Merge remote-tracking branch 'upstream/develop' into 7220-Replace-TSK_IP_DHCP-with-a-custom-type

Core/src/org/sleuthkit/autopsy/core/UserPreferences.java

@@ -84,6 +84,7 @@ public final class UserPreferences {
     private static final boolean DISPLAY_TRANSLATED_NAMES_DEFAULT = true;
     public static final String EXTERNAL_HEX_EDITOR_PATH = "ExternalHexEditorPath";
     public static final String SOLR_MAX_JVM_SIZE = "SolrMaxJVMSize";
+    private static final int DEFAULT_SOLR_HEAP_SIZE_MB = 2048;
     public static final String RESULTS_TABLE_PAGE_SIZE = "ResultsTablePageSize";
     private static final String GEO_TILE_OPTION = "GeolocationTileOption";
     private static final String GEO_OSM_TILE_ZIP_PATH = "GeolocationOsmZipPath";
@@ -535,10 +536,10 @@ public final class UserPreferences {
     /**
      * Get the maximum JVM heap size (in MB) for the embedded Solr server.
      *
-     * @return Saved value or default (512)
+     * @return Saved value or default (2 GB)
      */
     public static int getMaxSolrVMSize() {
-        return preferences.getInt(SOLR_MAX_JVM_SIZE, 512);
+        return preferences.getInt(SOLR_MAX_JVM_SIZE, DEFAULT_SOLR_HEAP_SIZE_MB);
     }
 
     /**

Core/src/org/sleuthkit/autopsy/corecomponents/AutopsyOptionsPanel.java

@@ -82,6 +82,7 @@ final class AutopsyOptionsPanel extends javax.swing.JPanel {
     private static final String CONFIG_FILE_EXTENSION = ".conf";
     private static final long ONE_BILLION = 1000000000L;  //used to roughly convert system memory from bytes to gigabytes
     private static final int MEGA_IN_GIGA = 1024; //used to convert memory settings saved as megabytes to gigabytes
+    private static final int DEFAULT_SOLR_HEAP_SIZE_MB = 2048;
     private static final int MIN_MEMORY_IN_GB = 2; //the enforced minimum memory in gigabytes
     private static final Logger logger = Logger.getLogger(AutopsyOptionsPanel.class.getName());
     private String initialMemValue = Long.toString(Runtime.getRuntime().maxMemory() / ONE_BILLION);
@@ -113,7 +114,7 @@ final class AutopsyOptionsPanel extends javax.swing.JPanel {
         // The cast to int in the following is to ensure that the correct SpinnerNumberModel
         // constructor is called.
         solrMaxHeapSpinner.setModel(new javax.swing.SpinnerNumberModel(UserPreferences.getMaxSolrVMSize(),
-                512, ((int) getSystemMemoryInGB()) * MEGA_IN_GIGA, 512));
+                DEFAULT_SOLR_HEAP_SIZE_MB, ((int) getSystemMemoryInGB()) * MEGA_IN_GIGA, DEFAULT_SOLR_HEAP_SIZE_MB));
 
         textFieldListener = new TextFieldListener();
         agencyLogoPathField.getDocument().addDocumentListener(textFieldListener);

Core/src/org/sleuthkit/autopsy/discovery/search/DiscoveryAttributes.java

@@ -142,7 +142,8 @@ public class DiscoveryAttributes {
     }
 
     /**
-     * Attribute for grouping/sorting by domain category (TSK_WEB_CATEGORY artifacts).
+     * Attribute for grouping/sorting by domain category (TSK_WEB_CATEGORY
+     * artifacts).
      */
     static class DomainCategoryAttribute extends AttributeType {
 
@@ -169,8 +170,9 @@ public class DiscoveryAttributes {
         }
 
         /**
-         * Loads all TSK_WEB_CATEGORY artifacts and maps the domain attribute to the category name attribute.
+         * Loads all TSK_WEB_CATEGORY artifacts and maps the domain attribute to
-         * Each ResultDomain is then parsed and matched against this map of values.
+         * the category name attribute. Each ResultDomain is then parsed and
+         * matched against this map of values.
          */
         private Map<String, String> getDomainsWithWebCategories(SleuthkitCase caseDb) throws TskCoreException, InterruptedException {
             Map<String, String> domainToCategory = new HashMap<>();
@@ -190,7 +192,7 @@ public class DiscoveryAttributes {
                 }
             }
 
