7852 adjust makeCorrAttrsForSearch(AbstractFile)

This commit is contained in:
William Schaefer 2021-09-01 14:53:49 -04:00
parent 90bda71c1d
commit ab61ae6663
6 changed files with 50 additions and 55 deletions


@ -19,6 +19,7 @@
package org.sleuthkit.autopsy.centralrepository;
import java.awt.event.ActionEvent;
import java.util.List;
import java.util.logging.Level;
import javax.swing.AbstractAction;
import javax.swing.Action;
@ -64,7 +65,13 @@ public final class AddEditCentralRepoCommentAction extends AbstractAction {
correlationAttributeInstance = CorrelationAttributeUtil.getCorrAttrForFile(file);
if (correlationAttributeInstance == null) {
addToDatabase = true;
correlationAttributeInstance = CorrelationAttributeUtil.makeCorrAttrFromFile(file);
final List<CorrelationAttributeInstance> md5CorrelationAttr = CorrelationAttributeUtil.makeCorrAttrsForSearch(file);
if (!md5CorrelationAttr.isEmpty()) {
//for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
correlationAttributeInstance = md5CorrelationAttr.get(0);
} else {
correlationAttributeInstance = null;
}
}
if (file.getSize() == 0) {
putValue(Action.NAME, Bundle.AddEditCentralRepoCommentAction_menuItemText_addEditCentralRepoCommentEmptyFile());
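Review bot: The comment on the line after `if (!md5CorrelationAttr.isEmpty()) {` restates the empty-or-single-element contract of makeCorrAttrsForSearch(AbstractFile) at the call site, and the same sentence (including the typo "consistancy") is pasted twice more in CaseEventListener.java in this commit; that contract belongs once on the method's Javadoc, and each call site can carry a short pointer such as `// makeCorrAttrsForSearch(AbstractFile) yields at most one instance; see its Javadoc`. The `else { correlationAttributeInstance = null; }` branch also looks redundant, since the enclosing `if (correlationAttributeInstance == null)` is only entered when the variable is already null — if the explicit assignment is kept for readability, a word saying so would help the next reader. The enclosing method starts and ends outside the hunk.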


@ -5,10 +5,7 @@ CentralRepoCommentDialog.title.addEditCentralRepoComment=Add/Edit Central Reposi
OpenIDE-Module-Name=Central Repository
OpenIDE-Module-Display-Category=Ingest Module
OpenIDE-Module-Short-Description=Central Repository Ingest Module
OpenIDE-Module-Long-Description=\
Central Repository ingest module and central database. \n\n\
The Central Repository ingest module stores attributes of artifacts matching selected correlation types into a central database.\n\
Stored attributes are used in future cases to correlate and analyzes files and artifacts during ingest.
OpenIDE-Module-Long-Description=Central Repository ingest module and central database. \n\nThe Central Repository ingest module stores attributes of artifacts matching selected correlation types into a central database.\nStored attributes are used in future cases to correlate and analyzes files and artifacts during ingest.
CentralRepoCommentDialog.commentLabel.text=Comment:
CentralRepoCommentDialog.okButton.text=&OK
CentralRepoCommentDialog.cancelButton.text=C&ancel


@ -53,7 +53,6 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifactTag;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentTag;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.OsAccount;
import org.sleuthkit.datamodel.OsAccountInstance;
import org.sleuthkit.datamodel.SleuthkitCase;


@ -18,18 +18,18 @@ CentralRepositoryService.serviceName=Central Repository Service
CorrelationAttributeInstance.invalidName.message=Invalid database table name. Name must start with a lowercase letter and can only contain lowercase letters, numbers, and '_'.
CorrelationAttributeInstance.nullName.message=Database name is null.
CorrelationAttributeUtil.emailaddresses.text=Email Addresses
CorrelationType.DOMAIN.displayName=Domains
CorrelationType.EMAIL.displayName=Email Addresses
CorrelationType.FILES.displayName=Files
CorrelationType.DOMAIN.displayName=Domain
CorrelationType.EMAIL.displayName=Email Address
CorrelationType.FILES.displayName=File MD5
CorrelationType.ICCID.displayName=ICCID Number
CorrelationType.IMEI.displayName=IMEI Number
CorrelationType.IMSI.displayName=IMSI Number
CorrelationType.MAC.displayName=MAC Addresses
CorrelationType.MAC.displayName=MAC Address
CorrelationType.OS_ACCOUNT.displayName=Os Account
CorrelationType.PHONE.displayName=Phone Numbers
CorrelationType.PROG_NAME.displayName=Installed Programs
CorrelationType.SSID.displayName=Wireless Networks
CorrelationType.USBID.displayName=USB Devices
CorrelationType.PHONE.displayName=Phone Number
CorrelationType.PROG_NAME.displayName=Installed Program
CorrelationType.SSID.displayName=Wireless Network
CorrelationType.USBID.displayName=USB Device
EamArtifactInstances.knownStatus.bad=Bad
EamArtifactInstances.knownStatus.known=Known
EamArtifactInstances.knownStatus.unknown=Unknown


@ -80,7 +80,6 @@ public class CorrelationAttributeUtil {
return Bundle.CorrelationAttributeUtil_emailaddresses_text();
}
/**
* Makes zero to many correlation attribute instances from the attributes of
* artifacts that have correlatable data. The intention of this method is to
@ -106,23 +105,22 @@ public class CorrelationAttributeUtil {
return CorrelationAttributeUtil.makeCorrAttrsForSearch(artifact);
}
//public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(AbstactFile file) {
// @@@ TODO Call into makeCorrAttrsForSearch(file) when API changes
// AND move logic that perhaps in the ingest module into here.
// return makeCorrAttrsForSearch(file);
//}
public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(Content content) {
return new ArrayList<>();
}
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(Content content) {
return new ArrayList<>();
}
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AnalysisResult artifact) {
try {
try {
if (BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.equals(artifact.getType())) {
BlackboardAttribute assocArtifactAttr = artifact.getAttribute(BlackboardAttribute.Type.TSK_ASSOCIATED_ARTIFACT);
if (assocArtifactAttr != null) {
@ -131,9 +129,9 @@ public class CorrelationAttributeUtil {
}
}
Content content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
return CorrelationAttributeUtil.makeCorrAttrsForSearch(content);
// @@@ TODO ADD Error Handling
// @@@ TODO ADD Error Handling
} catch (TskCoreException ex) {
Exceptions.printStackTrace(ex);
} catch (NoCurrentCaseException ex) {
@ -141,8 +139,7 @@ public class CorrelationAttributeUtil {
}
return new ArrayList<>();
}
/**
* Makes zero to many correlation attribute instances from the attributes of
* artifacts that have correlatable data. The intention of this method is to
@ -170,7 +167,7 @@ public class CorrelationAttributeUtil {
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(DataArtifact artifact) {
List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
try {
List<BlackboardAttribute> attributes = artifact.getAttributes();
int artifactTypeID = artifact.getArtifactTypeID();
@ -336,8 +333,6 @@ public class CorrelationAttributeUtil {
}
}
/**
* Makes a correlation attribute instance for an account artifact.
*
@ -600,11 +595,10 @@ public class CorrelationAttributeUtil {
// @@@ BC: This seems like it should go into a DB-specific class because it is
// much different from the other methods in this class. It is going to the DB for data.
/**
* Gets the correlation attribute instance for a file. This method goes to the CR
* to get an actual instance. It does not simply package the data from file
* into a generic instance object.
* Gets the correlation attribute instance for a file. This method goes to
* the CR to get an actual instance. It does not simply package the data
* from file into a generic instance object.
*
* @param file The file.
*
@ -682,7 +676,8 @@ public class CorrelationAttributeUtil {
}
/**
* Makes a correlation attribute instance for a file. Will include the specific object ID.
* Makes a correlation attribute instance for a file. Will include the
* specific object ID.
*
* IMPORTANT: The correlation attribute instance is NOT added to the central
* repository by this method.
@ -700,23 +695,23 @@ public class CorrelationAttributeUtil {
* @return The correlation attribute instance or null, if an error occurred.
*/
// @@@ TODO: Make this look like other makeCorrAttrsForSearch and return a list
public static CorrelationAttributeInstance makeCorrAttrsForSearch(AbstractFile file) {
public static List<CorrelationAttributeInstance> makeCorrAttrsForSearch(AbstractFile file) {
List<CorrelationAttributeInstance> fileTypeList = new ArrayList<>(); // will be an empty or single element list as was decided in 7852
if (!isSupportedAbstractFileType(file)) {
return null;
return fileTypeList;
}
// We need a hash to make the correlation artifact instance.
String md5 = file.getMd5Hash();
if (md5 == null || md5.isEmpty() || HashUtility.isNoDataMd5(md5)) {
return null;
return fileTypeList;
}
try {
CorrelationAttributeInstance.Type filesType = CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.FILES_TYPE_ID);
CorrelationCase correlationCase = CentralRepository.getInstance().getCase(Case.getCurrentCaseThrows());
return new CorrelationAttributeInstance(
fileTypeList.add(new CorrelationAttributeInstance(
filesType,
file.getMd5Hash(),
correlationCase,
@ -724,21 +719,17 @@ public class CorrelationAttributeUtil {
file.getParentPath() + file.getName(),
"",
TskData.FileKnown.UNKNOWN,
file.getId());
file.getId()));
} catch (TskCoreException ex) {
logger.log(Level.SEVERE, String.format("Error querying case database (%s)", file), ex); // NON-NLS
return null;
} catch (CentralRepoException ex) {
logger.log(Level.SEVERE, String.format("Error querying central repository (%s)", file), ex); // NON-NLS
return null;
} catch (CorrelationAttributeNormalizationException ex) {
logger.log(Level.WARNING, String.format("Error creating correlation attribute instance (%s)", file), ex); // NON-NLS
return null;
} catch (NoCurrentCaseException ex) {
logger.log(Level.SEVERE, "Error getting current case", ex); // NON-NLS
return null;
}
return fileTypeList;
}
/**
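Review bot: The Javadoc of makeCorrAttrsForSearch(AbstractFile) is now stale: the unchanged `@return The correlation attribute instance or null, if an error occurred.` line still describes the old single-instance return, while the new method body returns a list that is never null; it should read `@return A list holding the single file correlation attribute instance, or an empty list if the file type is unsupported, the file has no usable MD5, or an error occurred.` The `// @@@ TODO: Make this look like other makeCorrAttrsForSearch and return a list` comment directly above the signature is completed by this commit and should be removed, and the trailing comment on the `fileTypeList` declaration would be clearer stating the invariant itself ("at most one element") rather than the ticket number. In the hunk around makeCorrAttrsForSearch(AnalysisResult), the commented-out makeCorrAttrsToSave(AbstractFile) stub (whether new or pre-existing is not clear from the rendering) would be better as a single TODO line than as dead code. The methods at the top and bottom of this section start or end outside their hunks.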


@ -311,18 +311,18 @@ public final class CaseEventListener implements PropertyChangeListener {
* Sets the known status for the correlation attribute instance for the
* given abstract file.
*
* @param af The abstract file for which to set the correlation
* attribute instance.
* @param af The abstract file for which to set the correlation
* attribute instance.
* @param knownStatus The new known status for the correlation attribute
* instance.
* instance.
*/
private void setContentKnownStatus(AbstractFile af, TskData.FileKnown knownStatus) {
final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile(af);
if (eamArtifact != null) {
final List<CorrelationAttributeInstance> md5CorrelationAttr = CorrelationAttributeUtil.makeCorrAttrsForSearch(af);
if (!md5CorrelationAttr.isEmpty()) {
//for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
// send update to Central Repository db
try {
dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus);
dbManager.setAttributeInstanceKnownStatus(md5CorrelationAttr.get(0), knownStatus);
} catch (CentralRepoException ex) {
LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS
}
@ -407,7 +407,7 @@ public final class CaseEventListener implements PropertyChangeListener {
* for the item. If there are, set known status as notable. If not set
* status as unknown.
*
* @param content The content for the tag that was added or deleted.
* @param content The content for the tag that was added or deleted.
* @param bbArtifact The artifact for the tag that was added or deleted.
*/
private void handleTagChange(Content content, BlackboardArtifact bbArtifact) {
@ -452,7 +452,7 @@ public final class CaseEventListener implements PropertyChangeListener {
* Sets the known status of a blackboard artifact in the central
* repository.
*
* @param bbArtifact The blackboard artifact to set known status.
* @param bbArtifact The blackboard artifact to set known status.
* @param knownStatus The new known status.
*/
private void setArtifactKnownStatus(BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) {
@ -566,9 +566,10 @@ public final class CaseEventListener implements PropertyChangeListener {
if (!hasTagWithConflictingKnownStatus) {
Content taggedContent = contentTag.getContent();
if (taggedContent instanceof AbstractFile) {
final CorrelationAttributeInstance eamArtifact = CorrelationAttributeUtil.makeCorrAttrFromFile((AbstractFile) taggedContent);
if (eamArtifact != null) {
CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact, tagName.getKnownStatus());
final List<CorrelationAttributeInstance> eamArtifact = CorrelationAttributeUtil.makeCorrAttrsForSearch((AbstractFile) taggedContent);
if (!eamArtifact.isEmpty()) {
//for an abstract file the 'list' of attributes will be a single attribute or empty and is returning a list for consistancy with other makeCorrAttrsForSearch methods per 7852
CentralRepository.getInstance().setAttributeInstanceKnownStatus(eamArtifact.get(0), tagName.getKnownStatus());
}
}
}
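Review bot: In the tag-handling hunk near line 566, `final List<CorrelationAttributeInstance> eamArtifact = CorrelationAttributeUtil.makeCorrAttrsForSearch((AbstractFile) taggedContent);` keeps the singular name from the replaced single-instance code although the variable now holds a list, while the setContentKnownStatus hunk in the same file names the equivalent list `md5CorrelationAttr`. Renaming it to `md5CorrelationAttr` in both places keeps the two call sites consistent and makes the following `.get(0)` read as a list access rather than an index into an artifact. The Javadoc @param realignments in the other hunks of this file are whitespace-only. Both enclosing methods start and end outside their hunks.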