Added communication accounts to the list of artifacts flagged as previously seen

Eugene Livis 2021-07-29 16:11:15 -04:00
parent 89347d2b7d
commit c6531498d5
2 changed files with 14 additions and 13 deletions


@ -541,13 +541,15 @@ public class IngestEventsListener {
} }
} }
// flag previously seen devices // flag previously seen devices and communication accounts (emails, phones, etc)
if (flagPreviousItemsEnabled if (flagPreviousItemsEnabled
&& (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID && (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID)) { || eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.EMAIL_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.PHONE_TYPE_ID)) {
try { try {
// only alert to previous instances when they were in another case // only alert to previous instances when they were in another case
List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue()); List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());
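Review bot: The `if` condition now chains seven `eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.*_TYPE_ID` comparisons, and every future attribute type means one more clause in the same place; a `static final Set<Integer>` of the flagged type IDs with a single `contains` call keeps the list in one spot and stops re-evaluating `getCorrelationType().getId()` up to seven times per event. Adding EMAIL and PHONE also widens the check from device identifiers to values that commonly recur across unrelated cases, so the number of "previously seen" flags raised on a typical ingest may rise noticeably — presumably intended, but worth a sentence in the comment, e.g. `// emails/phones are common across cases; expect more previously-seen hits than for device IDs`. The enclosing method starts and ends outside the hunk, so the constant would go at class level.
```java
// Correlation attribute types whose reappearance from another case is flagged as previously seen.
private static final Set<Integer> PREVIOUSLY_SEEN_TYPE_IDS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
        CorrelationAttributeInstance.USBID_TYPE_ID,
        CorrelationAttributeInstance.ICCID_TYPE_ID,
        CorrelationAttributeInstance.IMEI_TYPE_ID,
        CorrelationAttributeInstance.IMSI_TYPE_ID,
        CorrelationAttributeInstance.MAC_TYPE_ID,
        CorrelationAttributeInstance.EMAIL_TYPE_ID,
        CorrelationAttributeInstance.PHONE_TYPE_ID)));

// … unchanged: rest of the class up to the flagging block …

// flag previously seen devices and communication accounts (emails, phones, etc)
if (flagPreviousItemsEnabled
        && PREVIOUSLY_SEEN_TYPE_IDS.contains(eamArtifact.getCorrelationType().getId())) {
    // … unchanged: lookup of previous occurrences in other cases …
```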


@ -37,33 +37,32 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE; import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute; import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_OTHER_CASES;
import org.sleuthkit.datamodel.Content; import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.DataSource; import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.SleuthkitCase; import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException; import org.sleuthkit.datamodel.TskCoreException;
/** /**
* Provides information about how a data source relates to a previous case. NOTE: * Provides information about how a data source relates to a previous case.
* This code is fragile and has certain expectations about how the central * NOTE: This code is fragile and has certain expectations about how the central
* repository handles creating artifacts. So, if the central repository changes * repository handles creating artifacts. So, if the central repository changes
* ingest process, this code could break. This code expects that the central * ingest process, this code could break. This code expects that the central
* repository ingest module: * repository ingest module:
* *
* a) Creates a TSK_PREVIOUSLY_NOTABLE artifact for a file whose hash is in * a) Creates a TSK_PREVIOUSLY_NOTABLE artifact for a file whose hash is in the
* the central repository as a notable file. * central repository as a notable file.
* *
* b) Creates a TSK_PREVIOUSLY_SEEN artifact for a matching id in the * b) Creates a TSK_PREVIOUSLY_SEEN artifact for a matching id in the central
* central repository. * repository.
* *
* c) The created artifact will have a TSK_COMMENT attribute attached where one * c) The created artifact will have a TSK_OTHER_CASES attribute attached where
* of the sources for the attribute matches * one of the sources for the attribute matches
* CentralRepoIngestModuleFactory.getModuleName(). The module display name at * CentralRepoIngestModuleFactory.getModuleName(). The module display name at
* time of ingest will match CentralRepoIngestModuleFactory.getModuleName() as * time of ingest will match CentralRepoIngestModuleFactory.getModuleName() as
* well. * well.
* *
* d) The content of that TSK_COMMENT attribute will be of the form "Previous * d) The content of that TSK_OTHER_CASES attribute will be of the form
* Case: case1,case2...caseN" * "case1,case2...caseN"
*/ */
public class PastCasesSummary implements DefaultArtifactUpdateGovernor { public class PastCasesSummary implements DefaultArtifactUpdateGovernor {