-           return domainToCategory;
+            return domainToCategory;
         }
     }
 
@@ -271,34 +273,34 @@ public class DiscoveryAttributes {
     }
 
     /**
-     * Organizes the domain instances by normalized domain value.
+     * Organizes the domain instances by normalized domain value. This helps
-     * This helps reduce the complexity of updating ResultDomain instances
+     * reduce the complexity of updating ResultDomain instances after the query
-     * after the query has been executed.
+     * has been executed.
      *
-     * Example: query for notable status of google.com. Result: notable
+     * Example: query for notable status of google.com. Result: notable With
-     * With this map, all domain instances that represent google.com can
+     * this map, all domain instances that represent google.com can be updated
-     * be updated after one simple lookup.
+     * after one simple lookup.
      */
     private static Map<String, List<ResultDomain>> organizeByValue(List<ResultDomain> domainsBatch, CorrelationAttributeInstance.Type attributeType) {
-            final Map<String, List<ResultDomain>> resultDomainTable = new HashMap<>();
+        final Map<String, List<ResultDomain>> resultDomainTable = new HashMap<>();
-            for (ResultDomain domainInstance : domainsBatch) {
+        for (ResultDomain domainInstance : domainsBatch) {
-                try {
+            try {
-                    final String domainValue = domainInstance.getDomain();
+                final String domainValue = domainInstance.getDomain();
-                    final String normalizedDomain = CorrelationAttributeNormalizer.normalize(attributeType, domainValue);
+                final String normalizedDomain = CorrelationAttributeNormalizer.normalize(attributeType, domainValue);
-                    final List<ResultDomain> bucket = resultDomainTable.getOrDefault(normalizedDomain, new ArrayList<>());
+                final List<ResultDomain> bucket = resultDomainTable.getOrDefault(normalizedDomain, new ArrayList<>());
-                    bucket.add(domainInstance);
+                bucket.add(domainInstance);
-                    resultDomainTable.put(normalizedDomain, bucket);
+                resultDomainTable.put(normalizedDomain, bucket);
-                } catch (CorrelationAttributeNormalizationException ex) {
+            } catch (CorrelationAttributeNormalizationException ex) {
-                    logger.log(Level.INFO, String.format("Domain [%s] failed normalization, skipping...", domainInstance.getDomain()));
+                logger.log(Level.INFO, String.format("Domain [%s] failed normalization, skipping...", domainInstance.getDomain()));
-                }
             }
-            return resultDomainTable;
+        }
+        return resultDomainTable;
     }
 
     /**
-     * Helper function to create a string of comma separated values.
+     * Helper function to create a string of comma separated values. Each value
-     * Each value is wrapped in `'`. This method is used to bundle up
+     * is wrapped in `'`. This method is used to bundle up a collection of
-     * a collection of values for use in a SQL WHERE IN (...) clause.
+     * values for use in a SQL WHERE IN (...) clause.
      */
     private static String createCSV(Set<String> values) {
         StringJoiner joiner = new StringJoiner(", ");
@@ -499,12 +501,13 @@ public class DiscoveryAttributes {
             final CorrelationAttributeInstance.Type attributeType = centralRepository.getCorrelationTypeById(CorrelationAttributeInstance.DOMAIN_TYPE_ID);
             final Map<String, List<ResultDomain>> resultDomainTable = organizeByValue(domainsToQuery, attributeType);
             final String values = createCSV(resultDomainTable.keySet());
-
             final String tableName = CentralRepoDbUtil.correlationTypeToInstanceTableName(attributeType);
-            final String domainFrequencyQuery = " value AS domain_name, COUNT(*) AS frequency "
+            final String domainFrequencyQuery = " value AS domain_name, COUNT(value) AS frequency FROM"
-                    + "FROM " + tableName + " "
+                    + "(SELECT DISTINCT case_id, value FROM "
-                    + "WHERE value IN (" + values + ") "
+                    + tableName
-                    + "GROUP BY value";
+                    + " WHERE value IN ("
+                    + values
+                    + ")) AS foo GROUP BY value";
 
             final DomainFrequencyCallback frequencyCallback = new DomainFrequencyCallback(resultDomainTable);
             centralRepository.processSelectClause(domainFrequencyQuery, frequencyCallback);
@@ -784,8 +787,8 @@ public class DiscoveryAttributes {
     }
 
     /**
-     * Attribute for grouping/sorting domains by number of page views.
+     * Attribute for grouping/sorting domains by number of page views. Page
-     * Page views is defined at the number of TSK_WEB_HISTORY artifacts.
+     * views is defined at the number of TSK_WEB_HISTORY artifacts.
      */
     static class PageViewsAttribute extends AttributeType {
 
@@ -1074,4 +1077,4 @@ public class DiscoveryAttributes {
     private DiscoveryAttributes() {
         // Class should not be instantiated
     }
-    }
+}

Core/src/org/sleuthkit/autopsy/geolocation/datamodel/Waypoint.java

@@ -198,8 +198,13 @@ public class Waypoint {
         try {
             List<BlackboardAttribute> attributeList = artifact.getAttributes();
             for (BlackboardAttribute attribute : attributeList) {
-                BlackboardAttribute.ATTRIBUTE_TYPE type = BlackboardAttribute.ATTRIBUTE_TYPE.fromID(attribute.getAttributeType().getTypeID());
+                try{
-                attributeMap.put(type, attribute);
+                    BlackboardAttribute.ATTRIBUTE_TYPE type = BlackboardAttribute.ATTRIBUTE_TYPE.fromID(attribute.getAttributeType().getTypeID());
+                    attributeMap.put(type, attribute);
+                } catch(IllegalArgumentException ex) {
+                    // This was thrown due to a custom attribute that geolocation
+                    // does not currently support.
+                }
             }
         } catch (TskCoreException ex) {
             throw new GeoLocationDataException("Unable to get attributes from artifact", ex);

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ALeappAnalyzerIngestModule.java

@@ -155,7 +155,7 @@ public class ALeappAnalyzerIngestModule implements DataSourceIngestModule {
             statusHelper.switchToDeterminate(aLeappFilesToProcess.size());
             processALeappFs(dataSource, currentCase, statusHelper, tempOutputPath.toString());
         } else {
-            aLeappFilesToProcess = findaLeappFilesToProcess(dataSource);
+            aLeappFilesToProcess = LeappFileProcessor.findLeappFilesToProcess(dataSource);
             statusHelper.switchToDeterminate(aLeappFilesToProcess.size());
 
             Integer filesProcessedCount = 0;
@@ -268,40 +268,7 @@ public class ALeappAnalyzerIngestModule implements DataSourceIngestModule {
 
     }
 
-    /**
-     * Find the files that will be processed by the aLeapp program
-     *
-     * @param dataSource
-     *
-     * @return List of abstract files to process.
-     */
-    private List<AbstractFile> findaLeappFilesToProcess(Content dataSource) {
 
-        List<AbstractFile> aLeappFiles = new ArrayList<>();
-
-        FileManager fileManager = getCurrentCase().getServices().getFileManager();
-
-        // findFiles use the SQL wildcard % in the file name
-        try {
-            aLeappFiles = fileManager.findFiles(dataSource, "%", "/"); //NON-NLS
-        } catch (TskCoreException ex) {
-            logger.log(Level.WARNING, "No files found to process"); //NON-NLS
-            return aLeappFiles;
-        }
-
-        List<AbstractFile> aLeappFilesToProcess = new ArrayList<>();
-        for (AbstractFile aLeappFile : aLeappFiles) {
-            if (((aLeappFile.getLocalAbsPath() != null)
-                    && (!aLeappFile.getNameExtension().isEmpty() && (!aLeappFile.isVirtual())))
-                    && ((aLeappFile.getName().toLowerCase().contains(".zip") || (aLeappFile.getName().toLowerCase().contains(".tar")))
-                    || aLeappFile.getName().toLowerCase().contains(".tgz"))) {
-                aLeappFilesToProcess.add(aLeappFile);
-
-            }
-        }
-
-        return aLeappFilesToProcess;
-    }
 
     /**
      * Build the aLeapp command to run

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ILeappAnalyzerIngestModule.java

