diff --git a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java index 9117b32a14..795afd0838 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java +++ b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeDetector.java @@ -19,22 +19,16 @@ package org.sleuthkit.autopsy.modules.filetypeid; import java.util.ArrayList; -import java.util.Collection; import java.util.Collections; import java.util.List; import java.util.SortedSet; import java.util.TreeSet; -import java.util.logging.Level; import java.util.stream.Collectors; import org.apache.tika.Tika; import org.apache.tika.io.TikaInputStream; import org.apache.tika.mime.MimeTypes; -import org.sleuthkit.autopsy.casemodule.Case; -import org.sleuthkit.autopsy.casemodule.services.Blackboard; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.datamodel.AbstractFile; -import org.sleuthkit.datamodel.BlackboardArtifact; -import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.ReadContentInputStream; import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskData; 
@@ -278,52 +272,30 @@ public class FileTypeDetector { } /** - * Determines whether or not the a file matches a user-defined custom file - * type. If the file matches and corresponds to an interesting files type - * rule, this method has the side effect of creating an interesting files - * hit artifact and indexing that artifact for keyword search. + * Determines whether or not a file matches a user-defined custom file type. * * @param file The file to test. * - * @return The file type name string or null, if no match is detected. - * - * @throws TskCoreException + * @return The MIME type as a string if a match is found; otherwise null. */ private String detectUserDefinedType(AbstractFile file) { + String retValue = null; + for (FileType fileType : userDefinedFileTypes) { if (fileType.matches(file)) { - if (fileType.createInterestingFileHit()) { - try { - BlackboardArtifact artifact; - artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); - Collection attributes = new ArrayList<>(); - BlackboardAttribute setNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, FileTypeIdModuleFactory.getModuleName(), fileType.getInterestingFilesSetName()); - attributes.add(setNameAttribute); - BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, FileTypeIdModuleFactory.getModuleName(), fileType.getMimeType()); - attributes.add(ruleNameAttribute); - artifact.addAttributes(attributes); - try { - Case.getCurrentCase().getServices().getBlackboard().indexArtifact(artifact); - } catch (Blackboard.BlackboardException ex) { - logger.log(Level.SEVERE, String.format("Unable to index TSK_INTERESTING_FILE_HIT blackboard artifact %d (file obj_id=%d)", artifact.getArtifactID(), file.getId()), ex); //NON-NLS - } - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, String.format("Unable to create TSK_INTERESTING_FILE_HIT artifact for file (obj_id=%d)", 
file.getId()), ex); //NON-NLS - } - } - return fileType.getMimeType(); + retValue = fileType.getMimeType(); + break; } } - return null; + return retValue; } /** - * Determines whether or not the a file matches a custom file type defined - * by Autopsy. + * Determines whether or not a file matches a custom file type defined by Autopsy. * * @param file The file to test. * - * @return The file type name string or null, if no match is detected. + * @return The MIME type as a string if a match is found; otherwise null. */ private String detectAutopsyDefinedType(AbstractFile file) { for (FileType fileType : autopsyDefinedFileTypes) { @@ -395,7 +367,7 @@ public class FileTypeDetector { * * @throws TskCoreException if detection is required and there is a problem * writing the result to the case database. - * @deprecated Use detectMIMEType instead, and call AbstractFile.setMIMEType + * @deprecated Use getMIMEType instead, and call AbstractFile.setMIMEType * and AbstractFile.save to save the result to the file object and the * database. */ @@ -419,7 +391,7 @@ public class FileTypeDetector { * @throws TskCoreException if detection is required and there is a problem * writing the result to the case database. * - * @deprecated Use detectMIMEType instead, and call AbstractFile.setMIMEType + * @deprecated Use getMIMEType instead, and call AbstractFile.setMIMEType * and AbstractFile.save to save the result to the file object and the * database. */ @@ -441,7 +413,7 @@ public class FileTypeDetector { * were uncertain, octet-stream is returned. * * @throws TskCoreException - * @deprecated Use detectMIMEType instead. + * @deprecated Use getMIMEType instead. */ @Deprecated public String detect(AbstractFile file) throws TskCoreException { diff --git a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java index 8e6b3a58b2..be0bcdfbb3 100644 
--- a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java @@ -1,15 +1,15 @@ /* * Autopsy Forensic Browser - * - * Copyright 2013-2015 Basis Technology Corp. + * + * Copyright 2013-2018 Basis Technology Corp. * Contact: carrier sleuthkit org - * + * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -18,9 +18,14 @@ */ package org.sleuthkit.autopsy.modules.filetypeid; +import java.util.ArrayList; +import java.util.Collection; import java.util.HashMap; +import java.util.List; import java.util.logging.Level; import org.openide.util.NbBundle; +import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.autopsy.casemodule.services.Blackboard; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.ingest.FileIngestModule; import org.sleuthkit.autopsy.ingest.IngestJobContext; 
@@ -29,13 +34,16 @@ import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.autopsy.ingest.IngestModule.ProcessResult; import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter; +import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.TskCoreException; /** * Detects the type of a file based on signature (magic) values. Posts results * to the blackboard. */ @NbBundle.Messages({ - "CannotRunFileTypeDetection=Unable to run file type detection." + "CannotRunFileTypeDetection=Unable to run file type detection." }) public class FileTypeIdIngestModule implements FileIngestModule { @@ -91,7 +99,12 @@ public class FileTypeIdIngestModule implements FileIngestModule { */ try { long startTime = System.currentTimeMillis(); - fileTypeDetector.getMIMEType(file); + String mimeType = fileTypeDetector.getMIMEType(file); + file.setMIMEType(mimeType); + FileType fileType = detectUserDefinedFileType(file); + if (fileType != null && fileType.createInterestingFileHit()) { + createInterestingFileHit(file, fileType); + } addToTotals(jobId, (System.currentTimeMillis() - startTime)); return ProcessResult.OK; } catch (Exception e) { 
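Review bot: `file.setMIMEType(mimeType)` in process() is not followed by `file.save()`, although the deprecation notes updated in this same commit tell callers to use AbstractFile.setMIMEType and AbstractFile.save to get the result into the case database. If the ingest framework saves the file after the modules have run, a comment above the call should say so, e.g. `// Not saved here: the ingest pipeline persists the file after all modules run.`; otherwise the detected type may exist only on the in-memory object. The interesting-file check also now runs on every call to process() instead of inside detection, so if getMIMEType returns an already-stored type on a repeated ingest run, this would presumably add a second TSK_INTERESTING_FILE_HIT for the same file; that is worth confirming. The enclosing try/catch starts and ends outside the hunk, so what the `catch (Exception e)` branch does with a CustomFileTypesException raised after the MIME type was set cannot be seen here.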
@@ -100,6 +113,57 @@ public class FileTypeIdIngestModule implements FileIngestModule { } } + /** + * Determines whether or not a file matches a user-defined custom file type. + * + * @param file The file to test. + * + * @return The file type if a match is found; otherwise null. + * + * @throws CustomFileTypesException If there is an issue getting an instance + * of CustomFileTypesManager. + */ + private FileType detectUserDefinedFileType(AbstractFile file) throws CustomFileTypesManager.CustomFileTypesException { + FileType retValue = null; + + CustomFileTypesManager customFileTypesManager = CustomFileTypesManager.getInstance(); + List fileTypesList = customFileTypesManager.getUserDefinedFileTypes(); + for (FileType fileType : fileTypesList) { + if (fileType.matches(file)) { + retValue = fileType; + break; + } + } + + return retValue; + } + + /** + * Create an Interesting File hit using the specified file type rule. + * + * @param file The file from which to generate an artifact. + * @param fileType The file type rule for categorizing the hit. 
+ */ + private void createInterestingFileHit(AbstractFile file, FileType fileType) { + try { + BlackboardArtifact artifact; + artifact = file.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); + Collection attributes = new ArrayList<>(); + BlackboardAttribute setNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, FileTypeIdModuleFactory.getModuleName(), fileType.getInterestingFilesSetName()); + attributes.add(setNameAttribute); + BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY, FileTypeIdModuleFactory.getModuleName(), fileType.getMimeType()); + attributes.add(ruleNameAttribute); + artifact.addAttributes(attributes); + try { + Case.getCurrentCase().getServices().getBlackboard().indexArtifact(artifact); + } catch (Blackboard.BlackboardException ex) { + logger.log(Level.SEVERE, String.format("Unable to index TSK_INTERESTING_FILE_HIT blackboard artifact %d (file obj_id=%d)", artifact.getArtifactID(), file.getId()), ex); //NON-NLS + } + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, String.format("Unable to create TSK_INTERESTING_FILE_HIT artifact for file (obj_id=%d)", file.getId()), ex); //NON-NLS + } + } + @Override public void shutDown() { /**
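Review bot: detectUserDefinedFileType calls `CustomFileTypesManager.getInstance().getUserDefinedFileTypes()` and re-runs `fileType.matches(file)` for every file, repeating the loop that FileTypeDetector.detectUserDefinedType already ran inside getMIMEType. Besides the second signature match per file, the list fetched here may not be the one the detector used (it iterates its own `userDefinedFileTypes` field), so the MIME type and the hit could come from different rule sets if the definitions change during a job; loading the list once in startUp into a field would avoid both. createInterestingFileHit only logs a TskCoreException, so process() still returns ProcessResult.OK when the hit was never written, which leaves an examiner with a missed finding and no signal outside the log; the Javadoc should at least state that failures are logged and not propagated. The `@throws CustomFileTypesException` tag should use the qualified name `CustomFileTypesManager.CustomFileTypesException` to match the signature.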