From 6bed444d249fc7304600de7acb5b273399551444 Mon Sep 17 00:00:00 2001 From: Richard Cordovano Date: Fri, 5 Jan 2018 09:50:49 -0500 Subject: [PATCH] Update FileTypeDetector API --- .../modules/filetypeid/FileTypeDetector.java | 154 ++++++++---------- 1 file changed, 66 insertions(+), 88 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java index b24cc3e88a..79a3602cc2 100755 --- a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java +++ b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java @@ -179,39 +179,12 @@ public class FileTypeDetector { * * @param file The file to test. * - * @return A MIME type name. If file type could not be detected or results + * @return A MIME type name. If file type could not be detected, or results * were uncertain, octet-stream is returned. - * - * @throws TskCoreException if there is a problem writing the result to the - * case database. */ - public String detect(AbstractFile file) throws TskCoreException { - return detect(file, false); - } - - /** - * Detects the MIME type of a file. The result is saved to the case database - * only if the add to case database flag is set. - * - * Ingest modules should not set addToCaseDb to true - the ingest process - * handles the database save. - * - * @param file The file to test. - * @param addToCaseDb Whether the MIME type should be added to the case - * database. This flag is part of a partial workaround - * for a check-then-act-race condition (see notes in - * comments for details). - * - * @return A MIME type name. If file type could not be detected or results - * were uncertain, octet-stream is returned. - * - * @throws TskCoreException If there is a problem writing the result to the - * case database. - */ - private String detect(AbstractFile file, boolean addToCaseDb) throws TskCoreException { + public String detectMIMEType(AbstractFile file) { /* - * Check to see if the file has already been typed. This is the "check" - * part of a check-then-act race condition (see note below). + * Check to see if the file has already been typed. */ String mimeType = file.getMIMEType(); if (null != mimeType) { @@ -281,31 +254,6 @@ public class FileTypeDetector { } } - /* - * If adding the result to the case database, do so now. - * - * NOTE: This condtional is a way to deal with the check-then-act race - * condition created by the gap between querying the MIME type and - * recording it. It is not really a problem for the mime_type column of - * the tsk_files table, but it can lead to duplicate blackboard posts, - * and the posts are required to maintain backward compatibility. - * Various mitigation strategies were considered. It was decided to go - * with the policy that only ingest modules are allowed to add file - * types to the case database, at least until such time as file types - * are no longer posted to the blackboard. Of course, this is not a - * perfect solution. It's not really enforceable for community - * contributed plug ins and it does not handle the unlikely but possible - * scenario of multiple processes typing the same file for a multi-user - * case. - */ - if (addToCaseDb) { - /* - * Add the MIME type to the files table in the case database. - */ - Case.getCurrentCase().getSleuthkitCase().setFileMIMEType(file, mimeType); - } - - file.setMIMEType(mimeType); return mimeType; } @@ -327,7 +275,9 @@ public class FileTypeDetector { /** * Determines whether or not the a file matches a user-defined custom file - * type. + * type. If the file matches and corresponds to an interesting files type + * rule, this method has the side effect of creating an interesting files + * hit artifact and indexing that artifact for keyword search. * * @param file The file to test. * @@ -335,34 +285,36 @@ public class FileTypeDetector { * * @throws TskCoreException */ - private String detectUserDefinedType(AbstractFile file) throws TskCoreException { + private String detectUserDefinedType(AbstractFile file) { for (FileType fileType : userDefinedFileTypes) { if (fileType.matches(file)) { if (fileType.createInterestingFileHit()) { - BlackboardArtifact artifact; - artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); - Collection attributes = new ArrayList<>(); - BlackboardAttribute setNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, FileTypeIdModuleFactory.getModuleName(), fileType.getInterestingFilesSetName()); - attributes.add(setNameAttribute); - - /* - * Use the MIME type as the category attribute, i.e., the - * rule that determined this file belongs to the interesting - * files set. - */ - BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, FileTypeIdModuleFactory.getModuleName(), fileType.getMimeType()); - attributes.add(ruleNameAttribute); - - artifact.addAttributes(attributes); - /* - * Index the artifact for keyword search. - */ try { - Case.getCurrentCase().getServices().getBlackboard().indexArtifact(artifact); - } catch (Blackboard.BlackboardException ex) { - logger.log(Level.SEVERE, String.format("Unable to index blackboard artifact %d", artifact.getArtifactID()), ex); //NON-NLS - MessageNotifyUtil.Notify.error( - NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.exception.msg"), artifact.getDisplayName()); + BlackboardArtifact artifact; + artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); + Collection attributes = new ArrayList<>(); + BlackboardAttribute setNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, FileTypeIdModuleFactory.getModuleName(), fileType.getInterestingFilesSetName()); + attributes.add(setNameAttribute); + + /* + * Use the MIME type as the category attribute, i.e., + * the rule that determined this file belongs to the + * interesting files set. + */ + BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, FileTypeIdModuleFactory.getModuleName(), fileType.getMimeType()); + attributes.add(ruleNameAttribute); + + artifact.addAttributes(attributes); + try { + /* + * Index the artifact for keyword search. + */ + Case.getCurrentCase().getServices().getBlackboard().indexArtifact(artifact); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, String.format("Unable to index TSK_INTERESTING_FILE_HIT blackboard artifact %d (file obj_id=%d)", artifact.getArtifactID(), file.getId()), ex); //NON-NLS + } + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, String.format("Unable to create TSK_INTERESTING_FILE_HIT artifact for file (obj_id=%d)", file.getId()), ex); //NON-NLS } } @@ -379,10 +331,8 @@ public class FileTypeDetector { * @param file The file to test. * * @return The file type name string or null, if no match is detected. - * - * @throws TskCoreException */ - private String detectAutopsyDefinedType(AbstractFile file) throws TskCoreException { + private String detectAutopsyDefinedType(AbstractFile file) { for (FileType fileType : autopsyDefinedFileTypes) { if (fileType.matches(file)) { return fileType.getMimeType(); @@ -452,12 +402,16 @@ public class FileTypeDetector { * * @throws TskCoreException if detection is required and there is a problem * writing the result to the case database. - * @deprecated Use getFileType instead and use AbstractFile.getMIMEType - * instead of querying the blackboard. + * @deprecated Use detectMIMEType instead, and call AbstractFile.setMIMEType + * and AbstractFile.save to save the result to the file object and the + * database. */ @Deprecated public String detectAndPostToBlackboard(AbstractFile file) throws TskCoreException { - return detect(file, true); + String fileType = detectMIMEType(file); + file.setMIMEType(fileType); + file.save(); + return fileType; } /** @@ -472,11 +426,35 @@ public class FileTypeDetector { * @throws TskCoreException if detection is required and there is a problem * writing the result to the case database. * - * @deprecated + * @deprecated Use detectMIMEType instead, and call AbstractFile.setMIMEType + * and AbstractFile.save to save the result to the file object and the + * database. */ @Deprecated public String getFileType(AbstractFile file) throws TskCoreException { - return detect(file, true); + String fileType = detectMIMEType(file); + file.setMIMEType(fileType); + file.save(); + return fileType; + } + + /** + * Detects the MIME type of a file. The result is not added to the case + * database. + * + * @param file The file to test. + * + * @return A MIME type name. If file type could not be detected or results + * were uncertain, octet-stream is returned. + * + * @throws TskCoreException + * @deprecated Use detectMIMEType instead. + */ + @Deprecated + public String detect(AbstractFile file) throws TskCoreException { + String fileType = detectMIMEType(file); + file.setMIMEType(fileType); // Retain side effect of setting value in file object. + return fileType; } }