@@ -155,7 +155,7 @@ public class ILeappAnalyzerIngestModule implements DataSourceIngestModule {
             statusHelper.switchToDeterminate(iLeappFilesToProcess.size());
             processILeappFs(dataSource, currentCase, statusHelper, tempOutputPath.toString());
         } else {
-            iLeappFilesToProcess = findiLeappFilesToProcess(dataSource);
+            iLeappFilesToProcess = LeappFileProcessor.findLeappFilesToProcess(dataSource);
             statusHelper.switchToDeterminate(iLeappFilesToProcess.size());
 
             Integer filesProcessedCount = 0;
@@ -268,41 +268,6 @@ public class ILeappAnalyzerIngestModule implements DataSourceIngestModule {
 
     }
 
-    /**
-     * Find the files that will be processed by the iLeapp program
-     *
-     * @param dataSource
-     *
-     * @return List of abstract files to process.
-     */
-    private List<AbstractFile> findiLeappFilesToProcess(Content dataSource) {
-
-        List<AbstractFile> iLeappFiles = new ArrayList<>();
-
-        FileManager fileManager = getCurrentCase().getServices().getFileManager();
-
-        // findFiles use the SQL wildcard % in the file name
-        try {
-            iLeappFiles = fileManager.findFiles(dataSource, "%", "/"); //NON-NLS
-        } catch (TskCoreException ex) {
-            logger.log(Level.WARNING, "No files found to process"); //NON-NLS
-            return iLeappFiles;
-        }
-
-        List<AbstractFile> iLeappFilesToProcess = new ArrayList<>();
-        for (AbstractFile iLeappFile : iLeappFiles) {
-            if (((iLeappFile.getLocalAbsPath() != null)
-                    && (!iLeappFile.getNameExtension().isEmpty() && (!iLeappFile.isVirtual())))
-                    && ((iLeappFile.getName().toLowerCase().contains(".zip") || (iLeappFile.getName().toLowerCase().contains(".tar")))
-                    || iLeappFile.getName().toLowerCase().contains(".tgz"))) {
-                iLeappFilesToProcess.add(iLeappFile);
-
-            }
-        }
-
-        return iLeappFilesToProcess;
-    }
-
     /**
      * Build the command to run xLeapp
      * @param moduleOutputPath output path for xLeapp

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/LeappFileProcessor.java

@@ -36,8 +36,10 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
+import java.util.HashSet;
 import static java.util.Locale.US;
 import java.util.Map;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
@@ -49,7 +51,9 @@ import org.apache.commons.collections4.MapUtils;
 import org.apache.commons.io.FilenameUtils;
 import org.openide.util.NbBundle;
 import org.sleuthkit.autopsy.casemodule.Case;
+import static org.sleuthkit.autopsy.casemodule.Case.getCurrentCase;
 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
+import org.sleuthkit.autopsy.casemodule.services.FileManager;
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.autopsy.coreutils.PlatformUtil;
 import org.sleuthkit.autopsy.ingest.IngestModule.IngestModuleException;
@@ -705,23 +709,40 @@ public final class LeappFileProcessor {
                 xmlFile, true);
     }
 
+    
+    private static final Set<String> ALLOWED_EXTENSIONS = new HashSet<>(Arrays.asList("zip", "tar", "tgz")); 
+        
     /**
-     * Create custom artifacts that are defined in the xLeapp xml file(s).
+     * Find the files that will be processed by the iLeapp program
      *
+     * @param dataSource
+     *
+     * @return List of abstract files to process.
      */
-    private void createCustomArtifacts(Blackboard blkBoard) {
+    static List<AbstractFile> findLeappFilesToProcess(Content dataSource) {
 
-        for (Map.Entry<String, String> customArtifact : CUSTOM_ARTIFACT_MAP.entrySet()) {
+        List<AbstractFile> leappFiles = new ArrayList<>();
-            String artifactName = customArtifact.getKey();
-            String artifactDescription = customArtifact.getValue();
 
-            try {
+        FileManager fileManager = getCurrentCase().getServices().getFileManager();
-                BlackboardArtifact.Type customArtifactType = blkBoard.getOrAddArtifactType(artifactName, artifactDescription);
-            } catch (Blackboard.BlackboardException ex) {
-                logger.log(Level.WARNING, String.format("Failed to create custom artifact type %s.", artifactName), ex);
-            }  
 
