7852 adjust makeCorrAttrsForSearch(AbstractFile)
parent
90bda71c1d
commit
ab61ae6663
@ -19,6 +19,7 @@
|
||||
package org.sleuthkit.autopsy.centralrepository;
|
||||
|
||||
import java.awt.event.ActionEvent;
|
||||
import java.util.List;
|
||||
import java.util.logging.Level;
|
||||
import javax.swing.AbstractAction;
|
||||
import javax.swing.Action;
|
||||
@ -64,7 +65,13 @@ public final class AddEditCentralRepoCommentAction extends AbstractAction {
|
||||
correlationAttributeInstance = CorrelationAttributeUtil.getCorrAttrForFile(file);
|
||||
if (correlationAttributeInstance == null) {
|
||||
addToDatabase = true;
|
||||
correlationAttributeInstance = CorrelationAttributeUtil.makeCorrAttrFromFile(file);
|
||||
final List<CorrelationAttributeInstance> md5CorrelationAttr = CorrelationAttributeUtil.makeCorrAttrsForSearch(file);
|
||||
if (!md5CorrelationAttr.isEmpty()) {
|
||||
//for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
|
||||
correlationAttributeInstance = md5CorrelationAttr.get(0);
|
||||
} else {
|
||||
correlationAttributeInstance = null;
|
||||
}
|
||||
}
|
||||
if (file.getSize() == 0) {
|
||||
putValue(Action.NAME, Bundle.AddEditCentralRepoCommentAction_menuItemText_addEditCentralRepoCommentEmptyFile());
|
||||
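Review bot: `addToDatabase = true` is set before the result of makeCorrAttrsForSearch(file) is checked, so the flag stays true even when the list is empty and `correlationAttributeInstance` remains null. Whether the rest of the action tolerates that combination is not visible here, because the enclosing constructor starts and ends outside the hunk. If nothing later depends on the flag in that case, set it only on success: `if (!md5CorrelationAttr.isEmpty()) { addToDatabase = true; correlationAttributeInstance = md5CorrelationAttr.get(0); }`. The `else { correlationAttributeInstance = null; }` branch is redundant, since this block is only entered when the variable is already null. The added comment misspells "consistency".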
|
@ -5,10 +5,7 @@ CentralRepoCommentDialog.title.addEditCentralRepoComment=Add/Edit Central Reposi
|
||||
OpenIDE-Module-Name=Central Repository
|
||||
OpenIDE-Module-Display-Category=Ingest Module
|
||||
OpenIDE-Module-Short-Description=Central Repository Ingest Module
|
||||
OpenIDE-Module-Long-Description=\
|
||||
Central Repository ingest module and central database. \n\n\
|
||||
The Central Repository ingest module stores attributes of artifacts matching selected correlation types into a central database.\n\
|
||||
Stored attributes are used in future cases to correlate and analyzes files and artifacts during ingest.
|
||||
OpenIDE-Module-Long-Description=Central Repository ingest module and central database. \n\nThe Central Repository ingest module stores attributes of artifacts matching selected correlation types into a central database.\nStored attributes are used in future cases to correlate and analyzes files and artifacts during ingest.
|
||||
CentralRepoCommentDialog.commentLabel.text=Comment:
|
||||
CentralRepoCommentDialog.okButton.text=&OK
|
||||
CentralRepoCommentDialog.cancelButton.text=C&ancel
|
||||
|
@ -53,7 +53,6 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
|
||||
import org.sleuthkit.datamodel.BlackboardArtifactTag;
|
||||
import org.sleuthkit.datamodel.Content;
|
||||
import org.sleuthkit.datamodel.ContentTag;
|
||||
import org.sleuthkit.datamodel.DataSource;
|
||||
import org.sleuthkit.datamodel.OsAccount;
|
||||
import org.sleuthkit.datamodel.OsAccountInstance;
|
||||
import org.sleuthkit.datamodel.SleuthkitCase;
|
||||
|
@ -18,18 +18,18 @@ CentralRepositoryService.serviceName=Central Repository Service
|
||||
CorrelationAttributeInstance.invalidName.message=Invalid database table name. Name must start with a lowercase letter and can only contain lowercase letters, numbers, and '_'.
|
||||
CorrelationAttributeInstance.nullName.message=Database name is null.
|
||||
CorrelationAttributeUtil.emailaddresses.text=Email Addresses
|
||||
CorrelationType.DOMAIN.displayName=Domains
|
||||
CorrelationType.EMAIL.displayName=Email Addresses
|
||||
CorrelationType.FILES.displayName=Files
|
||||
CorrelationType.DOMAIN.displayName=Domain
|
||||
CorrelationType.EMAIL.displayName=Email Address
|
||||
CorrelationType.FILES.displayName=File MD5
|
||||
CorrelationType.ICCID.displayName=ICCID Number
|
||||
CorrelationType.IMEI.displayName=IMEI Number
|
||||
CorrelationType.IMSI.displayName=IMSI Number
|
||||
CorrelationType.MAC.displayName=MAC Addresses
|
||||
CorrelationType.MAC.displayName=MAC Address
|
||||
CorrelationType.OS_ACCOUNT.displayName=Os Account
|
||||
CorrelationType.PHONE.displayName=Phone Numbers
|
||||
CorrelationType.PROG_NAME.displayName=Installed Programs
|
||||
CorrelationType.SSID.displayName=Wireless Networks
|
||||
CorrelationType.USBID.displayName=USB Devices
|
||||
CorrelationType.PHONE.displayName=Phone Number
|
||||
CorrelationType.PROG_NAME.displayName=Installed Program
|
||||
CorrelationType.SSID.displayName=Wireless Network
|
||||
CorrelationType.USBID.displayName=USB Device
|
||||
EamArtifactInstances.knownStatus.bad=Bad
|
||||
EamArtifactInstances.knownStatus.known=Known
|
||||
EamArtifactInstances.knownStatus.unknown=Unknown
|
||||
|
@ -80,7 +80,6 @@ public class CorrelationAttributeUtil {
|
||||
return Bundle.CorrelationAttributeUtil_emailaddresses_text();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Makes zero to many correlation attribute instances from the attributes of
|
||||
* artifacts that have correlatable data. The intention of this method is to
|
||||
@ -112,7 +111,6 @@ public class CorrelationAttributeUtil {
|
||||
// AND move logic that perhaps in the ingest module into here.
|
||||
// return makeCorrAttrsForSearch(file);
|
||||
//}
|
||||
|
||||
public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(Content content) {
|
||||
return new ArrayList<>();
|
||||
}
|
||||
@ -142,7 +140,6 @@ public class CorrelationAttributeUtil {
|
||||
return new ArrayList<>();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Makes zero to many correlation attribute instances from the attributes of
|
||||
* artifacts that have correlatable data. The intention of this method is to
|
||||
@ -336,8 +333,6 @@ public class CorrelationAttributeUtil {
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Makes a correlation attribute instance for an account artifact.
|
||||
*
|
||||
@ -600,11 +595,10 @@ public class CorrelationAttributeUtil {
|
||||
|
||||
// @@@ BC: This seems like it should go into a DB-specific class because it is
|
||||
// much different from the other methods in this class. It is going to the DB for data.
|
||||
|
||||
/**
|
||||
* Gets the correlation attribute instance for a file. This method goes to the CR
|
||||
* to get an actual instance. It does not simply package the data from file
|
||||
* into a generic instance object.
|
||||
* Gets the correlation attribute instance for a file. This method goes to
|
||||
* the CR to get an actual instance. It does not simply package the data
|
||||
* from file into a generic instance object.
|
||||
*
|
||||
* @param file The file.
|
||||
*
|
||||
@ -682,7 +676,8 @@ public class CorrelationAttributeUtil {
|
||||
}
|
||||
|
||||
/**
|
||||
* Makes a correlation attribute instance for a file. Will include the specific object ID.
|
||||
* Makes a correlation attribute instance for a file. Will include the
|
||||
* specific object ID.
|
||||
*
|
||||
* IMPORTANT: The correlation attribute instance is NOT added to the central
|
||||
* repository by this method.
|
||||
@ -700,23 +695,23 @@ public class CorrelationAttributeUtil {
|
||||
* @return The correlation attribute instance or null, if an error occurred.
|
||||
*/
|
||||
// @@@ TODO: Make this look like other makeCorrAttrsForSearch and return a list
|
||||
public static CorrelationAttributeInstance makeCorrAttrsForSearch(AbstractFile file) {
|
||||
|
||||
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AbstractFile file) {
|
||||
List<CorrelationAttributeInstance> fileTypeList = new ArrayList<>(); // will be an empty or single element list as was decided in 7852
|
||||
if (!isSupportedAbstractFileType(file)) {
|
||||
return null;
|
||||
return fileTypeList;
|
||||
}
|
||||
|
||||
// We need a hash to make the correlation artifact instance.
|
||||
String md5 = file.getMd5Hash();
|
||||
if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
|
||||
return null;
|
||||
return fileTypeList;
|
||||
}
|
||||
|
||||
try {
|
||||
CorrelationAttributeInstance.Type filesType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
|
||||
|
||||
CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
|
||||
return new CorrelationAttributeInstance(
|
||||
fileTypeList.add(new CorrelationAttributeInstance(
|
||||
filesType,
|
||||
file.getMd5Hash(),
|
||||
correlationCase,
|
||||
@ -724,21 +719,17 @@ public class CorrelationAttributeUtil {
|
||||
file.getParentPath() + file.getName(),
|
||||
"",
|
||||
TskData.FileKnown.UNKNOWN,
|
||||
file.getId());
|
||||
|
||||
file.getId()));
|
||||
} catch (TskCoreException ex) {
|
||||
logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS
|
||||
return null;
|
||||
} catch (CentralRepoException ex) {
|
||||
logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
|
||||
return null;
|
||||
} catch (CorrelationAttributeNormalizationException ex) {
|
||||
logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
|
||||
return null;
|
||||
} catch (NoCurrentCaseException ex) {
|
||||
logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
|
||||
return null;
|
||||
}
|
||||
return fileTypeList;
|
||||
}
|
||||
|
||||
/**
|
||||
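Review bot: The Javadoc on makeCorrAttrsForSearch(AbstractFile) still reads `@return The correlation attribute instance or null, if an error occurred.`, but the new signature returns a list and every exit path returns `fileTypeList`, never null. Suggest `@return A list holding the single correlation attribute instance for the file, or an empty list if the file type is unsupported, no usable MD5 hash is available, or an error occurred.`, with the summary sentence adjusted to match. If the `// @@@ TODO: Make this look like other makeCorrAttrsForSearch and return a list` line survives on the new side, it can be dropped because this change does what it asks. Minor: the constructor call passes `file.getMd5Hash()` again although the validated value is already held in `md5`.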
|
@ -317,12 +317,12 @@ public final class CaseEventListener implements PropertyChangeListener {
|
||||
* instance.
|
||||
*/
|
||||
private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) {
|
||||
final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af);
|
||||
|
||||
if (eamArtifact != null) {
|
||||
final List<CorrelationAttributeInstance> md5CorrelationAttr = CorrelationAttributeUtil.makeCorrAttrsForSearch(af);
|
||||
if (!md5CorrelationAttr.isEmpty()) {
|
||||
//for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
|
||||
// send update to Central Repository db
|
||||
try {
|
||||
dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus);
|
||||
dbManager.setAttributeInstanceKnownStatus(md5CorrelationAttr.get(0), knownStatus);
|
||||
} catch (CentralRepoException ex) {
|
||||
LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS
|
||||
}
|
||||
@ -566,9 +566,10 @@ public final class CaseEventListener implements PropertyChangeListener {
|
||||
if (!hasTagWithConflictingKnownStatus) {
|
||||
Content taggedContent = contentTag.getContent();
|
||||
if (taggedContent instanceof AbstractFile) {
|
||||
final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile((AbstractFile) taggedContent);
|
||||
if (eamArtifact != null) {
|
||||
CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact, tagName.getKnownStatus());
|
||||
final List<CorrelationAttributeInstance> eamArtifact = CorrelationAttributeUtil.makeCorrAttrsForSearch((AbstractFile) taggedContent);
|
||||
if (!eamArtifact.isEmpty()) {
|
||||
//for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
|
||||
CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact.get(0), tagName.getKnownStatus());
|
||||
}
|
||||
}
|
||||
}
|
||||
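Review bot: In both hunks an empty list from makeCorrAttrsForSearch means the known-status update is skipped with no trace at the call site. The callee logs repository and case errors itself, but its unsupported-type and missing-MD5 returns are silent, so a tag's known status on a file without a hash presumably never reaches the Central Repository. A low-level log in an `else` branch, e.g. `LOGGER.log(Level.FINE, "No MD5 correlation attribute for file; known status not sent to Central Repository");`, would make the gap visible when reviewing why a tagged file did not correlate. In the second hunk the list is still named `eamArtifact`, which reads as a single instance; `md5CorrelationAttr`, as used in setContentKnownStatus, would be consistent. Both enclosing methods extend beyond the hunks shown.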
|