mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-15 09:17:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update FileTypeDetector API

Browse Source
This commit is contained in:
Richard Cordovano 2018-01-05 09:50:49 -05:00
parent 00750c1079
commit 6bed444d24
1 changed files with 66 additions and 88 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java
View File

@ -179,39 +179,12 @@ public class FileTypeDetector {
* *
* @param file The file to test. * @param file The file to test.
* *
* @return A MIME type name. If file type could not be detected or results * @return A MIME type name. If file type could not be detected, or results
* were uncertain, octet-stream is returned. * were uncertain, octet-stream is returned.
*
* @throws TskCoreException if there is a problem writing the result to the
* case database.
*/ */
public String detect(AbstractFile file) throws TskCoreException { public String detectMIMEType(AbstractFile file) {
return detect(file, false);
}
/**
* Detects the MIME type of a file. The result is saved to the case database
* only if the add to case database flag is set.
*
* Ingest modules should not set addToCaseDb to true - the ingest process
* handles the database save.
*
* @param file The file to test.
* @param addToCaseDb Whether the MIME type should be added to the case
* database. This flag is part of a partial workaround
* for a check-then-act-race condition (see notes in
* comments for details).
*
* @return A MIME type name. If file type could not be detected or results
* were uncertain, octet-stream is returned.
*
* @throws TskCoreException If there is a problem writing the result to the
* case database.
*/
private String detect(AbstractFile file, boolean addToCaseDb) throws TskCoreException {
/* /*
* Check to see if the file has already been typed. This is the "check" * Check to see if the file has already been typed.
* part of a check-then-act race condition (see note below).
*/ */
String mimeType = file.getMIMEType(); String mimeType = file.getMIMEType();
if (null != mimeType) { if (null != mimeType) {
@ -281,31 +254,6 @@ public class FileTypeDetector {
} }
} }
/*
* If adding the result to the case database, do so now.
*
* NOTE: This condtional is a way to deal with the check-then-act race
* condition created by the gap between querying the MIME type and
* recording it. It is not really a problem for the mime_type column of
* the tsk_files table, but it can lead to duplicate blackboard posts,
* and the posts are required to maintain backward compatibility.
* Various mitigation strategies were considered. It was decided to go
* with the policy that only ingest modules are allowed to add file
* types to the case database, at least until such time as file types
* are no longer posted to the blackboard. Of course, this is not a
* perfect solution. It's not really enforceable for community
* contributed plug ins and it does not handle the unlikely but possible
* scenario of multiple processes typing the same file for a multi-user
* case.
*/
if (addToCaseDb) {
/*
* Add the MIME type to the files table in the case database.
*/
Case.getCurrentCase().getSleuthkitCase().setFileMIMEType(file, mimeType);
}
file.setMIMEType(mimeType);
return mimeType; return mimeType;
} }
@ -327,7 +275,9 @@ public class FileTypeDetector {
/** /**
* Determines whether or not the a file matches a user-defined custom file * Determines whether or not the a file matches a user-defined custom file
* type. * type. If the file matches and corresponds to an interesting files type
* rule, this method has the side effect of creating an interesting files
* hit artifact and indexing that artifact for keyword search.
* *
* @param file The file to test. * @param file The file to test.
* *
@ -335,10 +285,11 @@ public class FileTypeDetector {
* *
* @throws TskCoreException * @throws TskCoreException
*/ */
private String detectUserDefinedType(AbstractFile file) throws TskCoreException { private String detectUserDefinedType(AbstractFile file) {
for (FileType fileType : userDefinedFileTypes) { for (FileType fileType : userDefinedFileTypes) {
if (fileType.matches(file)) { if (fileType.matches(file)) {
if (fileType.createInterestingFileHit()) { if (fileType.createInterestingFileHit()) {
try {
BlackboardArtifact artifact; BlackboardArtifact artifact;
artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
Collection<BlackboardAttribute> attributes = new ArrayList<>(); Collection<BlackboardAttribute> attributes = new ArrayList<>();
@ -346,23 +297,24 @@ public class FileTypeDetector {
attributes.add(setNameAttribute); attributes.add(setNameAttribute);
/* /*
* Use the MIME type as the category attribute, i.e., the * Use the MIME type as the category attribute, i.e.,
* rule that determined this file belongs to the interesting * the rule that determined this file belongs to the
* files set. * interesting files set.
