7852 adjust makeCorrAttrsForSearch(AbstractFile)

This commit is contained in:
William Schaefer 2021-09-01 14:53:49 -04:00
parent 90bda71c1d
commit ab61ae6663
6 changed files with 50 additions and 55 deletions


@ -19,6 +19,7 @@
package org.sleuthkit.autopsy.centralrepository; package org.sleuthkit.autopsy.centralrepository;
import java.awt.event.ActionEvent; import java.awt.event.ActionEvent;
import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import javax.swing.AbstractAction; import javax.swing.AbstractAction;
import javax.swing.Action; import javax.swing.Action;
@ -64,7 +65,13 @@ public final class AddEditCentralRepoCommentAction extends AbstractAction {
correlationAttributeInstance = CorrelationAttributeUtil.getCorrAttrForFile(file); correlationAttributeInstance = CorrelationAttributeUtil.getCorrAttrForFile(file);
if (correlationAttributeInstance == null) { if (correlationAttributeInstance == null) {
addToDatabase = true; addToDatabase = true;
correlationAttributeInstance = CorrelationAttributeUtil.makeCorrAttrFromFile(file); final List<CorrelationAttributeInstance> md5CorrelationAttr = CorrelationAttributeUtil.makeCorrAttrsForSearch(file);
if (!md5CorrelationAttr.isEmpty()) {
//for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
correlationAttributeInstance = md5CorrelationAttr.get(0);
} else {
correlationAttributeInstance = null;
}
} }
if (file.getSize() == 0) { if (file.getSize() == 0) {
putValue(Action.NAME, Bundle.AddEditCentralRepoCommentAction_menuItemText_addEditCentralRepoCommentEmptyFile()); putValue(Action.NAME, Bundle.AddEditCentralRepoCommentAction_menuItemText_addEditCentralRepoCommentEmptyFile());
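Review bot: The new else branch `correlationAttributeInstance = null;` is redundant, because the surrounding `if (correlationAttributeInstance == null)` guarantees the field is already null when that branch runs; the whole unpacking can be a single line, `correlationAttributeInstance = md5CorrelationAttr.isEmpty() ? null : md5CorrelationAttr.get(0);`. The same "single element or empty" comment and `isEmpty()`/`get(0)` pattern is repeated verbatim at both call sites in CaseEventListener (setContentKnownStatus and the content-tag branch); a small helper in CorrelationAttributeUtil that returns the first instance or null would keep that contract in one place. If the comment stays, fix the spelling: `// for an abstract file the list holds a single attribute or is empty; a list is returned for consistency with the other makeCorrAttrsForSearch methods (7852)`. The enclosing constructor/method starts and ends outside this hunk.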


@ -5,10 +5,7 @@ CentralRepoCommentDialog.title.addEditCentralRepoComment=Add/Edit Central Reposi
OpenIDE-Module-Name=Central Repository OpenIDE-Module-Name=Central Repository
OpenIDE-Module-Display-Category=Ingest Module OpenIDE-Module-Display-Category=Ingest Module
OpenIDE-Module-Short-Description=Central Repository Ingest Module OpenIDE-Module-Short-Description=Central Repository Ingest Module
OpenIDE-Module-Long-Description=\ OpenIDE-Module-Long-Description=Central Repository ingest module and central database. \n\nThe Central Repository ingest module stores attributes of artifacts matching selected correlation types into a central database.\nStored attributes are used in future cases to correlate and analyzes files and artifacts during ingest.
Central Repository ingest module and central database. \n\n\
The Central Repository ingest module stores attributes of artifacts matching selected correlation types into a central database.\n\
Stored attributes are used in future cases to correlate and analyzes files and artifacts during ingest.
CentralRepoCommentDialog.commentLabel.text=Comment: CentralRepoCommentDialog.commentLabel.text=Comment:
CentralRepoCommentDialog.okButton.text=&OK CentralRepoCommentDialog.okButton.text=&OK
CentralRepoCommentDialog.cancelButton.text=C&ancel CentralRepoCommentDialog.cancelButton.text=C&ancel


@ -53,7 +53,6 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifactTag; import org.sleuthkit.datamodel.BlackboardArtifactTag;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentTag; import org.sleuthkit.datamodel.ContentTag;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.OsAccount; import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.OsAccountInstance; import org.sleuthkit.datamodel.OsAccountInstance;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;


@ -18,18 +18,18 @@ CentralRepositoryService.serviceName=Central Repository Service
CorrelationAttributeInstance.invalidName.message=Invalid database table name. Name must start with a lowercase letter and can only contain lowercase letters, numbers, and '_'. CorrelationAttributeInstance.invalidName.message=Invalid database table name. Name must start with a lowercase letter and can only contain lowercase letters, numbers, and '_'.
CorrelationAttributeInstance.nullName.message=Database name is null. CorrelationAttributeInstance.nullName.message=Database name is null.
CorrelationAttributeUtil.emailaddresses.text=Email Addresses CorrelationAttributeUtil.emailaddresses.text=Email Addresses
CorrelationType.DOMAIN.displayName=Domains CorrelationType.DOMAIN.displayName=Domain
CorrelationType.EMAIL.displayName=Email Addresses CorrelationType.EMAIL.displayName=Email Address
CorrelationType.FILES.displayName=Files CorrelationType.FILES.displayName=File MD5
CorrelationType.ICCID.displayName=ICCID Number CorrelationType.ICCID.displayName=ICCID Number
CorrelationType.IMEI.displayName=IMEI Number CorrelationType.IMEI.displayName=IMEI Number
CorrelationType.IMSI.displayName=IMSI Number CorrelationType.IMSI.displayName=IMSI Number
CorrelationType.MAC.displayName=MAC Addresses CorrelationType.MAC.displayName=MAC Address
CorrelationType.OS_ACCOUNT.displayName=Os Account CorrelationType.OS_ACCOUNT.displayName=Os Account
CorrelationType.PHONE.displayName=Phone Numbers CorrelationType.PHONE.displayName=Phone Number
CorrelationType.PROG_NAME.displayName=Installed Programs CorrelationType.PROG_NAME.displayName=Installed Program
CorrelationType.SSID.displayName=Wireless Networks CorrelationType.SSID.displayName=Wireless Network
CorrelationType.USBID.displayName=USB Devices CorrelationType.USBID.displayName=USB Device
EamArtifactInstances.knownStatus.bad=Bad EamArtifactInstances.knownStatus.bad=Bad
EamArtifactInstances.knownStatus.known=Known EamArtifactInstances.knownStatus.known=Known
EamArtifactInstances.knownStatus.unknown=Unknown EamArtifactInstances.knownStatus.unknown=Unknown


@ -80,7 +80,6 @@ public class CorrelationAttributeUtil {
return Bundle.CorrelationAttributeUtil_emailaddresses_text(); return Bundle.CorrelationAttributeUtil_emailaddresses_text();
} }
/** /**
* Makes zero to many correlation attribute instances from the attributes of * Makes zero to many correlation attribute instances from the attributes of
* artifacts that have correlatable data. The intention of this method is to * artifacts that have correlatable data. The intention of this method is to
@ -106,23 +105,22 @@ public class CorrelationAttributeUtil {
return CorrelationAttributeUtil.makeCorrAttrsForSearch(artifact); return CorrelationAttributeUtil.makeCorrAttrsForSearch(artifact);
} }
//public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(AbstactFile file) { //public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(AbstactFile file) {
// @@@ TODO Call into makeCorrAttrsForSearch(file) when API changes // @@@ TODO Call into makeCorrAttrsForSearch(file) when API changes
// AND move logic that perhaps in the ingest module into here. // AND move logic that perhaps in the ingest module into here.
// return makeCorrAttrsForSearch(file); // return makeCorrAttrsForSearch(file);
//} //}
public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(Content content) { public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(Content content) {
return new ArrayList<>(); return new ArrayList<>();
} }
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(Content content) { public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(Content content) {
return new ArrayList<>(); return new ArrayList<>();
} }
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AnalysisResult artifact) { public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AnalysisResult artifact) {
try { try {
if (BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.equals(artifact.getType())) { if (BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.equals(artifact.getType())) {
BlackboardAttribute assocArtifactAttr = artifact.getAttribute(BlackboardAttribute.Type.TSK_ASSOCIATED_ARTIFACT); BlackboardAttribute assocArtifactAttr = artifact.getAttribute(BlackboardAttribute.Type.TSK_ASSOCIATED_ARTIFACT);
if (assocArtifactAttr != null) { if (assocArtifactAttr != null) {
@ -131,9 +129,9 @@ public class CorrelationAttributeUtil {
} }
} }
Content content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID()); Content content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
return CorrelationAttributeUtil.makeCorrAttrsForSearch(content); return CorrelationAttributeUtil.makeCorrAttrsForSearch(content);
// @@@ TODO ADD Error Handling // @@@ TODO ADD Error Handling
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
Exceptions.printStackTrace(ex); Exceptions.printStackTrace(ex);
} catch (NoCurrentCaseException ex) { } catch (NoCurrentCaseException ex) {
@ -141,8 +139,7 @@ public class CorrelationAttributeUtil {
} }
return new ArrayList<>(); return new ArrayList<>();
} }
/** /**
* Makes zero to many correlation attribute instances from the attributes of * Makes zero to many correlation attribute instances from the attributes of
* artifacts that have correlatable data. The intention of this method is to * artifacts that have correlatable data. The intention of this method is to
@ -170,7 +167,7 @@ public class CorrelationAttributeUtil {
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(DataArtifact artifact) { public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(DataArtifact artifact) {
List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>(); List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
try { try {
List<BlackboardAttribute> attributes = artifact.getAttributes(); List<BlackboardAttribute> attributes = artifact.getAttributes();
int artifactTypeID = artifact.getArtifactTypeID(); int artifactTypeID = artifact.getArtifactTypeID();
@ -336,8 +333,6 @@ public class CorrelationAttributeUtil {
} }
} }
/** /**
* Makes a correlation attribute instance for an account artifact. * Makes a correlation attribute instance for an account artifact.
* *
@ -600,11 +595,10 @@ public class CorrelationAttributeUtil {
// @@@ BC: This seems like it should go into a DB-specific class because it is // @@@ BC: This seems like it should go into a DB-specific class because it is
// much different from the other methods in this class. It is going to the DB for data. // much different from the other methods in this class. It is going to the DB for data.
/** /**
* Gets the correlation attribute instance for a file. This method goes to the CR * Gets the correlation attribute instance for a file. This method goes to
* to get an actual instance. It does not simply package the data from file * the CR to get an actual instance. It does not simply package the data
* into a generic instance object. * from file into a generic instance object.
* *
* @param file The file. * @param file The file.
* *
@ -682,7 +676,8 @@ public class CorrelationAttributeUtil {
} }
/** /**
* Makes a correlation attribute instance for a file. Will include the specific object ID. * Makes a correlation attribute instance for a file. Will include the
* specific object ID.
* *
* IMPORTANT: The correlation attribute instance is NOT added to the central * IMPORTANT: The correlation attribute instance is NOT added to the central
* repository by this method. * repository by this method.
@ -700,23 +695,23 @@ public class CorrelationAttributeUtil {
* @return The correlation attribute instance or null, if an error occurred. * @return The correlation attribute instance or null, if an error occurred.
*/ */
// @@@ TODO: Make this look like other makeCorrAttrsForSearch and return a list // @@@ TODO: Make this look like other makeCorrAttrsForSearch and return a list
public static CorrelationAttributeInstance makeCorrAttrsForSearch(AbstractFile file) { public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AbstractFile file) {
List<CorrelationAttributeInstance> fileTypeList = new ArrayList<>(); // will be an empty or single element list as was decided in 7852
if (!isSupportedAbstractFileType(file)) { if (!isSupportedAbstractFileType(file)) {
return null; return fileTypeList;
} }
// We need a hash to make the correlation artifact instance. // We need a hash to make the correlation artifact instance.
String md5 = file.getMd5Hash(); String md5 = file.getMd5Hash();
if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) { if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
return null; return fileTypeList;
} }
try { try {
CorrelationAttributeInstance.Type filesType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID); CorrelationAttributeInstance.Type filesType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows()); CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
return new CorrelationAttributeInstance( fileTypeList.add(new CorrelationAttributeInstance(
filesType, filesType,
file.getMd5Hash(), file.getMd5Hash(),
correlationCase, correlationCase,
@ -724,21 +719,17 @@ public class CorrelationAttributeUtil {
file.getParentPath() + file.getName(), file.getParentPath() + file.getName(),
"", "",
TskData.FileKnown.UNKNOWN, TskData.FileKnown.UNKNOWN,
file.getId()); file.getId()));
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS
return null;
} catch (CentralRepoException ex) { } catch (CentralRepoException ex) {
logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
return null;
} catch (CorrelationAttributeNormalizationException ex) { } catch (CorrelationAttributeNormalizationException ex) {
logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
return null;
} catch (NoCurrentCaseException ex) { } catch (NoCurrentCaseException ex) {
logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
return null;
} }
return fileTypeList;
} }
/** /**
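Review bot: The Javadoc for makeCorrAttrsForSearch(AbstractFile) is now stale: its `@return The correlation attribute instance or null, if an error occurred.` line is kept unchanged, but the method now returns a `List` and never returns null. It should read `@return A list holding the single correlation attribute instance, or an empty list if the file type is unsupported, the file has no usable MD5, or an error occurred.` The `// @@@ TODO: Make this look like other makeCorrAttrsForSearch and return a list` comment directly above the signature describes exactly what this commit does and should be deleted. Inside the try block the constructor still passes `file.getMd5Hash()` although the already-validated `md5` local is available; using `md5` there avoids a second call and keeps the value that was checked. The Javadoc this applies to begins in the previous hunk of this section.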


@ -311,18 +311,18 @@ public final class CaseEventListener implements PropertyChangeListener {
* Sets the known status for the correlation attribute instance for the * Sets the known status for the correlation attribute instance for the
* given abstract file. * given abstract file.
* *
* @param af The abstract file for which to set the correlation * @param af The abstract file for which to set the correlation
* attribute instance. * attribute instance.
* @param knownStatus The new known status for the correlation attribute * @param knownStatus The new known status for the correlation attribute
* instance. * instance.
*/ */
private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) { private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) {
final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af); final List<CorrelationAttributeInstance> md5CorrelationAttr = CorrelationAttributeUtil.makeCorrAttrsForSearch(af);
if (!md5CorrelationAttr.isEmpty()) {
if (eamArtifact != null) { //for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
// send update to Central Repository db // send update to Central Repository db
try { try {
dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus); dbManager.setAttributeInstanceKnownStatus(md5CorrelationAttr.get(0), knownStatus);
} catch (CentralRepoException ex) { } catch (CentralRepoException ex) {
LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS
} }
@ -407,7 +407,7 @@ public final class CaseEventListener implements PropertyChangeListener {
* for the item. If there are, set known status as notable. If not set * for the item. If there are, set known status as notable. If not set
* status as unknown. * status as unknown.
* *
* @param content The content for the tag that was added or deleted. * @param content The content for the tag that was added or deleted.
* @param bbArtifact The artifact for the tag that was added or deleted. * @param bbArtifact The artifact for the tag that was added or deleted.
*/ */
private void handleTagChange(Content content, BlackboardArtifact bbArtifact) { private void handleTagChange(Content content, BlackboardArtifact bbArtifact) {
@ -452,7 +452,7 @@ public final class CaseEventListener implements PropertyChangeListener {
* Sets the known status of a blackboard artifact in the central * Sets the known status of a blackboard artifact in the central
* repository. * repository.
* *
* @param bbArtifact The blackboard artifact to set known status. * @param bbArtifact The blackboard artifact to set known status.
* @param knownStatus The new known status. * @param knownStatus The new known status.
*/ */
private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) { private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) {
@ -566,9 +566,10 @@ public final class CaseEventListener implements PropertyChangeListener {
if (!hasTagWithConflictingKnownStatus) { if (!hasTagWithConflictingKnownStatus) {
Content taggedContent = contentTag.getContent(); Content taggedContent = contentTag.getContent();
if (taggedContent instanceof AbstractFile) { if (taggedContent instanceof AbstractFile) {
final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile((AbstractFile) taggedContent); final List<CorrelationAttributeInstance> eamArtifact = CorrelationAttributeUtil.makeCorrAttrsForSearch((AbstractFile) taggedContent);
if (eamArtifact != null) { if (!eamArtifact.isEmpty()) {
CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact, tagName.getKnownStatus()); //for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact.get(0), tagName.getKnownStatus());
} }
} }
} }
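Review bot: In the content-tag hunk the local `eamArtifact` now holds a `List<CorrelationAttributeInstance>` but keeps its old singular name, while the equivalent local in setContentKnownStatus earlier in this section was renamed to `md5CorrelationAttr`; the two should match, e.g. `final List<CorrelationAttributeInstance> md5CorrelationAttr = CorrelationAttributeUtil.makeCorrAttrsForSearch((AbstractFile) taggedContent);` with the `isEmpty()` and `get(0)` uses updated accordingly. The comment added after the `isEmpty()` check also misspells "consistency". The enclosing method of that hunk starts and ends outside the visible lines.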