+        // findFiles use the SQL wildcard % in the file name
+        try {
+            leappFiles = fileManager.findFiles(dataSource, "%", "/"); //NON-NLS
+        } catch (TskCoreException ex) {
+            logger.log(Level.WARNING, "No files found to process"); //NON-NLS
+            return leappFiles;
         }
-    }
 
+        List<AbstractFile> leappFilesToProcess = new ArrayList<>();
+        for (AbstractFile leappFile : leappFiles) {
+            if (((leappFile.getLocalAbsPath() != null)
+                    && !leappFile.isVirtual())
+                    && leappFile.getNameExtension() != null 
+                    && ALLOWED_EXTENSIONS.contains(leappFile.getNameExtension().toLowerCase())) {
+                leappFilesToProcess.add(leappFile);
+            }
+        }
+
+        return leappFilesToProcess;
+    }
 }

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/aleap-artifact-attribute-reference.xml

@@ -39,7 +39,7 @@
         <FileName filename="authtokens 0.tsv" description="Authtokens">
             <ArtifactName artifactname="TSK_SERVICE_ACCOUNT" comment="Authtokens">
                 <AttributeName attributename="null" columnName="ID" required="no" />
-                <AttributeName attributename="TSK_USER_ID" columnName=" Name" required="yes" />
+                <AttributeName attributename="TSK_USER_ID" columnName="Name" required="yes" />
                 <AttributeName attributename="TSK_PROG_NAME" columnName="Account Type" required="yes" />
                 <AttributeName attributename="null" columnName="Authtoken Type" required="no" />
                 <AttributeName attributename="TSK_PASSWORD" columnName="Authtoken" required="yes" />

Core/src/org/sleuthkit/autopsy/modules/leappanalyzers/ileap-artifact-attribute-reference.xml

@@ -42,8 +42,8 @@
         <FileName filename="Application State.tsv" description="Application State">
             <ArtifactName artifactname="TSK_INSTALLED_PROG" comment="Application State">
                 <AttributeName attributename="TSK_PROG_NAME" columnName="Bundle ID" required="no" />
-                <AttributeName attributename="TSK_INSTALLED_PATH" columnName="Bundle Path" required="yes" />
+                <AttributeName attributename="TSK_PATH" columnName="Bundle Path" required="yes" />
-                <AttributeName attributename="TSK_INSTALLED_SOURCE" columnName="Sandbox Path" required="yes" />
+                <AttributeName attributename="TSK_PATH_SOURCE" columnName="Sandbox Path" required="yes" />
             </ArtifactName>
         </FileName>
 
@@ -84,7 +84,7 @@
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End Date" required="yes" />
                 <AttributeName attributename="null" columnName="End Timezone" required="no" />
                 <AttributeName attributename="null" columnName="All Day?" required="no" />
-                <AttributeName attributename="TSK_CALENDAR_ENTRY" columnName="Summary" required="yes" />
+                <AttributeName attributename="TSK_CALENDAR_ENTRY_TYPE" columnName="Summary" required="yes" />
                 <AttributeName attributename="null" columnName="Calendar ID" required="no" />
                 <AttributeName attributename="null" columnName="Last Modified" required="no" />
             </ArtifactName>
@@ -113,7 +113,7 @@
                 <AttributeName attributename="null" columnName="Process Name" required="no" />
                 <AttributeName attributename="null" columnName="WIFI In" required="no" />
                 <AttributeName attributename="null" columnName="WIFI Out" required="no" />
-                <AttributeName attributename="TSK_BYTES_RCVD" columnName="WWAN IN" required="yes" />
+                <AttributeName attributename="TSK_BYTES_RECEIVED" columnName="WWAN IN" required="yes" />
                 <AttributeName attributename="TSK_BYTES_SENT" columnName="WWAN Out" required="yes" />
                 <AttributeName attributename="null" columnName="Table ID" required="no" />
             </ArtifactName>
@@ -143,13 +143,13 @@
                 <AttributeName attributename="null" columnName="Start" required="no" />
                 <AttributeName attributename="null" columnName="End" required="no" />
                 <AttributeName attributename="null" columnName="ZSTREAMNAME" required="no" />
-                <AttributeName attributename="TSK_PROG_NAME" columnName=" ZVALUESTRING" required="no" />
+                <AttributeName attributename="TSK_PROG_NAME" columnName="ZVALUESTRING" required="no" />
-                <AttributeName attributename="null" columnName=" Activity Type" required="no" />
+                <AttributeName attributename="null" columnName="Activity Type" required="no" />
-                <AttributeName attributename="null" columnName=" Title" required="no" />
+                <AttributeName attributename="null" columnName="Title" required="no" />
-                <AttributeName attributename="null" columnName=" Expiration Date" required="no" />
+                <AttributeName attributename="null" columnName="Expiration Date" required="no" />
-                <AttributeName attributename="null" columnName=" Content URL" required="no" />
+                <AttributeName attributename="null" columnName="Content URL" required="no" />
-                <AttributeName attributename="null" columnName=" Calendar Date" required="no" />
+                <AttributeName attributename="null" columnName="Calendar Date" required="no" />
-                <AttributeName attributename="null" columnName=" Calendar End Date" required="no" />
+                <AttributeName attributename="null" columnName="Calendar End Date" required="no" />
             </ArtifactName>
         </FileName>
 