*/ */
BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, FileTypeIdModuleFactory.getModuleName(), fileType.getMimeType()); BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, FileTypeIdModuleFactory.getModuleName(), fileType.getMimeType());
attributes.add(ruleNameAttribute); attributes.add(ruleNameAttribute);
artifact.addAttributes(attributes); artifact.addAttributes(attributes);
try {
/* /*
* Index the artifact for keyword search. * Index the artifact for keyword search.
*/ */
try {
Case.getCurrentCase().getServices().getBlackboard().indexArtifact(artifact); Case.getCurrentCase().getServices().getBlackboard().indexArtifact(artifact);
} catch (Blackboard.BlackboardException ex) { } catch (Blackboard.BlackboardException ex) {
logger.log(Level.SEVERE, String.format("Unable to index blackboard artifact %d", artifact.getArtifactID()), ex); //NON-NLS logger.log(Level.SEVERE, String.format("Unable to index TSK_INTERESTING_FILE_HIT blackboard artifact %d (file obj_id=%d)", artifact.getArtifactID(), file.getId()), ex); //NON-NLS
MessageNotifyUtil.Notify.error( }
NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.exception.msg"), artifact.getDisplayName()); } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Unable to create TSK_INTERESTING_FILE_HIT artifact for file (obj_id=%d)", file.getId()), ex); //NON-NLS
} }
} }
@ -379,10 +331,8 @@ public class FileTypeDetector {
* @param file The file to test. * @param file The file to test.
* *
* @return The file type name string or null, if no match is detected. * @return The file type name string or null, if no match is detected.
*
* @throws TskCoreException
*/ */
private String detectAutopsyDefinedType(AbstractFile file) throws TskCoreException { private String detectAutopsyDefinedType(AbstractFile file) {
for (FileType fileType : autopsyDefinedFileTypes) { for (FileType fileType : autopsyDefinedFileTypes) {
if (fileType.matches(file)) { if (fileType.matches(file)) {
return fileType.getMimeType(); return fileType.getMimeType();
@ -452,12 +402,16 @@ public class FileTypeDetector {
* *
* @throws TskCoreException if detection is required and there is a problem * @throws TskCoreException if detection is required and there is a problem
* writing the result to the case database. * writing the result to the case database.
* @deprecated Use getFileType instead and use AbstractFile.getMIMEType * @deprecated Use detectMIMEType instead, and call AbstractFile.setMIMEType
* instead of querying the blackboard. * and AbstractFile.save to save the result to the file object and the
* database.
*/ */
@Deprecated @Deprecated
public String detectAndPostToBlackboard(AbstractFile file) throws TskCoreException { public String detectAndPostToBlackboard(AbstractFile file) throws TskCoreException {
return detect(file, true); String fileType = detectMIMEType(file);
file.setMIMEType(fileType);
file.save();
return fileType;
} }
/** /**
@ -472,11 +426,35 @@ public class FileTypeDetector {
* @throws TskCoreException if detection is required and there is a problem * @throws TskCoreException if detection is required and there is a problem
* writing the result to the case database. * writing the result to the case database.
* *
* @deprecated * @deprecated Use detectMIMEType instead, and call AbstractFile.setMIMEType
* and AbstractFile.save to save the result to the file object and the
* database.
*/ */
@Deprecated @Deprecated
public String getFileType(AbstractFile file) throws TskCoreException { public String getFileType(AbstractFile file) throws TskCoreException {
return detect(file, true); String fileType = detectMIMEType(file);
file.setMIMEType(fileType);
file.save();
return fileType;
}
/**
* Detects the MIME type of a file. The result is not added to the case
* database.
*
* @param file The file to test.
*
* @return A MIME type name. If file type could not be detected or results
* were uncertain, octet-stream is returned.
*
* @throws TskCoreException
* @deprecated Use detectMIMEType instead.
*/
@Deprecated
public String detect(AbstractFile file) throws TskCoreException {
String fileType = detectMIMEType(file);
file.setMIMEType(fileType); // Retain side effect of setting value in file object.
return fileType;
} }
} }