mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-14 17:06:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Saving data soirce imfo in CASE/UCO format

Browse Source
This commit is contained in:
Eugene Livis 2018-11-07 15:13:00 -05:00
parent dae83c62ac
commit 46f51c2c18
1 changed files with 76 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
Core/src/org/sleuthkit/autopsy/modules/case_uco/ReportCaseUco.java
View File

@ -133,10 +133,13 @@ class ReportCaseUco implements GeneralReportModule {
// instert \n after each field for more readable formatting
jsonGenerator.setPrettyPrinter(new DefaultPrettyPrinter().withObjectIndenter(new DefaultIndenter(" ", "\n")));
// create CASE/UCO data source entry
String dataSourceRelationshipName = getDataSourceInfo(selectedDataSourceId, skCase, jsonGenerator);
progressPanel.updateStatusLabel(NbBundle.getMessage(this.getClass(), "ReportCaseUco.progress.querying"));
// Run query to get all files, exclude directories
final String query = "select obj_id, name, size, crtime, atime, mtime, md5, parent_path, mime_type, extension from tsk_files where "
// Run getAllFilesQuery to get all files, exclude directories
final String getAllFilesQuery = "select obj_id, name, size, crtime, atime, mtime, md5, parent_path, mime_type, extension from tsk_files where "
+ "data_source_obj_id = " + Long.toString(selectedDataSourceId)
+ " AND ((meta_type = " + TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_UNDEF.getValue()
+ ") OR (meta_type = " + TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG.getValue()
@ -144,7 +147,7 @@ class ReportCaseUco implements GeneralReportModule {
progressPanel.updateStatusLabel(NbBundle.getMessage(this.getClass(), "ReportCaseUco.progress.loading"));
SleuthkitCase.CaseDbQuery queryResult = skCase.executeQuery(query);
SleuthkitCase.CaseDbQuery queryResult = skCase.executeQuery(getAllFilesQuery);
ResultSet resultSet = queryResult.getResultSet();
progressPanel.updateStatusLabel(NbBundle.getMessage(this.getClass(), "ReportCaseUco.progress.processing"));
@ -167,7 +170,7 @@ class ReportCaseUco implements GeneralReportModule {
String mime_type = resultSet.getString("mime_type");
String extension = resultSet.getString("extension");
addFile(objectId, fileName, parent_path, md5Hash, mime_type, size, crtime, atime, mtime, extension, jsonGenerator);
saveFileInCaseUcoFormat(objectId, fileName, parent_path, md5Hash, mime_type, size, crtime, atime, mtime, extension, jsonGenerator);
}
progressPanel.complete(ReportStatus.COMPLETE);
} catch (TskCoreException ex) {
@ -188,7 +191,74 @@ class ReportCaseUco implements GeneralReportModule {
}
}
private void addFile(Long objectId, String fileName, String parent_path, String md5Hash, String mime_type, long size, String ctime,
private String getDataSourceInfo(Long selectedDataSourceId, SleuthkitCase skCase, JsonGenerator jsonGenerator) throws TskCoreException, SQLException, IOException {
String getImageDataSourceQuery = "select size from tsk_image_info where obj_id = " + selectedDataSourceId;
SleuthkitCase.CaseDbQuery queryResult = skCase.executeQuery(getImageDataSourceQuery);
ResultSet resultSet = queryResult.getResultSet();
Long imageSize = (long) 0;
String imageName = "";
boolean isImageDataSource = false;
// check if we got a result
while (resultSet.next()) {
// we got a result so the data source was an image data source
imageSize = resultSet.getLong(1);
isImageDataSource = true;
break;
}
if (isImageDataSource) {
// get path to image file
String getPathToDataSourceQuery = "select name from tsk_image_names where obj_id = " + selectedDataSourceId;
queryResult = skCase.executeQuery(getPathToDataSourceQuery);
resultSet = queryResult.getResultSet();
while (resultSet.next()) {
imageName = resultSet.getString(1);
break;
}
} else {
// logical file data source
String getLogicalDataSourceQuery = "select name from tsk_files where obj_id = " + selectedDataSourceId;
queryResult = skCase.executeQuery(getLogicalDataSourceQuery);
resultSet = queryResult.getResultSet();
while (resultSet.next()) {
imageName = resultSet.getString(1);
break;
}
}
return saveDataSourceInCaseUcoFormat(jsonGenerator, imageName, imageSize, selectedDataSourceId);
}
private String saveDataSourceInCaseUcoFormat(JsonGenerator catalog, String imageName, Long imageSize, Long selectedDataSourceId) throws IOException {
String dataSourceTraceId = "data-source-"+selectedDataSourceId;
catalog.writeStartObject();
catalog.writeStringField("@id", dataSourceTraceId);
catalog.writeStringField("@type", "Trace");
catalog.writeFieldName("propertyBundle");
catalog.writeStartArray();
catalog.writeStartObject();
catalog.writeStringField("@type", "File");
catalog.writeStringField("filePath", imageName);
catalog.writeEndObject();
if (imageSize > 0) {
catalog.writeStartObject();
catalog.writeStringField("@type", "ContentData");
catalog.writeStringField("sizeInBytes", Long.toString(imageSize));
catalog.writeEndObject();
}
catalog.writeEndArray();
catalog.writeEndObject();
return dataSourceTraceId;
}
private void saveFileInCaseUcoFormat(Long objectId, String fileName, String parent_path, String md5Hash, String mime_type, long size, String ctime,
String atime, String mtime, String extension, JsonGenerator catalog) throws IOException {
catalog.writeStartObject();
@ -251,6 +321,7 @@ class ReportCaseUco implements GeneralReportModule {
configPanel = new ReportCaseUcoConfigPanel();
} catch (NoCurrentCaseException | TskCoreException | SQLException ex) {
logger.log(Level.SEVERE, "Failed to initialize CASE/UCO settings panel", ex); //NON-NLS
// ELTODO display error
configPanel = null;
}
return configPanel;