@@ -160,7 +160,7 @@
                 <AttributeName attributename="null" columnName="Bundle ID" required="no" />
                 <AttributeName attributename="TSK_CALENDAR_ENTRY_TYPE" columnName="Activity Type" required="yes" />
                 <AttributeName attributename="TSK_DESCRIPTION" columnName="User Activity Required String" required="yes" />
-                <AttributeName attributename="null" columnName=" Title" required="no" />
+                <AttributeName attributename="null" columnName="Title" required="no" />
                 <AttributeName attributename="null" columnName="Calendar Date" required="no" />
                 <AttributeName attributename="null" columnName="Calendar End Date" required="no" />
                 <AttributeName attributename="TSK_LOCATION" columnName="Source ID" required="yes" />
@@ -209,7 +209,7 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Device Backlit">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Screen is Backlit" required="yes" />
+                <AttributeName attributename="null" columnName="Screen is Backlit" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Minutes" required="no" />
                 <AttributeName attributename="null" columnName="Day of Week" required="no" />
@@ -226,12 +226,12 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Battery Level">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Battery Level" required="yes" />
+                <AttributeName attributename="null" columnName="Battery Level" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Day of the Week" required="no" />
                 <AttributeName attributename="null" columnName="GMT Offset" required="no" />
                 <AttributeName attributename="null" columnName="Entry Creation" required="no" />
-                <AttributeName attributename="null" columnName=" ZOBJECT Table ID" required="no" />
+                <AttributeName attributename="null" columnName="ZOBJECT Table ID" required="no" />
             </ArtifactName>
         </FileName>
 
@@ -255,7 +255,7 @@
             <ArtifactName artifactname="TSK_DEVICE_INFO" comment="KnowledgeC Car Play Connections">
                 <AttributeName attributename="TSK_DATETIME" columnName="Start" required="yes" />
                 <AttributeName attributename="null" columnName="End" required="no" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Car Play Connected" required="yes" />
+                <AttributeName attributename="null" columnName="Car Play Connected" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Minutes" required="no" />
                 <AttributeName attributename="null" columnName="Day of Week" required="no" />
@@ -271,7 +271,7 @@
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
                 <AttributeName attributename="TSK_PROG_NAME" columnName="Bundle ID" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Value String" required="yes" />
+                <AttributeName attributename="null" columnName="Value String" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Minutes" required="no" />
                 <AttributeName attributename="null" columnName="Day of Week" required="no" />
@@ -286,7 +286,7 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Do Not Disturb">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Value" required="yes" />
+                <AttributeName attributename="null" columnName="Value" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Minutes" required="no" />
                 <AttributeName attributename="null" columnName="Day of Week" required="no" />
@@ -301,7 +301,7 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Inferred Motion">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Value" required="yes" />
+                <AttributeName attributename="null" columnName="Value" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Minutes" required="no" />
                 <AttributeName attributename="null" columnName="Day of Week" required="no" />
@@ -344,12 +344,12 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Device Locked">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Is Locked?" required="yes" />
+                <AttributeName attributename="null" columnName="Is Locked?" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Day of the Week" required="no" />
                 <AttributeName attributename="null" columnName="GMT Offset" required="no" />
                 <AttributeName attributename="null" columnName="Entry Creation" required="no" />
-                <AttributeName attributename="null" columnName=" ZOBJECT Table ID" required="no" />
+                <AttributeName attributename="null" columnName="ZOBJECT Table ID" required="no" />
             </ArtifactName>
         </FileName>
 
