Merge branch 'sleuthkit:develop' into develop

Seb2lyon 2021-06-30 07:35:44 +02:00 committed by GitHub
commit 5367b90d96
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 464 additions and 148 deletions


@ -31,6 +31,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTimeZone;
@ -52,6 +53,9 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifactTag;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentTag;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.OsAccountInstance;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData;
@ -71,9 +75,55 @@ public final class OtherOccurrences {
/**
* Determine what attributes can be used for correlation based on the node.
* If EamDB is not enabled, get the default Files correlation.
*
* @param node The node to correlate
* @param osAccount the osAccount to correlate
*
* @return A list of attributes that can be used for correlation
*/
public static Collection<CorrelationAttributeInstance> getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount) {
Collection<CorrelationAttributeInstance> ret = new ArrayList<>();
Optional<String> osAccountAddr = osAccount.getAddr();
if (osAccountAddr.isPresent()) {
try {
for (OsAccountInstance instance : osAccount.getOsAccountInstances()) {
DataSource osAccountDataSource = instance.getDataSource();
try {
CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID),
osAccountAddr.get(),
correlationCase,
CorrelationDataSource.fromTSKDataSource(correlationCase, instance.getDataSource()),
"",
"",
TskData.FileKnown.KNOWN,
osAccount.getId());
ret.add(correlationAttributeInstance);
} catch (CentralRepoException ex) {
logger.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", osAccountAddr.get()), ex); //NON-NLS
} catch (NoCurrentCaseException ex) {
logger.log(Level.WARNING, String.format("Exception while getting open case looking up osAccount %s.", osAccountAddr.get()), ex); //NON-NLS
} catch (CorrelationAttributeNormalizationException ex) {
logger.log(Level.SEVERE, String.format("Exception with Correlation Attribute Normalization for osAccount %s.", osAccountAddr.get()), ex); //NON-NLS
}
}
} catch (TskCoreException ex) {
logger.log(Level.INFO, String.format("Unable to check create CorrelationAttribtueInstance for osAccount %s.", osAccountAddr.get()), ex);
}
}
return ret;
}
/**
* Determine what attributes can be used for correlation based on the node.
* If EamDB is not enabled, get the default Files correlation.
*
* @param node The node to correlate.
* @param file The file to correlate.
*
* @return A list of attributes that can be used for correlation
*/
@ -195,6 +245,9 @@ public final class OtherOccurrences {
* artifact. If the central repo is not enabled, this will only return files
* from the current case with matching MD5 hashes.
*
* @param file The current file.
* @param deviceId The device ID for the current data source.
* @param dataSourceName The name of the current data source.
* @param corAttr CorrelationAttribute to query for
*
* @return A collection of correlated artifact instances
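Review bot: In the new `getCorrelationAttributeFromOsAccount`, the local `osAccountDataSource` is assigned but never read (the constructor call uses `instance.getDataSource()` again), and the `node` parameter is not used anywhere in the visible body. `CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows())` does not depend on the loop variable and could be hoisted above the `for`, which would also stop one repository failure from being logged at SEVERE once per account instance. The Javadoc is copied from the file-based overload and still describes the node and the default Files correlation; a summary such as `Builds one OS-account correlation attribute per instance of the account, keyed by the account address` would match the code. The method calls `CentralRepository.getInstance()` with no visible `CentralRepository.isEnabled()` check, so confirm callers only reach it when the repository is enabled.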


@ -18,6 +18,7 @@
*/
package org.sleuthkit.autopsy.centralrepository.contentviewer;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
@ -37,6 +38,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.TskException;
/**
@ -60,7 +62,11 @@ class OtherOccurrencesNodeWorker extends SwingWorker<OtherOccurrencesData, Void>
@Override
protected OtherOccurrencesData doInBackground() throws Exception {
OsAccount osAccount = node.getLookup().lookup(OsAccount.class);
AbstractFile file = OtherOccurrences.getAbstractFileFromNode(node);
if (osAccount != null) {
file = node.getLookup().lookup(AbstractFile.class);
}
String deviceId = "";
String dataSourceName = "";
Map<String, CorrelationCase> caseNames = new HashMap<>();
@ -77,8 +83,12 @@ class OtherOccurrencesNodeWorker extends SwingWorker<OtherOccurrencesData, Void>
// @@@ Review this behavior
return null;
}
Collection<CorrelationAttributeInstance> correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file);
Collection<CorrelationAttributeInstance> correlationAttributes = new ArrayList<>();
if (osAccount != null) {
correlationAttributes = OtherOccurrences.getCorrelationAttributeFromOsAccount(node, osAccount);
} else {
correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file);
}
int totalCount = 0;
Set<String> dataSources = new HashSet<>();
for (CorrelationAttributeInstance corAttr : correlationAttributes) {
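Review bot: `correlationAttributes` is initialised with `new ArrayList<>()` and then overwritten in both branches, so the allocation is dead; `final Collection<CorrelationAttributeInstance> correlationAttributes = (osAccount != null) ? OtherOccurrences.getCorrelationAttributeFromOsAccount(node, osAccount) : OtherOccurrences.getCorrelationAttributesFromNode(node, file);` expresses the same choice. At the top of `doInBackground`, `getAbstractFileFromNode(node)` is still called and its result discarded when an OsAccount is present; an if/else would avoid the wasted lookup. For an OS account node `file` may well be null, in which case `deviceId` and `dataSourceName` presumably stay empty — the code between the two hunks is not visible here, so it is worth confirming the later use of those values tolerates that. `doInBackground` starts and ends outside the hunks.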


@ -25,7 +25,9 @@ CorrelationType.ICCID.displayName=ICCID Number
CorrelationType.IMEI.displayName=IMEI Number
CorrelationType.IMSI.displayName=IMSI Number
CorrelationType.MAC.displayName=MAC Addresses
CorrelationType.OS_ACCOUNT.displayName=Os Account
CorrelationType.PHONE.displayName=Phone Numbers
CorrelationType.PROG_NAME.displayName=Installed Programs
CorrelationType.SSID.displayName=Wireless Networks
CorrelationType.USBID.displayName=USB Devices
EamArtifactInstances.knownStatus.bad=Bad


@ -0,0 +1,63 @@
/*
* Central Repository
*
* Copyright 2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.centralrepository.datamodel;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import org.sleuthkit.datamodel.CaseDbSchemaVersionNumber;
/**
* This class updates CR schema to 1.6
*
*/
public class CentralRepoDbUpgrader15To16 implements CentralRepoDbUpgrader {
@Override
public void upgradeSchema(CaseDbSchemaVersionNumber dbSchemaVersion, Connection connection) throws CentralRepoException, SQLException {
if (dbSchemaVersion.compareTo(new CaseDbSchemaVersionNumber(1, 6)) < 0) {
try (Statement statement = connection.createStatement();) {
CentralRepoPlatforms selectedPlatform = CentralRepoDbManager.getSavedDbChoice().getDbPlatform();
for (CorrelationAttributeInstance.Type type : CorrelationAttributeInstance.getDefaultCorrelationTypes()) {
String instance_type_dbname = CentralRepoDbUtil.correlationTypeToInstanceTableName(type);
if ((type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) ||
(type.getId() == CorrelationAttributeInstance.OSACCOUNT_TYPE_ID)){
// these are new Correlation types - new tables need to be created
statement.execute(String.format(RdbmsCentralRepoFactory.getCreateAccountInstancesTableTemplate(selectedPlatform), instance_type_dbname, instance_type_dbname));
statement.execute(String.format(RdbmsCentralRepoFactory.getAddCaseIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
statement.execute(String.format(RdbmsCentralRepoFactory.getAddDataSourceIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
statement.execute(String.format(RdbmsCentralRepoFactory.getAddValueIndexTemplate(), instance_type_dbname, instance_type_dbname));
statement.execute(String.format(RdbmsCentralRepoFactory.getAddKnownStatusIndexTemplate(), instance_type_dbname, instance_type_dbname));
statement.execute(String.format(RdbmsCentralRepoFactory.getAddObjectIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
// add new correlation type
CentralRepoDbUtil.insertCorrelationType(connection, type);
}
}
}
}
}
}
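Review bot: Every DDL statement in `upgradeSchema` is assembled with `String.format` and a table name spliced into a template, which is only safe because `instance_type_dbname` is derived from `getDefaultCorrelationTypes()` and filtered to two built-in type ids. A comment above the loop such as `// Table names come from built-in correlation types only; never pass user-defined type names into these templates.` would keep that invariant visible to the next person who copies this upgrader. The loop walks every default type just to act on two of them; looking those two up directly would make the intent clearer. `instance_type_dbname` should be `instanceTypeDbName` per Java naming, the stray `;` inside the try-with-resources header can go, and the class Javadoc could state which tables and correlation types the 1.5 to 1.6 step adds.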


@ -257,6 +257,8 @@ public class CorrelationAttributeInstance implements Serializable {
public static final int IMEI_TYPE_ID = 7;
public static final int IMSI_TYPE_ID = 8;
public static final int ICCID_TYPE_ID = 9;
public static final int INSTALLED_PROGS_TYPE_ID = 10;
public static final int OSACCOUNT_TYPE_ID = 11;
// An offset to assign Ids for additional correlation types.
public static final int ADDITIONAL_TYPES_BASE_ID = 1000;
@ -276,7 +278,9 @@ public class CorrelationAttributeInstance implements Serializable {
"CorrelationType.MAC.displayName=MAC Addresses",
"CorrelationType.IMEI.displayName=IMEI Number",
"CorrelationType.IMSI.displayName=IMSI Number",
"CorrelationType.ICCID.displayName=ICCID Number"})
"CorrelationType.PROG_NAME.displayName=Installed Programs",
"CorrelationType.ICCID.displayName=ICCID Number",
"CorrelationType.OS_ACCOUNT.displayName=Os Account"})
public static List<CorrelationAttributeInstance.Type> getDefaultCorrelationTypes() throws CentralRepoException {
List<CorrelationAttributeInstance.Type> defaultCorrelationTypes = new ArrayList<>();
@ -290,6 +294,8 @@ public class CorrelationAttributeInstance implements Serializable {
defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMEI_TYPE_ID, Bundle.CorrelationType_IMEI_displayName(), "imei_number", true, true)); //NON-NLS
defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMSI_TYPE_ID, Bundle.CorrelationType_IMSI_displayName(), "imsi_number", true, true)); //NON-NLS
defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(ICCID_TYPE_ID, Bundle.CorrelationType_ICCID_displayName(), "iccid_number", true, true)); //NON-NLS
defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(INSTALLED_PROGS_TYPE_ID, Bundle.CorrelationType_PROG_NAME_displayName(), "installed_programs", true, true)); //NON-NLS
defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(OSACCOUNT_TYPE_ID, Bundle.CorrelationType_OS_ACCOUNT_displayName(), "os_accounts", true, true)); //NON-NLS
// Create Correlation Types for Accounts.
int correlationTypeId = ADDITIONAL_TYPES_BASE_ID;
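Review bot: `INSTALLED_PROGS_TYPE_ID = 10` and `OSACCOUNT_TYPE_ID = 11` are added without comment, yet these ids appear to be persisted in the central repository (the 1.6 upgrader inserts the types by id), so a comment like `// Persisted in the central repository; never renumber or reuse.` would be useful. Both new types are constructed with `true, true` as the last two arguments, like their neighbours. If those flags mean supported and enabled by default, OS account addresses (SIDs) start flowing into a repository that may be shared across cases and examiners as soon as users upgrade; confirm that is intended and call it out in the release notes. `getDefaultCorrelationTypes` continues outside the hunk.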


@ -93,6 +93,7 @@ public class CorrelationAttributeUtil {
add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID());
add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID());
add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID());
add(ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID());
}
};
@ -189,6 +190,13 @@ public class CorrelationAttributeUtil {
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact);
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
if (setNameAttr != null) {
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
} else {
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
}
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
|| artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
|| artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
@ -388,7 +396,18 @@ public class CorrelationAttributeUtil {
}
CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
return new CorrelationAttributeInstance(
if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
return new CorrelationAttributeInstance(
correlationType,
value,
correlationCase,
CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()),
"",
"",
TskData.FileKnown.UNKNOWN,
bbSourceFile.getId());
} else {
return new CorrelationAttributeInstance(
correlationType,
value,
correlationCase,
@ -397,7 +416,7 @@ public class CorrelationAttributeUtil {
"",
TskData.FileKnown.UNKNOWN,
bbSourceFile.getId());
}
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
return null;
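Review bot: For `TSK_INSTALLED_PROG` the correlation value is taken from `TSK_PATH` when that attribute exists and from `TSK_PROG_NAME` otherwise, both stored under `INSTALLED_PROGS_TYPE_ID`, so a path recorded for a program in one case will never match a bare program name recorded for it in another. If the fallback is deliberate it deserves a comment; the local `setNameAttr` actually holds the `TSK_PATH` attribute and would read better as `pathAttr`. In the later hunk the new `if (artifact.getArtifactTypeID() == ...)` / `else` pair builds two `CorrelationAttributeInstance` objects that look identical in the visible lines; the differing argument seems to fall between the hunks, so a one-line comment stating what differs for installed programs would help. Both enclosing methods extend outside the hunks.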


@ -69,7 +69,7 @@ abstract class RdbmsCentralRepo implements CentralRepository {
static final String SCHEMA_MINOR_VERSION_KEY = "SCHEMA_MINOR_VERSION";
static final String CREATION_SCHEMA_MAJOR_VERSION_KEY = "CREATION_SCHEMA_MAJOR_VERSION";
static final String CREATION_SCHEMA_MINOR_VERSION_KEY = "CREATION_SCHEMA_MINOR_VERSION";
static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 5);
static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 6);
protected final List<CorrelationAttributeInstance.Type> defaultCorrelationTypes;
@ -3976,6 +3976,9 @@ abstract class RdbmsCentralRepo implements CentralRepository {
// Upgrade to 1.5
(new CentralRepoDbUpgrader14To15()).upgradeSchema(dbSchemaVersion, conn);
// Upgrade to 1.6
(new CentralRepoDbUpgrader15To16()).upgradeSchema(dbSchemaVersion, conn);
updateSchemaVersion(conn);
conn.commit();
logger.log(Level.INFO, String.format("Central Repository schema updated to version %s", SOFTWARE_CR_DB_SCHEMA_VERSION));


@ -1,4 +1,7 @@
caseeventlistener.evidencetag=Evidence
CaseEventsListener.module.name=Central Repository
CaseEventsListener.prevCaseComment.text=Users seen in previous cases
CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)
CentralRepositoryNotificationDialog.bulletHeader=This data is used to:
CentralRepositoryNotificationDialog.bulletOne=Ignore common items (files, domains, and accounts)
CentralRepositoryNotificationDialog.bulletThree=Create personas that group accounts


@ -21,13 +21,19 @@ package org.sleuthkit.autopsy.centralrepository.eventlisteners;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.logging.Level;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.openide.util.Exceptions;
import org.openide.util.NbBundle;
import org.openide.util.NbBundle.Messages;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
@ -55,9 +61,18 @@ import org.sleuthkit.datamodel.TagName;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
import org.sleuthkit.datamodel.Tag;
import org.sleuthkit.autopsy.events.AutopsyEvent;
import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardAttribute;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.OsAccountInstance;
import org.sleuthkit.datamodel.Score;
import org.sleuthkit.datamodel.SleuthkitCase;
/**
* Listen for case events and update entries in the Central Repository database
@ -134,10 +149,8 @@ public final class CaseEventListener implements PropertyChangeListener {
}
break;
case OS_ACCT_INSTANCES_ADDED: {
// STUB, TO BE REPLACED
List<OsAccountInstance> osAcctInstances = ((OsAcctInstancesAddedEvent) evt).getOsAccountInstances();
for (OsAccountInstance instance : osAcctInstances) {
LOGGER.log(Level.INFO, String.format("Received OS account instance added message (instance ID = %d)", instance.getInstanceId()));
if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) {
jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt));
}
}
break;
@ -300,10 +313,10 @@ public final class CaseEventListener implements PropertyChangeListener {
* Sets the known status for the correlation attribute instance for the
* given abstract file.
*
* @param af The abstract file for which to set the correlation
* attribute instance.
* @param af The abstract file for which to set the correlation
* attribute instance.
* @param knownStatus The new known status for the correlation attribute
* instance.
* instance.
*/
private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) {
final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af);
@ -396,7 +409,7 @@ public final class CaseEventListener implements PropertyChangeListener {
* for the item. If there are, set known status as notable. If not set
* status as unknown.
*
* @param content The content for the tag that was added or deleted.
* @param content The content for the tag that was added or deleted.
* @param bbArtifact The artifact for the tag that was added or deleted.
*/
private void handleTagChange(Content content, BlackboardArtifact bbArtifact) {
@ -441,7 +454,7 @@ public final class CaseEventListener implements PropertyChangeListener {
* Sets the known status of a blackboard artifact in the central
* repository.
*
* @param bbArtifact The blackboard artifact to set known status.
* @param bbArtifact The blackboard artifact to set known status.
* @param knownStatus The new known status.
*/
private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) {
@ -646,6 +659,97 @@ public final class CaseEventListener implements PropertyChangeListener {
} // CURRENT_CASE
}
@NbBundle.Messages({"CaseEventsListener.module.name=Central Repository",
"CaseEventsListener.prevCaseComment.text=Users seen in previous cases",
"CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"})
/**
* Add OsAccount Instance to CR and find interesting items based on the OsAccount
*/
private final class OsAccountInstancesAddedTask implements Runnable {
private final CentralRepository dbManager;
private final PropertyChangeEvent event;
private final String MODULE_NAME = Bundle.CaseEventsListener_module_name();
private OsAccountInstancesAddedTask(CentralRepository db, PropertyChangeEvent evt) {
dbManager = db;
event = evt;
}
@Override
public void run() {
if (!CentralRepository.isEnabled()) {
return;
}
final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event;
List<OsAccountInstance> addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances();
for (OsAccountInstance osAccountInstance : addedOsAccountNew) {
try {
OsAccount osAccount = osAccountInstance.getOsAccount();
Optional<String> accountAddr = osAccount.getAddr();
// Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system
// and they are not unique
if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) {
return;
}
try {
CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID),
accountAddr.get(),
correlationCase,
CorrelationDataSource.fromTSKDataSource(correlationCase, osAccountInstance.getDataSource()),
"",
"",
TskData.FileKnown.KNOWN,
osAccount.getId());
dbManager.addArtifactInstance(correlationAttributeInstance);
List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue());
List<String> caseDisplayNames;
for (CorrelationAttributeInstance instance : previousOccurences) {
if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) {
caseDisplayNames = dbManager.getListCasesHavingArtifactInstances(correlationAttributeInstance.getCorrelationType(), correlationAttributeInstance.getCorrelationValue());
SleuthkitCase tskCase = osAccount.getSleuthkitCase();
Blackboard blackboard = tskCase.getBlackboard();
Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(
new BlackboardAttribute(
TSK_SET_NAME, MODULE_NAME,
Bundle.CaseEventsListener_prevExists_text()),
new BlackboardAttribute(
TSK_COMMENT, MODULE_NAME,
Bundle.CaseEventsListener_prevCaseComment_text()));
BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult(
BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE,
null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult();
try {
// index the artifact for keyword search
blackboard.postArtifact(newAnalysisResult, MODULE_NAME);
} catch (Blackboard.BlackboardException ex) {
LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS
}
}
}
} catch (CentralRepoException ex) {
LOGGER.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", accountAddr.get()), ex); //NON-NLS
} catch (NoCurrentCaseException ex) {
LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS
} catch (CorrelationAttributeNormalizationException ex) {
LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS
}
} catch (TskCoreException ex) {
LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex);
}
}
}
}
private final class DataSourceNameChangedTask implements Runnable {
private final CentralRepository dbManager;
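Review bot: In `OsAccountInstancesAddedTask.run()` the filter for a missing address or the well-known SIDs S-1-5-18/19/20 uses `return`, which abandons every remaining instance in the event's list instead of skipping just this one; it should be `continue;`. The inner loop over `previousOccurences` creates and posts a new `TSK_INTERESTING_ARTIFACT_HIT` for every prior instance from another case, so an account seen in several earlier data sources yields that many identical results on each add; a `break;` after the `postArtifact` try/catch, or a check for an existing result, would keep the examiner's results tree free of duplicates. `caseDisplayNames` is fetched from the repository on each iteration and never used — either drop the query or put the case names into the `TSK_COMMENT` attribute so the result says where the account was seen. The outer `catch (TskCoreException ex)` logs `"Cannot get central repository for OsAccount: " + "OsAccount"`, which neither describes the failure nor identifies the account. The `@NbBundle.Messages` annotation also sits above the Javadoc comment; the Javadoc should come first so it attaches to the class.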


@ -1,7 +1,7 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2017-2018 Basis Technology Corp.
* Copyright 2017-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -70,7 +70,6 @@ import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.function.BiConsumer;
import java.util.logging.Level;
@ -583,30 +582,14 @@ final public class VisualizationPanel extends JPanel {
ModalDialogProgressIndicator progressIndicator = new ModalDialogProgressIndicator(windowAncestor, Bundle.VisualizationPanel_computingLayout());
progressIndicator.start(Bundle.VisualizationPanel_computingLayout());
new SwingWorker<Void, Void>() {
@Override
protected Void doInBackground() {
graph.getModel().beginUpdate();
try {
layout.execute(graph.getDefaultParent());
fitGraph();
} finally {
graph.getModel().endUpdate();
progressIndicator.finish();
}
return null;
}
@Override
protected void done() {
try {
get();
} catch (InterruptedException | ExecutionException ex) {
logger.log(Level.WARNING, "CVT graph layout failed.", ex);
}
}
}.execute();
graph.getModel().beginUpdate();
try {
layout.execute(graph.getDefaultParent());
fitGraph();
} finally {
graph.getModel().endUpdate();
progressIndicator.finish();
}
}
private void clearVizButtonActionPerformed(ActionEvent evt) {//GEN-FIRST:event_clearVizButtonActionPerformed
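Review bot: With the `SwingWorker` removed, `layout.execute(graph.getDefaultParent())` and `fitGraph()` now run synchronously on whatever thread calls this method. If that is the Swing event dispatch thread (likely for a `JPanel` handler, though the method signature is outside the hunk), a large graph will block the UI while the modal progress indicator is up and unable to repaint. If the move was made because the graph model must be mutated on the EDT, a comment would stop someone re-introducing the worker: `// Layout mutates the graph model and must run on the EDT; do not move to a background thread.` Any exception from the layout now propagates to the caller instead of being logged as "CVT graph layout failed."; confirm the caller handles that.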


@ -106,7 +106,7 @@ public final class AutopsyTreeChildFactory extends ChildFactory.Detachable<Objec
* framework reacts. To avoid significant performance hits, all of the keys
* need to be added at once.
*
* @param keys A list to contain the keys.
* @param list A list to contain the keys.
*
* @return True, indicating that the list of keys is complete.
*/

View File

@ -45,6 +45,7 @@ AttachmentNode.getActions.openInExtViewer.text=Open in External Viewer Ctrl+E
AttachmentNode.getActions.searchFilesSameMD5.text=Search for files with the same MD5 hash
AttachmentNode.getActions.viewFileInDir.text=View File in Directory
AttachmentNode.getActions.viewInNewWin.text=View in New Window
# {0} - node name
BaseChildFactory.NoSuchEventBusException.message=No event bus for node: {0}
BlackboardArtifactNode.createSheet.artifactDetails.displayName=Result Details
BlackboardArtifactNode.createSheet.artifactDetails.name=Result Details
@ -170,6 +171,23 @@ KeywordHits.kwHits.text=Keyword Hits
KeywordHits.simpleLiteralSearch.text=Single Literal Keyword Search
KeywordHits.singleRegexSearch.text=Single Regular Expression Search
LayoutFileNode.getActions.viewFileInDir.text=View File in Directory
LocalFilesDataSourceNode.createSheet.deviceId.desc=Device ID of the image
LocalFilesDataSourceNode.createSheet.deviceId.displayName=Device ID
LocalFilesDataSourceNode.createSheet.deviceId.name=Device ID
LocalFilesDataSourceNode.createSheet.name.desc=no description
LocalFilesDataSourceNode.createSheet.name.displayName=Name
LocalFilesDataSourceNode.createSheet.name.name=Name
LocalFilesDataSourceNode.createSheet.noDesc=no description
LocalFilesDataSourceNode.createSheet.size.desc=Size of the data source in bytes.
LocalFilesDataSourceNode.createSheet.size.displayName=Size (Bytes)
LocalFilesDataSourceNode.createSheet.size.name=Size (Bytes)
LocalFilesDataSourceNode.createSheet.timezone.desc=Timezone of the image
LocalFilesDataSourceNode.createSheet.timezone.displayName=Timezone
LocalFilesDataSourceNode.createSheet.timezone.name=Timezone
LocalFilesDataSourceNode.createSheet.type.desc=Type of the image.
LocalFilesDataSourceNode.createSheet.type.displayName=Type
LocalFilesDataSourceNode.createSheet.type.name=Type
LocalFilesDataSourceNode.createSheet.type.text=Logical File Set
OpenIDE-Module-Name=DataModel
AbstractContentChildren.CreateTSKNodeVisitor.exception.noNodeMsg=No Node defined for the given SleuthkitItem
AbstractContentChildren.createAutopsyNodeVisitor.exception.noNodeMsg=No Node defined for the given DisplayableItem
@ -271,10 +289,10 @@ ImageNode.getActions.viewInNewWin.text=View in New Window
ImageNode.createSheet.name.name=Name
ImageNode.createSheet.name.displayName=Name
ImageNode.createSheet.name.desc=no description
Installer.exception.tskVerStringNull.msg=Sleuth Kit JNI test call returned without error, but version string was null!
Installer.exception.taskVerStringBang.msg=Sleuth Kit JNI test call returned without error, but version string was ""!
Installer.tskLibErr.msg=Problem with Sleuth Kit JNI. Test call failed!\n\nDetails: {0}
Installer.tskLibErr.err=Fatal Error!
Installer.exception.tskVerStringNull.msg=Sleuth Kit JNI test call returned without error, but version string was null\!
Installer.exception.taskVerStringBang.msg=Sleuth Kit JNI test call returned without error, but version string was ""\!
Installer.tskLibErr.msg=Problem with Sleuth Kit JNI. Test call failed\!\n\nDetails: {0}
Installer.tskLibErr.err=Fatal Error\!
InterestingHits.interestingItems.text=INTERESTING ITEMS
InterestingHits.displayName.text=Interesting Items
InterestingHits.createSheet.name.name=Name
@ -377,19 +395,6 @@ ViewsNode.name.text=File Views
ViewsNode.createSheet.name.name=Name
ViewsNode.createSheet.name.displayName=Name
ViewsNode.createSheet.name.desc=no description
VirtualDirectoryNode.createSheet.deviceId.desc=Device ID of the image
VirtualDirectoryNode.createSheet.deviceId.displayName=Device ID
VirtualDirectoryNode.createSheet.deviceId.name=Device ID
VirtualDirectoryNode.createSheet.size.desc=Size of the data source in bytes.
VirtualDirectoryNode.createSheet.size.displayName=Size (Bytes)
VirtualDirectoryNode.createSheet.size.name=Size (Bytes)
VirtualDirectoryNode.createSheet.timezone.desc=Timezone of the image
VirtualDirectoryNode.createSheet.timezone.displayName=Timezone
VirtualDirectoryNode.createSheet.timezone.name=Timezone
VirtualDirectoryNode.createSheet.type.desc=Type of the image.
VirtualDirectoryNode.createSheet.type.displayName=Type
VirtualDirectoryNode.createSheet.type.name=Type
VirtualDirectoryNode.createSheet.type.text=Logical File Set
VirtualDirectoryNode.getActions.viewInNewWin.text=View in New Window
VirtualDirectoryNode.createSheet.name.name=Name
VirtualDirectoryNode.createSheet.name.displayName=Name


@ -1,7 +1,7 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2011 Basis Technology Corp.
* Copyright 2011-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -55,6 +55,8 @@ interface ContentNodeVisitor<T> {
T visit(UnsupportedContentNode ucn);
T visit(OsAccountNode bban);
T visit(LocalFilesDataSourceNode lfdsn);
/**
* Visitor with an implementable default behavior for all types. Override
@ -137,5 +139,10 @@ interface ContentNodeVisitor<T> {
public T visit(OsAccountNode bban) {
return defaultVisit(bban);
}
@Override
public T visit(LocalFilesDataSourceNode lfdsn) {
return defaultVisit(lfdsn);
}
}
}


@ -28,6 +28,7 @@ import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.LayoutFile;
import org.sleuthkit.datamodel.LocalDirectory;
import org.sleuthkit.datamodel.LocalFile;
import org.sleuthkit.datamodel.LocalFilesDataSource;
import org.sleuthkit.datamodel.Pool;
import org.sleuthkit.datamodel.SlackFile;
import org.sleuthkit.datamodel.SleuthkitItemVisitor;
@ -111,4 +112,9 @@ public class CreateSleuthkitNodeVisitor extends SleuthkitItemVisitor.Default<Abs
throw new UnsupportedOperationException(NbBundle.getMessage(this.getClass(),
"AbstractContentChildren.CreateTSKNodeVisitor.exception.noNodeMsg"));
}
@Override
public AbstractContentNode<? extends Content> visit(LocalFilesDataSource ld) {
return new LocalFilesDataSourceNode(ld);
}
}


@ -1,7 +1,7 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2011 - 2018 Basis Technology Corp.
* Copyright 2011 - 2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -202,6 +202,8 @@ public interface DisplayableItemNodeVisitor<T> {
* Unsupported node
*/
T visit(UnsupportedContentNode ucn);
T visit(LocalFilesDataSourceNode lfdsn);
/**
* Visitor with an implementable default behavior for all types. Override
@ -574,5 +576,10 @@ public interface DisplayableItemNodeVisitor<T> {
public T visit(UnsupportedContentNode node) {
return defaultVisit(node);
}
@Override
public T visit(LocalFilesDataSourceNode node) {
return defaultVisit(node);
}
}
}


@ -397,6 +397,11 @@ public final class FileTypes implements AutopsyVisitableItem {
return content.newDataArtifact(artifactType, attributesList, osAccountId);
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList, Long osAccountId, long dataSourceId) throws TskCoreException {
return content.newDataArtifact(artifactType, attributesList, osAccountId, dataSourceId);
}
@Override
public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList) throws TskCoreException {
return content.newDataArtifact(artifactType, attributesList);
@ -467,6 +472,11 @@ public final class FileTypes implements AutopsyVisitableItem {
return content.newAnalysisResult(type, score, string, string1, string2, clctn);
}
@Override
public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type type, Score score, String string, String string1, String string2, Collection<BlackboardAttribute> clctn, long dataSourceId) throws TskCoreException {
return content.newAnalysisResult(type, score, string, string1, string2, clctn, dataSourceId);
}
@Override
public Score getAggregateScore() throws TskCoreException {
return content.getAggregateScore();
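Review bot: The added `newAnalysisResult(..., long dataSourceId)` overload keeps the generated parameter names `string`, `string1`, `string2` and `clctn`, so a reader cannot tell what each argument means. The three strings are indistinguishable by type, and a caller that swaps them would record the wrong text on an analysis result without any compile error. Rename them to match the delegate's parameters, presumably `conclusion`, `configuration`, `justification` and `attributesList`; confirm the order against the `Content` interface. Both new overloads would also benefit from a one-line comment saying that `dataSourceId` is passed through unchanged to `content`. The enclosing class starts and ends outside these hunks.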


@ -0,0 +1,99 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.sleuthkit.autopsy.datamodel;
import org.openide.nodes.Sheet;
import org.openide.util.NbBundle;
import org.sleuthkit.datamodel.LocalFilesDataSource;
/**
*
*
*/
public class LocalFilesDataSourceNode extends VirtualDirectoryNode {
private final LocalFilesDataSource localFileDataSource;
public LocalFilesDataSourceNode(LocalFilesDataSource ld) {
super(ld);
localFileDataSource = ld;
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS
}
@Override
@NbBundle.Messages({"LocalFilesDataSourceNode.createSheet.size.name=Size (Bytes)",
"LocalFilesDataSourceNode.createSheet.size.displayName=Size (Bytes)",
"LocalFilesDataSourceNode.createSheet.size.desc=Size of the data source in bytes.",
"LocalFilesDataSourceNode.createSheet.type.name=Type",
"LocalFilesDataSourceNode.createSheet.type.displayName=Type",
"LocalFilesDataSourceNode.createSheet.type.desc=Type of the image.",
"LocalFilesDataSourceNode.createSheet.type.text=Logical File Set",
"LocalFilesDataSourceNode.createSheet.timezone.name=Timezone",
"LocalFilesDataSourceNode.createSheet.timezone.displayName=Timezone",
"LocalFilesDataSourceNode.createSheet.timezone.desc=Timezone of the image",
"LocalFilesDataSourceNode.createSheet.deviceId.name=Device ID",
"LocalFilesDataSourceNode.createSheet.deviceId.displayName=Device ID",
"LocalFilesDataSourceNode.createSheet.deviceId.desc=Device ID of the image",
"LocalFilesDataSourceNode.createSheet.name.name=Name",
"LocalFilesDataSourceNode.createSheet.name.displayName=Name",
"LocalFilesDataSourceNode.createSheet.name.desc=no description",
"LocalFilesDataSourceNode.createSheet.noDesc=no description",})
protected Sheet createSheet() {
Sheet sheet = new Sheet();
Sheet.Set sheetSet = Sheet.createPropertiesSet();
sheet.put(sheetSet);
sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_name_name(),
Bundle.LocalFilesDataSourceNode_createSheet_name_displayName(),
Bundle.LocalFilesDataSourceNode_createSheet_name_desc(),
getName()));
sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_type_name(),
Bundle.LocalFilesDataSourceNode_createSheet_type_displayName(),
Bundle.LocalFilesDataSourceNode_createSheet_type_desc(),
Bundle.LocalFilesDataSourceNode_createSheet_type_text()));
sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_size_name(),
Bundle.LocalFilesDataSourceNode_createSheet_size_displayName(),
Bundle.LocalFilesDataSourceNode_createSheet_size_desc(),
this.content.getSize()));
sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_timezone_name(),
Bundle.LocalFilesDataSourceNode_createSheet_timezone_displayName(),
Bundle.LocalFilesDataSourceNode_createSheet_timezone_desc(),
""));
sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_deviceId_name(),
Bundle.LocalFilesDataSourceNode_createSheet_deviceId_displayName(),
Bundle.LocalFilesDataSourceNode_createSheet_deviceId_desc(),
localFileDataSource.getDeviceId()));
return sheet;
}
@Override
public <T> T accept(ContentNodeVisitor<T> visitor) {
return visitor.visit(this);
}
@Override
public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {
return visitor.visit(this);
}
}
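Review bot: `createSheet()` always fills the Timezone property with the empty string `""`, whereas the code this class replaces in `VirtualDirectoryNode` read `time_zone` from `data_source_info`. An examiner therefore loses the time zone needed to interpret timestamps for a logical file set. If `LocalFilesDataSource` exposes the time zone the same way it exposes `getDeviceId()`, the last argument should be `localFileDataSource.getTimeZone()`; otherwise drop the property rather than show a blank value. The class Javadoc is empty and should state that this node displays a logical-file-set data source. The bundle key `LocalFilesDataSourceNode.createSheet.noDesc` is declared but not used in this file.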


@ -1,7 +1,7 @@
/*
* Autopsy Forensic Browser
*
* Copyright 2011-2019 Basis Technology Corp.
* Copyright 2011-2021 Basis Technology Corp.
* Contact: carrier <at> sleuthkit <dot> org
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -18,16 +18,9 @@
*/
package org.sleuthkit.autopsy.datamodel;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import org.openide.nodes.Sheet;
import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.VirtualDirectory;
/**
@ -47,76 +40,12 @@ public class VirtualDirectoryNode extends SpecialDirectoryNode {
super(ld);
this.setDisplayName(nameForVirtualDirectory(ld));
//set icon for name, special case for logical file set
if (ld.isDataSource()) {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS
} else {
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS
}
this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS
}
@Override
@NbBundle.Messages({"VirtualDirectoryNode.createSheet.size.name=Size (Bytes)",
"VirtualDirectoryNode.createSheet.size.displayName=Size (Bytes)",
"VirtualDirectoryNode.createSheet.size.desc=Size of the data source in bytes.",
"VirtualDirectoryNode.createSheet.type.name=Type",
"VirtualDirectoryNode.createSheet.type.displayName=Type",
"VirtualDirectoryNode.createSheet.type.desc=Type of the image.",
"VirtualDirectoryNode.createSheet.type.text=Logical File Set",
"VirtualDirectoryNode.createSheet.timezone.name=Timezone",
"VirtualDirectoryNode.createSheet.timezone.displayName=Timezone",
"VirtualDirectoryNode.createSheet.timezone.desc=Timezone of the image",
"VirtualDirectoryNode.createSheet.deviceId.name=Device ID",
"VirtualDirectoryNode.createSheet.deviceId.displayName=Device ID",
"VirtualDirectoryNode.createSheet.deviceId.desc=Device ID of the image"})
protected Sheet createSheet() {
//Do a special strategy for virtual directories..
if(this.content.isDataSource()){
Sheet sheet = new Sheet();
Sheet.Set sheetSet = Sheet.createPropertiesSet();
sheet.put(sheetSet);
sheetSet.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.name"),
NbBundle.getMessage(this.getClass(),
"VirtualDirectoryNode.createSheet.name.displayName"),
NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.desc"),
getName()));
sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_type_name(),
Bundle.VirtualDirectoryNode_createSheet_type_displayName(),
Bundle.VirtualDirectoryNode_createSheet_type_desc(),
Bundle.VirtualDirectoryNode_createSheet_type_text()));
sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_size_name(),
Bundle.VirtualDirectoryNode_createSheet_size_displayName(),
Bundle.VirtualDirectoryNode_createSheet_size_desc(),
this.content.getSize()));
try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT time_zone FROM data_source_info WHERE obj_id = " + this.content.getId())) {
ResultSet timeZoneSet = query.getResultSet();
if (timeZoneSet.next()) {
sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_timezone_name(),
Bundle.VirtualDirectoryNode_createSheet_timezone_displayName(),
Bundle.VirtualDirectoryNode_createSheet_timezone_desc(),
timeZoneSet.getString("time_zone")));
}
} catch (SQLException | TskCoreException | NoCurrentCaseException ex) {
logger.log(Level.SEVERE, "Failed to get time zone for the following image: " + this.content.getId(), ex);
}
try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT device_id FROM data_source_info WHERE obj_id = " + this.content.getId());) {
ResultSet deviceIdSet = query.getResultSet();
if (deviceIdSet.next()) {
sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_deviceId_name(),
Bundle.VirtualDirectoryNode_createSheet_deviceId_displayName(),
Bundle.VirtualDirectoryNode_createSheet_deviceId_desc(),
deviceIdSet.getString("device_id")));
}
} catch (SQLException | TskCoreException | NoCurrentCaseException ex) {
logger.log(Level.SEVERE, "Failed to get device id for the following image: " + this.content.getId(), ex);
}
return sheet;
}
//Otherwise default to the AAFN createSheet method.
Sheet defaultSheet = super.createSheet();
Sheet.Set defaultSheetSet = defaultSheet.get(Sheet.PROPERTIES);
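Review bot: With the `isDataSource()` branches gone from the constructor and from `createSheet()`, a `VirtualDirectoryNode` built directly for a data-source directory now gets the generic folder icon and the default sheet, with no Device ID or Timezone. That is only safe if every factory routes such content to `LocalFilesDataSourceNode`, which this section does not show. A comment in the constructor would record the assumption, for example `// Data-source file sets are displayed by LocalFilesDataSourceNode; this node handles plain virtual directories only.` Which printed lines are old and which are new is inferred here from the rest of the commit, and the class continues outside the hunk.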


@ -1517,9 +1517,8 @@ public final class DirectoryTreeTopComponent extends TopComponent implements Dat
* Returns the credit card artifact's parent node or null if cannot be
* found.
*
* @param typesChildren The children object of the same category as credit
* card.
* @param art The artifact.
* @param accountRootChildren
* @param ccNumberName
*
* @return The credit card artifact's parent node or null if cannot be
* found.
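Review bot: The two `@param` tags shown, `accountRootChildren` and `ccNumberName`, carry no description, while the `typesChildren` and `art` tags printed next to them each had one. Which pair is the new side is not marked on this page; if the bare tags are the new ones, the Javadoc now matches the signature but explains less than before. Add a phrase to each, for example `@param accountRootChildren The children of the accounts root node.` and `@param ccNumberName The credit card number to look up.`; both wordings are guesses from the names and need checking against the method body, which is outside the hunk.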


@ -1450,6 +1450,9 @@ class SevenZipExtractor {
* updating
* @param statusMap - the map of existing files and their status
* @param archiveFilePath - the archive file path for the unpacked node
* @param parentAr - the parent archive as an Archive object
* @param archiveFile - the parent archive as an AbstractFile
* @param depthMap - the depth map (to prevent zip bombs)
*
* @throws TskCoreException
*/


@ -361,6 +361,8 @@ public class FileTypeDetector {
* Determines whether or not a file matches a user-defined custom file type.
*
* @param file The file to test.
* @param startOfFileBuffer The beginning of the file data.
* @param bufLen The length of startOfFileBuffer.
*
* @return The MIME type as a string if a match is found; otherwise null.
*/
@ -381,7 +383,9 @@ public class FileTypeDetector {
* Autopsy.
*
* @param file The file to test.
*
* @param startOfFileBuffer The beginning of the file data.
* @param bufLen The length of startOfFileBuffer.
*
* @return The MIME type as a string if a match is found; otherwise null.
*/
private String detectAutopsyDefinedType(AbstractFile file, byte[] startOfFileBuffer, int bufLen) {


@ -151,6 +151,8 @@ public class FileTypeIdIngestModule implements FileIngestModule {
* Determines whether or not a file matches a user-defined custom file type.
*
* @param file The file to test.
* @param startOfFileBuffer The beginning of the file data.
* @param bufLen The length of startOfFileBuffer.
*
* @return The file type if a match is found; otherwise null.
*


@ -817,7 +817,7 @@ class ExtractRegistry extends Extract {
try {
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_DELETED_PROG), bbattributes);
BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_INSTALLED_PROG), bbattributes);
newArtifacts.add(bbart);
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS
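Review bot: Nothing at the changed `newDataArtifact` call records that the artifact type was corrected, and the change alters how evidence is labelled. Reading `TSK_INSTALLED_PROG` as the new side (the log message in the `catch` supports that), cases ingested before this fix may still hold these registry entries as `TSK_DELETED_PROG`. Reports compared across versions would then disagree. A comment above the call would help, for example `// Recorded as TSK_INSTALLED_PROG; cases ingested before this fix may hold these entries as TSK_DELETED_PROG.`, and the release notes should mention that re-ingest is needed to relabel them. The enclosing method starts and ends outside the hunk.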


@ -26,14 +26,13 @@ We recommend:
\subsection multiuser_system_hw Suggested Hardware
TODO
- PostgreSQL/ActiveMQ (Server 1):
- RAM: 16GB or more
- Local Storage: 500GB SSD
- PostgreSQL/ActiveMQ (server 1):
- RAM:
- Local Storage: Enough for databases
- Solr (server 2):
- RAM:
- Local Storage: Minimal
- Solr (Server 2):
- RAM: 32GB or more
- Local Storage: A single index will be roughly the size of the data source being ingested. For example 128GB E01 will usually generate a 128 GB index.
\subsection multiuser_system_back Backups