From 2fef207333b50d69a1a337ae13bf6eee8dae67a2 Mon Sep 17 00:00:00 2001 From: "Samuel H. Kenyon" Date: Thu, 12 Dec 2013 18:57:46 -0500 Subject: [PATCH] FileExtMismatchIngestModule now has its own artifact type. Also moved file type id detector up in the pipeline. --- .../sleuthkit/autopsy/ingest/pipeline_config.xml | 10 +++++----- .../FileExtMismatchIngestModule.java | 15 +++++++++------ 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/ingest/pipeline_config.xml b/Core/src/org/sleuthkit/autopsy/ingest/pipeline_config.xml index 1bba161799..9c931c27e3 100644 --- a/Core/src/org/sleuthkit/autopsy/ingest/pipeline_config.xml +++ b/Core/src/org/sleuthkit/autopsy/ingest/pipeline_config.xml @@ -4,11 +4,11 @@ Contains only the core ingest modules that ship with Autopsy --> - - - - - + + + + + diff --git a/FileExtMismatch/src/org/sleuthkit/autopsy/fileextmismatch/FileExtMismatchIngestModule.java b/FileExtMismatch/src/org/sleuthkit/autopsy/fileextmismatch/FileExtMismatchIngestModule.java index 757c7f02fb..771db99e5b 100644 --- a/FileExtMismatch/src/org/sleuthkit/autopsy/fileextmismatch/FileExtMismatchIngestModule.java +++ b/FileExtMismatch/src/org/sleuthkit/autopsy/fileextmismatch/FileExtMismatchIngestModule.java @@ -63,6 +63,7 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In public final static String MODULE_NAME = "File Extension Mismatch Detection"; public final static String MODULE_DESCRIPTION = "Flags mismatched filename extensions based on file signature."; public final static String MODULE_VERSION = Version.getVersion(); + private static final String ART_NAME = "TSK_MISMATCH"; private static final String ATTR_NAME = "TSK_FILE_TYPE_EXT_WRONG"; private static final byte[] ATTR_VALUE_WRONG = {1}; private static final Logger logger = Logger.getLogger(FileExtMismatchIngestModule.class.getName()); 
@@ -72,7 +73,8 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In private static long numFiles = 0; private static boolean skipKnown = false; - private int attrId = -1; + private int artId = -1; + private int attrId = -1; private FileExtMismatchSimpleConfigPanel simpleConfigPanel; private IngestServices services; private HashMap SigTypeToExtMap = new HashMap<>(); @@ -96,7 +98,7 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In public void init(IngestModuleInit initContext) { services = IngestServices.getDefault(); - // Add a new attribute type + // Add a new artifact and attribute type SleuthkitCase sleuthkitCase = Case.getCurrentCase().getSleuthkitCase(); @@ -106,13 +108,14 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In } catch (TskCoreException ex) { // create it if not try { + artId = sleuthkitCase.addArtifactType(ART_NAME, "A filename extension mismatch detection hit."); attrId = sleuthkitCase.addAttrType(ATTR_NAME, "Flag for detected mismatch between filename extension and file signature."); } catch (TskCoreException ex1) { - logger.log(Level.SEVERE, "Error adding attribute type: " + ex1.getLocalizedMessage()); + logger.log(Level.SEVERE, "Error adding artifact and attribute types: " + ex1.getLocalizedMessage()); attrId = -1; } } - + // Set up default mapping (eventually this will be loaded from a config file) // MS Office: For now, since we don't detect specific MS office openxml formats, we just assume that 
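Review bot: In the `init` hunk, `artId` is assigned only inside the `catch (TskCoreException ex)` create path, so on a case where the `TSK_FILE_TYPE_EXT_WRONG` attribute type already exists the lookup succeeds and `artId` stays at -1. The `try` body that does the lookup starts outside this hunk, but `artId` is a new field, so no unchanged line can set it. The artifact type and the attribute type should be resolved independently, each looked up first and added only if its own lookup fails; otherwise an `addArtifactType` failure also skips `addAttrType`. The failure handler should reset both ids, `artId = -1; attrId = -1;`, so a half-initialised state is not mistaken for a usable one.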
@@ -197,11 +200,11 @@ public class FileExtMismatchIngestModule extends org.sleuthkit.autopsy.ingest.In if (flag) { // add artifact - BlackboardArtifact bart = abstractFile.newArtifact(ARTIFACT_TYPE.TSK_GEN_INFO); + BlackboardArtifact bart = abstractFile.newArtifact(artId); BlackboardAttribute batt = new BlackboardAttribute(attrId, MODULE_NAME, "", ATTR_VALUE_WRONG); bart.addAttribute(batt); - services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, ARTIFACT_TYPE.TSK_GEN_INFO, Collections.singletonList(bart))); + services.fireModuleDataEvent(new ModuleDataEvent(MODULE_NAME, ARTIFACT_TYPE.fromID(artId), Collections.singletonList(bart))); } return ProcessResult.OK; } catch (TskException ex) {
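Review bot: `abstractFile.newArtifact(artId)` and `ARTIFACT_TYPE.fromID(artId)` in the `if (flag)` branch run even when `init` left `artId` or `attrId` at -1, so a detected mismatch is either recorded under an invalid type id or lost to an exception. `ARTIFACT_TYPE` is the enum of built-in types, so `fromID` presumably cannot resolve an id returned by `addArtifactType`; if it fails with an unchecked exception, the surrounding `catch (TskException ex)` will not catch it, which is worth confirming against the enum's implementation. I would guard the branch with `if (flag && artId != -1 && attrId != -1)` and log at `Level.SEVERE` when a hit is dropped because the types are unavailable, so the examiner can see that results are missing. The enclosing method starts and ends outside the hunk.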