Merge branch 'sleuthkit:develop' into develop

Core/src/org/sleuthkit/autopsy/centralrepository/application/OtherOccurrences.java

@@ -31,6 +31,7 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
+import java.util.Optional;
 import java.util.logging.Level;
 import org.apache.commons.lang3.StringUtils;
 import org.joda.time.DateTimeZone;
@@ -52,6 +53,9 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.BlackboardArtifactTag;
 import org.sleuthkit.datamodel.Content;
 import org.sleuthkit.datamodel.ContentTag;
+import org.sleuthkit.datamodel.DataSource;
+import org.sleuthkit.datamodel.OsAccount;
+import org.sleuthkit.datamodel.OsAccountInstance;
 import org.sleuthkit.datamodel.SleuthkitCase;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskData;
@@ -71,9 +75,55 @@ public final class OtherOccurrences {
 
     /**
      * Determine what attributes can be used for correlation based on the node.
-     * If EamDB is not enabled, get the default Files correlation.
      *
      * @param node The node to correlate
+     * @param osAccount the osAccount to correlate
+     *
+     * @return A list of attributes that can be used for correlation
+     */
+    public static Collection<CorrelationAttributeInstance> getCorrelationAttributeFromOsAccount(Node node, OsAccount osAccount) {
+        Collection<CorrelationAttributeInstance> ret = new ArrayList<>();
+        Optional<String> osAccountAddr = osAccount.getAddr();
+
+        if (osAccountAddr.isPresent()) {
+            try {
+                for (OsAccountInstance instance : osAccount.getOsAccountInstances()) {
+                    DataSource osAccountDataSource = instance.getDataSource();
+                    try {
+                        CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
+                        CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
+                                CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID),
+                                osAccountAddr.get(),
+                                correlationCase,
+                                CorrelationDataSource.fromTSKDataSource(correlationCase, instance.getDataSource()),
+                                "",
+                                "",
+                                TskData.FileKnown.KNOWN,
+                                osAccount.getId());
+
+                            ret.add(correlationAttributeInstance);
+                    } catch (CentralRepoException ex) {
+                       logger.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", osAccountAddr.get()), ex);  //NON-NLS
+                    } catch (NoCurrentCaseException ex) {
+                       logger.log(Level.WARNING, String.format("Exception while getting open case looking up osAccount %s.", osAccountAddr.get()), ex);  //NON-NLS
+                    }  catch (CorrelationAttributeNormalizationException ex) {
+                       logger.log(Level.SEVERE, String.format("Exception with Correlation Attribute Normalization for osAccount %s.", osAccountAddr.get()), ex);  //NON-NLS
+                    }
+                }
+            } catch (TskCoreException ex) {
+                logger.log(Level.INFO, String.format("Unable to check create CorrelationAttribtueInstance for osAccount %s.", osAccountAddr.get()), ex);            
+            }
+        }
+        
+        return ret;        
+    }
+    
+    /**
+     * Determine what attributes can be used for correlation based on the node.
+     * If EamDB is not enabled, get the default Files correlation.
+     *
+     * @param node The node to correlate.
+     * @param file The file to correlate.
      *
      * @return A list of attributes that can be used for correlation
      */
@@ -195,6 +245,9 @@ public final class OtherOccurrences {
      * artifact. If the central repo is not enabled, this will only return files
      * from the current case with matching MD5 hashes.
      *
+     * @param file      The current file.
+     * @param deviceId  The device ID for the current data source. 
+     * @param dataSourceName The name of the current data source.
      * @param corAttr CorrelationAttribute to query for
      *
      * @return A collection of correlated artifact instances

Core/src/org/sleuthkit/autopsy/centralrepository/contentviewer/OtherOccurrencesNodeWorker.java

@@ -18,6 +18,7 @@
  */
 package org.sleuthkit.autopsy.centralrepository.contentviewer;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -37,6 +38,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase;
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.datamodel.AbstractFile;
 import org.sleuthkit.datamodel.Content;
+import org.sleuthkit.datamodel.OsAccount;
 import org.sleuthkit.datamodel.TskException;
 
 /**
@@ -60,7 +62,11 @@ class OtherOccurrencesNodeWorker extends SwingWorker<OtherOccurrencesData, Void>
 
     @Override
     protected OtherOccurrencesData doInBackground() throws Exception {
+        OsAccount osAccount = node.getLookup().lookup(OsAccount.class);
         AbstractFile file = OtherOccurrences.getAbstractFileFromNode(node);
+        if (osAccount != null) {
+            file = node.getLookup().lookup(AbstractFile.class);
+        }
         String deviceId = "";
         String dataSourceName = "";
         Map<String, CorrelationCase> caseNames = new HashMap<>();
@@ -77,8 +83,12 @@ class OtherOccurrencesNodeWorker extends SwingWorker<OtherOccurrencesData, Void>
             // @@@ Review this behavior
             return null;
         }
-        Collection<CorrelationAttributeInstance> correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file);
+        Collection<CorrelationAttributeInstance> correlationAttributes = new ArrayList<>();
-
+        if (osAccount != null) {
+            correlationAttributes = OtherOccurrences.getCorrelationAttributeFromOsAccount(node, osAccount);    
+        } else {
+            correlationAttributes = OtherOccurrences.getCorrelationAttributesFromNode(node, file);
+        }
         int totalCount = 0;
         Set<String> dataSources = new HashSet<>();
         for (CorrelationAttributeInstance corAttr : correlationAttributes) {

Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED

@@ -25,7 +25,9 @@ CorrelationType.ICCID.displayName=ICCID Number
 CorrelationType.IMEI.displayName=IMEI Number
 CorrelationType.IMSI.displayName=IMSI Number
 CorrelationType.MAC.displayName=MAC Addresses
+CorrelationType.OS_ACCOUNT.displayName=Os Account
 CorrelationType.PHONE.displayName=Phone Numbers
+CorrelationType.PROG_NAME.displayName=Installed Programs
 CorrelationType.SSID.displayName=Wireless Networks
 CorrelationType.USBID.displayName=USB Devices
 EamArtifactInstances.knownStatus.bad=Bad

Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepoDbUpgrader15To16.java

@@ -0,0 +1,63 @@
+/*
+ * Central Repository
+ *
+ * Copyright 2021 Basis Technology Corp.
+ * Contact: carrier <at> sleuthkit <dot> org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.centralrepository.datamodel;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import org.sleuthkit.datamodel.CaseDbSchemaVersionNumber;
+
+/**
+ * This class updates CR schema to 1.6
+ * 
+ */
+public class CentralRepoDbUpgrader15To16 implements CentralRepoDbUpgrader {
+    
+    @Override
+    public void upgradeSchema(CaseDbSchemaVersionNumber dbSchemaVersion, Connection connection) throws CentralRepoException, SQLException {
+
+        if (dbSchemaVersion.compareTo(new CaseDbSchemaVersionNumber(1, 6)) < 0) {
+          
+            try (Statement statement = connection.createStatement();) {
+
+                CentralRepoPlatforms selectedPlatform = CentralRepoDbManager.getSavedDbChoice().getDbPlatform();
+
+                for (CorrelationAttributeInstance.Type type : CorrelationAttributeInstance.getDefaultCorrelationTypes()) {
+                    String instance_type_dbname = CentralRepoDbUtil.correlationTypeToInstanceTableName(type);
+
+                    if ((type.getId() == CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID) ||
+                        (type.getId() == CorrelationAttributeInstance.OSACCOUNT_TYPE_ID)){
+
+                        // these are new Correlation types - new tables need to be created
+                        statement.execute(String.format(RdbmsCentralRepoFactory.getCreateAccountInstancesTableTemplate(selectedPlatform), instance_type_dbname, instance_type_dbname));
+                        statement.execute(String.format(RdbmsCentralRepoFactory.getAddCaseIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
+                        statement.execute(String.format(RdbmsCentralRepoFactory.getAddDataSourceIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
+                        statement.execute(String.format(RdbmsCentralRepoFactory.getAddValueIndexTemplate(), instance_type_dbname, instance_type_dbname));
+                        statement.execute(String.format(RdbmsCentralRepoFactory.getAddKnownStatusIndexTemplate(), instance_type_dbname, instance_type_dbname));
+                        statement.execute(String.format(RdbmsCentralRepoFactory.getAddObjectIdIndexTemplate(), instance_type_dbname, instance_type_dbname));
+
+                        // add new correlation type
+                        CentralRepoDbUtil.insertCorrelationType(connection, type);
+
+                    }
+                }
+            }
+        }
+    }
+}

Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeInstance.java

@@ -257,6 +257,8 @@ public class CorrelationAttributeInstance implements Serializable {
     public static final int IMEI_TYPE_ID = 7;
     public static final int IMSI_TYPE_ID = 8;
     public static final int ICCID_TYPE_ID = 9;
+    public static final int INSTALLED_PROGS_TYPE_ID = 10;
+    public static final int OSACCOUNT_TYPE_ID = 11;
     
     // An offset to assign Ids for additional  correlation types.
     public static final int ADDITIONAL_TYPES_BASE_ID = 1000;
@@ -276,7 +278,9 @@ public class CorrelationAttributeInstance implements Serializable {
         "CorrelationType.MAC.displayName=MAC Addresses",
         "CorrelationType.IMEI.displayName=IMEI Number",
         "CorrelationType.IMSI.displayName=IMSI Number",
-        "CorrelationType.ICCID.displayName=ICCID Number"})
+        "CorrelationType.PROG_NAME.displayName=Installed Programs",
+        "CorrelationType.ICCID.displayName=ICCID Number",
+        "CorrelationType.OS_ACCOUNT.displayName=Os Account"})
     public static List<CorrelationAttributeInstance.Type> getDefaultCorrelationTypes() throws CentralRepoException {
         List<CorrelationAttributeInstance.Type> defaultCorrelationTypes = new ArrayList<>();
         
@@ -290,6 +294,8 @@ public class CorrelationAttributeInstance implements Serializable {
         defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMEI_TYPE_ID, Bundle.CorrelationType_IMEI_displayName(), "imei_number", true, true)); //NON-NLS
         defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(IMSI_TYPE_ID, Bundle.CorrelationType_IMSI_displayName(), "imsi_number", true, true)); //NON-NLS
         defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(ICCID_TYPE_ID, Bundle.CorrelationType_ICCID_displayName(), "iccid_number", true, true)); //NON-NLS
+        defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(INSTALLED_PROGS_TYPE_ID, Bundle.CorrelationType_PROG_NAME_displayName(), "installed_programs", true, true)); //NON-NLS
+        defaultCorrelationTypes.add(new CorrelationAttributeInstance.Type(OSACCOUNT_TYPE_ID, Bundle.CorrelationType_OS_ACCOUNT_displayName(), "os_accounts", true, true)); //NON-NLS
         
         // Create Correlation Types for Accounts.
         int correlationTypeId = ADDITIONAL_TYPES_BASE_ID;

Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java

@@ -93,6 +93,7 @@ public class CorrelationAttributeUtil {
             add(ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID());
             add(ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID());
             add(ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID());
+            add(ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID());
         }
     };
 
@@ -189,6 +190,13 @@ public class CorrelationAttributeUtil {
                 } else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
                     makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact);
 
+                } else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
+                    BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
+                    if (setNameAttr != null) {
+                        makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);                        
+                    } else {
+                        makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
+                    }
                 } else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
                         || artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
                         || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
@@ -388,7 +396,18 @@ public class CorrelationAttributeUtil {
             }
 
             CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
-            return new CorrelationAttributeInstance(
+            if (artifact.getArtifactTypeID() == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
+                return new CorrelationAttributeInstance(
+                        correlationType,
+                        value,
+                        correlationCase,
+                        CorrelationDataSource.fromTSKDataSource(correlationCase, bbSourceFile.getDataSource()),
+                        "",
+                        "",
+                        TskData.FileKnown.UNKNOWN,
+                        bbSourceFile.getId());
+            } else {
+                return new CorrelationAttributeInstance(
                     correlationType,
                     value,
                     correlationCase,
@@ -397,7 +416,7 @@ public class CorrelationAttributeUtil {
                     "",
                     TskData.FileKnown.UNKNOWN,
                     bbSourceFile.getId());
-
+            }
         } catch (TskCoreException ex) {
             logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
             return null;

Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/RdbmsCentralRepo.java

@@ -69,7 +69,7 @@ abstract class RdbmsCentralRepo implements CentralRepository {
     static final String SCHEMA_MINOR_VERSION_KEY = "SCHEMA_MINOR_VERSION";
     static final String CREATION_SCHEMA_MAJOR_VERSION_KEY = "CREATION_SCHEMA_MAJOR_VERSION";
     static final String CREATION_SCHEMA_MINOR_VERSION_KEY = "CREATION_SCHEMA_MINOR_VERSION";
-    static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 5);
+    static final CaseDbSchemaVersionNumber SOFTWARE_CR_DB_SCHEMA_VERSION = new CaseDbSchemaVersionNumber(1, 6);
 
     protected final List<CorrelationAttributeInstance.Type> defaultCorrelationTypes;
 
@@ -3976,6 +3976,9 @@ abstract class RdbmsCentralRepo implements CentralRepository {
             // Upgrade to 1.5
             (new CentralRepoDbUpgrader14To15()).upgradeSchema(dbSchemaVersion, conn);
 
+            // Upgrade to 1.6
+            (new CentralRepoDbUpgrader15To16()).upgradeSchema(dbSchemaVersion, conn);
+
             updateSchemaVersion(conn);
             conn.commit();
             logger.log(Level.INFO, String.format("Central Repository schema updated to version %s", SOFTWARE_CR_DB_SCHEMA_VERSION));

Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED

@@ -1,4 +1,7 @@
 caseeventlistener.evidencetag=Evidence
+CaseEventsListener.module.name=Central Repository
+CaseEventsListener.prevCaseComment.text=Users seen in previous cases
+CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)
 CentralRepositoryNotificationDialog.bulletHeader=This data is used to:
 CentralRepositoryNotificationDialog.bulletOne=Ignore common items (files, domains, and accounts)
 CentralRepositoryNotificationDialog.bulletThree=Create personas that group accounts

Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java

@@ -21,13 +21,19 @@ package org.sleuthkit.autopsy.centralrepository.eventlisteners;
 import com.google.common.util.concurrent.ThreadFactoryBuilder;
 import java.beans.PropertyChangeEvent;
 import java.beans.PropertyChangeListener;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.EnumSet;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.logging.Level;
+import java.util.stream.Collectors;
 import org.apache.commons.lang.StringUtils;
+import org.openide.util.Exceptions;
+import org.openide.util.NbBundle;
 import org.openide.util.NbBundle.Messages;
 import org.sleuthkit.autopsy.casemodule.Case;
 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
@@ -55,9 +61,18 @@ import org.sleuthkit.datamodel.TagName;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskData;
 import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
+import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
 import org.sleuthkit.datamodel.Tag;
 import org.sleuthkit.autopsy.events.AutopsyEvent;
+import org.sleuthkit.datamodel.Blackboard;
+import org.sleuthkit.datamodel.BlackboardAttribute;
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT;
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT;
+import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME;
+import org.sleuthkit.datamodel.OsAccount;
 import org.sleuthkit.datamodel.OsAccountInstance;
+import org.sleuthkit.datamodel.Score;
+import org.sleuthkit.datamodel.SleuthkitCase;
 
 /**
  * Listen for case events and update entries in the Central Repository database
@@ -134,10 +149,8 @@ public final class CaseEventListener implements PropertyChangeListener {
             }
             break;
             case OS_ACCT_INSTANCES_ADDED: {
-                // STUB, TO BE REPLACED
+                if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) {
-                List<OsAccountInstance> osAcctInstances = ((OsAcctInstancesAddedEvent) evt).getOsAccountInstances();
+                    jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt));
-                for (OsAccountInstance instance : osAcctInstances) {
-                    LOGGER.log(Level.INFO, String.format("Received OS account instance added message (instance ID = %d)", instance.getInstanceId()));
                 }
             }
             break;
@@ -300,10 +313,10 @@ public final class CaseEventListener implements PropertyChangeListener {
          * Sets the known status for the correlation attribute instance for the
          * given abstract file.
          *
-         * @param af          The abstract file for which to set the correlation
+         * @param af The abstract file for which to set the correlation
-         *                    attribute instance.
+         * attribute instance.
          * @param knownStatus The new known status for the correlation attribute
-         *                    instance.
+         * instance.
          */
         private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) {
             final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af);
@@ -396,7 +409,7 @@ public final class CaseEventListener implements PropertyChangeListener {
          * for the item. If there are, set known status as notable. If not set
          * status as unknown.
          *
-         * @param content    The content for the tag that was added or deleted.
+         * @param content The content for the tag that was added or deleted.
          * @param bbArtifact The artifact for the tag that was added or deleted.
          */
         private void handleTagChange(Content content, BlackboardArtifact bbArtifact) {
@@ -441,7 +454,7 @@ public final class CaseEventListener implements PropertyChangeListener {
          * Sets the known status of a blackboard artifact in the central
          * repository.
          *
-         * @param bbArtifact  The blackboard artifact to set known status.
+         * @param bbArtifact The blackboard artifact to set known status.
          * @param knownStatus The new known status.
          */
         private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) {
@@ -646,6 +659,97 @@ public final class CaseEventListener implements PropertyChangeListener {
         } // CURRENT_CASE
     }
 