@@ -362,7 +362,7 @@
                 <AttributeName attributename="null" columnName="Now Playing Artists" required="no" />
                 <AttributeName attributename="null" columnName="Playing Genre" required="no" />
                 <AttributeName attributename="TSK_NAME" columnName="Playing Title" required="yes" />
-                <AttributeName attributename="null" columnName=" Now Playing Duration" required="no" />
+                <AttributeName attributename="null" columnName="Now Playing Duration" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Minutes" required="no" />
                 <AttributeName attributename="null" columnName="Day of Week" required="no" />
@@ -388,7 +388,7 @@
                 <AttributeName attributename="null" columnName="GMT Offset" required="no" />
                 <AttributeName attributename="null" columnName="Entry Creation" required="no" />
                 <AttributeName attributename="null" columnName="Expiration Date" required="no" />
-                <AttributeName attributename="null" columnName=" UUID" required="no" />
+                <AttributeName attributename="null" columnName="UUID" required="no" />
                 <AttributeName attributename="null" columnName="ZOBJECT Table ID" required="no" />
             </ArtifactName>
         </FileName>
@@ -397,7 +397,7 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Screen Orientation">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Orientation" required="yes" />
+                <AttributeName attributename="null" columnName="Orientation" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Usage in Minutes" required="no" />
                 <AttributeName attributename="null" columnName="Day of Week" required="no" />
@@ -412,14 +412,14 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Plugged In">
                 <AttributeName attributename="TSK_DATETIME_START" columnName="Start" required="yes" />
                 <AttributeName attributename="TSK_DATETIME_END" columnName="End" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Is Plugged In?" required="yes" />
+                <AttributeName attributename="null" columnName="Is Plugged In?" required="yes" />
                 <AttributeName attributename="null" columnName="Usage in Seconds" required="no" />
                 <AttributeName attributename="null" columnName="Day of the Week" required="no" />
                 <AttributeName attributename="null" columnName="GMT Offset" required="no" />
                 <AttributeName attributename="null" columnName="Start" required="no" />
                 <AttributeName attributename="null" columnName="End" required="no" />
                 <AttributeName attributename="null" columnName="Entry Creation" required="no" />
-                <AttributeName attributename="null" columnName=" ZOBJECT Table ID" required="no" />
+                <AttributeName attributename="null" columnName="ZOBJECT Table ID" required="no" />
             </ArtifactName>
         </FileName>
 
