diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java index 7b26373132..af6939f119 100644 --- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java +++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java @@ -398,14 +398,11 @@ public final class KeywordSearchIngestService implements IngestServiceFsContent if (query.isLiteral()) { del = new LuceneQuery(queryStr); + del.escape(); } else { del = new TermComponentQuery(queryStr); } - if (query.isLiteral()) { - del.escape(); - } - List queryResult = null; try { @@ -447,14 +444,16 @@ public final class KeywordSearchIngestService implements IngestServiceFsContent //write results to BB for (FsContent hitFile : newResults) { - BlackboardArtifact bba = null; - try { - bba = hitFile.newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT); - } catch (Exception e) { - logger.log(Level.INFO, "Error adding bb artifact for keyword hit", e); - continue; - } + Collection attributes = new ArrayList(); if (query.isLiteral()) { + BlackboardArtifact bba = null; + try { + bba = hitFile.newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT); + } catch (Exception e) { + logger.log(Level.INFO, "Error adding bb artifact for keyword hit", e); + continue; + } + String snippet = null; try { snippet = LuceneQuery.getSnippet(queryStr, hitFile.getId()); @@ -462,77 +461,89 @@ public final class KeywordSearchIngestService implements IngestServiceFsContent logger.log(Level.INFO, "Error querying snippet: " + queryStr, e); } if (snippet != null) { + //first try to add attr not in bulk so we can catch sql exception and encode the string try { bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID(), MODULE_NAME, "keyword", snippet)); } catch (Exception e1) { - logger.log(Level.INFO, "Error adding bb snippet attribute, will encode and retry", e1); try { //escape in case of garbage so that sql accepts it snippet = URLEncoder.encode(snippet, "UTF-8"); - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID(), MODULE_NAME, "keyword", snippet)); - } - catch (Exception e2) { + attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID(), MODULE_NAME, "keyword", snippet)); + } catch (Exception e2) { logger.log(Level.INFO, "Error adding bb snippet attribute", e2); } } } try { //keyword - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID(), MODULE_NAME, "keyword", queryStr)); + attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID(), MODULE_NAME, "keyword", queryStr)); //bogus - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID(), MODULE_NAME, "keyword", "")); + attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID(), MODULE_NAME, "keyword", "")); } catch (Exception e) { logger.log(Level.INFO, "Error adding bb attribute", e); } + + try { + bba.addAttributes(attributes); + } catch (TskException e) { + logger.log(Level.INFO, "Error adding bb attributes to artifact", e); + } + } else { //regex case - try { - //regex keyword - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID(), MODULE_NAME, "keyword", queryStr)); - //bogus - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID(), MODULE_NAME, "keyword", "")); - } catch (Exception e) { - logger.log(Level.INFO, "Error adding bb attribute", e); - } - //build preview query from terms - StringBuilder termSb = new StringBuilder(); - Collection terms = del.getTerms(); - int i = 0; - final int total = terms.size(); + //create a separate artifact per regex hit + + final Collection terms = del.getTerms(); for (Term term : terms) { - termSb.append(term.getTerm()); - if (i < total - 1) { - termSb.append(" "); //OR - } - ++i; - } - final String termSnipQuery = termSb.toString(); - String snippet = null; - try { - snippet = LuceneQuery.getSnippet(termSnipQuery, hitFile.getId()); - } catch (Exception e) { - logger.log(Level.INFO, "Error querying snippet: " + termSnipQuery, e); - } - - if (snippet != null) { + final String regexMatch = term.getTerm(); + //snippet + String snippet = null; try { - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID(), MODULE_NAME, "keyword", snippet)); + snippet = LuceneQuery.getSnippet(regexMatch, hitFile.getId()); } catch (Exception e) { - logger.log(Level.INFO, "Error adding bb snippet attribute, will encode and retry", e); - try { - //escape in case of garbage so that sql accepts it - snippet = URLEncoder.encode(snippet, "UTF-8"); - bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID(), MODULE_NAME, "keyword", snippet)); - } catch (Exception e2) { - logger.log(Level.INFO, "Error adding bb snippet attribute", e2); - } + logger.log(Level.INFO, "Error querying snippet: " + regexMatch, e); + continue; } - } - //TODO add all terms that matched to attribute - } + if (snippet != null && ! snippet.equals("")) { + //there is match actually in this file, create artifact only then + BlackboardArtifact bba = null; + try { + bba = hitFile.newArtifact(ARTIFACT_TYPE.TSK_KEYWORD_HIT); + } catch (Exception e) { + logger.log(Level.INFO, "Error adding bb artifact for keyword hit", e); + continue; + } - } + try { + //regex keyword + attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID(), MODULE_NAME, "keyword", queryStr)); + //regex match + attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID(), MODULE_NAME, "keyword", regexMatch)); + } catch (Exception e) { + logger.log(Level.INFO, "Error adding bb attribute", e); + } + + try { + //first try to add attr not in bulk so we can catch sql exception and encode the string + bba.addAttribute(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID(), MODULE_NAME, "keyword", snippet)); + } catch (Exception e) { + try { + //escape in case of garbage so that sql accepts it + snippet = URLEncoder.encode(snippet, "UTF-8"); + attributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID(), MODULE_NAME, "keyword", snippet)); + } catch (Exception e2) { + logger.log(Level.INFO, "Error adding bb snippet attribute", e2); + } + } + bba.addAttributes(attributes); + } + + } //for each term + + } //end regex case + + } //for each file hit //update artifact browser //TODO use has data evt