+    @NbBundle.Messages({"CaseEventsListener.module.name=Central Repository",
+        "CaseEventsListener.prevCaseComment.text=Users seen in previous cases",
+        "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"})
+    /**
+     * Add OsAccount Instance to CR and find interesting items based on the OsAccount
+     */
+    private final class OsAccountInstancesAddedTask implements Runnable {
+
+        private final CentralRepository dbManager;
+        private final PropertyChangeEvent event;
+        private final String MODULE_NAME = Bundle.CaseEventsListener_module_name();
+
+        private OsAccountInstancesAddedTask(CentralRepository db, PropertyChangeEvent evt) {
+            dbManager = db;
+            event = evt;
+        }
+
+        @Override
+        public void run() {
+            if (!CentralRepository.isEnabled()) {
+                return;
+            }
+
+            final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event;
+            List<OsAccountInstance> addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances();
+            for (OsAccountInstance osAccountInstance : addedOsAccountNew) {
+                try {
+                    OsAccount osAccount = osAccountInstance.getOsAccount();
+                    Optional<String> accountAddr = osAccount.getAddr();
+                    // Check address if it is null or one of the ones below we want to ignore it since they will always be one a windows system
+                    // and they are not unique
+                    if (!accountAddr.isPresent() || accountAddr.get().equals("S-1-5-18") || accountAddr.get().equals("S-1-5-19") || accountAddr.get().equals("S-1-5-20")) {
+                        return;
+                    }
+                    try {
+
+                        CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
+                        CorrelationAttributeInstance correlationAttributeInstance = new CorrelationAttributeInstance(
+                                CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID),
+                                accountAddr.get(),
+                                correlationCase,
+                                CorrelationDataSource.fromTSKDataSource(correlationCase, osAccountInstance.getDataSource()),
+                                "",
+                                "",
+                                TskData.FileKnown.KNOWN,
+                                osAccount.getId());
+
+                        dbManager.addArtifactInstance(correlationAttributeInstance);
+
+                        List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue());
+                        List<String> caseDisplayNames;
+                        for (CorrelationAttributeInstance instance : previousOccurences) {
+                            if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) {
+                                caseDisplayNames = dbManager.getListCasesHavingArtifactInstances(correlationAttributeInstance.getCorrelationType(), correlationAttributeInstance.getCorrelationValue());
+                                SleuthkitCase tskCase = osAccount.getSleuthkitCase();
+                                Blackboard blackboard = tskCase.getBlackboard();
+
+                                Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(
+                                        new BlackboardAttribute(
+                                                TSK_SET_NAME, MODULE_NAME,
+                                                Bundle.CaseEventsListener_prevExists_text()),
+                                        new BlackboardAttribute(
+                                                TSK_COMMENT, MODULE_NAME,
+                                                Bundle.CaseEventsListener_prevCaseComment_text()));
+                                BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult(
+                                        BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE,
+                                        null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult();
+                                try {
+                                    // index the artifact for keyword search
+                                    blackboard.postArtifact(newAnalysisResult, MODULE_NAME);
+                                } catch (Blackboard.BlackboardException ex) {
+                                    LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS
+                                }
+                            }
+                        }
+
+                    } catch (CentralRepoException ex) {
+                        LOGGER.log(Level.SEVERE, String.format("Cannot get central repository for OsAccount: %s.", accountAddr.get()), ex);  //NON-NLS
+                    } catch (NoCurrentCaseException ex) {
+                        LOGGER.log(Level.SEVERE, "Exception while getting open case.", ex);  //NON-NLS
+                    } catch (CorrelationAttributeNormalizationException ex) {
+                        LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex);  //NON-NLS
+                    }
+
+                } catch (TskCoreException ex) {
+                    LOGGER.log(Level.SEVERE, "Cannot get central repository for OsAccount: " + "OsAccount", ex);
+                }
+            }
+        }
+    }
+
     private final class DataSourceNameChangedTask implements Runnable {
 
         private final CentralRepository dbManager;

Core/src/org/sleuthkit/autopsy/communications/VisualizationPanel.java

@@ -1,7 +1,7 @@
 /*
  * Autopsy Forensic Browser
  *
- * Copyright 2017-2018 Basis Technology Corp.
+ * Copyright 2017-2021 Basis Technology Corp.
  * Contact: carrier <at> sleuthkit <dot> org
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -70,7 +70,6 @@ import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
-import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Future;
 import java.util.function.BiConsumer;
 import java.util.logging.Level;
@@ -583,30 +582,14 @@ final public class VisualizationPanel extends JPanel {
 
         ModalDialogProgressIndicator progressIndicator = new ModalDialogProgressIndicator(windowAncestor, Bundle.VisualizationPanel_computingLayout());
         progressIndicator.start(Bundle.VisualizationPanel_computingLayout());
-
+        graph.getModel().beginUpdate();
-        new SwingWorker<Void, Void>() {
+        try {    
-            @Override
+            layout.execute(graph.getDefaultParent());
-            protected Void doInBackground() {
+            fitGraph();
-                graph.getModel().beginUpdate();
+        } finally {
-                try {
+            graph.getModel().endUpdate();
-                    layout.execute(graph.getDefaultParent());
+            progressIndicator.finish();
-                    fitGraph();
+        }
-                } finally {
-                    graph.getModel().endUpdate();
-                    progressIndicator.finish();
-                }
-                return null;
-            }
-
-            @Override
-            protected void done() {
-                try {
-                    get();
-                } catch (InterruptedException | ExecutionException ex) {
-                    logger.log(Level.WARNING, "CVT graph layout failed.", ex);
-                }
-            }
-        }.execute();
     }
 
     private void clearVizButtonActionPerformed(ActionEvent evt) {//GEN-FIRST:event_clearVizButtonActionPerformed

