status. */ private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) { 
@@ -646,11 +659,15 @@ public final class CaseEventListener implements PropertyChangeListener { } // CURRENT_CASE } + @NbBundle.Messages({"CaseEventsListener.module.name=Central Repository", + "CaseEventsListener.prevCaseComment.text=Users seen in previous cases", + "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"}) private final class OsAccountInstancesAddedTask implements Runnable { private final CentralRepository dbManager; private final PropertyChangeEvent event; - + private final String MODULE_NAME = Bundle.CaseEventsListener_module_name(); + private OsAccountInstancesAddedTask(CentralRepository db, PropertyChangeEvent evt) { dbManager = db; event = evt; 
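Review bot: `private final String MODULE_NAME = Bundle.CaseEventsListener_module_name();` is a per-instance field written in the UPPER_SNAKE_CASE reserved for constants, and because `OsAccountInstancesAddedTask` is a non-static inner class it cannot hold a non-constant static field. Either rename it `moduleName`, or move it to the outer `CaseEventListener` as `private static final String MODULE_NAME = Bundle.CaseEventsListener_module_name();` so it is resolved once. The class body continues past the end of the hunk.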
@@ -661,48 +678,75 @@ public final class CaseEventListener implements PropertyChangeListener { if (!CentralRepository.isEnabled()) { return; } - - final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event; - List addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances(); - for (OsAccountInstance osAccountInstance: addedOsAccountNew) { - try { - OsAccount osAccount = osAccountInstance.getOsAccount(); - Optional accountAddr = osAccount.getAddr(); - // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system - // and they are not unique - if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) { - return; - } + + final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event; + List addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances(); + for (OsAccountInstance osAccountInstance : addedOsAccountNew) { try { + OsAccount osAccount = osAccountInstance.getOsAccount(); + Optional accountAddr = osAccount.getAddr(); + // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system + // and they are not unique + if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) { + return; + } + try { - CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); - CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( - CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), - accountAddr.get(), - correlationCase, - CorrelationDataSource.fromTSKDataSource(correlationCase, osAccountInstance.getDataSource()), - "", - "", - TskData.FileKnown.KNOWN, - 
osAccount.getId()); + CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); + CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance( + CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), + accountAddr.get(), + correlationCase, + CorrelationDataSource.fromTSKDataSource(correlationCase, osAccountInstance.getDataSource()), + "", + "", + TskData.FileKnown.KNOWN, + osAccount.getId()); - dbManager.addArtifactInstance(correlationAttributeInstance); - } catch (CentralRepoException ex) { - LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); //NON-NLS - } catch (NoCurrentCaseException ex) { - LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS - } catch (CorrelationAttributeNormalizationException ex) { - LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS + dbManager.addArtifactInstance(correlationAttributeInstance); + + List previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue()); + List caseDisplayNames; + for (CorrelationAttributeInstance instance : previousOccurences) { + if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) { + caseDisplayNames = dbManager.getListCasesHavingArtifactInstances(correlationAttributeInstance.getCorrelationType(), correlationAttributeInstance.getCorrelationValue()); + SleuthkitCase tskCase = osAccount.getSleuthkitCase(); + Blackboard blackboard = tskCase.getBlackboard(); + + Collection attributesForNewArtifact = Arrays.asList( + new BlackboardAttribute( + TSK_SET_NAME, MODULE_NAME, + Bundle.CaseEventsListener_prevExists_text()), + new BlackboardAttribute( + TSK_COMMENT, 
MODULE_NAME, + Bundle.CaseEventsListener_prevCaseComment_text())); + BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult( + BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE, + null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult(); + try { + // index the artifact for keyword search + blackboard.postArtifact(newAnalysisResult, MODULE_NAME); + } catch (Blackboard.BlackboardException ex) { + LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS + } + } + } + + } catch (CentralRepoException ex) { + LOGGER.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", accountAddr.get()), ex); //NON-NLS + } catch (NoCurrentCaseException ex) { + LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS + } catch (CorrelationAttributeNormalizationException ex) { + LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS + } + + } catch (TskCoreException ex) { + LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); } - - } catch (TskCoreException ex) { - LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex); } - LOGGER.log(Level.INFO, "Error connecting to Central Repository database."); //NON-NLS } } - } - + private final class DataSourceNameChangedTask implements Runnable { private final CentralRepository dbManager; @@ -739,4 +783,3 @@ public final class CaseEventListener implements PropertyChangeListener { } // DATA_SOURCE_NAME_CHANGED } } - diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java b/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java index 742d656a82..9404362218 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java 
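Review bot: The `for (CorrelationAttributeInstance instance : previousOccurences)` loop creates and posts a new TSK_INTERESTING_ARTIFACT_HIT analysis result for every previous occurrence whose case UUID differs, so an account already seen k times elsewhere receives k identical "Previously Seen Users" results on the same OsAccount in this case. One result is enough: add `break;` after the `blackboard.postArtifact(...)` try/catch, or collect the foreign occurrences first and post once. `caseDisplayNames` is fetched from the repository on each iteration via `getListCasesHavingArtifactInstances` and never read, which is an extra database round-trip with no effect; drop it. The `TskCoreException` handler still logs `"Cannot get central repository for OsAccount: " + "OsAccount"`, but that exception comes from the Sleuth Kit calls (`getOsAccount`, `getSleuthkitCase`, `newAnalysisResult`), so a message such as `"Unable to create analysis result for OsAccount"` would describe the failure. The enclosing `run()` begins before the hunk.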
@@ -397,6 +397,11 @@ public final class FileTypes implements AutopsyVisitableItem { return content.newDataArtifact(artifactType, attributesList, osAccountId); } + @Override + public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection attributesList, Long osAccountId, long dataSourceId) throws TskCoreException { + return content.newDataArtifact(artifactType, attributesList, osAccountId, dataSourceId); + } + @Override public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection attributesList) throws TskCoreException { return content.newDataArtifact(artifactType, attributesList); @@ -467,6 +472,11 @@ public final class FileTypes implements AutopsyVisitableItem { return content.newAnalysisResult(type, score, string, string1, string2, clctn); } + @Override + public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type type, Score score, String string, String string1, String string2, Collection clctn, long dataSourceId) throws TskCoreException { + return content.newAnalysisResult(type, score, string, string1, string2, clctn, dataSourceId); + } + @Override public Score getAggregateScore() throws TskCoreException { return content.getAggregateScore(); From ba6a035540bcc1df697b72a9840002856d61278c Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Mon, 28 Jun 2021 14:57:30 -0400 Subject: [PATCH 06/13] Fixed NPE issue --- .../communications/VisualizationPanel.java | 33 +++++-------------- 1 file changed, 8 insertions(+), 25 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java index 0fb2beac00..00e90f402a 100644 --- a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java +++ b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java 
@@ -1,7 +1,7 @@
/*
* Autopsy Forensic Browser
*
- * Copyright 2017-2018 Basis Technology Corp.
+ * Copyright 2017-2021 Basis Technology Corp.
* Contact: carrier sleuthkit org
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -70,7 +70,6 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
-import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.function.BiConsumer;
import java.util.logging.Level;
@@ -584,29 +583,13 @@ final public class VisualizationPanel extends JPanel {
ModalDialogProgressIndicator progressIndicator = new ModalDialogProgressIndicator(windowAncestor, Bundle.VisualizationPanel_computingLayout());
progressIndicator.start(Bundle.VisualizationPanel_computingLayout());
- new SwingWorker() {
- @Override
- protected Void doInBackground() {
- graph.getModel().beginUpdate();
- try {
- layout.execute(graph.getDefaultParent());
- fitGraph();
- } finally {
- graph.getModel().endUpdate();
- progressIndicator.finish();
- }
- return null;
- }
-
- @Override
- protected void done() {
- try {
- get();
- } catch (InterruptedException | ExecutionException ex) {
- logger.log(Level.WARNING, "CVT graph layout failed.", ex);
- }
- }
- }.execute();
+ try {
+ layout.execute(graph.getDefaultParent());
+ fitGraph();
+ } finally {
+ graph.getModel().endUpdate();
+ progressIndicator.finish();
+ }
}
private void clearVizButtonActionPerformed(ActionEvent evt) {//GEN-FIRST:event_clearVizButtonActionPerformed
From 2e918f5aba563b8ac338f71db47b2df3f47669e1 Mon Sep 17 00:00:00 2001
From: Kelly Kelly
Date: Tue, 29 Jun 2021 10:18:11 -0400
Subject: [PATCH 07/13] Added back removed beginUpdate
---
.../org/sleuthkit/autopsy/communications/VisualizationPanel.java | 1 +
1 file changed, 1 insertion(+)
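Review bot: Removing the SwingWorker in the third hunk also removes the failure handling its done() method provided: an unchecked exception from `layout.execute(graph.getDefaultParent())` or `fitGraph()` now leaves the try/finally unlogged and propagates out of the enclosing method, which starts outside the hunk, whereas before it surfaced as an ExecutionException and was logged as "CVT graph layout failed.". The finally block still dismisses the progress dialog, so a failed layout would look to the user like a completed one; add `} catch (RuntimeException ex) { logger.log(Level.WARNING, "CVT graph layout failed.", ex); throw ex; }` before the finally so the failure is at least recorded. Note also that the layout now runs synchronously on whichever thread calls this method — presumably the event dispatch thread, given the modal progress indicator — so a long layout will block the UI for its duration, and the commit message ("Fixed NPE issue") does not say whether that trade-off was intended. The dropped beginUpdate() call is restored by the two follow-up commits, so nothing further is needed there.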
diff --git a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java
index 00e90f402a..5804163838 100644
--- a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java
+++ b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java
@@ -584,6 +584,7 @@ final public class VisualizationPanel extends JPanel {
progressIndicator.start(Bundle.VisualizationPanel_computingLayout());
try {
+ graph.getModel().beginUpdate();
layout.execute(graph.getDefaultParent());
fitGraph();
} finally {
From 0a48ff1e469e4303f2f3f50b4d00785e7d6f04d3 Mon Sep 17 00:00:00 2001
From: Kelly Kelly
Date: Tue, 29 Jun 2021 10:19:04 -0400
Subject: [PATCH 08/13] Added back removed beginUpdate
---
.../sleuthkit/autopsy/communications/VisualizationPanel.java | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java
index 5804163838..9e13769730 100644
--- a/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java
+++ b/Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java
@@ -582,9 +582,8 @@ final public class VisualizationPanel extends JPanel {
ModalDialogProgressIndicator progressIndicator = new ModalDialogProgressIndicator(windowAncestor, Bundle.VisualizationPanel_computingLayout());
progressIndicator.start(Bundle.VisualizationPanel_computingLayout());
-
- try {
- graph.getModel().beginUpdate();
+ graph.getModel().beginUpdate();
+ try {
layout.execute(graph.getDefaultParent());
fitGraph();
} finally {
From aeac0a6eadcae6c597bbb720f103aa14e6a01fdc Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 29 Jun 2021 12:51:45 -0400
Subject: [PATCH 09/13] Update CentralRepoDbUpgrader15To16.java
Address reviewer comments.
---
.../datamodel/CentralRepoDbUpgrader15To16.java | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java
index c07a0acec5..e19cfd8155 100644
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java
@@ -1,7 +1,7 @@
/*
* Central Repository
*
- * Copyright 2020 Basis Technology Corp.
+ * Copyright 2021 Basis Technology Corp.
* Contact: carrier sleuthkit org
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -24,7 +24,7 @@ import java.sql.Statement;
import org.sleuthkit.datamodel.CaseDbSchemaVersionNumber;
/**
- * This class updates CR schema to 1.5
+ * This class updates CR schema to 1.6
*
*/
public class CentralRepoDbUpgrader15To16 implements CentralRepoDbUpgrader {
From d6e592e59e06c5be2d266e153ebf14d2c4fa1d5f Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 29 Jun 2021 12:58:22 -0400
Subject: [PATCH 10/13] Update OtherOccurrences.java
Add comment for method
---
.../centralrepository/application/OtherOccurrences.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
index 1218956f9e..c8416e2d35 100755
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
@@ -73,6 +73,14 @@ public final class OtherOccurrences {
private OtherOccurrences() { }
+ /**
+ * Determine what attributes can be used for correlation based on the node.
+ *
+ * @param node The node to correlate
+ * @param osAccount the osAccount to correlate
+ *
+ * @return A list of attributes that can be used for correlation
+ */
public static Collection getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount) {
Collection ret = new ArrayList<>();
Optional osAccountAddr = osAccount.getAddr();
From 672aff2a0bc8f52a984d216c3ce5b39157717e95 Mon Sep 17 00:00:00 2001
From: Mark McKinnon
Date: Tue, 29 Jun 2021 13:05:55 -0400
Subject: [PATCH 11/13] Update CaseEventListener.java
Added class comment
---
.../centralrepository/eventlisteners/CaseEventListener.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java
index ee8fbdb0e6..71dff36eaf 100644
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java
@@ -662,6 +662,9 @@ public final class CaseEventListener implements PropertyChangeListener {
@NbBundle.Messages({"CaseEventsListener.module.name=Central Repository", "CaseEventsListener.prevCaseComment.text=Users seen in previous cases", "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"})
+ /**
+ * Add OsAccount Instance to CR and find interesting items based on the OsAccount
+ */
private final class OsAccountInstancesAddedTask implements Runnable {
private final CentralRepository dbManager;
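Review bot: The Javadoc added in the CaseEventListener hunk is placed between the `@NbBundle.Messages({...})` annotation and `private final class OsAccountInstancesAddedTask`, so it is not attached to the class: annotations are part of the declaration, and a doc comment must immediately precede the declaration's first annotation or modifier for javadoc to associate it (newer javac releases report such a comment as dangling). Move the three comment lines above the `@NbBundle.Messages` annotation. The summary would also read better as a sentence, e.g. `* Adds an OsAccount instance to the central repository and creates interesting item results based on it.`; the task's body lies outside the hunk, so keep the wording to what the existing comment already claims. The OtherOccurrences hunk's new Javadoc is correctly positioned and needs no change.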
From: apriestman
Date: Tue, 29 Jun 2021 13:36:02 -0400
Subject: [PATCH 12/13] Doxygen fixes
---
.../centralrepository/application/OtherOccurrences.java | 6 +++++-
.../autopsy/datamodel/AutopsyTreeChildFactory.java | 2 +-
.../autopsy/directorytree/DirectoryTreeTopComponent.java | 5 ++---
.../modules/embeddedfileextractor/SevenZipExtractor.java | 3 +++
.../autopsy/modules/filetypeid/FileTypeDetector.java | 6 +++++-
.../autopsy/modules/filetypeid/FileTypeIdIngestModule.java | 2 ++
6 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
index dde124dde9..6aecbf5546 100755
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java
@@ -73,7 +73,8 @@ public final class OtherOccurrences {
* Determine what attributes can be used for correlation based on the node.
* If EamDB is not enabled, get the default Files correlation.
*
- * @param node The node to correlate
+ * @param node The node to correlate.
+ * @param file The file to correlate.
*
* @return A list of attributes that can be used for correlation
*/
@@ -195,6 +196,9 @@ public final class OtherOccurrences {
* artifact. If the central repo is not enabled, this will only return files
* from the current case with matching MD5 hashes.
*
+ * @param file The current file.
+ * @param deviceId The device ID for the current data source.
+ * @param dataSourceName The name of the current data source.
* @param corAttr CorrelationAttribute to query for
*
* @return A collection of correlated artifact instances
diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java b/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java
index 8321b8816a..d4becd5d63 100644
--- a/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java @@ -106,7 +106,7 @@ public final class AutopsyTreeChildFactory extends ChildFactory.Detachable Date: Tue, 29 Jun 2021 14:29:23 -0400 Subject: [PATCH 13/13] Update suggested hardware section --- docs/doxygen-user/multi-user/installSystems.dox | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/doxygen-user/multi-user/installSystems.dox b/docs/doxygen-user/multi-user/installSystems.dox index a583aeee93..7c46ce926f 100644 --- a/docs/doxygen-user/multi-user/installSystems.dox +++ b/docs/doxygen-user/multi-user/installSystems.dox @@ -26,14 +26,13 @@ We recommend: \subsection multiuser_system_hw Suggested Hardware -TODO +- PostgreSQL/ActiveMQ (Server 1): + - RAM: 16GB or more + - Local Storage: 500GB SSD -- PostgreSQL/ActiveMQ (server 1): - - RAM: - - Local Storage: Enough for databases -- Solr (server 2): - - RAM: - - Local Storage: Minimal +- Solr (Server 2): + - RAM: 32GB or more + - Local Storage: A single index will be roughly the size of the data source being ingested. For example 128GB E01 will usually generate a 128 GB index. \subsection multiuser_system_back Backups