From 92b522a713927546ae87e2202821a8be6eca6017 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Fri, 7 Dec 2018 18:22:28 -0500 Subject: [PATCH 1/2] 4487 add setting to allow users not to add results to central repository --- .../eventlisteners/IngestEventsListener.java | 42 +++++++++++---- .../ingestmodule/Bundle.properties | 1 + .../ingestmodule/CentralRepoIngestModule.java | 54 +++++++++++-------- .../ingestmodule/IngestSettings.java | 21 ++++++-- .../ingestmodule/IngestSettingsPanel.form | 20 +++++-- .../ingestmodule/IngestSettingsPanel.java | 20 ++++--- 6 files changed, 112 insertions(+), 46 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java index 31c6cf00f6..1dc66b0bf6 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/IngestEventsListener.java @@ -62,6 +62,7 @@ public class IngestEventsListener { private static int correlationModuleInstanceCount; private static boolean flagNotableItems; private static boolean flagSeenDevices; + private static boolean createCrProperties; private final ExecutorService jobProcessingExecutor; private static final String INGEST_EVENT_THREAD_NAME = "Ingest-Event-Listener-%d"; private final PropertyChangeListener pcl1 = new IngestModuleEventListener(); @@ -145,6 +146,15 @@ public class IngestEventsListener { return flagSeenDevices; } + /** + * Are correlation properties being created + * + * @return True if creating correlation properties; otherwise false. + */ + public synchronized static boolean shouldCreateCrProperties() { + return createCrProperties; + } + /** * Configure the listener to flag notable items or not. * 
@@ -163,6 +173,15 @@ public class IngestEventsListener { flagSeenDevices = value; } + /** + * Configure the listener to create correlation properties + * + * @param value True to create properties; otherwise false. + */ + public synchronized static void setCreateCrProperties(boolean value) { + createCrProperties = value; + } + @NbBundle.Messages({"IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository)", "IngestEventsListener.prevCaseComment.text=Previous Case: ", "IngestEventsListener.ingestmodule.name=Correlation Engine"}) @@ -170,14 +189,14 @@ public class IngestEventsListener { try { String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name(); - + Collection attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, Bundle.IngestEventsListener_prevTaggedSet_text())); attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, Bundle.IngestEventsListener_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(",", "", "")))); attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID())); - + SleuthkitCase tskCase = bbArtifact.getSleuthkitCase(); AbstractFile abstractFile = tskCase.getAbstractFileById(bbArtifact.getObjectID()); org.sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard(); @@ -185,7 +204,7 @@ public class IngestEventsListener { if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT, attributes)) { BlackboardArtifact tifArtifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT); tifArtifact.addAttributes(attributes); - + try { // index the artifact for keyword search Blackboard blackboard = Case.getCurrentCaseThrows().getServices().getBlackboard(); 
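Review bot: The Javadoc on setCreateCrProperties() does not say that createCrProperties is one static value shared by every ingest job in the process, which is exactly what the `getCeModuleInstanceCount() == 1 || !shouldCreateCrProperties()` guard in CentralRepoIngestModule later in this patch relies on. Suggest `* Configure the listener to create correlation properties. The value is process-wide: it applies to events from every running ingest job, not only the job whose settings set it.`, and the same sentence on shouldCreateCrProperties() in the preceding hunk. Both new methods are declared `public synchronized static`; the JLS-recommended order, `public static synchronized`, reads more naturally.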
@@ -218,13 +237,13 @@ public class IngestEventsListener { try { String MODULE_NAME = Bundle.IngestEventsListener_ingestmodule_name(); - + Collection attributes = new ArrayList<>(); BlackboardAttribute att = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, Bundle.IngestEventsListener_prevExists_text()); attributes.add(att); attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT, MODULE_NAME, bbArtifact.getArtifactID())); - + SleuthkitCase tskCase = bbArtifact.getSleuthkitCase(); AbstractFile abstractFile = bbArtifact.getSleuthkitCase().getAbstractFileById(bbArtifact.getObjectID()); org.sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard(); @@ -232,7 +251,7 @@ public class IngestEventsListener { if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT, attributes)) { BlackboardArtifact tifArtifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT); tifArtifact.addAttributes(attributes); - + try { // index the artifact for keyword search Blackboard blackboard = Case.getCurrentCaseThrows().getServices().getBlackboard(); @@ -271,7 +290,8 @@ public class IngestEventsListener { //if ingest isn't running create the interesting items otherwise use the ingest module setting to determine if we create interesting items boolean flagNotable = !IngestManager.getInstance().isIngestRunning() || isFlagNotableItems(); boolean flagPrevious = !IngestManager.getInstance().isIngestRunning() || isFlagSeenDevices(); - jobProcessingExecutor.submit(new DataAddedTask(dbManager, evt, flagNotable, flagPrevious)); + boolean createAttributes = !IngestManager.getInstance().isIngestRunning() || shouldCreateCrProperties(); + jobProcessingExecutor.submit(new DataAddedTask(dbManager, evt, flagNotable, flagPrevious, createAttributes)); break; } } 
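Review bot: The new `createAttributes` line forces creation to true whenever ingest is not running, so the opt-out this commit introduces is ignored for data-added events that arrive outside an ingest job. This copies the existing `flagNotable`/`flagPrevious` pattern, but those two only drive read lookups, whereas this one decides whether the artifact is written into the shared central repository, which the commit title says users should be able to avoid. If that is not intended, honoring the configured value here (with `createCrProperties` initialised to true rather than the implicit false, so behaviour before the first ingest job is unchanged) would close the gap; if it is intended, the comment above these lines should say so. Minor: `IngestManager.getInstance().isIngestRunning()` is now evaluated three times in a row, which `boolean ingestRunning = IngestManager.getInstance().isIngestRunning();` would avoid. The enclosing method continues outside the hunk.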
@@ -311,12 +331,14 @@ public class IngestEventsListener { private final PropertyChangeEvent event; private final boolean flagNotableItemsEnabled; private final boolean flagPreviousItemsEnabled; + private final boolean createCorrelationAttributes; - private DataAddedTask(EamDb db, PropertyChangeEvent evt, boolean flagNotableItemsEnabled, boolean flagPreviousItemsEnabled) { + private DataAddedTask(EamDb db, PropertyChangeEvent evt, boolean flagNotableItemsEnabled, boolean flagPreviousItemsEnabled, boolean createCorrelationAttributes) { dbManager = db; event = evt; this.flagNotableItemsEnabled = flagNotableItemsEnabled; this.flagPreviousItemsEnabled = flagPreviousItemsEnabled; + this.createCorrelationAttributes = createCorrelationAttributes; } @Override @@ -369,7 +391,9 @@ public class IngestEventsListener { LOGGER.log(Level.INFO, String.format("Unable to flag notable item: %s.", eamArtifact.toString()), ex); } } - eamArtifacts.add(eamArtifact); + if (createCorrelationAttributes) { + eamArtifacts.add(eamArtifact); + } } } catch (EamDbException ex) { LOGGER.log(Level.SEVERE, "Error counting notable artifacts.", ex); diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties index f99db1edb6..ff9241750f 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties @@ -1,3 +1,4 @@ IngestSettingsPanel.ingestSettingsLabel.text=Ingest Settings IngestSettingsPanel.flagTaggedNotableItemsCheckbox.text=Flag items previously tagged as notable IngestSettingsPanel.flagPreviouslySeenDevicesCheckbox.text=Flag previously seen devices +IngestSettingsPanel.createCorrelationPropertiesCheckbox.text=Create correlation properties 
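Review bot: DataAddedTask's constructor now takes three consecutive positional booleans, and the caller in the `@@ -271` hunk passes them positionally too, so transposing `flagPrevious` and `createAttributes` would compile silently and only show up as data quietly written to, or withheld from, the central repository. A per-field comment would at least make the contract readable at the declaration, e.g. on the new field `// when false, notable / previously-seen hits are still flagged, but no new instance is written to the central repository`, which is what the guarded `eamArtifacts.add(eamArtifact)` in the `@@ -369` hunk implements. Passing the three settings as one object instead of three flags would remove the ordering risk altogether. The run() body holding the guarded add starts and ends outside that hunk.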
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java index ec37397536..ac74964b27 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoIngestModule.java @@ -65,6 +65,7 @@ final class CentralRepoIngestModule implements FileIngestModule { static final boolean DEFAULT_FLAG_TAGGED_NOTABLE_ITEMS = true; static final boolean DEFAULT_FLAG_PREVIOUS_DEVICES = true; + static final boolean DEFAULT_CREATE_CR_PROPERTIES = true; private final static Logger logger = Logger.getLogger(CentralRepoIngestModule.class.getName()); private final IngestServices services = IngestServices.getInstance(); @@ -77,6 +78,7 @@ final class CentralRepoIngestModule implements FileIngestModule { private CorrelationAttributeInstance.Type filesType; private final boolean flagTaggedNotableItems; private final boolean flagPreviouslySeenDevices; + private final boolean createCorrelationProperties; /** * Instantiate the Correlation Engine ingest module. @@ -86,6 +88,7 @@ final class CentralRepoIngestModule implements FileIngestModule { CentralRepoIngestModule(IngestSettings settings) { flagTaggedNotableItems = settings.isFlagTaggedNotableItems(); flagPreviouslySeenDevices = settings.isFlagPreviousDevices(); + createCorrelationProperties = settings.shouldCreateCorrelationProperties(); } @Override @@ -114,7 +117,7 @@ final class CentralRepoIngestModule implements FileIngestModule { if (abstractFile.getKnown() == TskData.FileKnown.KNOWN) { return ProcessResult.OK; } - + EamDb dbManager; try { dbManager = EamDb.getInstance(); 
@@ -149,32 +152,34 @@ final class CentralRepoIngestModule implements FileIngestModule { } catch (EamDbException ex) { logger.log(Level.SEVERE, "Error searching database for artifact.", ex); // NON-NLS return ProcessResult.ERROR; - } catch (CorrelationAttributeNormalizationException ex){ + } catch (CorrelationAttributeNormalizationException ex) { logger.log(Level.INFO, "Error searching database for artifact.", ex); // NON-NLS return ProcessResult.ERROR; } } // insert this file into the central repository - try { - CorrelationAttributeInstance cefi = new CorrelationAttributeInstance( - filesType, - md5, - eamCase, - eamDataSource, - abstractFile.getParentPath() + abstractFile.getName(), - null, - TskData.FileKnown.UNKNOWN // NOTE: Known status in the CR is based on tagging, not hashes like the Case Database. -, abstractFile.getId()); - dbManager.addAttributeInstanceBulk(cefi); - } catch (EamDbException ex) { - logger.log(Level.SEVERE, "Error adding artifact to bulk artifacts.", ex); // NON-NLS - return ProcessResult.ERROR; - } catch (CorrelationAttributeNormalizationException ex) { - logger.log(Level.INFO, "Error adding artifact to bulk artifacts.", ex); // NON-NLS - return ProcessResult.ERROR; + if (createCorrelationProperties) { + try { + CorrelationAttributeInstance cefi = new CorrelationAttributeInstance( + filesType, + md5, + eamCase, + eamDataSource, + abstractFile.getParentPath() + abstractFile.getName(), + null, + TskData.FileKnown.UNKNOWN // NOTE: Known status in the CR is based on tagging, not hashes like the Case Database. + , + abstractFile.getId()); + dbManager.addAttributeInstanceBulk(cefi); + } catch (EamDbException ex) { + logger.log(Level.SEVERE, "Error adding artifact to bulk artifacts.", ex); // NON-NLS + return ProcessResult.ERROR; + } catch (CorrelationAttributeNormalizationException ex) { + logger.log(Level.INFO, "Error adding artifact to bulk artifacts.", ex); // NON-NLS + return ProcessResult.ERROR; + } } - return ProcessResult.OK; } 
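Review bot: The comment `// insert this file into the central repository` now sits above a block that may be skipped entirely, and a reader skimming it will not see that; suggest `// insert this file into the central repository, unless this job was configured not to create correlation properties`. The reformatting also left the argument-separating comma on a line of its own after the `TskData.FileKnown.UNKNOWN // NOTE: ...` trailing comment; moving that NOTE onto its own line above the argument list lets the comma return to the end of the preceding argument. When `createCorrelationProperties` is false the method still appears to require the repository connection and the lookups that precede this block, so an early exit for jobs that neither flag nor create may be worth considering, though the start of the method is outside the hunk.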
@@ -237,6 +242,9 @@ final class CentralRepoIngestModule implements FileIngestModule { if (IngestEventsListener.getCeModuleInstanceCount() == 1 || !IngestEventsListener.isFlagSeenDevices()) { IngestEventsListener.setFlagSeenDevices(flagPreviouslySeenDevices); } + if (IngestEventsListener.getCeModuleInstanceCount() == 1 || !IngestEventsListener.shouldCreateCrProperties()) { + IngestEventsListener.setCreateCrProperties(createCorrelationProperties); + } if (EamDb.isEnabled() == false) { /* @@ -325,7 +333,7 @@ final class CentralRepoIngestModule implements FileIngestModule { /** * Post a new interesting artifact for the file marked bad. - * + * * @param abstractFile The file from which to create an artifact. * @param caseDisplayNames Case names to be added to a TSK_COMMON attribute. */ @@ -333,13 +341,13 @@ final class CentralRepoIngestModule implements FileIngestModule { try { String MODULE_NAME = CentralRepoIngestModuleFactory.getModuleName(); - + Collection attributes = new ArrayList<>(); attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME, MODULE_NAME, Bundle.CentralRepoIngestModule_prevTaggedSet_text())); attributes.add(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT, MODULE_NAME, Bundle.CentralRepoIngestModule_prevCaseComment_text() + caseDisplayNames.stream().distinct().collect(Collectors.joining(",", "", "")))); - + SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase(); org.sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard(); // Create artifact if it doesn't already exist. diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java index 74ad3537d8..34169a0cc7 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java 
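Review bot: The new condition `getCeModuleInstanceCount() == 1 || !shouldCreateCrProperties()` copies the flag-seen-devices pattern, which only ever lets an additional module instance switch the static from false to true; for an opt-out that means a second ingest job started with the box checked re-enables creation for a job that unchecked it, and the static stays true while the jobs overlap. If the intent is that an opted-out job keeps its data out of the shared repository, the combination should favour false instead, e.g. `if (IngestEventsListener.getCeModuleInstanceCount() == 1 || IngestEventsListener.shouldCreateCrProperties()) {`, so that a false from any running job wins until the count drops back to one (how the count is maintained is not shown here). Otherwise the setter's Javadoc should state that the setting is process-wide and that the last job to enable it wins. The enclosing method continues outside the hunk.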
@@ -29,6 +29,7 @@ final class IngestSettings implements IngestModuleIngestJobSettings { private boolean flagTaggedNotableItems; private boolean flagPreviousDevices; + private boolean createCorrelationProperties; /** * Instantiate the ingest job settings with default values. @@ -36,17 +37,22 @@ final class IngestSettings implements IngestModuleIngestJobSettings { IngestSettings() { this.flagTaggedNotableItems = CentralRepoIngestModule.DEFAULT_FLAG_TAGGED_NOTABLE_ITEMS; this.flagPreviousDevices = CentralRepoIngestModule.DEFAULT_FLAG_PREVIOUS_DEVICES; + this.createCorrelationProperties = CentralRepoIngestModule.DEFAULT_CREATE_CR_PROPERTIES; } /** * Instantiate the ingest job settings. * - * @param flagTaggedNotableItems Flag previously tagged notable items. - * @param flagPreviousDevices Flag devices which exist already in the Central Repository + * @param flagTaggedNotableItems Flag previously tagged notable items. + * @param flagPreviousDevices Flag devices which exist already in + * the Central Repository + * @param createCorrelationProperties Create correlation properties in the + * central repository */ - IngestSettings(boolean flagTaggedNotableItems, boolean flagPreviousDevices) { + IngestSettings(boolean flagTaggedNotableItems, boolean flagPreviousDevices, boolean createCorrelationProperties) { this.flagTaggedNotableItems = flagTaggedNotableItems; this.flagPreviousDevices = flagPreviousDevices; + this.createCorrelationProperties = createCorrelationProperties; } @Override @@ -71,4 +77,13 @@ final class IngestSettings implements IngestModuleIngestJobSettings { boolean isFlagPreviousDevices() { return flagPreviousDevices; } + + /** + * Should correlation properties be created + * + * @return True if creating; otherwise false. + */ + boolean shouldCreateCorrelationProperties() { + return createCorrelationProperties; + } } 
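Review bot: Adding `createCorrelationProperties` to a class that keeps `serialVersionUID = 1L` (visible in the PATCH 2/2 hunk) changes its serialized form without changing its version, so if these settings are persisted with Java serialization, as the serialVersionUID suggests, an IngestSettings saved before this change deserializes with the new field at its implicit `false` rather than `DEFAULT_CREATE_CR_PROPERTIES`, and an existing ingest profile would silently stop writing to the central repository. The usual repair is a `private void readObject(ObjectInputStream in)` that reads `in.readFields()` and takes `fields.get("createCorrelationProperties", CentralRepoIngestModule.DEFAULT_CREATE_CR_PROPERTIES)`, but the PATCH 2/2 hunk makes the fields `final`, which rules out assigning them there; either keep that field non-final for this purpose, or bump serialVersionUID deliberately so stale settings are rejected and re-created from defaults instead of reinterpreted. Whichever is chosen should be recorded in a comment next to serialVersionUID.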
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.form b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.form index 3c2fddca0f..82383f135f 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.form +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.form @@ -22,9 +22,10 @@ - - - + + + + @@ -37,11 +38,13 @@ - + + + - + @@ -71,5 +74,12 @@ + + + + + + + diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.java index 159f925355..6438b399e7 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettingsPanel.java @@ -43,11 +43,12 @@ final class IngestSettingsPanel extends IngestModuleIngestJobSettingsPanel { private void customizeComponents(IngestSettings settings) { flagTaggedNotableItemsCheckbox.setSelected(settings.isFlagTaggedNotableItems()); flagPreviouslySeenDevicesCheckbox.setSelected(settings.isFlagPreviousDevices()); + createCorrelationPropertiesCheckbox.setSelected(settings.shouldCreateCorrelationProperties()); } @Override public IngestModuleIngestJobSettings getSettings() { - return new IngestSettings(flagTaggedNotableItemsCheckbox.isSelected(), flagPreviouslySeenDevicesCheckbox.isSelected()); + return new IngestSettings(flagTaggedNotableItemsCheckbox.isSelected(), flagPreviouslySeenDevicesCheckbox.isSelected(), createCorrelationPropertiesCheckbox.isSelected()); } /** 
@@ -62,6 +63,7 @@ final class IngestSettingsPanel extends IngestModuleIngestJobSettingsPanel { ingestSettingsLabel = new javax.swing.JLabel(); flagTaggedNotableItemsCheckbox = new javax.swing.JCheckBox(); flagPreviouslySeenDevicesCheckbox = new javax.swing.JCheckBox(); + createCorrelationPropertiesCheckbox = new javax.swing.JCheckBox(); ingestSettingsLabel.setFont(new java.awt.Font("Tahoma", 1, 11)); // NOI18N org.openide.awt.Mnemonics.setLocalizedText(ingestSettingsLabel, org.openide.util.NbBundle.getMessage(IngestSettingsPanel.class, "IngestSettingsPanel.ingestSettingsLabel.text")); // NOI18N @@ -70,6 +72,8 @@ final class IngestSettingsPanel extends IngestModuleIngestJobSettingsPanel { org.openide.awt.Mnemonics.setLocalizedText(flagPreviouslySeenDevicesCheckbox, org.openide.util.NbBundle.getMessage(IngestSettingsPanel.class, "IngestSettingsPanel.flagPreviouslySeenDevicesCheckbox.text")); // NOI18N + org.openide.awt.Mnemonics.setLocalizedText(createCorrelationPropertiesCheckbox, org.openide.util.NbBundle.getMessage(IngestSettingsPanel.class, "IngestSettingsPanel.createCorrelationPropertiesCheckbox.text")); // NOI18N + javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this); this.setLayout(layout); layout.setHorizontalGroup( 
@@ -80,9 +84,10 @@ final class IngestSettingsPanel extends IngestModuleIngestJobSettingsPanel { .addComponent(ingestSettingsLabel) .addGroup(layout.createSequentialGroup() .addGap(10, 10, 10) - .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) - .addComponent(flagPreviouslySeenDevicesCheckbox) - .addComponent(flagTaggedNotableItemsCheckbox)))) + .addGroup(layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING, false) + .addComponent(flagTaggedNotableItemsCheckbox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) + .addComponent(flagPreviouslySeenDevicesCheckbox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE) + .addComponent(createCorrelationPropertiesCheckbox, javax.swing.GroupLayout.DEFAULT_SIZE, javax.swing.GroupLayout.DEFAULT_SIZE, Short.MAX_VALUE)))) .addContainerGap(65, Short.MAX_VALUE)) ); layout.setVerticalGroup( @@ -90,15 +95,18 @@ final class IngestSettingsPanel extends IngestModuleIngestJobSettingsPanel { .addGroup(layout.createSequentialGroup() .addContainerGap() .addComponent(ingestSettingsLabel) - .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) + .addGap(9, 9, 9) + .addComponent(createCorrelationPropertiesCheckbox) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(flagTaggedNotableItemsCheckbox) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED) .addComponent(flagPreviouslySeenDevicesCheckbox) - .addContainerGap(222, Short.MAX_VALUE)) + .addContainerGap(197, Short.MAX_VALUE)) ); }// //GEN-END:initComponents // Variables declaration - do not modify//GEN-BEGIN:variables + private javax.swing.JCheckBox createCorrelationPropertiesCheckbox; private javax.swing.JCheckBox flagPreviouslySeenDevicesCheckbox; private javax.swing.JCheckBox flagTaggedNotableItemsCheckbox; private javax.swing.JLabel ingestSettingsLabel; 
From ee8b2931e57c3cd2780dcb5eba3e213bcef23615 Mon Sep 17 00:00:00 2001 From: William Schaefer Date: Mon, 10 Dec 2018 10:21:35 -0500 Subject: [PATCH 2/2] 4487 address codacy complain about variables not final --- .../centralrepository/ingestmodule/IngestSettings.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java index 34169a0cc7..454a2c3628 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/IngestSettings.java @@ -27,9 +27,9 @@ final class IngestSettings implements IngestModuleIngestJobSettings { private static final long serialVersionUID = 1L; - private boolean flagTaggedNotableItems; - private boolean flagPreviousDevices; - private boolean createCorrelationProperties; + private final boolean flagTaggedNotableItems; + private final boolean flagPreviousDevices; + private final boolean createCorrelationProperties; /** * Instantiate the ingest job settings with default values.