From 7ad21efaa66100f208e2990dc0adf174dce344cc Mon Sep 17 00:00:00 2001
From: Richard Cordovano
Date: Fri, 19 Nov 2021 13:47:57 -0500
Subject: [PATCH] 7895 CR data artifact ingest module
---
 .../ingestmodule/CentralRepoIngestModule.java | 120 +++++++++---------
 1 file changed, 60 insertions(+), 60 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java
index fec61caa42..1d30b2f9bf 100644
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java
@@ -58,6 +58,66 @@ final class CentralRepoIngestModule implements FileIngestModule {
 private CentralRepository centralRepo;
 private CorrelationAttributeInstance.Type filesType;
+ @Override
+ public ProcessResult process(AbstractFile abstractFile) {
+ if (!flagNotableItems && !saveCorrAttrInstances) {
+ return ProcessResult.OK;
+ }
+
+ if (!filesType.isEnabled()) {
+ return ProcessResult.OK;
+ }
+
+ if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) {
+ return ProcessResult.OK;
+ }
+
+ if (!CorrelationAttributeUtil.isSupportedAbstractFileType(abstractFile)) {
+ return ProcessResult.OK;
+ }
+
+ /*
+ * The correlation attribute value for a file is its MD5 hash. This
+ * module cannot do anything with a file if the hash calculation has not
+ * been done, but the decision has been made to not do a hash
+ * calculation here if the file hashing and lookup module is not in this
+ * pipeline ahead of this module (affirmed per BC, 11/8/21).
+ */
+ String md5 = abstractFile.getMd5Hash();
+ if ((md5 == null) || (HashUtility.isNoDataMd5(md5))) {
+ return ProcessResult.OK;
+ }
+
+ if (flagNotableItems) {
+ try {
+ TimingMetric timingMetric = HealthMonitor.getTimingMetric("Central Repository: Notable artifact query");
+ Set otherCases = new HashSet<>();
+ otherCases.addAll(centralRepo.getListCasesHavingArtifactInstancesKnownBad(filesType, md5));
+ HealthMonitor.submitTimingMetric(timingMetric);
+ if (!otherCases.isEmpty()) {
+ makePrevNotableAnalysisResult(abstractFile, otherCases, filesType, md5, context.getDataSource().getId(), context.getJobId());
+ }
+ } catch (CentralRepoException ex) {
+ logger.log(Level.SEVERE, "Error searching database for artifact.", ex); // NON-NLS
+ } catch (CorrelationAttributeNormalizationException ex) {
+ logger.log(Level.INFO, "Error searching database for artifact.", ex); // NON-NLS
+ }
+ }
+
+ if (saveCorrAttrInstances) {
+ List corrAttrs = CorrelationAttributeUtil.makeCorrAttrsToSave(abstractFile);
+ for (CorrelationAttributeInstance corrAttr : corrAttrs) {
+ try {
+ centralRepo.addAttributeInstanceBulk(corrAttr);
+ } catch (CentralRepoException ex) {
+ logger.log(Level.SEVERE, "Error adding artifact to bulk artifacts.", ex); // NON-NLS
+ }
+ }
+ }
+
+ return ProcessResult.OK;
+ }
+
 /**
 * Constructs a file ingest module that adds correlation attributes for
 * files to the central repository, and makes previously notable analysis
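Review bot: In the `flagNotableItems` branch of `process`, both catch blocks log and fall through to `return ProcessResult.OK`, so a failed central repository lookup is reported the same way as a lookup that found no previously notable cases, and the file is left unflagged with no signal to the examiner beyond the log. The `CorrelationAttributeNormalizationException` case is logged only at `Level.INFO`, which is easy to miss; consider `Level.WARNING` there, or at least a comment such as `// Lookup failed: file was NOT checked against notable items; this is not a no-match`. Also, `HealthMonitor.submitTimingMetric(timingMetric)` is skipped whenever the query throws, so failed queries never appear in the timing data. The method is moved here unchanged by this commit, so this behaviour predates it.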
@@ -128,66 +188,6 @@ final class CentralRepoIngestModule implements FileIngestModule {
 }
 }
- @Override
- public ProcessResult process(AbstractFile abstractFile) {
- if (!flagNotableItems && !saveCorrAttrInstances) {
- return ProcessResult.OK;
- }
-
- if (!filesType.isEnabled()) {
- return ProcessResult.OK;
- }
-
- if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) {
- return ProcessResult.OK;
- }
-
- if (!CorrelationAttributeUtil.isSupportedAbstractFileType(abstractFile)) {
- return ProcessResult.OK;
- }
-
- /*
- * The correlation attribute value for a file is its MD5 hash. This
- * module cannot do anything with a file if the hash calculation has not
- * been done, but the decision has been made to not do a hash
- * calculation here if the file hashing and lookup module is not in this
- * pipeline ahead of this module (affirmed per BC, 11/8/21).
- */
- String md5 = abstractFile.getMd5Hash();
- if ((md5 == null) || (HashUtility.isNoDataMd5(md5))) {
- return ProcessResult.OK;
- }
-
- if (flagNotableItems) {
- try {
- TimingMetric timingMetric = HealthMonitor.getTimingMetric("Central Repository: Notable artifact query");
- Set otherCases = new HashSet<>();
- otherCases.addAll(centralRepo.getListCasesHavingArtifactInstancesKnownBad(filesType, md5));
- HealthMonitor.submitTimingMetric(timingMetric);
- if (!otherCases.isEmpty()) {
- makePrevNotableAnalysisResult(abstractFile, otherCases, filesType, md5, context.getDataSource().getId(), context.getJobId());
- }
- } catch (CentralRepoException ex) {
- logger.log(Level.SEVERE, "Error searching database for artifact.", ex); // NON-NLS
- } catch (CorrelationAttributeNormalizationException ex) {
- logger.log(Level.INFO, "Error searching database for artifact.", ex); // NON-NLS
- }
- }
-
- if (saveCorrAttrInstances) {
- List corrAttrs = CorrelationAttributeUtil.makeCorrAttrsToSave(abstractFile);
- for (CorrelationAttributeInstance corrAttr : corrAttrs) {
- try {
- centralRepo.addAttributeInstanceBulk(corrAttr);
- } catch (CentralRepoException ex) {
- logger.log(Level.SEVERE, "Error adding artifact to bulk artifacts.", ex); // NON-NLS
- }
- }
- }
-
- return ProcessResult.OK;
- }
-
 @Override
 public void shutDown() {
 if (refCounter.decrementAndGet(context.getJobId()) == 0) {