@@ -528,8 +528,8 @@
                 <AttributeName attributename="null" columnName="Location Date" required="no" />
                 <AttributeName attributename="null" columnName="Coordinates" required="no" />
                 <AttributeName attributename="null" columnName="Vehicle Identifier" required="no" />
-                <AttributeName attributename="null" columnName=" Location Identifier" required="no" />
+                <AttributeName attributename="null" columnName="Location Identifier" required="no" />
-                <AttributeName attributename="null" columnName=" Identifier" required="no" />
+                <AttributeName attributename="null" columnName="Identifier" required="no" />
                 <AttributeName attributename="null" columnName="Location Quality" required="no" />
                 <AttributeName attributename="null" columnName="User Set Location" required="no" />
                 <AttributeName attributename="null" columnName="Usual Location" required="no" />
@@ -584,11 +584,11 @@
                 <AttributeName attributename="TSK_EMAIL_FROM" columnName="Address" required="yes" />
                 <AttributeName attributename="null" columnName="Comment" required="no" />
                 <AttributeName attributename="TSK_SUBJECT" columnName="Subject" required="yes" />
-                <AttributeName attributename="TSK_EMAIL_CONTENT_PLAIN" columnName=" Summary" required="yes" />
+                <AttributeName attributename="TSK_EMAIL_CONTENT_PLAIN" columnName="Summary" required="yes" />
-                <AttributeName attributename="TSK_READ_STATUS" columnName=" Read?" required="yes" />
+                <AttributeName attributename="TSK_READ_STATUS" columnName="Read?" required="yes" />
-                <AttributeName attributename="TSK_FLAG" columnName=" Flagged?" required="yes" />
+                <AttributeName attributename="TSK_FLAG" columnName="Flagged?" required="yes" />
-                <AttributeName attributename="TSK_ISDELETED" columnName=" Deleted" required="yes" />
+                <AttributeName attributename="TSK_ISDELETED" columnName="Deleted" required="yes" />
-                <AttributeName attributename="null" columnName=" Mailbox" required="no" />
+                <AttributeName attributename="null" columnName="Mailbox" required="no" />
             </ArtifactName>
         </FileName>
 -->
@@ -596,10 +596,10 @@
         <FileName filename="Notifications.tsv" description="iOS Notificatons">
             <ArtifactName artifactname="TSK_PROG_NOTIFICATIONS" comment="iOS Notificatons">
                 <AttributeName attributename="TSK_DATETIME" columnName="Creation Time" required="yes" />
-                <AttributeName attributename="TSK_PROG_NAME" columnName=" Bundle" required="yes" />
+                <AttributeName attributename="TSK_PROG_NAME" columnName="Bundle" required="yes" />
-                <AttributeName attributename="TSK_TITLE" columnName=" Title[Subtitle]" required="yes" />
+                <AttributeName attributename="TSK_TITLE" columnName="Title[Subtitle]" required="yes" />
-                <AttributeName attributename="TSK_VALUE" columnName=" Message" required="yes" />
+                <AttributeName attributename="TSK_VALUE" columnName="Message" required="yes" />
-                <AttributeName attributename="null" columnName=" Other Details" required="no" />
+                <AttributeName attributename="null" columnName="Other Details" required="no" />
             </ArtifactName>
         </FileName>
 
@@ -651,7 +651,7 @@
         <FileName filename="Powerlog Lightning Connector.tsv" description="Powerlog Lightning Connector Status">
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Powerlog Lightning Connector Status">
                 <AttributeName attributename="TSK_DATETIME" columnName="Adjusted Timestamp" required="yes" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Accesory Power Mode" required="yes" />
+                <AttributeName attributename="null" columnName="Accesory Power Mode" required="yes" />
                 <AttributeName attributename="null" columnName="Original Lightnint Connector Timestamp" required="no" />
                 <AttributeName attributename="null" columnName="Offset Timestamp" required="no" />
                 <AttributeName attributename="null" columnName="Table ID" required="no" />
@@ -680,7 +680,7 @@
             <ArtifactName artifactname="TSK_USER_DEVICE_EVENT" comment="Powerlog Torch">
                 <AttributeName attributename="TSK_DATETIME" columnName="Adjusted Timestamp" required="yes" />
                 <AttributeName attributename="null" columnName="Bundle ID" required="no" />
-                <AttributeName attributename="TSK_USER_DEVICE_EVENT_TYPE" columnName="Status" required="yes" />
+                <AttributeName attributename="null" columnName="Status" required="yes" />
                 <AttributeName attributename="null" columnName="Original Torch Timestamp" required="no" />
                 <AttributeName attributename="null" columnName="Offset Timestamp" required="no" />
                 <AttributeName attributename="null" columnName="Time Offset" required="no" />
@@ -705,7 +705,7 @@
                 <AttributeName attributename="TSK_PROG_NAME" columnName="App Name" required="yes" />
                 <AttributeName attributename="null" columnName="App Executable Name" required="no" />
                 <AttributeName attributename="TSK_PATH" columnName="Bundle ID" required="yes" />
-                <AttributeName attributename="TSK_BUILD_VERSION" columnName="App Build Version" required="yes" />
+                <AttributeName attributename="null" columnName="App Build Version" required="yes" />
                 <AttributeName attributename="TSK_VERSION" columnName="App Bundle Version" required="yes" />
                 <AttributeName attributename="null" columnName="App TYpe" required="no" />
                 <AttributeName attributename="null" columnName="App Deleted Date" required="no" />