Core/src/org/sleuthkit/autopsy/datamodel/AutopsyTreeChildFactory.java

@@ -106,7 +106,7 @@ public final class AutopsyTreeChildFactory extends ChildFactory.Detachable<Objec
      * framework reacts. To avoid significant performance hits, all of the keys
      * need to be added at once.
      *
-     * @param keys A list to contain the keys.
+     * @param list A list to contain the keys.
      *
      * @return True, indicating that the list of keys is complete.
      */

Core/src/org/sleuthkit/autopsy/datamodel/Bundle.properties-MERGED

@@ -45,6 +45,7 @@ AttachmentNode.getActions.openInExtViewer.text=Open in External Viewer  Ctrl+E
 AttachmentNode.getActions.searchFilesSameMD5.text=Search for files with the same MD5 hash
 AttachmentNode.getActions.viewFileInDir.text=View File in Directory
 AttachmentNode.getActions.viewInNewWin.text=View in New Window
+# {0} - node name
 BaseChildFactory.NoSuchEventBusException.message=No event bus for node: {0}
 BlackboardArtifactNode.createSheet.artifactDetails.displayName=Result Details
 BlackboardArtifactNode.createSheet.artifactDetails.name=Result Details
@@ -170,6 +171,23 @@ KeywordHits.kwHits.text=Keyword Hits
 KeywordHits.simpleLiteralSearch.text=Single Literal Keyword Search
 KeywordHits.singleRegexSearch.text=Single Regular Expression Search
 LayoutFileNode.getActions.viewFileInDir.text=View File in Directory
+LocalFilesDataSourceNode.createSheet.deviceId.desc=Device ID of the image
+LocalFilesDataSourceNode.createSheet.deviceId.displayName=Device ID
+LocalFilesDataSourceNode.createSheet.deviceId.name=Device ID
+LocalFilesDataSourceNode.createSheet.name.desc=no description
+LocalFilesDataSourceNode.createSheet.name.displayName=Name
+LocalFilesDataSourceNode.createSheet.name.name=Name
+LocalFilesDataSourceNode.createSheet.noDesc=no description
+LocalFilesDataSourceNode.createSheet.size.desc=Size of the data source in bytes.
+LocalFilesDataSourceNode.createSheet.size.displayName=Size (Bytes)
+LocalFilesDataSourceNode.createSheet.size.name=Size (Bytes)
+LocalFilesDataSourceNode.createSheet.timezone.desc=Timezone of the image
+LocalFilesDataSourceNode.createSheet.timezone.displayName=Timezone
+LocalFilesDataSourceNode.createSheet.timezone.name=Timezone
+LocalFilesDataSourceNode.createSheet.type.desc=Type of the image.
+LocalFilesDataSourceNode.createSheet.type.displayName=Type
+LocalFilesDataSourceNode.createSheet.type.name=Type
+LocalFilesDataSourceNode.createSheet.type.text=Logical File Set
 OpenIDE-Module-Name=DataModel
 AbstractContentChildren.CreateTSKNodeVisitor.exception.noNodeMsg=No Node defined for the given SleuthkitItem
 AbstractContentChildren.createAutopsyNodeVisitor.exception.noNodeMsg=No Node defined for the given DisplayableItem
@@ -271,10 +289,10 @@ ImageNode.getActions.viewInNewWin.text=View in New Window
 ImageNode.createSheet.name.name=Name
 ImageNode.createSheet.name.displayName=Name
 ImageNode.createSheet.name.desc=no description
-Installer.exception.tskVerStringNull.msg=Sleuth Kit JNI test call returned without error, but version string was null!
+Installer.exception.tskVerStringNull.msg=Sleuth Kit JNI test call returned without error, but version string was null\!
-Installer.exception.taskVerStringBang.msg=Sleuth Kit JNI test call returned without error, but version string was ""!
+Installer.exception.taskVerStringBang.msg=Sleuth Kit JNI test call returned without error, but version string was ""\!
-Installer.tskLibErr.msg=Problem with Sleuth Kit JNI. Test call failed!\n\nDetails: {0}
+Installer.tskLibErr.msg=Problem with Sleuth Kit JNI. Test call failed\!\n\nDetails: {0}
-Installer.tskLibErr.err=Fatal Error!
+Installer.tskLibErr.err=Fatal Error\!
 InterestingHits.interestingItems.text=INTERESTING ITEMS
 InterestingHits.displayName.text=Interesting Items
 InterestingHits.createSheet.name.name=Name
@@ -377,19 +395,6 @@ ViewsNode.name.text=File Views
 ViewsNode.createSheet.name.name=Name
 ViewsNode.createSheet.name.displayName=Name
 ViewsNode.createSheet.name.desc=no description
-VirtualDirectoryNode.createSheet.deviceId.desc=Device ID of the image
-VirtualDirectoryNode.createSheet.deviceId.displayName=Device ID
-VirtualDirectoryNode.createSheet.deviceId.name=Device ID
-VirtualDirectoryNode.createSheet.size.desc=Size of the data source in bytes.
-VirtualDirectoryNode.createSheet.size.displayName=Size (Bytes)
-VirtualDirectoryNode.createSheet.size.name=Size (Bytes)
-VirtualDirectoryNode.createSheet.timezone.desc=Timezone of the image
-VirtualDirectoryNode.createSheet.timezone.displayName=Timezone
-VirtualDirectoryNode.createSheet.timezone.name=Timezone
-VirtualDirectoryNode.createSheet.type.desc=Type of the image.
-VirtualDirectoryNode.createSheet.type.displayName=Type
-VirtualDirectoryNode.createSheet.type.name=Type
-VirtualDirectoryNode.createSheet.type.text=Logical File Set
 VirtualDirectoryNode.getActions.viewInNewWin.text=View in New Window
 VirtualDirectoryNode.createSheet.name.name=Name
 VirtualDirectoryNode.createSheet.name.displayName=Name

Core/src/org/sleuthkit/autopsy/datamodel/ContentNodeVisitor.java

@@ -1,7 +1,7 @@
 /*
  * Autopsy Forensic Browser
  *
- * Copyright 2011 Basis Technology Corp.
+ * Copyright 2011-2021 Basis Technology Corp.
  * Contact: carrier <at> sleuthkit <dot> org
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -56,6 +56,8 @@ interface ContentNodeVisitor<T> {
 
     T visit(OsAccountNode bban);
     
+    T visit(LocalFilesDataSourceNode lfdsn);
+
     /**
      * Visitor with an implementable default behavior for all types. Override
      * specific visit types to not use the default behavior.
@@ -137,5 +139,10 @@ interface ContentNodeVisitor<T> {
         public T visit(OsAccountNode bban) {
             return defaultVisit(bban);
         }
+        
+        @Override
+        public T visit(LocalFilesDataSourceNode lfdsn) {
+            return defaultVisit(lfdsn);
+        }
     }
 }

Core/src/org/sleuthkit/autopsy/datamodel/CreateSleuthkitNodeVisitor.java

@@ -28,6 +28,7 @@ import org.sleuthkit.datamodel.Image;
 import org.sleuthkit.datamodel.LayoutFile;
 import org.sleuthkit.datamodel.LocalDirectory;
 import org.sleuthkit.datamodel.LocalFile;
+import org.sleuthkit.datamodel.LocalFilesDataSource;
 import org.sleuthkit.datamodel.Pool;
 import org.sleuthkit.datamodel.SlackFile;
 import org.sleuthkit.datamodel.SleuthkitItemVisitor;
@@ -111,4 +112,9 @@ public class CreateSleuthkitNodeVisitor extends SleuthkitItemVisitor.Default<Abs
         throw new UnsupportedOperationException(NbBundle.getMessage(this.getClass(),
                 "AbstractContentChildren.CreateTSKNodeVisitor.exception.noNodeMsg"));
     }
+    
+    @Override
+    public AbstractContentNode<? extends Content> visit(LocalFilesDataSource ld) {
+        return new LocalFilesDataSourceNode(ld);
+    }
 }

Core/src/org/sleuthkit/autopsy/datamodel/DisplayableItemNodeVisitor.java

@@ -1,7 +1,7 @@
 /*
  * Autopsy Forensic Browser
  *
- * Copyright 2011 - 2018 Basis Technology Corp.
+ * Copyright 2011 - 2021 Basis Technology Corp.
  * Contact: carrier <at> sleuthkit <dot> org
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -203,6 +203,8 @@ public interface DisplayableItemNodeVisitor<T> {
      */
     T visit(UnsupportedContentNode ucn);
     
+    T visit(LocalFilesDataSourceNode lfdsn);
+
     /**
      * Visitor with an implementable default behavior for all types. Override
      * specific visit types to not use the default behavior.
@@ -574,5 +576,10 @@ public interface DisplayableItemNodeVisitor<T> {
         public T visit(UnsupportedContentNode node) {
             return defaultVisit(node);
         }
+        
+        @Override
+        public T visit(LocalFilesDataSourceNode node) {
+            return defaultVisit(node);
+        }
     }
 }

Core/src/org/sleuthkit/autopsy/datamodel/FileTypes.java

@@ -397,6 +397,11 @@ public final class FileTypes implements AutopsyVisitableItem {
             return content.newDataArtifact(artifactType, attributesList, osAccountId);
         }
         
+        @Override
+        public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList, Long osAccountId, long dataSourceId) throws TskCoreException {
+            return content.newDataArtifact(artifactType, attributesList, osAccountId, dataSourceId);
+        }
+        
         @Override
         public DataArtifact newDataArtifact(BlackboardArtifact.Type artifactType, Collection<BlackboardAttribute> attributesList) throws TskCoreException {
             return content.newDataArtifact(artifactType, attributesList);
@@ -467,6 +472,11 @@ public final class FileTypes implements AutopsyVisitableItem {
             return content.newAnalysisResult(type, score, string, string1, string2, clctn);
         }
 
+        @Override
+        public AnalysisResultAdded newAnalysisResult(BlackboardArtifact.Type type, Score score, String string, String string1, String string2, Collection<BlackboardAttribute> clctn, long dataSourceId) throws TskCoreException {
+            return content.newAnalysisResult(type, score, string, string1, string2, clctn, dataSourceId);
+        }
+
         @Override
         public Score getAggregateScore() throws TskCoreException {
             return content.getAggregateScore();

