From dd38063bc4957bc852ffb32a7b75b5338351e4b6 Mon Sep 17 00:00:00 2001
From: William Schaefer
Date: Fri, 22 Oct 2021 14:43:41 -0400
Subject: [PATCH] 7953 base changes for interesting item change
---
.../datamodel/CorrelationAttributeUtil.java | 2 +-
.../annotations/AnnotationUtils.java | 23 ++-
.../annotations/AnnotationsContentViewer.java | 3 +-
.../autopsy/datamodel/Artifacts.java | 3 +
.../datamodel/BlackboardArtifactNode.java | 7 +-
.../datamodel/AnalysisSummary.java | 2 +-
.../ui/AnalysisSummaryGetter.java | 1 +
.../ui/PastCasesSummaryGetter.java | 3 +-
.../DirectoryTreeTopComponent.java | 8 +-
.../discovery/search/DiscoveryAttributes.java | 4 +-
.../discovery/search/SearchFiltering.java | 6 +-
.../autopsy/discovery/ui/DiscoveryDialog.java | 3 +-
.../ui/InterestingItemsFilterPanel.java | 2 +-
.../dsp/AddLogicalImageTask.java | 2 +-
.../SevenZipExtractor.java | 6 +-
.../filetypeid/FileTypeIdIngestModule.java | 10 +-
.../FilesIdentifierIngestModule.java | 6 +-
...PortableCaseInterestingItemsListPanel.java | 1 +
.../infrastructure/TableReportGenerator.java | 59 +++++--
.../report/modules/html/HTMLReport.java | 38 +++--
.../PortableCaseReportModule.java | 154 ++++++++++--------
...nterestingArtifactCreatorIngestModule.java | 4 +-
.../autopsy/ingest/EmbeddedFileTest.java | 2 +-
.../volatilityDSP/VolatilityProcessor.java | 4 +-
docs/doxygen/modFileIngestTutorial.dox | 8 +-
.../FindBigRoundFiles.py | 4 +-
pythonExamples/dataSourceIngestModule.py | 6 +-
pythonExamples/fileIngestModule.py | 6 +-
28 files changed, 226 insertions(+), 151 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java
index 4243a36b51..20e519b1a0 100755
--- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java
+++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CorrelationAttributeUtil.java
@@ -142,7 +142,7 @@ public class CorrelationAttributeUtil { if (CentralRepository.isEnabled()) { try { int artifactTypeID = analysisResult.getArtifactTypeID(); - if (artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()) { + if (ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID()) { //because this attribute retrieval is only occuring when the analysis result is an interesting artifact hit //and only one attribute is being retrieved the analysis result's own get attribute method can be used efficently BlackboardAttribute assocArtifactAttr = analysisResult.getAttribute(BlackboardAttribute.Type.TSK_ASSOCIATED_ARTIFACT); diff --git a/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationUtils.java b/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationUtils.java index 44924a0a30..af6fcc8047 100755 --- a/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationUtils.java +++ b/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationUtils.java @@ -73,6 +73,7 @@ public class AnnotationUtils { "AnnotationUtils.fileHitEntry.artifactCommentTitle=Artifact Comment", "AnnotationUtils.fileHitEntry.hashSetHitTitle=Hash Set Hit Comments", "AnnotationUtils.fileHitEntry.interestingFileHitTitle=Interesting File Hit Comments", + "AnnotationUtils.fileHitEntry.interestingItemTitle=Interesting Item Comments", "AnnotationUtils.fileHitEntry.setName=Set Name:", "AnnotationUtils.fileHitEntry.comment=Comment:", "AnnotationUtils.sourceFile.title=Source File", 
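Review bot: The rewritten condition in the CorrelationAttributeUtil hunk drops the `artifactTypeID ==` comparison from its left operand, so `ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() || ...` applies `||` to an int and will not compile. It should read `if (artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() || artifactTypeID == ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID()) {`. The comment directly beneath it still says the attribute retrieval only occurs for an interesting artifact hit and should name the new type as well. The enclosing method starts and ends outside the hunk.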
@@ -94,8 +95,8 @@ public class AnnotationUtils { private static final SectionConfig TAG_CONFIG = new SectionConfig<>(Bundle.AnnotationUtils_tagEntry_title(), TAG_ENTRIES); - // file set attributes and table configurations - private static final List> FILESET_HIT_ENTRIES = Arrays.asList( + // Item set attributes and table configurations + private static final List> ITEMSET_HIT_ENTRIES = Arrays.asList( new ItemEntry<>(Bundle.AnnotationUtils_fileHitEntry_setName(), (bba) -> tryGetAttribute(bba, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME)), new ItemEntry<>(Bundle.AnnotationUtils_fileHitEntry_comment(), @@ -103,13 +104,16 @@ public class AnnotationUtils { ); private static final SectionConfig INTERESTING_FILE_CONFIG - = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_interestingFileHitTitle(), FILESET_HIT_ENTRIES); + = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_interestingFileHitTitle(), ITEMSET_HIT_ENTRIES); + + private static final SectionConfig INTERESTING_ITEM_CONFIG + = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_interestingItemTitle(), ITEMSET_HIT_ENTRIES); private static final SectionConfig HASHSET_CONFIG - = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_hashSetHitTitle(), FILESET_HIT_ENTRIES); + = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_hashSetHitTitle(), ITEMSET_HIT_ENTRIES); private static final SectionConfig ARTIFACT_COMMENT_CONFIG - = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_artifactCommentTitle(), FILESET_HIT_ENTRIES); + = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_artifactCommentTitle(), ITEMSET_HIT_ENTRIES); // central repository attributes and table configuration private static final List> CR_COMMENTS_ENTRIES = Arrays.asList( 
@@ -211,7 +215,7 @@ public class AnnotationUtils { // if artifact is a hashset hit or interesting file and has a non-blank comment if ((BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() == bba.getArtifactTypeID() - || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() == bba.getArtifactTypeID()) + || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() == bba.getArtifactTypeID() || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() == bba.getArtifactTypeID()) && (hasTskComment(bba))) { boolean filesetRendered = appendEntries(parent, ARTIFACT_COMMENT_CONFIG, Arrays.asList(bba), false, !contentRendered); @@ -266,7 +270,12 @@ public class AnnotationUtils { isSubheader, !contentRendered); - contentRendered = contentRendered || hashsetRendered || interestingFileRendered; + boolean interestingItemRendered = appendEntries(parent, INTERESTING_ITEM_CONFIG, + getFileSetHits(sourceFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM), + isSubheader, + !contentRendered); + + contentRendered = contentRendered || hashsetRendered || interestingFileRendered || interestingItemRendered; } return contentRendered; } diff --git a/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationsContentViewer.java b/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationsContentViewer.java index c01548026b..9e128c1470 100755 --- a/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationsContentViewer.java +++ b/Core/src/org/sleuthkit/autopsy/contentviewers/annotations/AnnotationsContentViewer.java 
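Review bot: The comment above the widened condition in the first AnnotationUtils hunk still reads "if artifact is a hashset hit or interesting file", although the check now also accepts `TSK_INTERESTING_ITEM`; it should become something like `// if artifact is a hashset hit, interesting file hit or interesting item and has a non-blank comment`. The third alternative was appended to the end of an existing line, and putting each `||` operand on its own line as the two before it would keep the condition readable. In the second hunk the new block calls `getFileSetHits(...)` for item hits, so that helper's name and Javadoc (outside the diff) may also need updating.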
@@ -75,7 +75,8 @@ public class AnnotationsContentViewer extends javax.swing.JPanel implements Data private static final Set ARTIFACT_TYPES_OF_INTEREST = ImmutableSet.of( BlackboardArtifact.Type.TSK_HASHSET_HIT, - BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT + BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, + BlackboardArtifact.Type.TSK_INTERESTING_ITEM ); private final PropertyChangeListener ingestEventListener = (evt) -> { diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java index 3f08b3f0bb..7fa44e4c44 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/Artifacts.java @@ -250,6 +250,9 @@ public class Artifacts { KeywordHits.RootNode keywordsNode = new KeywordHits(skCase, dsObjId).new RootNode(); return new TypeNodeKey(keywordsNode, TSK_KEYWORD_HIT); + } else if (TSK_INTERESTING_ITEM.getTypeID() == typeId) { + InterestingHits.RootNode interestingHitsNode = new InterestingHits(skCase, TSK_INTERESTING_ITEM, dsObjId).new RootNode(); + return new TypeNodeKey(interestingHitsNode, TSK_INTERESTING_ITEM); } else if (TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == typeId) { InterestingHits.RootNode interestingHitsNode = new InterestingHits(skCase, TSK_INTERESTING_ARTIFACT_HIT, dsObjId).new RootNode(); return new TypeNodeKey(interestingHitsNode, TSK_INTERESTING_ARTIFACT_HIT); diff --git a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java index fb71edf83a..a382cd6df0 100644 --- a/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java +++ b/Core/src/org/sleuthkit/autopsy/datamodel/BlackboardArtifactNode.java 
@@ -151,7 +151,8 @@ public class BlackboardArtifactNode extends AbstractContentNode> getInterestingItemCounts(DataSource dataSource) throws SleuthkitCaseProviderException, TskCoreException { - return getCountsData(dataSource, TYPE_SET_NAME, ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT); + return getCountsData(dataSource, TYPE_SET_NAME, ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT, ARTIFACT_TYPE.TSK_INTERESTING_ITEM); } /** diff --git a/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/AnalysisSummaryGetter.java b/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/AnalysisSummaryGetter.java index 135a5ef757..cc8f855c18 100644 --- a/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/AnalysisSummaryGetter.java +++ b/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/AnalysisSummaryGetter.java @@ -41,6 +41,7 @@ public class AnalysisSummaryGetter implements DefaultArtifactUpdateGovernor { private static final Set ARTIFACT_UPDATE_TYPE_IDS = new HashSet<>(Arrays.asList( ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID(), ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID(), + ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID(), ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID(), ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() )); diff --git a/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/PastCasesSummaryGetter.java b/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/PastCasesSummaryGetter.java index 2a2c0b8a55..a861b514f1 100644 --- a/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/PastCasesSummaryGetter.java +++ b/Core/src/org/sleuthkit/autopsy/datasourcesummary/ui/PastCasesSummaryGetter.java 
@@ -40,7 +40,8 @@ public class PastCasesSummaryGetter implements DefaultArtifactUpdateGovernor { private static final Set ARTIFACT_UPDATE_TYPE_IDS = new HashSet<>(Arrays.asList( ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID(), - ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() + ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID(), + ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() )); private final PastCasesSummary pastSummary; diff --git a/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java b/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java index ff1b497298..ba33c4433b 100644 --- a/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java +++ b/Core/src/org/sleuthkit/autopsy/directorytree/DirectoryTreeTopComponent.java @@ -1275,7 +1275,7 @@ public final class DirectoryTreeTopComponent extends TopComponent implements Dat return; } } - + final Set finalHosts = hosts; Optional osAccountListNodeOpt = Stream.of(em.getRootContext().getChildren().getNodes(true)) @@ -1358,6 +1358,8 @@ public final class DirectoryTreeTopComponent extends TopComponent implements Dat treeNode = getInterestingItemNode(typesChildren, BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, art); } else if (typeID == BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()) { treeNode = getInterestingItemNode(typesChildren, BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, art); + } else if (typeID == BlackboardArtifact.Type.TSK_INTERESTING_ITEM.getTypeID()) { + treeNode = getInterestingItemNode(typesChildren, BlackboardArtifact.Type.TSK_INTERESTING_ITEM, art); } else if (typeID == BlackboardArtifact.Type.TSK_EMAIL_MSG.getTypeID()) { treeNode = getEmailNode(typesChildren, art); } else if (typeID == BlackboardArtifact.Type.TSK_ACCOUNT.getTypeID()) { 
@@ -1495,12 +1497,12 @@ public final class DirectoryTreeTopComponent extends TopComponent implements Dat private Node getInterestingItemNode(Children typesChildren, BlackboardArtifact.Type artifactType, BlackboardArtifact art) { Node interestingItemsRootNode = typesChildren.findChild(artifactType.getDisplayName()); Children setNodeChildren = (interestingItemsRootNode == null) ? null : interestingItemsRootNode.getChildren(); - + // set node children for type could not be found, so return null. if (setNodeChildren == null) { return null; } - + String setName = null; try { setName = art.getAttributes().stream() diff --git a/Core/src/org/sleuthkit/autopsy/discovery/search/DiscoveryAttributes.java b/Core/src/org/sleuthkit/autopsy/discovery/search/DiscoveryAttributes.java index c1436ff890..806349175a 100644 --- a/Core/src/org/sleuthkit/autopsy/discovery/search/DiscoveryAttributes.java +++ b/Core/src/org/sleuthkit/autopsy/discovery/search/DiscoveryAttributes.java @@ -791,8 +791,8 @@ public class DiscoveryAttributes { CentralRepository centralRepoDb, SearchContext context) throws DiscoveryException, SearchCancellationException { // Get pairs of (object ID, interesting item set name) for all files in the list of files that have - // interesting file set hits. - String selectQuery = createSetNameClause(results, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID(), + // interesting item set hits. + String selectQuery = createSetNameClause(results, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()); InterestingFileSetNamesCallback callback = new InterestingFileSetNamesCallback(results); diff --git a/Core/src/org/sleuthkit/autopsy/discovery/search/SearchFiltering.java b/Core/src/org/sleuthkit/autopsy/discovery/search/SearchFiltering.java index eba1402ccf..5c2e203627 100644 --- a/Core/src/org/sleuthkit/autopsy/discovery/search/SearchFiltering.java 
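Review bot: The set-name query in the DiscoveryAttributes hunk now selects only `TSK_INTERESTING_ITEM`, so files whose hits were recorded as `TSK_INTERESTING_FILE_HIT` in cases ingested before this change would no longer receive an interesting-item set name in Discovery grouping. The InterestingItemsFilterPanel hunk makes the same single-type switch in its `DiscoveryUiUtils.getSetNames(...)` call, while the SearchFiltering hunks in this commit match both type IDs. If `createSetNameClause` and `getSetNames` accept only one type (their signatures are outside the diff), consider querying both types or migrating legacy artifacts so that existing cases do not silently lose results. The enclosing method continues outside the hunk.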
+++ b/Core/src/org/sleuthkit/autopsy/discovery/search/SearchFiltering.java @@ -875,8 +875,9 @@ public class SearchFiltering { String intItemSetPart = concatenateNamesForSQL(setNames); String queryStr = "(obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_id IN " - + "(SELECT artifact_id FROM blackboard_attributes WHERE artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() - + " AND attribute_type_ID = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " " + + "(SELECT artifact_id FROM blackboard_attributes WHERE (artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() + +" OR artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() + + ") AND attribute_type_ID = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " " + "AND (" + intItemSetPart + "))))"; // NON-NLS return queryStr; @@ -964,6 +965,7 @@ public class SearchFiltering { if (scores.contains(Score.INTERESTING)) { // Matches interesting item artifact intItemQueryPart = " (obj_id IN (SELECT obj_id from blackboard_artifacts WHERE artifact_type_id = " + + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() + " OR artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() + ")) "; } diff --git a/Core/src/org/sleuthkit/autopsy/discovery/ui/DiscoveryDialog.java b/Core/src/org/sleuthkit/autopsy/discovery/ui/DiscoveryDialog.java index 63bbf673a8..183398118a 100644 --- a/Core/src/org/sleuthkit/autopsy/discovery/ui/DiscoveryDialog.java +++ b/Core/src/org/sleuthkit/autopsy/discovery/ui/DiscoveryDialog.java 
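Review bot: The query in the first SearchFiltering hunk is still assembled by string concatenation, and `intItemSetPart` comes from `concatenateNamesForSQL(setNames)`, whose body is not visible here. Elsewhere in this commit set names are taken from values such as `ruleSetName` and `filesSet.getName()` rather than from constants, so confirm that the helper escapes single quotes before this query is widened to a second artifact type. A comment above `queryStr` such as `// set names are escaped by concatenateNamesForSQL; type IDs are enum ints` would record that assumption once verified. The added line `+" OR artifact_type_id = "` also lacks the space after `+` that the neighbouring lines use.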
@@ -746,7 +746,8 @@ final class DiscoveryDialog extends javax.swing.JDialog { shouldUpdate = shouldUpdateFilters(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION.getTypeID(), eventData, objectsDetected); } else if (eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) { shouldUpdate = shouldUpdateFilters(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), eventData, hashSets); - } else if (eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() + } else if (eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() + || eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() || eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()) { shouldUpdate = shouldUpdateFilters(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), eventData, interestingItems); } diff --git a/Core/src/org/sleuthkit/autopsy/discovery/ui/InterestingItemsFilterPanel.java b/Core/src/org/sleuthkit/autopsy/discovery/ui/InterestingItemsFilterPanel.java index ed4a181ec1..4735e81c82 100644 --- a/Core/src/org/sleuthkit/autopsy/discovery/ui/InterestingItemsFilterPanel.java +++ b/Core/src/org/sleuthkit/autopsy/discovery/ui/InterestingItemsFilterPanel.java 
@@ -58,7 +58,7 @@ final class InterestingItemsFilterPanel extends AbstractDiscoveryFilterPanel { private void setUpInterestingItemsFilter() { try { interestingItemsList.clearList(); - List setNames = DiscoveryUiUtils.getSetNames(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, + List setNames = DiscoveryUiUtils.getSetNames(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME); for (String name : setNames) { interestingItemsList.addElement(name, null, name); diff --git a/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddLogicalImageTask.java b/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddLogicalImageTask.java index eb52c88baf..3257a3f009 100644 --- a/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddLogicalImageTask.java +++ b/Core/src/org/sleuthkit/autopsy/logicalimager/dsp/AddLogicalImageTask.java @@ -443,7 +443,7 @@ final class AddLogicalImageTask implements Runnable { BlackboardArtifact artifact; try { artifact = this.blackboard.newAnalysisResult( - BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, fileId, dataSourceId, + BlackboardArtifact.Type.TSK_INTERESTING_ITEM, fileId, dataSourceId, Score.SCORE_LIKELY_NOTABLE, null, ruleSetName, null, Arrays.asList( diff --git a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java index 75cef1a8f1..c4b707e837 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java +++ b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java 
@@ -69,7 +69,7 @@ import org.sleuthkit.autopsy.modules.filetypeid.FileTypeDetector; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; -import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM; import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION; @@ -327,10 +327,10 @@ class SevenZipExtractor { TSK_COMMENT, MODULE_NAME, details)); - if (!blackboard.artifactExists(archiveFile, TSK_INTERESTING_FILE_HIT, attributes)) { + if (!blackboard.artifactExists(archiveFile, TSK_INTERESTING_ITEM, attributes)) { BlackboardArtifact artifact = rootArchive.getArchiveFile().newAnalysisResult( - BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, null, setName, null, attributes) .getAnalysisResult(); diff --git a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java index 0288d5b463..ce18ef7b1a 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/filetypeid/FileTypeIdIngestModule.java 
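Review bot: The duplicate check `blackboard.artifactExists(archiveFile, TSK_INTERESTING_ITEM, attributes)` in the second SevenZipExtractor hunk now looks only for the new type, so re-running ingest on a case that already holds the equivalent `TSK_INTERESTING_FILE_HIT` artifact would presumably create a second hit for the same file. The same pattern appears in the FileTypeIdIngestModule and FilesIdentifierIngestModule hunks. Because the AnalysisSummary change in this commit counts both types together, such duplicates would inflate per-set counts. Consider also testing the legacy type, for example `&& !blackboard.artifactExists(archiveFile, TSK_INTERESTING_FILE_HIT, attributes)`, which would need the static import this commit removes; the enclosing method is only partly visible.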
@@ -36,7 +36,7 @@ import org.sleuthkit.autopsy.modules.filetypeid.CustomFileTypesManager.CustomFil import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; -import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM; import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; @@ -194,9 +194,9 @@ public class FileTypeIdIngestModule implements FileIngestModule { Blackboard tskBlackboard = currentCase.getSleuthkitCase().getBlackboard(); // Create artifact if it doesn't already exist. - if (!tskBlackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) { + if (!tskBlackboard.artifactExists(file, TSK_INTERESTING_ITEM, attributes)) { BlackboardArtifact artifact = file.newAnalysisResult( - BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, null, fileType.getInterestingFilesSetName(), null, attributes) .getAnalysisResult(); 
@@ -208,12 +208,12 @@ public class FileTypeIdIngestModule implements FileIngestModule { */ tskBlackboard.postArtifact(artifact, FileTypeIdModuleFactory.getModuleName()); } catch (Blackboard.BlackboardException ex) { - logger.log(Level.SEVERE, String.format("Unable to index TSK_INTERESTING_FILE_HIT blackboard artifact %d (file obj_id=%d)", artifact.getArtifactID(), file.getId()), ex); //NON-NLS + logger.log(Level.SEVERE, String.format("Unable to index TSK_INTERESTING_ITEM blackboard artifact %d (file obj_id=%d)", artifact.getArtifactID(), file.getId()), ex); //NON-NLS } } } catch (TskCoreException ex) { - logger.log(Level.SEVERE, String.format("Unable to create TSK_INTERESTING_FILE_HIT artifact for file (obj_id=%d)", file.getId()), ex); //NON-NLS + logger.log(Level.SEVERE, String.format("Unable to create TSK_INTERESTING_ITEM artifact for file (obj_id=%d)", file.getId()), ex); //NON-NLS } catch (NoCurrentCaseException ex) { logger.log(Level.SEVERE, "Exception while getting open case.", ex); //NON-NLS } diff --git a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java index d447f204d5..aeeebc7726 100644 --- a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java 
@@ -39,7 +39,7 @@ import org.sleuthkit.autopsy.ingest.IngestServices; import org.sleuthkit.datamodel.AbstractFile; import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardArtifact; -import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT; +import static org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM; import org.sleuthkit.datamodel.BlackboardAttribute; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY; import static org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME; @@ -142,9 +142,9 @@ final class FilesIdentifierIngestModule implements FileIngestModule { ); // Create artifact if it doesn't already exist. - if (!blackboard.artifactExists(file, TSK_INTERESTING_FILE_HIT, attributes)) { + if (!blackboard.artifactExists(file, TSK_INTERESTING_ITEM, attributes)) { BlackboardArtifact artifact = file.newAnalysisResult( - BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, null, filesSet.getName(), null, attributes) .getAnalysisResult(); diff --git a/Core/src/org/sleuthkit/autopsy/report/infrastructure/PortableCaseInterestingItemsListPanel.java b/Core/src/org/sleuthkit/autopsy/report/infrastructure/PortableCaseInterestingItemsListPanel.java index 7de12c20da..7fb55cde6a 100644 --- a/Core/src/org/sleuthkit/autopsy/report/infrastructure/PortableCaseInterestingItemsListPanel.java +++ b/Core/src/org/sleuthkit/autopsy/report/infrastructure/PortableCaseInterestingItemsListPanel.java 
@@ -108,6 +108,7 @@ class PortableCaseInterestingItemsListPanel extends javax.swing.JPanel { try { // Get all SET_NAMEs from interesting item artifacts String innerSelect = "SELECT (value_text) AS set_name FROM blackboard_attributes WHERE (artifact_type_id = '" + + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() + "' OR artifact_type_id = '" + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() + "' OR artifact_type_id = '" + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() + "') AND attribute_type_id = '" + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + "'"; // NON-NLS diff --git a/Core/src/org/sleuthkit/autopsy/report/infrastructure/TableReportGenerator.java b/Core/src/org/sleuthkit/autopsy/report/infrastructure/TableReportGenerator.java index bdb895bec6..3b11dbde38 100644 --- a/Core/src/org/sleuthkit/autopsy/report/infrastructure/TableReportGenerator.java +++ b/Core/src/org/sleuthkit/autopsy/report/infrastructure/TableReportGenerator.java @@ -358,7 +358,7 @@ class TableReportGenerator { // Give the modules the rows for the content tags. for (ContentTag tag : tags) { try { - if(shouldFilterFromReport(tag.getContent())) { + if (shouldFilterFromReport(tag.getContent())) { continue; } } catch (TskCoreException ex) { @@ -366,7 +366,7 @@ class TableReportGenerator { logger.log(Level.SEVERE, "Failed to access content data from the case database.", ex); //NON-NLS return; } - + // skip tags that we are not reporting on String notableString = tag.getName().getKnownStatus() == TskData.FileKnown.BAD ? TagsManager.getNotableTagLabel() : ""; if (passesTagNamesFilter(tag.getName().getDisplayName() + notableString) == false) { 
@@ -451,15 +451,15 @@ class TableReportGenerator { // Give the modules the rows for the content tags. for (BlackboardArtifactTag tag : tags) { try { - if(shouldFilterFromReport(tag.getContent())) { + if (shouldFilterFromReport(tag.getContent())) { continue; } - } catch (TskCoreException ex) { + } catch (TskCoreException ex) { errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetBBArtifactTags")); logger.log(Level.SEVERE, "Failed to access content data from the case database.", ex); //NON-NLS return; } - + String notableString = tag.getName().getKnownStatus() == TskData.FileKnown.BAD ? TagsManager.getNotableTagLabel() : ""; if (passesTagNamesFilter(tag.getName().getDisplayName() + notableString) == false) { continue; @@ -813,7 +813,7 @@ class TableReportGenerator { AbstractFile f = openCase.getSleuthkitCase().getAbstractFileById(objId); if (f != null) { uniquePath = openCase.getSleuthkitCase().getAbstractFileById(objId).getUniquePath(); - if(shouldFilterFromReport(f)) { + if (shouldFilterFromReport(f)) { continue; } } @@ -973,7 +973,7 @@ class TableReportGenerator { AbstractFile f = openCase.getSleuthkitCase().getAbstractFileById(objId); if (f != null) { uniquePath = openCase.getSleuthkitCase().getAbstractFileById(objId).getUniquePath(); - if(shouldFilterFromReport(f)) { + if (shouldFilterFromReport(f)) { continue; } } 
@@ -1161,8 +1161,9 @@ class TableReportGenerator { } orderedRowData.add(makeCommaSeparatedList(getTags())); - } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() == getArtifact().getArtifactTypeID()) { - String[] attributeDataArray = new String[5]; + } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() == getArtifact().getArtifactTypeID() + || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() == getArtifact().getArtifactTypeID()) { + String[] attributeDataArray = new String[7]; // Array is used so that order of the attributes is maintained. for (BlackboardAttribute attr : attributes) { if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME))) { @@ -1173,6 +1174,10 @@ class TableReportGenerator { attributeDataArray[3] = attr.getDisplayString(); } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION))) { attributeDataArray[4] = attr.getDisplayString(); + } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT))) { + attributeDataArray[5] = attr.getDisplayString(); + } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME))) { + attributeDataArray[6] = attr.getDisplayString(); } } @@ -1218,10 +1223,10 @@ class TableReportGenerator { List artifacts = new ArrayList<>(); try { for (BlackboardArtifact artifact : Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifacts(type.getTypeID())) { - if(shouldFilterFromReport(artifact)) { + if (shouldFilterFromReport(artifact)) { continue; } - + List tags = Case.getCurrentCaseThrows().getServices().getTagsManager().getBlackboardArtifactTagsByArtifact(artifact); HashSet uniqueTagNames = new HashSet<>(); for (BlackboardArtifactTag tag : tags) { 
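Review bot: The row array built in the first two TableReportGenerator hunks on this line places TSK_DESCRIPTION at index 4, TSK_ASSOCIATED_ARTIFACT at 5 and TSK_PROG_NAME at 6, but the column list this commit adds for `TSK_INTERESTING_ITEM` later in the file puts associated artifact and program second and third and description last. If the array is emitted in index order (the code that consumes it is outside the hunk), report cells will appear under the wrong headers. The array is also widened to 7 for `TSK_INTERESTING_FILE_HIT` rows, whose column list is not changed here, so those rows may gain two trailing cells with no header. Align the indices with the column order, or size and fill the array per artifact type.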
@@ -1339,7 +1344,7 @@ class TableReportGenerator { new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH))); columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"), - new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED ))); + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED))); attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID)); } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID() == artifactTypeId) { 
@@ -1708,6 +1713,28 @@ class TableReportGenerator { columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"), new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME))); + } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() == artifactTypeId) { + columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSetName"), + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME))); + + columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.associatedArtifact"), + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT))); + + columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"), + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME))); + + columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskInterestingFilesCategory"), + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY))); + + columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskPath"), + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH))); + + columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.comment"), + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT))); + + columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.description"), + new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION))); + } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_PROG_RUN.getTypeID() == artifactTypeId) { columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"), new 
BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME))); @@ -1817,19 +1844,19 @@ class TableReportGenerator { return ""; } - + /** * Indicates if the content should be filtered from the report. */ private boolean shouldFilterFromReport(Content content) throws TskCoreException { - if(this.settings.getSelectedDataSources() == null) { + if (this.settings.getSelectedDataSources() == null) { return false; } - + if (content.getDataSource() == null) { return false; } - + long dataSourceId = content.getDataSource().getId(); return !this.settings.getSelectedDataSources().contains(dataSourceId); } diff --git a/Core/src/org/sleuthkit/autopsy/report/modules/html/HTMLReport.java b/Core/src/org/sleuthkit/autopsy/report/modules/html/HTMLReport.java index 31323800b0..bafa7b4da1 100644 --- a/Core/src/org/sleuthkit/autopsy/report/modules/html/HTMLReport.java +++ b/Core/src/org/sleuthkit/autopsy/report/modules/html/HTMLReport.java @@ -213,7 +213,7 @@ public class HTMLReport implements TableReportModule { * Copies a suitable icon for the given data type in the output directory * and returns the icon file name to use for the given data type. */ - @SuppressWarnings( "deprecation" ) + @SuppressWarnings("deprecation") private String useDataTypeIcon(String dataType) { String iconFilePath; String iconFileName; @@ -326,9 +326,10 @@ public class HTMLReport implements TableReportModule { in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/mismatch-16.png"); //NON-NLS break; case TSK_INTERESTING_ARTIFACT_HIT: - in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS - break; + //fall through deprecated type to TSK_INTERESTING_ITEM case TSK_INTERESTING_FILE_HIT: + //fall through deprecated type to TSK_INTERESTING_ITEM + case TSK_INTERESTING_ITEM: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS break; case TSK_PROG_RUN: 
@@ -339,25 +340,25 @@ public class HTMLReport implements TableReportModule { break; case TSK_OS_ACCOUNT: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/os-account.png"); //NON-NLS - break; + break; case TSK_OBJECT_DETECTED: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/objects.png"); //NON-NLS - break; + break; case TSK_WEB_FORM_AUTOFILL: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/web-form.png"); //NON-NLS - break; + break; case TSK_WEB_CACHE: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/cache.png"); //NON-NLS - break; + break; case TSK_USER_CONTENT_SUSPECTED: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/user-content.png"); //NON-NLS - break; + break; case TSK_METADATA: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/metadata.png"); //NON-NLS - break; + break; case TSK_CLIPBOARD_CONTENT: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/images/clipboard.png"); //NON-NLS - break; + break; case TSK_ACCOUNT: in = getClass().getResourceAsStream("/org/sleuthkit/autopsy/report/images/accounts.png"); //NON-NLS break; @@ -506,7 +507,7 @@ public class HTMLReport implements TableReportModule { * to this page, and setup the web page header. Note: This method is a * temporary workaround to avoid modifying the TableReportModule interface. * - * @param name Name of the data type + * @param name Name of the data type * @param description Comment on the data type, may be the empty string */ @Override 
@@ -738,9 +739,9 @@ public class HTMLReport implements TableReportModule { /** * Add a row to the current table. * - * @param row values for each cell in the row + * @param row values for each cell in the row * @param escapeText whether or not the text of the row should be escaped, - * true for escaped, false for not escaped + * true for escaped, false for not escaped */ private void addRow(List row, boolean escapeText) { StringBuilder builder = new StringBuilder(); @@ -763,9 +764,9 @@ public class HTMLReport implements TableReportModule { /** * Saves a local copy of a tagged file and adds a row with a hyper link to - * the file. + * the file. * - * @param row Values for each data cell in the row + * @param row Values for each data cell in the row * @param contentTag The tag */ public void addRowWithTaggedContentHyperlink(List row, ContentTag contentTag) { @@ -825,6 +826,7 @@ public class HTMLReport implements TableReportModule { * Finds all associated image tags. * * @param contentTags + * * @return */ private List getTaggedRegions(List contentTags) { @@ -1029,9 +1031,9 @@ public class HTMLReport implements TableReportModule { /** * Save a local copy of the given file in the reports folder. * - * @param file File to save + * @param file File to save * @param dirName Custom top-level folder to use to store the files in (tag - * name, etc.) + * name, etc.) * * @return Path to where file was stored (relative to root of HTML folder) */ @@ -1574,7 +1576,7 @@ public class HTMLReport implements TableReportModule { * @param file The file from which to create the thumbnail. * * @return The path to the thumbnail file, or null if a thumbnail couldn't - * be created. + * be created. */ private String prepareThumbnail(AbstractFile file) { BufferedImage bufferedThumb = ImageUtils.getThumbnail(file, ImageUtils.ICON_SIZE_MEDIUM); 
diff --git a/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java b/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java index 3eb07b45f6..0ebd858bd2 100644 --- a/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java +++ b/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java @@ -111,7 +111,7 @@ public class PortableCaseReportModule implements ReportModule { // These are the types for the exported file subfolders private static final List FILE_TYPE_CATEGORIES = Arrays.asList(FileTypeCategory.AUDIO, FileTypeCategory.DOCUMENTS, FileTypeCategory.EXECUTABLE, FileTypeCategory.IMAGE, FileTypeCategory.VIDEO); - + // These are attribute types that have special handling and should not be copied // into the new artifact directly. private static final List SPECIALLY_HANDLED_ATTRS = Arrays.asList(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID(), @@ -140,13 +140,13 @@ public class PortableCaseReportModule implements ReportModule { // Map of old artifact ID to new artifact private final Map oldArtifactIdToNewArtifact = new HashMap<>(); - + // Map of old OS account id to new OS account private final Map oldOsAccountIdToNewOsAccount = new HashMap<>(); - - // Map of old OS account realm id to new OS account ream id - private final Map oldRealmIdToNewRealm = new HashMap<>(); - + + // Map of old OS account realm id to new OS account ream id + private final Map oldRealmIdToNewRealm = new HashMap<>(); + // Map of the old host id to the new host private final Map oldHostIdToNewHost = new HashMap<>(); 
@@ -444,6 +444,24 @@ public class PortableCaseReportModule implements ReportModule { handleError("Error copying interesting results", Bundle.PortableCaseReportModule_generateReport_errorCopyingInterestingResults(), ex, progressPanel); // NON-NLS return; } + + try { + List interestingResults = currentCase.getSleuthkitCase().getBlackboard().getAnalysisResultsByType(BlackboardArtifact.Type.TSK_INTERESTING_ITEM.getTypeID()); + for (AnalysisResult art : interestingResults) { + // Check for cancellation + if (progressPanel.getStatus() == ReportProgressPanel.ReportStatus.CANCELED) { + handleCancellation(progressPanel); + return; + } + BlackboardAttribute setAttr = art.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME)); + if (setNames.contains(setAttr.getValueString())) { + copyContentToPortableCase(art, progressPanel); + } + } + } catch (TskCoreException ex) { + handleError("Error copying interesting items", Bundle.PortableCaseReportModule_generateReport_errorCopyingInterestingResults(), ex, progressPanel); // NON-NLS + return; + } } // Check for cancellation @@ -469,7 +487,7 @@ public class PortableCaseReportModule implements ReportModule { if (options.shouldCompress()) { progressPanel.updateStatusLabel(Bundle.PortableCaseReportModule_generateReport_compressingCase()); - if(!compressCase(progressPanel, options.includeApplication() ? outputDir.getAbsolutePath() : caseFolder.getAbsolutePath())){ + if (!compressCase(progressPanel, options.includeApplication() ? outputDir.getAbsolutePath() : caseFolder.getAbsolutePath())) { // Errors have been handled already return; } 
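Review bot: In the new TSK_INTERESTING_ITEM loop of the `@@ -444,6 +444,24 @@` hunk, `setAttr` is dereferenced without a null check. An analysis result with no TSK_SET_NAME attribute would therefore raise a NullPointerException, which the surrounding `catch (TskCoreException ex)` does not handle, so the portable-case export would abort without going through `handleError`. The test in EmbeddedFileTest guards the same lookup with `assertNotNull`, which suggests the lookup can return null. Guard the condition with `if (setAttr != null && setNames.contains(setAttr.getValueString())) {`. The enclosing method starts and ends outside the hunk.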
@@ -594,6 +612,8 @@ public class PortableCaseReportModule implements ReportModule { BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT); allArtifacts.addAll(skCase.getBlackboardArtifacts( BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT)); + allArtifacts.addAll(skCase.getBlackboardArtifacts( + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM)); for (BlackboardArtifact bArt : allArtifacts) { BlackboardAttribute setAttr = bArt.getAttribute( @@ -660,6 +680,7 @@ public class PortableCaseReportModule implements ReportModule { // Get all SET_NAMEs from interesting item artifacts String innerSelect = "SELECT (value_text) AS set_name FROM blackboard_attributes WHERE (artifact_type_id = '" + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() + "' OR artifact_type_id = '" + + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() + "' OR artifact_type_id = '" + BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() + "') AND attribute_type_id = '" + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + "'"; // NON-NLS @@ -910,10 +931,10 @@ public class PortableCaseReportModule implements ReportModule { // Copy the artifact BlackboardArtifact newArtifact = copyArtifact(newContentId, tag.getArtifact()); - + // Copy any attachments copyAttachments(newArtifact, tag.getArtifact(), portableSkCase.getAbstractFileById(newContentId)); - + // Copy any files associated with this artifact through the TSK_PATH_ID attribute copyPathID(newArtifact, tag.getArtifact()); @@ -991,7 +1012,7 @@ public class PortableCaseReportModule implements ReportModule { throw new TskCoreException("Unexpected attribute value type found: " + oldAttr.getValueType().getLabel()); // NON-NLS } } - + // Figure out the data source ID. We can't always get it from newContent because it could be null // for OS accounts, which means we also can't assume it's been added to the case already. Long newDataSourceId; 
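Review bot: The `innerSelect` string extended in the `@@ -660,6 +680,7 @@` hunk is built by concatenation, and that is only safe because every spliced value is a built-in type ID returned by `getTypeID()`. A comment saying so would keep a later edit from adding a set name or other case-derived text the same way, for example `// Only built-in type IDs are concatenated here; never splice case data into this query.` With three artifact types the chained `OR artifact_type_id = '...'` clauses would also read better as a single `artifact_type_id IN (...)` list. The statement continues outside the hunk.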
@@ -1007,13 +1028,12 @@ public class PortableCaseReportModule implements ReportModule { } newDataSourceId = copyContent(artifactToCopy.getDataSource()); } - - + // Create the new artifact int newArtifactTypeId = getNewArtifactTypeId(artifactToCopy); BlackboardArtifact.Type newArtifactType = portableSkCase.getBlackboard().getArtifactType(newArtifactTypeId); BlackboardArtifact newArtifact; - + // First, check if the artifact being copied is an AnalysisResult or a DataArtifact. If it // is neither, attempt to reload it as the appropriate subclass. if (!((artifactToCopy instanceof AnalysisResult) || (artifactToCopy instanceof DataArtifact))) { @@ -1033,13 +1053,13 @@ public class PortableCaseReportModule implements ReportModule { // If the lookup failed, just use the orginal BlackboardArtifact } } - + try { if (artifactToCopy instanceof AnalysisResult) { AnalysisResult analysisResultToCopy = (AnalysisResult) artifactToCopy; newArtifact = portableSkCase.getBlackboard().newAnalysisResult(newArtifactType, newContentId, - newDataSourceId, analysisResultToCopy.getScore(), - analysisResultToCopy.getConclusion(), analysisResultToCopy.getConfiguration(), + newDataSourceId, analysisResultToCopy.getScore(), + analysisResultToCopy.getConclusion(), analysisResultToCopy.getConfiguration(), analysisResultToCopy.getJustification(), newAttrs).getAnalysisResult(); } else if (artifactToCopy instanceof DataArtifact) { DataArtifact dataArtifactToCopy = (DataArtifact) artifactToCopy; 
@@ -1048,20 +1068,20 @@ public class PortableCaseReportModule implements ReportModule { copyOsAccount(dataArtifactToCopy.getOsAccountObjectId().get()); newOsAccountId = oldOsAccountIdToNewOsAccount.get((dataArtifactToCopy.getOsAccountObjectId().get())).getId(); } - newArtifact = portableSkCase.getBlackboard().newDataArtifact(newArtifactType, newContentId, - newDataSourceId, + newArtifact = portableSkCase.getBlackboard().newDataArtifact(newArtifactType, newContentId, + newDataSourceId, newAttrs, newOsAccountId); } else { if (newArtifactType.getCategory().equals(BlackboardArtifact.Category.ANALYSIS_RESULT)) { newArtifact = portableSkCase.getBlackboard().newAnalysisResult(newArtifactType, newContentId, - newDataSourceId, Score.SCORE_NONE, - null, null, null, newAttrs).getAnalysisResult(); + newDataSourceId, Score.SCORE_NONE, + null, null, null, newAttrs).getAnalysisResult(); } else { - newArtifact = portableSkCase.getBlackboard().newDataArtifact(newArtifactType, newContentId, - newDataSourceId, - newAttrs, null); + newArtifact = portableSkCase.getBlackboard().newDataArtifact(newArtifactType, newContentId, + newDataSourceId, + newAttrs, null); } - } + } } catch (BlackboardException ex) { throw new TskCoreException("Error copying artifact with ID: " + artifactToCopy.getId()); } 
@@ -1171,17 +1191,17 @@ public class PortableCaseReportModule implements ReportModule { // Get or create the host (if needed) before beginning transaction. Host newHost = null; if (content instanceof DataSource) { - newHost = copyHost(((DataSource)content).getHost()); + newHost = copyHost(((DataSource) content).getHost()); } - + // Copy the associated OS account (if needed) before beginning transaction. if (content instanceof AbstractFile) { AbstractFile file = (AbstractFile) content; - if (file.getOsAccountObjectId().isPresent()) { + if (file.getOsAccountObjectId().isPresent()) { copyOsAccount(file.getOsAccountObjectId().get()); } } - + // Load the hashes if we have an image to avoid getting new connections with an open transaction. String md5 = ""; String sha1 = ""; @@ -1191,7 +1211,7 @@ public class PortableCaseReportModule implements ReportModule { sha1 = ((Image) content).getSha1(); sha256 = ((Image) content).getSha256(); } - + CaseDbTransaction trans = portableSkCase.beginTransaction(); try { if (content instanceof Image) { @@ -1248,11 +1268,11 @@ public class PortableCaseReportModule implements ReportModule { if (abstractFile.getOsAccountObjectId().isPresent()) { newOsAccountId = oldOsAccountIdToNewOsAccount.get(abstractFile.getOsAccountObjectId().get()).getId(); } - + newContent = portableSkCase.addLocalFile(abstractFile.getName(), relativePath, abstractFile.getSize(), abstractFile.getCtime(), abstractFile.getCrtime(), abstractFile.getAtime(), abstractFile.getMtime(), abstractFile.getMd5Hash(), abstractFile.getSha256Hash(), abstractFile.getKnown(), abstractFile.getMIMEType(), - true, TskData.EncodingType.NONE, + true, TskData.EncodingType.NONE, newOsAccountId, abstractFile.getOwnerUid().orElse(null), newParent, trans); } catch (IOException ex) { 
@@ -1276,14 +1296,16 @@ public class PortableCaseReportModule implements ReportModule { newIdToContent.put(newContent.getId(), newContent); return oldIdToNewContent.get(content.getId()).getId(); } - + /** - * Copy a host into the portable case and add it to the oldHostIdToNewHost map. - * + * Copy a host into the portable case and add it to the oldHostIdToNewHost + * map. + * * @param oldHost The host to copy - * + * * @return The new host - * @throws TskCoreException + * + * @throws TskCoreException */ private Host copyHost(Host oldHost) throws TskCoreException { Host newHost; @@ -1295,11 +1317,11 @@ public class PortableCaseReportModule implements ReportModule { } return newHost; } - + /** - * Copy an OS Account to the new case and add it to the oldOsAccountIdToNewOsAccountId map. - * Will also copy the associated realm. - * + * Copy an OS Account to the new case and add it to the + * oldOsAccountIdToNewOsAccountId map. Will also copy the associated realm. + * * @param oldOsAccountId The OS account id in the current case. */ private OsAccount copyOsAccount(Long oldOsAccountId) throws TskCoreException { 
@@ -1307,19 +1329,19 @@ public class PortableCaseReportModule implements ReportModule { if (oldOsAccountIdToNewOsAccount.containsKey(oldOsAccountId)) { return oldOsAccountIdToNewOsAccount.get(oldOsAccountId); } - + // Load the OS account from the current case. OsAccountManager oldOsAcctManager = currentCase.getSleuthkitCase().getOsAccountManager(); OsAccount oldOsAccount = oldOsAcctManager.getOsAccountByObjectId(oldOsAccountId); - + // Load the realm associated with the OS account. OsAccountRealmManager oldRealmManager = currentCase.getSleuthkitCase().getOsAccountRealmManager(); OsAccountRealm oldRealm = oldRealmManager.getRealmByRealmId(oldOsAccount.getRealmId()); - + // Copy the realm to the portable case if necessary. if (!oldRealmIdToNewRealm.containsKey(oldOsAccount.getRealmId())) { OsAccountRealmManager newRealmManager = portableSkCase.getOsAccountRealmManager(); - + Host newHost = null; if (oldRealm.getScopeHost().isPresent()) { Host host = oldRealm.getScopeHost().get(); @@ -1334,7 +1356,7 @@ public class PortableCaseReportModule implements ReportModule { throw new TskCoreException("Failed to copy OsAccountRealm with ID=" + oldOsAccount.getRealmId() + " because it is non-domain scoped but has no scope host"); } } - + // We currently only support one realm name. String realmName = null; List names = oldRealm.getRealmNames(); 
@@ -1349,11 +1371,11 @@ public class PortableCaseReportModule implements ReportModule { throw new TskCoreException("Failed to copy OsAccountRealm with ID=" + oldOsAccount.getRealmId(), ex); } } - + OsAccountManager newOsAcctManager = portableSkCase.getOsAccountManager(); try { - OsAccount newOsAccount = newOsAcctManager.newWindowsOsAccount(oldOsAccount.getAddr().orElse(null), - oldOsAccount.getLoginName().orElse(null), oldRealmIdToNewRealm.get(oldOsAccount.getRealmId())); + OsAccount newOsAccount = newOsAcctManager.newWindowsOsAccount(oldOsAccount.getAddr().orElse(null), + oldOsAccount.getLoginName().orElse(null), oldRealmIdToNewRealm.get(oldOsAccount.getRealmId())); oldOsAccountIdToNewOsAccount.put(oldOsAccountId, newOsAccount); return newOsAccount; } catch (NotUserSIDException ex) { @@ -1363,12 +1385,13 @@ public class PortableCaseReportModule implements ReportModule { /** * Copy path ID attribute to new case along with the referenced file. - * - * @param newArtifact The new artifact in the portable case. Should not have a TSK_PATH_ID attribute. + * + * @param newArtifact The new artifact in the portable case. Should not have + * a TSK_PATH_ID attribute. * @param oldArtifact The old artifact. - * - * @throws TskCoreException - */ + * + * @throws TskCoreException + */ private void copyPathID(BlackboardArtifact newArtifact, BlackboardArtifact oldArtifact) throws TskCoreException { // Get the path ID attribute BlackboardAttribute oldPathIdAttr = oldArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID)); 
@@ -1383,15 +1406,17 @@ public class PortableCaseReportModule implements ReportModule { } } } - + /** * Copy attachments to the portable case. - * - * @param newArtifact The new artifact in the portable case. Should not have a TSK_ATTACHMENTS attribute. + * + * @param newArtifact The new artifact in the portable case. Should not have + * a TSK_ATTACHMENTS attribute. * @param oldArtifact The old artifact. - * @param newFile The new file in the portable case associated with the artifact. - * - * @throws TskCoreException + * @param newFile The new file in the portable case associated with the + * artifact. + * + * @throws TskCoreException */ private void copyAttachments(BlackboardArtifact newArtifact, BlackboardArtifact oldArtifact, AbstractFile newFile) throws TskCoreException { // Get the attachments from TSK_ATTACHMENTS attribute. 
@@ -1414,20 +1439,19 @@ public class PortableCaseReportModule implements ReportModule { newFileAttachments.add(new MessageAttachments.FileAttachment(portableSkCase.getAbstractFileById(newFileID))); } } - + // Get the name of the module(s) that created the attachment String newSourceStr = ""; List oldSources = attachmentsAttr.getSources(); - if (! oldSources.isEmpty()) { + if (!oldSources.isEmpty()) { newSourceStr = String.join(",", oldSources); } - + // Add the attachment. The account type specified in the constructor will not be used. CommunicationArtifactsHelper communicationArtifactsHelper = new CommunicationArtifactsHelper(currentCase.getSleuthkitCase(), newSourceStr, newFile, Account.Type.EMAIL); communicationArtifactsHelper.addAttachments(newArtifact, new MessageAttachments(newFileAttachments, msgAttachments.getUrlAttachments())); - } - catch (BlackboardJsonAttrUtil.InvalidJsonException ex) { + } catch (BlackboardJsonAttrUtil.InvalidJsonException ex) { throw new TskCoreException(String.format("Unable to parse json for MessageAttachments object in artifact: %s", oldArtifact.getName()), ex); } } else { // backward compatibility - email message attachments are derived files, children of the message. @@ -1601,7 +1625,7 @@ public class PortableCaseReportModule implements ReportModule { "PortableCaseReportModule.compressCase.errorCompressingCase=Error compressing case", "PortableCaseReportModule.compressCase.canceled=Compression canceled by user",}) private boolean compressCase(ReportProgressPanel progressPanel, String folderToCompress) { - + closePortableCaseDatabase(); // Make a temporary folder for the compressed case diff --git a/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java b/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java index 03e3bb5d00..7d383b500d 100644 --- a/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java 
+++ b/Core/src/org/sleuthkit/autopsy/test/InterestingArtifactCreatorIngestModule.java @@ -48,8 +48,8 @@ final class InterestingArtifactCreatorIngestModule extends FileIngestModuleAdapt private static final String MODULE_NAME = InterestingArtifactCreatorIngestModuleFactory.getModuleName(); private static final String[] ARTIFACT_TYPE_NAMES = {"TSK_WEB_BOOKMARK", "TSK_KEYWORD_HIT", "TSK_CALLLOG"}; private static final String[] ARTIFACT_DISPLAY_NAMES = {"Web Bookmarks", "Keyword Hits", "Call Logs"}; - private static final String INT_ARTIFACT_TYPE_NAME = BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getLabel(); - private static final String INT_ARTIFACT_DISPLAY_NAME = BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getDisplayName(); + private static final String INT_ARTIFACT_TYPE_NAME = BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getLabel(); + private static final String INT_ARTIFACT_DISPLAY_NAME = BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getDisplayName(); private BlackboardArtifact.Type artifactType; @Override diff --git a/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java b/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java index c81d62a8ce..5a9a27d8e5 100755 --- a/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java +++ b/Core/test/qa-functional/src/org/sleuthkit/autopsy/ingest/EmbeddedFileTest.java 
@@ -134,7 +134,7 @@ public class EmbeddedFileTest extends NbTestCase { ArrayList artifacts = file.getAllArtifacts(); assertEquals("Zip bomb " + file.getName() + " has incorrect number of artifacts", 1, artifacts.size()); for (BlackboardArtifact artifact : artifacts) { - assertEquals("Artifact for Zip bomb " + file.getName() + " has incorrect type ID", artifact.getArtifactTypeID(), BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID()); + assertEquals("Artifact for Zip bomb " + file.getName() + " has incorrect type ID", artifact.getArtifactTypeID(), BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID()); BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME)); assertNotNull("No attribute found for artifact on zip bomb " + file.getName(), attribute); assertEquals("Interesting artifact on file, " + file.getName() + ", does not reflect it being a zip bomb", zipBombSetName, attribute.getDisplayString()); diff --git a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java index 5cd15156a1..000349dcf8 100644 --- a/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java +++ b/Experimental/src/org/sleuthkit/autopsy/experimental/volatilityDSP/VolatilityProcessor.java 
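Review bot: The changed `assertEquals` passes the actual value `artifact.getArtifactTypeID()` in the expected position and the TSK_INTERESTING_ITEM constant in the actual position. The neighbouring assertions in this hunk put the expected value first (`1, artifacts.size()` and `zipBombSetName, attribute.getDisplayString()`), so a failure here would report the two type IDs the wrong way round. Swap the last two arguments: `assertEquals("Artifact for Zip bomb " + file.getName() + " has incorrect type ID", BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID(), artifact.getArtifactTypeID());`. The test method starts and ends outside the hunk.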
@@ -381,9 +381,9 @@ class VolatilityProcessor { Collection attributes = singleton(new BlackboardAttribute(TSK_SET_NAME, VOLATILITY, setName)); // Create artifact if it doesn't already exist. - if (!blackboard.artifactExists(resolvedFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, attributes)) { + if (!blackboard.artifactExists(resolvedFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM, attributes)) { BlackboardArtifact volArtifact = resolvedFile.newAnalysisResult( - BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, null, setName, null, attributes) .getAnalysisResult(); diff --git a/docs/doxygen/modFileIngestTutorial.dox b/docs/doxygen/modFileIngestTutorial.dox index dadc31305b..2fd1957d7a 100644 --- a/docs/doxygen/modFileIngestTutorial.dox +++ b/docs/doxygen/modFileIngestTutorial.dox 
@@ -82,9 +82,9 @@ Now that we have found the files, we want to do something with them. In our situ A list of standard artifact types can be found in the artifact catalog. It is important to note the catagory for the artifact you want to since this affects which method you will use to create the artifact. -For our example, we are going to make an artifact of type "TSK_INTERESTING_FILE", which is an analysis result, whenever we find a big and round file. These are one of the most generic artifact types and are simply a way of alerting the user that a file is interesting for some reason. Once you make the artifact, it will be shown in the UI. The below code makes an artifact for the file and puts it into the set of "Big and Round Files". You can create whatever set names you want. The Autopsy GUI organizes Interesting Files by their set name. +For our example, we are going to make an artifact of type "TSK_INTERESTING_ITEM", which is an analysis result, whenever we find a big and round file. These are one of the most generic artifact types and are simply a way of alerting the user that a file is interesting for some reason. Once you make the artifact, it will be shown in the UI. The below code makes an artifact for the file and puts it into the set of "Big and Round Files". You can create whatever set names you want. The Autopsy GUI organizes Interesting Files by their set name. \verbatim - art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, None, "Big and Round Files", None, Arrays.asList( BlackboardAttribute(BlackboardAttribute.Type.TSK_SET_NAME, 
@@ -111,9 +111,9 @@ That's it. Your process() method should look something like this: # Look for files bigger than 10MB that are a multiple of 4096 if ((file.getSize() > 10485760) and ((file.getSize() % 4096) == 0)): - # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of + # Make an artifact on the blackboard. TSK_INTERESTING_ITEM is a generic type of # artifact. Refer to the developer docs for other examples. - art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, None, "Big and Round Files", None, Arrays.asList( BlackboardAttribute(BlackboardAttribute.Type.TSK_SET_NAME, diff --git a/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py b/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py index 5bf710e9d5..bfaa51c2dc 100644 --- a/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py +++ b/pythonExamples/July2015FileTutorial_BigRound/FindBigRoundFiles.py @@ -120,9 +120,9 @@ class FindBigRoundFilesIngestModule(FileIngestModule): # Look for files bigger than 10MB that are a multiple of 4096 if ((file.getSize() > 10485760) and ((file.getSize() % 4096) == 0)): - # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of + # Make an artifact on the blackboard. TSK_INTERESTING_ITEM is a generic type of # artifact. Refer to the developer docs for other examples. - art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, None, "Big and Round Files", None, Arrays.asList( BlackboardAttribute(BlackboardAttribute.Type.TSK_SET_NAME, diff --git a/pythonExamples/dataSourceIngestModule.py b/pythonExamples/dataSourceIngestModule.py index ecb4f01477..37857947d4 100644 
--- a/pythonExamples/dataSourceIngestModule.py +++ b/pythonExamples/dataSourceIngestModule.py @@ -137,12 +137,12 @@ class SampleJythonDataSourceIngestModule(DataSourceIngestModule): self.log(Level.INFO, "Processing file: " + file.getName()) fileCount += 1 - # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of - # artfiact. Refer to the developer docs for other examples. + # Make an artifact on the blackboard. TSK_INTERESTING_ITEM is a generic type of + # artifact. Refer to the developer docs for other examples. attrs = Arrays.asList(BlackboardAttribute(BlackboardAttribute.Type.TSK_SET_NAME, SampleJythonDataSourceIngestModuleFactory.moduleName, "Test file")) - art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, None, "Test file", None, attrs).getAnalysisResult() try: diff --git a/pythonExamples/fileIngestModule.py b/pythonExamples/fileIngestModule.py index f72f1c4792..5cc82629ed 100644 --- a/pythonExamples/fileIngestModule.py +++ b/pythonExamples/fileIngestModule.py @@ -125,12 +125,12 @@ class SampleJythonFileIngestModule(FileIngestModule): self.log(Level.INFO, "Found a text file: " + file.getName()) self.filesFound+=1 - # Make an artifact on the blackboard. TSK_INTERESTING_FILE_HIT is a generic type of + # Make an artifact on the blackboard. TSK_INTERESTING_ITEM is a generic type of # artifact. Refer to the developer docs for other examples. attrs = Arrays.asList(BlackboardAttribute(BlackboardAttribute.Type.TSK_SET_NAME, SampleJythonFileIngestModuleFactory.moduleName, "Text Files")) - art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_FILE_HIT, Score.SCORE_LIKELY_NOTABLE, + art = file.newAnalysisResult(BlackboardArtifact.Type.TSK_INTERESTING_ITEM, Score.SCORE_LIKELY_NOTABLE, None, "Text Files", None, attrs).getAnalysisResult() try: 
@@ -142,7 +142,7 @@ class SampleJythonFileIngestModule(FileIngestModule): # For the example (this wouldn't be needed normally), we'll query the blackboard for data that was added # by other modules. We then iterate over its attributes. We'll just print them, but you would probably # want to do something with them. - artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT) + artifactList = file.getArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM) for artifact in artifactList: attributeList = artifact.getAttributes() for attrib in attributeList: