Return a list of correlation artifacts when converting a blackboard artifact to capture more attributes

This commit is contained in:
Maxwell Koo 2017-06-29 12:22:26 -04:00
parent 1e4a790d00
commit d152d7a008
4 changed files with 33 additions and 31 deletions


@ -358,8 +358,7 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
/** /**
* Scan a Node for blackboard artifacts / content that we can correlate on * Scan a Node for blackboard artifacts / content that we can correlate on
* and create the corresponding Central Repository artifacts for * and create the corresponding Central Repository artifacts for display
* display
* *
* @param node The node to view * @param node The node to view
* *
@ -380,10 +379,7 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
EamDb dbManager = EamDb.getInstance(); EamDb dbManager = EamDb.getInstance();
artifactTypes = dbManager.getCorrelationTypes(); artifactTypes = dbManager.getCorrelationTypes();
if (bbArtifact != null) { if (bbArtifact != null) {
EamArtifact eamArtifact = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, false, artifactTypes, false); ret.addAll(EamArtifactUtil.fromBlackboardArtifact(bbArtifact, false, artifactTypes, false));
if (eamArtifact != null) {
ret.add(eamArtifact);
}
} }
} catch (EamDbException ex) { } catch (EamDbException ex) {
LOGGER.log(Level.SEVERE, "Error retrieving correlation types", ex); // NON-NLS LOGGER.log(Level.SEVERE, "Error retrieving correlation types", ex); // NON-NLS
@ -475,8 +471,8 @@ public class DataContentViewerOtherCases extends javax.swing.JPanel implements D
* *
* @param eamArtifact Artifact to use for ArtifactTypeEnum matching * @param eamArtifact Artifact to use for ArtifactTypeEnum matching
* *
* @return List of Central Repository Artifact Instances, empty * @return List of Central Repository Artifact Instances, empty list if none
* list if none found * found
*/ */
public Collection<EamArtifactInstance> getReferenceInstancesAsArtifactInstances(EamArtifact eamArtifact) { public Collection<EamArtifactInstance> getReferenceInstancesAsArtifactInstances(EamArtifact eamArtifact) {
Collection<EamArtifactInstance> eamArtifactInstances = new ArrayList<>(); Collection<EamArtifactInstance> eamArtifactInstances = new ArrayList<>();


@ -18,6 +18,7 @@
*/ */
package org.sleuthkit.autopsy.centralrepository.datamodel; package org.sleuthkit.autopsy.centralrepository.datamodel;
import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import org.openide.util.NbBundle.Messages; import org.openide.util.NbBundle.Messages;
@ -46,31 +47,32 @@ public class EamArtifactUtil {
return Bundle.EamArtifactUtil_emailaddresses_text(); return Bundle.EamArtifactUtil_emailaddresses_text();
} }
/* /**
* Static factory method to examine a BlackboardArtifact to determine if it * Static factory method to examine a BlackboardArtifact to determine if it
* has contents that can be used for Correlation. If so, return a * has contents that can be used for Correlation. If so, return a
* EamArtifact with a single EamArtifactInstance within. If not, return * EamArtifact with a single EamArtifactInstance within. If not, return
* null. * null.
* *
* @param bbArtifact BlackboardArtifact to examine @return EamArtifact or * @param bbArtifact BlackboardArtifact to examine
* null * @return List of EamArtifacts
*/ */
public static EamArtifact fromBlackboardArtifact(BlackboardArtifact bbArtifact, public static List<EamArtifact> fromBlackboardArtifact(BlackboardArtifact bbArtifact,
boolean includeInstances, boolean includeInstances,
List<EamArtifact.Type> artifactTypes, List<EamArtifact.Type> artifactTypes,
boolean checkEnabled) { boolean checkEnabled) {
EamArtifact eamArtifact = null; List<EamArtifact> eamArtifacts = new ArrayList<>();
for (EamArtifact.Type aType : artifactTypes) { for (EamArtifact.Type aType : artifactTypes) {
if ((checkEnabled && aType.isEnabled()) || !checkEnabled) { if ((checkEnabled && aType.isEnabled()) || !checkEnabled) {
eamArtifact = getTypeFromBlackboardArtifact(aType, bbArtifact); EamArtifact eamArtifact = getTypeFromBlackboardArtifact(aType, bbArtifact);
} if (eamArtifact != null) {
if (null != eamArtifact) { eamArtifacts.add(eamArtifact);
break; }
} }
} }
if (null != eamArtifact && includeInstances) { if (!eamArtifacts.isEmpty() && includeInstances) {
try { try {
AbstractFile af = Case.getCurrentCase().getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID()); AbstractFile af = Case.getCurrentCase().getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
if (null == af) { if (null == af) {
@ -92,14 +94,17 @@ public class EamArtifactUtil {
TskData.FileKnown.UNKNOWN, TskData.FileKnown.UNKNOWN,
EamArtifactInstance.GlobalStatus.LOCAL EamArtifactInstance.GlobalStatus.LOCAL
); );
eamArtifact.addInstance(eamInstance);
for (EamArtifact eamArtifact : eamArtifacts) {
eamArtifact.addInstance(eamInstance);
}
} catch (TskCoreException ex) { } catch (TskCoreException ex) {
LOGGER.log(Level.SEVERE, "Error creating artifact instance.", ex); // NON-NLS LOGGER.log(Level.SEVERE, "Error creating artifact instance.", ex); // NON-NLS
return null; return null;
} }
} }
return eamArtifact; return eamArtifacts;
} }
/** /**
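Review bot: The catch block at the end of the second hunk still does `return null;` although the method now returns `List<EamArtifact>` and the callers changed in this commit (CaseEventListener and IngestEventsListener) iterate the result with a for-each, which throws a NullPointerException whenever a TskCoreException is caught here; return an empty list instead, `return new ArrayList<>();` (the DataContentViewerOtherCases call passes includeInstances=false and so does not reach this path today). The Javadoc on the first hunk is stale as well: it still says the method returns "a EamArtifact with a single EamArtifactInstance within" or null, and should say it returns one EamArtifact per correlation type that matches bbArtifact, or an empty list when none match. The loop `for (EamArtifact eamArtifact : eamArtifacts) { eamArtifact.addInstance(eamInstance); }` adds the same EamArtifactInstance object to every artifact, so the returned artifacts alias one instance and a mutation through one (such as setComment on a caller side) is visible through all; either document that or build one instance per artifact. The body of fromBlackboardArtifact continues between the two hunks, outside this view.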


@ -20,6 +20,7 @@ package org.sleuthkit.autopsy.centralrepository.eventlisteners;
import java.beans.PropertyChangeEvent; import java.beans.PropertyChangeEvent;
import java.beans.PropertyChangeListener; import java.beans.PropertyChangeListener;
import java.util.List;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.stream.Collectors; import java.util.stream.Collectors;
import org.openide.util.NbBundle.Messages; import org.openide.util.NbBundle.Messages;
@ -142,8 +143,8 @@ public class CaseEventListener implements PropertyChangeListener {
if (dbManager.getBadTags().contains(tagName.getDisplayName())) { if (dbManager.getBadTags().contains(tagName.getDisplayName())) {
try { try {
EamArtifact eamArtifact = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true); List<EamArtifact> convertedArtifacts = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true);
if (null != eamArtifact) { for (EamArtifact eamArtifact : convertedArtifacts) {
eamArtifact.getInstances().get(0).setComment(bbTagAdded.getComment()); eamArtifact.getInstances().get(0).setComment(bbTagAdded.getComment());
Runnable r = new BadFileTagRunner(eamArtifact); Runnable r = new BadFileTagRunner(eamArtifact);
// TODO: send r into a thread pool instead // TODO: send r into a thread pool instead


@ -44,14 +44,15 @@ import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb; import org.sleuthkit.autopsy.centralrepository.datamodel.EamDb;
/** /**
* Listen for ingest events and update entries in the Central Repository database accordingly * Listen for ingest events and update entries in the Central Repository
* database accordingly
*/ */
public class IngestEventsListener { public class IngestEventsListener {
private static final Logger LOGGER = Logger.getLogger(EamArtifact.class.getName()); private static final Logger LOGGER = Logger.getLogger(EamArtifact.class.getName());
final Collection<String> addedCeArtifactTrackerSet = new LinkedHashSet<>(); final Collection<String> addedCeArtifactTrackerSet = new LinkedHashSet<>();
private final PropertyChangeListener pcl1 = new IngestModuleEventListener(); private final PropertyChangeListener pcl1 = new IngestModuleEventListener();
private final PropertyChangeListener pcl2 = new IngestJobEventListener(); private final PropertyChangeListener pcl2 = new IngestJobEventListener();
@ -92,9 +93,8 @@ public class IngestEventsListener {
try { try {
for (BlackboardArtifact bbArtifact : bbArtifacts) { for (BlackboardArtifact bbArtifact : bbArtifacts) {
// eamArtifact will be null OR a EamArtifact containing one EamArtifactInstance. // eamArtifact will be null OR a EamArtifact containing one EamArtifactInstance.
EamArtifact eamArtifact = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true); List<EamArtifact> convertedArtifacts = EamArtifactUtil.fromBlackboardArtifact(bbArtifact, true, dbManager.getCorrelationTypes(), true);
if (null != eamArtifact) { for (EamArtifact eamArtifact : convertedArtifacts) {
try { try {
// Only do something with this artifact if it's unique within the job // Only do something with this artifact if it's unique within the job
if (addedCeArtifactTrackerSet.add(eamArtifact.toString())) { if (addedCeArtifactTrackerSet.add(eamArtifact.toString())) {
@ -105,7 +105,7 @@ public class IngestEventsListener {
List<String> caseDisplayNames = dbManager.getListCasesHavingArtifactInstancesKnownBad(eamArtifact); List<String> caseDisplayNames = dbManager.getListCasesHavingArtifactInstancesKnownBad(eamArtifact);
if (!caseDisplayNames.isEmpty()) { if (!caseDisplayNames.isEmpty()) {
postCorrelatedBadArtifactToBlackboard(bbArtifact, postCorrelatedBadArtifactToBlackboard(bbArtifact,
caseDisplayNames); caseDisplayNames);
} }
eamArtifacts.add(eamArtifact); eamArtifacts.add(eamArtifact);
} }
@ -140,7 +140,7 @@ public class IngestEventsListener {
// @@@ This isnt' entirely accurate to do here. We could have multiple // @@@ This isnt' entirely accurate to do here. We could have multiple
// ingest jobs at the same time // ingest jobs at the same time
addedCeArtifactTrackerSet.clear(); addedCeArtifactTrackerSet.clear();
} // DATA_SOURCE_ANALYSIS_COMPLETED } // DATA_SOURCE_ANALYSIS_COMPLETED
break; break;
} }
@ -153,7 +153,7 @@ public class IngestEventsListener {
try { try {
AbstractFile af = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID()); AbstractFile af = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID());
String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name(); String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name();
BlackboardArtifact tifArtifact = af.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT); BlackboardArtifact tifArtifact = af.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
BlackboardAttribute att = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, BlackboardAttribute att = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME,
@ -163,7 +163,7 @@ public class IngestEventsListener {
tifArtifact.addAttribute(att); tifArtifact.addAttribute(att);
tifArtifact.addAttribute(att2); tifArtifact.addAttribute(att2);
tifArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID())); tifArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID()));
try { try {
// index the artifact for keyword search // index the artifact for keyword search
Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard(); Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard();
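Review bot: The comment `// eamArtifact will be null OR a EamArtifact containing one EamArtifactInstance.` in the -92,9 hunk no longer matches the code beneath it, which now binds `convertedArtifacts` to a list. Replace it with `// convertedArtifacts holds one EamArtifact per correlation type that matched bbArtifact (empty if none); each carries the instance built by fromBlackboardArtifact.` The enclosing listener method starts and ends outside this hunk, so the surrounding dedup logic on addedCeArtifactTrackerSet could not be reviewed here.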