Core/src/org/sleuthkit/autopsy/datamodel/LocalFilesDataSourceNode.java

@@ -0,0 +1,99 @@
+/*
+ * Autopsy Forensic Browser
+ *
+ * Copyright 2021 Basis Technology Corp.
+ * Contact: carrier <at> sleuthkit <dot> org
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.sleuthkit.autopsy.datamodel;
+
+import org.openide.nodes.Sheet;
+import org.openide.util.NbBundle;
+import org.sleuthkit.datamodel.LocalFilesDataSource;
+
+/**
+ *
+ *
+ */
+public class LocalFilesDataSourceNode extends VirtualDirectoryNode {
+
+    private final LocalFilesDataSource localFileDataSource;
+
+    public LocalFilesDataSourceNode(LocalFilesDataSource ld) {
+        super(ld);
+        localFileDataSource = ld;
+        this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS
+    }
+
+    @Override
+    @NbBundle.Messages({"LocalFilesDataSourceNode.createSheet.size.name=Size (Bytes)",
+        "LocalFilesDataSourceNode.createSheet.size.displayName=Size (Bytes)",
+        "LocalFilesDataSourceNode.createSheet.size.desc=Size of the data source in bytes.",
+        "LocalFilesDataSourceNode.createSheet.type.name=Type",
+        "LocalFilesDataSourceNode.createSheet.type.displayName=Type",
+        "LocalFilesDataSourceNode.createSheet.type.desc=Type of the image.",
+        "LocalFilesDataSourceNode.createSheet.type.text=Logical File Set",
+        "LocalFilesDataSourceNode.createSheet.timezone.name=Timezone",
+        "LocalFilesDataSourceNode.createSheet.timezone.displayName=Timezone",
+        "LocalFilesDataSourceNode.createSheet.timezone.desc=Timezone of the image",
+        "LocalFilesDataSourceNode.createSheet.deviceId.name=Device ID",
+        "LocalFilesDataSourceNode.createSheet.deviceId.displayName=Device ID",
+        "LocalFilesDataSourceNode.createSheet.deviceId.desc=Device ID of the image",
+        "LocalFilesDataSourceNode.createSheet.name.name=Name",
+        "LocalFilesDataSourceNode.createSheet.name.displayName=Name",
+        "LocalFilesDataSourceNode.createSheet.name.desc=no description",
+        "LocalFilesDataSourceNode.createSheet.noDesc=no description",})
+    protected Sheet createSheet() {
+        Sheet sheet = new Sheet();
+        Sheet.Set sheetSet = Sheet.createPropertiesSet();
+        sheet.put(sheetSet);
+
+        sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_name_name(),
+                Bundle.LocalFilesDataSourceNode_createSheet_name_displayName(),
+                Bundle.LocalFilesDataSourceNode_createSheet_name_desc(),
+                getName()));
+
+        sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_type_name(),
+                Bundle.LocalFilesDataSourceNode_createSheet_type_displayName(),
+                Bundle.LocalFilesDataSourceNode_createSheet_type_desc(),
+                Bundle.LocalFilesDataSourceNode_createSheet_type_text()));
+
+        sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_size_name(),
+                Bundle.LocalFilesDataSourceNode_createSheet_size_displayName(),
+                Bundle.LocalFilesDataSourceNode_createSheet_size_desc(),
+                this.content.getSize()));
+
+        sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_timezone_name(),
+                Bundle.LocalFilesDataSourceNode_createSheet_timezone_displayName(),
+                Bundle.LocalFilesDataSourceNode_createSheet_timezone_desc(),
+                ""));
+
+        sheetSet.put(new NodeProperty<>(Bundle.LocalFilesDataSourceNode_createSheet_deviceId_name(),
+                Bundle.LocalFilesDataSourceNode_createSheet_deviceId_displayName(),
+                Bundle.LocalFilesDataSourceNode_createSheet_deviceId_desc(),
+                localFileDataSource.getDeviceId()));
+
+        return sheet;
+    }
+
+    @Override
+    public <T> T accept(ContentNodeVisitor<T> visitor) {
+        return visitor.visit(this);
+    }
+
+    @Override
+    public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {
+        return visitor.visit(this);
+    }
+}

Core/src/org/sleuthkit/autopsy/datamodel/VirtualDirectoryNode.java

@@ -1,7 +1,7 @@
 /*
  * Autopsy Forensic Browser
  *
- * Copyright 2011-2019 Basis Technology Corp.
+ * Copyright 2011-2021 Basis Technology Corp.
  * Contact: carrier <at> sleuthkit <dot> org
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -18,16 +18,9 @@
  */
 package org.sleuthkit.autopsy.datamodel;
 
-import java.sql.ResultSet;
-import java.sql.SQLException;
-import java.util.logging.Level;
 import org.openide.nodes.Sheet;
 import org.openide.util.NbBundle;
-import org.sleuthkit.autopsy.casemodule.Case;
-import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
 import org.sleuthkit.autopsy.coreutils.Logger;
-import org.sleuthkit.datamodel.SleuthkitCase;
-import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.VirtualDirectory;
 
 /**
@@ -48,75 +41,11 @@ public class VirtualDirectoryNode extends SpecialDirectoryNode {
 
         this.setDisplayName(nameForVirtualDirectory(ld));
         
-        //set icon for name, special case for logical file set
+        this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS
-        if (ld.isDataSource()) {
-            this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/fileset-icon-16.png"); //NON-NLS
-        } else {
-            this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/folder-icon-virtual.png"); //TODO NON-NLS
-        }
     }
 
