Merge pull request #7206 from eugene7646/cr_optimization_7923
CR optimization to perform fewer DB queries (7923)
commit
f250bf996a
@ -110,7 +110,7 @@ public class CorrelationAttributeUtil {
|
|||||||
* @param artifact An artifact.
|
* @param artifact An artifact.
|
||||||
*
|
*
|
||||||
* @return A list, possibly empty, of correlation attribute instances for
|
* @return A list, possibly empty, of correlation attribute instances for
|
||||||
* the artifact.
|
* the artifact.
|
||||||
*/
|
*/
|
||||||
public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(BlackboardArtifact artifact) {
|
public static List<CorrelationAttributeInstance> makeCorrAttrsToSave(BlackboardArtifact artifact) {
|
||||||
if (SOURCE_TYPES_FOR_CR_INSERT.contains(artifact.getArtifactTypeID())) {
|
if (SOURCE_TYPES_FOR_CR_INSERT.contains(artifact.getArtifactTypeID())) {
|
||||||
@ -145,68 +145,92 @@ public class CorrelationAttributeUtil {
|
|||||||
* @param artifact An artifact.
|
* @param artifact An artifact.
|
||||||
*
|
*
|
||||||
* @return A list, possibly empty, of correlation attribute instances for
|
* @return A list, possibly empty, of correlation attribute instances for
|
||||||
* the artifact.
|
* the artifact.
|
||||||
*/
|
*/
|
||||||
public static List<CorrelationAttributeInstance> makeCorrAttrsForCorrelation(BlackboardArtifact artifact) {
|
public static List<CorrelationAttributeInstance> makeCorrAttrsForCorrelation(BlackboardArtifact artifact) {
|
||||||
List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
|
List<CorrelationAttributeInstance> correlationAttrs = new ArrayList<>();
|
||||||
try {
|
try {
|
||||||
BlackboardArtifact sourceArtifact = getCorrAttrSourceArtifact(artifact);
|
BlackboardArtifact sourceArtifact = getCorrAttrSourceArtifact(artifact);
|
||||||
if (sourceArtifact != null) {
|
if (sourceArtifact != null) {
|
||||||
|
|
||||||
|
List<BlackboardAttribute> attributes = sourceArtifact.getAttributes();
|
||||||
|
|
||||||
int artifactTypeID = sourceArtifact.getArtifactTypeID();
|
int artifactTypeID = sourceArtifact.getArtifactTypeID();
|
||||||
if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
|
if (artifactTypeID == ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
|
||||||
BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
|
BlackboardAttribute setNameAttr = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
|
||||||
if (setNameAttr != null && CorrelationAttributeUtil.getEmailAddressAttrDisplayName().equals(setNameAttr.getValueString())) {
|
if (setNameAttr != null && CorrelationAttributeUtil.getEmailAddressAttrDisplayName().equals(setNameAttr.getValueString())) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD, CorrelationAttributeInstance.EMAIL_TYPE_ID);
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD, CorrelationAttributeInstance.EMAIL_TYPE_ID, attributes);
|
||||||
}
|
}
|
||||||
} else if (DOMAIN_ARTIFACT_TYPE_IDS.contains(artifactTypeID)) {
|
} else if (DOMAIN_ARTIFACT_TYPE_IDS.contains(artifactTypeID)) {
|
||||||
BlackboardAttribute domainAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
|
BlackboardAttribute domainAttr = getAttribute(attributes, new BlackboardAttribute.Type(ATTRIBUTE_TYPE.TSK_DOMAIN));
|
||||||
if ((domainAttr != null)
|
if ((domainAttr != null)
|
||||||
&& !domainsToSkip.contains(domainAttr.getValueString())) {
|
&& !domainsToSkip.contains(domainAttr.getValueString())) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, CorrelationAttributeInstance.DOMAIN_TYPE_ID);
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN, CorrelationAttributeInstance.DOMAIN_TYPE_ID, attributes);
|
||||||
}
|
}
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID, CorrelationAttributeInstance.USBID_TYPE_ID);
|
// prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
|
Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(sourceArtifact.getObjectID());
|
||||||
|
Content dataSource = sourceContent.getDataSource();
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID, CorrelationAttributeInstance.USBID_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK.getTypeID()) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SSID, CorrelationAttributeInstance.SSID_TYPE_ID);
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SSID, CorrelationAttributeInstance.SSID_TYPE_ID, attributes);
|
||||||
|
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_WIFI_NETWORK_ADAPTER.getTypeID()
|
||||||
|| artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
|
|| artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
|
||||||
|| artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
|
|| artifactTypeID == ARTIFACT_TYPE.TSK_BLUETOOTH_ADAPTER.getTypeID()) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID);
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MAC_ADDRESS, CorrelationAttributeInstance.MAC_TYPE_ID, attributes);
|
||||||
|
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_DEVICE_INFO.getTypeID()) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI, CorrelationAttributeInstance.IMEI_TYPE_ID);
|
// prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
|
Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(sourceArtifact.getObjectID());
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
|
Content dataSource = sourceContent.getDataSource();
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMEI, CorrelationAttributeInstance.IMEI_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_SIM_ATTACHED.getTypeID()) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID);
|
// prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID);
|
Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(sourceArtifact.getObjectID());
|
||||||
|
Content dataSource = sourceContent.getDataSource();
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_IMSI, CorrelationAttributeInstance.IMSI_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ICCID, CorrelationAttributeInstance.ICCID_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_WEB_FORM_ADDRESS.getTypeID()) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, CorrelationAttributeInstance.PHONE_TYPE_ID);
|
// prefetch all the information as we will be calling makeCorrAttrFromArtifactAttr() multiple times
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, CorrelationAttributeInstance.EMAIL_TYPE_ID);
|
Content sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(sourceArtifact.getObjectID());
|
||||||
|
Content dataSource = sourceContent.getDataSource();
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, CorrelationAttributeInstance.PHONE_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, CorrelationAttributeInstance.EMAIL_TYPE_ID,
|
||||||
|
attributes, sourceContent, dataSource);
|
||||||
|
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
|
||||||
makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact);
|
makeCorrAttrFromAcctArtifact(correlationAttrs, sourceArtifact);
|
||||||
|
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()) {
|
||||||
BlackboardAttribute setNameAttr = sourceArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
|
BlackboardAttribute setNameAttr = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH));
|
||||||
String pathAttrString = null;
|
String pathAttrString = null;
|
||||||
if (setNameAttr != null) {
|
if (setNameAttr != null) {
|
||||||
pathAttrString = setNameAttr.getValueString();
|
pathAttrString = setNameAttr.getValueString();
|
||||||
}
|
}
|
||||||
if (pathAttrString != null && !pathAttrString.isEmpty()) {
|
if (pathAttrString != null && !pathAttrString.isEmpty()) {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID, attributes);
|
||||||
} else {
|
} else {
|
||||||
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID);
|
makeCorrAttrFromArtifactAttr(correlationAttrs, sourceArtifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME, CorrelationAttributeInstance.INSTALLED_PROGS_TYPE_ID, attributes);
|
||||||
}
|
}
|
||||||
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
|
} else if (artifactTypeID == ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
|
||||||
|| artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
|
|| artifactTypeID == ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
|
||||||
|| artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
|
|| artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()) {
|
||||||
makeCorrAttrsFromCommunicationArtifacts(correlationAttrs, sourceArtifact);
|
makeCorrAttrsFromCommunicationArtifacts(correlationAttrs, sourceArtifact, attributes);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} catch (CorrelationAttributeNormalizationException ex) {
|
} catch (CorrelationAttributeNormalizationException ex) {
|
||||||
@ -228,32 +252,56 @@ public class CorrelationAttributeUtil {
|
|||||||
return correlationAttrs;
|
return correlationAttrs;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gets a specific attribute from a list of attributes.
|
||||||
|
*
|
||||||
|
* @param attributes List of attributes
|
||||||
|
* @param attributeType Attribute type of interest
|
||||||
|
*
|
||||||
|
* @return Attribute of interest, null if not found.
|
||||||
|
*
|
||||||
|
* @throws TskCoreException
|
||||||
|
*/
|
||||||
|
private static BlackboardAttribute getAttribute(List<BlackboardAttribute> attributes, BlackboardAttribute.Type attributeType) throws TskCoreException {
|
||||||
|
for (BlackboardAttribute attribute : attributes) {
|
||||||
|
if (attribute.getAttributeType().equals(attributeType)) {
|
||||||
|
return attribute;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Makes a correlation attribute instance from a phone number attribute of
|
* Makes a correlation attribute instance from a phone number attribute of
|
||||||
* an artifact.
|
* an artifact.
|
||||||
*
|
*
|
||||||
* @param corrAttrInstances Correlation attributes will be added to this.
|
* @param corrAttrInstances Correlation attributes will be added to this.
|
||||||
* @param artifact An artifact with a phone number attribute.
|
* @param artifact An artifact with a phone number attribute.
|
||||||
*
|
*
|
||||||
* @throws TskCoreException If there is an error querying the case database.
|
* @throws TskCoreException If there is an error
|
||||||
* @throws CentralRepoException If there is an error querying the central
|
* querying the case
|
||||||
* repository.
|
* database.
|
||||||
|
* @throws CentralRepoException If there is an error
|
||||||
|
* querying the central
|
||||||
|
* repository.
|
||||||
* @throws CorrelationAttributeNormalizationException If there is an error
|
* @throws CorrelationAttributeNormalizationException If there is an error
|
||||||
* in normalizing the attribute.
|
* in normalizing the
|
||||||
|
* attribute.
|
||||||
*/
|
*/
|
||||||
private static void makeCorrAttrsFromCommunicationArtifacts(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact) throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException {
|
private static void makeCorrAttrsFromCommunicationArtifacts(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact,
|
||||||
|
List<BlackboardAttribute> attributes) throws TskCoreException, CentralRepoException, CorrelationAttributeNormalizationException {
|
||||||
CorrelationAttributeInstance corrAttr = null;
|
CorrelationAttributeInstance corrAttr = null;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Extract the phone number from the artifact attribute.
|
* Extract the phone number from the artifact attribute.
|
||||||
*/
|
*/
|
||||||
String value = null;
|
String value = null;
|
||||||
if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
|
if (null != getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER))) {
|
||||||
value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
|
value = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)).getValueString();
|
||||||
} else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
|
} else if (null != getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM))) {
|
||||||
value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
|
value = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)).getValueString();
|
||||||
} else if (null != artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
|
} else if (null != getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO))) {
|
||||||
value = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
|
value = getAttribute(attributes, new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)).getValueString();
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -277,11 +325,11 @@ public class CorrelationAttributeUtil {
|
|||||||
* @param artifact An artifact.
|
* @param artifact An artifact.
|
||||||
*
|
*
|
||||||
* @return The associated artifact if the input artifact is a
|
* @return The associated artifact if the input artifact is a
|
||||||
* "meta-artifact", otherwise the input artifact.
|
* "meta-artifact", otherwise the input artifact.
|
||||||
*
|
*
|
||||||
* @throws NoCurrentCaseException If there is no open case.
|
* @throws NoCurrentCaseException If there is no open case.
|
||||||
* @throws TskCoreException If there is an error querying thew case
|
* @throws TskCoreException If there is an error querying thew case
|
||||||
* database.
|
* database.
|
||||||
*/
|
*/
|
||||||
private static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact) throws NoCurrentCaseException, TskCoreException {
|
private static BlackboardArtifact getCorrAttrSourceArtifact(BlackboardArtifact artifact) throws NoCurrentCaseException, TskCoreException {
|
||||||
BlackboardArtifact sourceArtifact = null;
|
BlackboardArtifact sourceArtifact = null;
|
||||||
@ -290,7 +338,9 @@ public class CorrelationAttributeUtil {
|
|||||||
if (assocArtifactAttr != null) {
|
if (assocArtifactAttr != null) {
|
||||||
sourceArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(assocArtifactAttr.getValueLong());
|
sourceArtifact = Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboardArtifact(assocArtifactAttr.getValueLong());
|
||||||
}
|
}
|
||||||
} else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_PREVIOUSLY_SEEN.getTypeID() == artifact.getArtifactTypeID()) {
|
} else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_PREVIOUSLY_SEEN.getTypeID() == artifact.getArtifactTypeID()
|
||||||
|
|| BlackboardArtifact.ARTIFACT_TYPE.TSK_PREVIOUSLY_NOTABLE.getTypeID() == artifact.getArtifactTypeID()
|
||||||
|
|| BlackboardArtifact.ARTIFACT_TYPE.TSK_PREVIOUSLY_UNSEEN.getTypeID() == artifact.getArtifactTypeID()) {
|
||||||
Content content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
|
Content content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
|
||||||
if (content instanceof DataArtifact) {
|
if (content instanceof DataArtifact) {
|
||||||
sourceArtifact = (BlackboardArtifact) content;
|
sourceArtifact = (BlackboardArtifact) content;
|
||||||
@ -312,7 +362,7 @@ public class CorrelationAttributeUtil {
|
|||||||
* repository by this method.
|
* repository by this method.
|
||||||
*
|
*
|
||||||
* @param corrAttrInstances A list of correlation attribute instances.
|
* @param corrAttrInstances A list of correlation attribute instances.
|
||||||
* @param acctArtifact An account artifact.
|
* @param acctArtifact An account artifact.
|
||||||
*
|
*
|
||||||
* @return The correlation attribute instance.
|
* @return The correlation attribute instance.
|
||||||
*/
|
*/
|
||||||
@ -360,21 +410,28 @@ public class CorrelationAttributeUtil {
|
|||||||
* artifact. The correlation attribute instance is added to an input list.
|
* artifact. The correlation attribute instance is added to an input list.
|
||||||
*
|
*
|
||||||
* @param corrAttrInstances A list of correlation attribute instances.
|
* @param corrAttrInstances A list of correlation attribute instances.
|
||||||
* @param artifact An artifact.
|
* @param artifact An artifact.
|
||||||
* @param artAttrType The type of the atrribute of the artifact that is to
|
* @param artAttrType The type of the atrribute of the artifact that
|
||||||
* be made into a correlatin attribute instance.
|
* is to be made into a correlatin attribute
|
||||||
* @param typeId The type ID for the desired correlation attribute instance.
|
* instance.
|
||||||
|
* @param typeId The type ID for the desired correlation
|
||||||
|
* attribute instance.
|
||||||
|
* @param sourceContent The source content object.
|
||||||
|
* @param dataSource The data source content object.
|
||||||
*
|
*
|
||||||
* @throws CentralRepoException If there is an error querying the central
|
* @throws CentralRepoException If there is an error querying the central
|
||||||
* repository.
|
* repository.
|
||||||
* @throws TskCoreException If there is an error querying the case database.
|
* @throws TskCoreException If there is an error querying the case
|
||||||
|
* database.
|
||||||
*/
|
*/
|
||||||
private static void makeCorrAttrFromArtifactAttr(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId) throws CentralRepoException, TskCoreException {
|
private static void makeCorrAttrFromArtifactAttr(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId,
|
||||||
BlackboardAttribute attribute = artifact.getAttribute(new BlackboardAttribute.Type(artAttrType));
|
List<BlackboardAttribute> attributes, Content sourceContent, Content dataSource) throws CentralRepoException, TskCoreException {
|
||||||
|
|
||||||
|
BlackboardAttribute attribute = getAttribute(attributes, new BlackboardAttribute.Type(artAttrType));
|
||||||
if (attribute != null) {
|
if (attribute != null) {
|
||||||
String value = attribute.getValueString();
|
String value = attribute.getValueString();
|
||||||
if ((null != value) && (value.isEmpty() == false)) {
|
if ((null != value) && (value.isEmpty() == false)) {
|
||||||
CorrelationAttributeInstance inst = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(typeId), value);
|
CorrelationAttributeInstance inst = makeCorrAttr(artifact, CentralRepository.getInstance().getCorrelationTypeById(typeId), value, sourceContent, dataSource);
|
||||||
if (inst != null) {
|
if (inst != null) {
|
||||||
corrAttrInstances.add(inst);
|
corrAttrInstances.add(inst);
|
||||||
}
|
}
|
||||||
@ -382,12 +439,35 @@ public class CorrelationAttributeUtil {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Makes a correlation attribute instance from a specified attribute of an
|
||||||
|
* artifact. The correlation attribute instance is added to an input list.
|
||||||
|
*
|
||||||
|
* @param corrAttrInstances A list of correlation attribute instances.
|
||||||
|
* @param artifact An artifact.
|
||||||
|
* @param artAttrType The type of the atrribute of the artifact that
|
||||||
|
* is to be made into a correlatin attribute
|
||||||
|
* instance.
|
||||||
|
* @param typeId The type ID for the desired correlation
|
||||||
|
* attribute instance.
|
||||||
|
*
|
||||||
|
* @throws CentralRepoException If there is an error querying the central
|
||||||
|
* repository.
|
||||||
|
* @throws TskCoreException If there is an error querying the case
|
||||||
|
* database.
|
||||||
|
*/
|
||||||
|
private static void makeCorrAttrFromArtifactAttr(List<CorrelationAttributeInstance> corrAttrInstances, BlackboardArtifact artifact, ATTRIBUTE_TYPE artAttrType, int typeId,
|
||||||
|
List<BlackboardAttribute> attributes) throws CentralRepoException, TskCoreException {
|
||||||
|
|
||||||
|
makeCorrAttrFromArtifactAttr(corrAttrInstances, artifact, artAttrType, typeId, attributes, null, null);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Makes a correlation attribute instance of a given type from an artifact.
|
* Makes a correlation attribute instance of a given type from an artifact.
|
||||||
*
|
*
|
||||||
* @param artifact The artifact.
|
* @param artifact The artifact.
|
||||||
* @param correlationType the correlation attribute type.
|
* @param correlationType the correlation attribute type.
|
||||||
* @param value The correlation attribute value.
|
* @param value The correlation attribute value.
|
||||||
*
|
*
|
||||||
* TODO (Jira-6088): The methods in this low-level, utility class should
|
* TODO (Jira-6088): The methods in this low-level, utility class should
|
||||||
* throw exceptions instead of logging them. The reason for this is that the
|
* throw exceptions instead of logging them. The reason for this is that the
|
||||||
@ -400,17 +480,45 @@ public class CorrelationAttributeUtil {
|
|||||||
* @return The correlation attribute instance or null, if an error occurred.
|
* @return The correlation attribute instance or null, if an error occurred.
|
||||||
*/
|
*/
|
||||||
private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) {
|
private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value) {
|
||||||
|
return makeCorrAttr(artifact, correlationType, value, null, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Makes a correlation attribute instance of a given type from an artifact.
|
||||||
|
*
|
||||||
|
* @param artifact The artifact.
|
||||||
|
* @param correlationType the correlation attribute type.
|
||||||
|
* @param value The correlation attribute value.
|
||||||
|
* @param sourceContent The source content object.
|
||||||
|
* @param dataSource The data source content object.
|
||||||
|
*
|
||||||
|
* TODO (Jira-6088): The methods in this low-level, utility class should
|
||||||
|
* throw exceptions instead of logging them. The reason for this is that the
|
||||||
|
* clients of the utility class, not the utility class itself, should be in
|
||||||
|
* charge of error handling policy, per the Autopsy Coding Standard. Note
|
||||||
|
* that clients of several of these methods currently cannot determine
|
||||||
|
* whether receiving a null return value is an error or not, plus null
|
||||||
|
* checking is easy to forget, while catching exceptions is enforced.
|
||||||
|
*
|
||||||
|
* @return The correlation attribute instance or null, if an error occurred.
|
||||||
|
*/
|
||||||
|
private static CorrelationAttributeInstance makeCorrAttr(BlackboardArtifact artifact, CorrelationAttributeInstance.Type correlationType, String value,
|
||||||
|
Content sourceContent, Content dataSource) {
|
||||||
try {
|
try {
|
||||||
Case currentCase = Case.getCurrentCaseThrows();
|
|
||||||
Content sourceContent = currentCase.getSleuthkitCase().getContentById(artifact.getObjectID());
|
if (sourceContent == null) {
|
||||||
|
sourceContent = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
|
||||||
|
}
|
||||||
if (null == sourceContent) {
|
if (null == sourceContent) {
|
||||||
logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load content with ID: {1} associated with artifact with ID: {2}",
|
logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load content with ID: {1} associated with artifact with ID: {2}",
|
||||||
new Object[]{correlationType.getDisplayName(), artifact.getObjectID(), artifact.getId()}); // NON-NLS
|
new Object[]{correlationType.getDisplayName(), artifact.getObjectID(), artifact.getId()}); // NON-NLS
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
Content ds = sourceContent.getDataSource();
|
if (dataSource == null) {
|
||||||
if (ds == null) {
|
dataSource = sourceContent.getDataSource();
|
||||||
|
}
|
||||||
|
if (dataSource == null) {
|
||||||
logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load data source for content with ID: {1}",
|
logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Failed to load data source for content with ID: {1}",
|
||||||
new Object[]{correlationType.getDisplayName(), artifact.getObjectID()}); // NON-NLS
|
new Object[]{correlationType.getDisplayName(), artifact.getObjectID()}); // NON-NLS
|
||||||
return null;
|
return null;
|
||||||
@ -422,13 +530,13 @@ public class CorrelationAttributeUtil {
|
|||||||
correlationType,
|
correlationType,
|
||||||
value,
|
value,
|
||||||
correlationCase,
|
correlationCase,
|
||||||
CorrelationDataSource.fromTSKDataSource(correlationCase, ds),
|
CorrelationDataSource.fromTSKDataSource(correlationCase, dataSource),
|
||||||
"",
|
"",
|
||||||
"",
|
"",
|
||||||
TskData.FileKnown.UNKNOWN,
|
TskData.FileKnown.UNKNOWN,
|
||||||
sourceContent.getId());
|
sourceContent.getId());
|
||||||
} else {
|
} else {
|
||||||
if (! (sourceContent instanceof AbstractFile)) {
|
if (!(sourceContent instanceof AbstractFile)) {
|
||||||
logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Source content of artifact with ID: {1} is not an AbstractFile",
|
logger.log(Level.SEVERE, "Error creating artifact instance of type {0}. Source content of artifact with ID: {1} is not an AbstractFile",
|
||||||
new Object[]{correlationType.getDisplayName(), artifact.getId()});
|
new Object[]{correlationType.getDisplayName(), artifact.getId()});
|
||||||
return null;
|
return null;
|
||||||
@ -436,14 +544,14 @@ public class CorrelationAttributeUtil {
|
|||||||
AbstractFile bbSourceFile = (AbstractFile) sourceContent;
|
AbstractFile bbSourceFile = (AbstractFile) sourceContent;
|
||||||
|
|
||||||
return new CorrelationAttributeInstance(
|
return new CorrelationAttributeInstance(
|
||||||
correlationType,
|
correlationType,
|
||||||
value,
|
value,
|
||||||
correlationCase,
|
correlationCase,
|
||||||
CorrelationDataSource.fromTSKDataSource(correlationCase, ds),
|
CorrelationDataSource.fromTSKDataSource(correlationCase, dataSource),
|
||||||
bbSourceFile.getParentPath() + bbSourceFile.getName(),
|
bbSourceFile.getParentPath() + bbSourceFile.getName(),
|
||||||
"",
|
"",
|
||||||
TskData.FileKnown.UNKNOWN,
|
TskData.FileKnown.UNKNOWN,
|
||||||
bbSourceFile.getId());
|
bbSourceFile.getId());
|
||||||
}
|
}
|
||||||
} catch (TskCoreException ex) {
|
} catch (TskCoreException ex) {
|
||||||
logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
|
logger.log(Level.SEVERE, String.format("Error getting querying case database (%s)", artifact), ex); // NON-NLS
|
||||||
@ -474,7 +582,7 @@ public class CorrelationAttributeUtil {
|
|||||||
* checking is easy to forget, while catching exceptions is enforced.
|
* checking is easy to forget, while catching exceptions is enforced.
|
||||||
*
|
*
|
||||||
* @return The correlation attribute instance or null, if no such
|
* @return The correlation attribute instance or null, if no such
|
||||||
* correlation attribute instance was found or an error occurred.
|
* correlation attribute instance was found or an error occurred.
|
||||||
*/
|
*/
|
||||||
public static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file) {
|
public static CorrelationAttributeInstance getCorrAttrForFile(AbstractFile file) {
|
||||||
|
|
||||||
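Review bot: The prefetch added to the TSK_DEVICE_ATTACHED, TSK_DEVICE_INFO, TSK_SIM_ATTACHED and TSK_WEB_FORM_ADDRESS branches of makeCorrAttrsForCorrelation calls `sourceContent.getDataSource()` directly on the result of `getContentById(...)`, without the null check that makeCorrAttr still applies to the same lookup (`if (null == sourceContent)`, then a SEVERE log and `return null`). If that lookup returns null, for example because the content row is missing or damaged in the case database, these branches now throw a NullPointerException instead of logging and skipping the artifact; most of the method's catch clauses lie outside the visible hunk, so whether it is caught cannot be confirmed from here. Guarding the dereference keeps the previous behaviour, because makeCorrAttr already falls back to its own lookup and logging when either argument is null: `Content dataSource = (sourceContent != null) ? sourceContent.getDataSource() : null;`. Separately, the Javadoc of the seven-argument makeCorrAttrFromArtifactAttr documents sourceContent and dataSource but not the new list parameter, so add `@param attributes The prefetched attributes of the artifact.`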
|