mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-15 01:07:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

Added communication accounts to the list of artifacts flagged for previously seen

Browse Source
This commit is contained in:
Eugene Livis 2021-07-29 16:11:15 -04:00
parent 89347d2b7d
commit c6531498d5
2 changed files with 14 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java
View File

@ -541,13 +541,15 @@ public class IngestEventsListener {
}
}
// flag previously seen devices
// flag previously seen devices and communication accounts (emails, phones, etc)
if (flagPreviousItemsEnabled
&& (eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.USBID_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.ICCID_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMEI_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.IMSI_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID)) {
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.MAC_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.EMAIL_TYPE_ID
|| eamArtifact.getCorrelationType().getId() == CorrelationAttributeInstance.PHONE_TYPE_ID)) {
try {
// only alert to previous instances when they were in another case
List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(eamArtifact.getCorrelationType(), eamArtifact.getCorrelationValue());

21
Core/src/org/sleuthkit/autopsy/datasourcesummary/datamodel/PastCasesSummary.java
View File

@ -37,33 +37,32 @@ import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_OTHER_CASES;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
/**
* Provides information about how a data source relates to a previous case. NOTE:
* This code is fragile and has certain expectations about how the central
* Provides information about how a data source relates to a previous case.
* NOTE: This code is fragile and has certain expectations about how the central
* repository handles creating artifacts. So, if the central repository changes
* ingest process, this code could break. This code expects that the central
* repository ingest module:
*
* a) Creates a TSK_PREVIOUSLY_NOTABLE artifact for a file whose hash is in
* the central repository as a notable file.
* a) Creates a TSK_PREVIOUSLY_NOTABLE artifact for a file whose hash is in the
* central repository as a notable file.
*
* b) Creates a TSK_PREVIOUSLY_SEEN artifact for a matching id in the
* central repository.
* b) Creates a TSK_PREVIOUSLY_SEEN artifact for a matching id in the central
* repository.
*
* c) The created artifact will have a TSK_COMMENT attribute attached where one
* of the sources for the attribute matches
* c) The created artifact will have a TSK_OTHER_CASES attribute attached where
* one of the sources for the attribute matches
* CentralRepoIngestModuleFactory.getModuleName(). The module display name at
* time of ingest will match CentralRepoIngestModuleFactory.getModuleName() as
* well.
*
* d) The content of that TSK_COMMENT attribute will be of the form "Previous
* Case: case1,case2...caseN"
* d) The content of that TSK_OTHER_CASES attribute will be of the form
* "case1,case2...caseN"
*/
public class PastCasesSummary implements DefaultArtifactUpdateGovernor {