     @Override
-    @NbBundle.Messages({"VirtualDirectoryNode.createSheet.size.name=Size (Bytes)",
-        "VirtualDirectoryNode.createSheet.size.displayName=Size (Bytes)",
-        "VirtualDirectoryNode.createSheet.size.desc=Size of the data source in bytes.",
-        "VirtualDirectoryNode.createSheet.type.name=Type",
-        "VirtualDirectoryNode.createSheet.type.displayName=Type",
-        "VirtualDirectoryNode.createSheet.type.desc=Type of the image.",
-        "VirtualDirectoryNode.createSheet.type.text=Logical File Set",
-        "VirtualDirectoryNode.createSheet.timezone.name=Timezone",
-        "VirtualDirectoryNode.createSheet.timezone.displayName=Timezone",
-        "VirtualDirectoryNode.createSheet.timezone.desc=Timezone of the image",
-        "VirtualDirectoryNode.createSheet.deviceId.name=Device ID",
-        "VirtualDirectoryNode.createSheet.deviceId.displayName=Device ID",
-        "VirtualDirectoryNode.createSheet.deviceId.desc=Device ID of the image"})
     protected Sheet createSheet() {
-        //Do a special strategy for virtual directories..
-        if(this.content.isDataSource()){
-            Sheet sheet = new Sheet();
-            Sheet.Set sheetSet = Sheet.createPropertiesSet();
-            sheet.put(sheetSet);
-            
-            sheetSet.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.name"),
-                NbBundle.getMessage(this.getClass(),
-                        "VirtualDirectoryNode.createSheet.name.displayName"),
-                NbBundle.getMessage(this.getClass(), "VirtualDirectoryNode.createSheet.name.desc"),
-                getName()));
-        
-            sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_type_name(),
-                    Bundle.VirtualDirectoryNode_createSheet_type_displayName(),
-                    Bundle.VirtualDirectoryNode_createSheet_type_desc(),
-                    Bundle.VirtualDirectoryNode_createSheet_type_text()));
-            sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_size_name(),
-                    Bundle.VirtualDirectoryNode_createSheet_size_displayName(),
-                    Bundle.VirtualDirectoryNode_createSheet_size_desc(),
-                    this.content.getSize()));
-            try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT time_zone FROM data_source_info WHERE obj_id = " + this.content.getId())) {
-                ResultSet timeZoneSet = query.getResultSet();
-                if (timeZoneSet.next()) {
-                    sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_timezone_name(),
-                            Bundle.VirtualDirectoryNode_createSheet_timezone_displayName(),
-                            Bundle.VirtualDirectoryNode_createSheet_timezone_desc(),
-                            timeZoneSet.getString("time_zone")));
-                }
-            } catch (SQLException | TskCoreException | NoCurrentCaseException ex) {
-                logger.log(Level.SEVERE, "Failed to get time zone for the following image: " + this.content.getId(), ex);
-            }
-            try (SleuthkitCase.CaseDbQuery query = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery("SELECT device_id FROM data_source_info WHERE obj_id = " + this.content.getId());) {
-                ResultSet deviceIdSet = query.getResultSet();
-                if (deviceIdSet.next()) {
-                    sheetSet.put(new NodeProperty<>(Bundle.VirtualDirectoryNode_createSheet_deviceId_name(),
-                            Bundle.VirtualDirectoryNode_createSheet_deviceId_displayName(),
-                            Bundle.VirtualDirectoryNode_createSheet_deviceId_desc(),
-                            deviceIdSet.getString("device_id")));
-                }
-            } catch (SQLException | TskCoreException | NoCurrentCaseException ex) {
-                logger.log(Level.SEVERE, "Failed to get device id for the following image: " + this.content.getId(), ex);
-            }
-            return sheet;
-        }
-
-        //Otherwise default to the AAFN createSheet method.
         Sheet defaultSheet = super.createSheet();
         Sheet.Set defaultSheetSet = defaultSheet.get(Sheet.PROPERTIES);
         

Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java

@@ -1517,9 +1517,8 @@ public final class DirectoryTreeTopComponent extends TopComponent implements Dat
      * Returns the credit card artifact's parent node or null if cannot be
      * found.
      *
-     * @param typesChildren The children object of the same category as credit
+     * @param accountRootChildren
-     *                      card.
+     * @param ccNumberName
-     * @param art           The artifact.
      *
      * @return The credit card artifact's parent node or null if cannot be
      *         found.

Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java

@@ -1450,6 +1450,9 @@ class SevenZipExtractor {
          *                        updating
          * @param statusMap       - the map of existing files and their status
          * @param archiveFilePath - the archive file path for the unpacked node
+         * @param parentAr        - the parent archive as an Archive object
+         * @param archiveFile     - the parent archive as an AbstractFile
+         * @param depthMap        - the depth map (to prevent zip bombs)
          *
          * @throws TskCoreException
          */

Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java

@@ -361,6 +361,8 @@ public class FileTypeDetector {
      * Determines whether or not a file matches a user-defined custom file type.
      *
      * @param file The file to test.
+     * @param startOfFileBuffer  The beginning of the file data.
+     * @param bufLen The length of startOfFileBuffer.
      *
      * @return The MIME type as a string if a match is found; otherwise null.
      */
@@ -381,6 +383,8 @@ public class FileTypeDetector {
      * Autopsy.
      *
      * @param file The file to test.
+     * @param startOfFileBuffer  The beginning of the file data.
+     * @param bufLen The length of startOfFileBuffer.
      * 
      * @return The MIME type as a string if a match is found; otherwise null.
      */

Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java

@@ -151,6 +151,8 @@ public class FileTypeIdIngestModule implements FileIngestModule {
      * Determines whether or not a file matches a user-defined custom file type.
      *
      * @param file The file to test.
+     * @param startOfFileBuffer  The beginning of the file data.
+     * @param bufLen The length of startOfFileBuffer.
      *
      * @return The file type if a match is found; otherwise null.
      *

RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java

@@ -817,7 +817,7 @@ class ExtractRegistry extends Extract {
                                         try {
                                             bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME, parentModuleName, value));
                                             bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME, parentModuleName, itemMtime));
-                                            BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_DELETED_PROG), bbattributes);
+                                            BlackboardArtifact bbart = regFile.newDataArtifact(new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_INSTALLED_PROG), bbattributes);
                                             newArtifacts.add(bbart);
                                         } catch (TskCoreException ex) {
                                             logger.log(Level.SEVERE, "Error adding installed program artifact to blackboard.", ex); //NON-NLS

docs/doxygen-user/multi-user/installSystems.dox

@@ -26,14 +26,13 @@ We recommend:
 
 \subsection multiuser_system_hw Suggested Hardware
 
-TODO
+- PostgreSQL/ActiveMQ (Server 1):
+ - RAM: 16GB or more
+ - Local Storage: 500GB SSD
 
-- PostgreSQL/ActiveMQ (server 1):
+- Solr (Server 2):
- - RAM: 
+ - RAM: 32GB or more
- - Local Storage: Enough for databases
+ - Local Storage: A single index will be roughly the size of the data source being ingested. For example 128GB E01 will usually generate  a 128 GB index.
-- Solr (server 2):
- - RAM: 
- - Local Storage: Minimal 
 
 \subsection multiuser_system_back Backups