From f2f3c98f51e2db38ccc29ca2959f93301a0cf0c9 Mon Sep 17 00:00:00 2001 From: Richard Cordovano Date: Mon, 1 Nov 2021 16:10:23 -0400 Subject: [PATCH] 7895 CR data artifact ingest module --- .../datamodel/Bundle.properties-MERGED | 1 + .../datamodel/CentralRepositoryService.java | 33 ++- .../eventlisteners/Bundle.properties-MERGED | 7 - .../eventlisteners/CaseEventListener.java | 258 +++++++++++------- .../ingestmodule/Bundle.properties-MERGED | 7 + .../CentralRepoDataArtifactIngestModule.java | 21 +- .../CentralRepoFileIngestModule.java | 4 - 7 files changed, 203 insertions(+), 128 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED index 724758847b..a1f1432a70 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/Bundle.properties-MERGED @@ -12,6 +12,7 @@ CentralRepoDbChoice.PostgreSQL.Text=Custom PostgreSQL CentralRepoDbChoice.PostgreSQL_Multiuser.Text=PostgreSQL using multi-user settings CentralRepoDbChoice.Sqlite.Text=SQLite CentralRepoDbManager.connectionErrorMsg.text=Failed to connect to central repository database. +CentralRepositoryService.progressMsg.startingListener=Starting events listener... CentralRepositoryService.progressMsg.updatingSchema=Checking for schema updates... CentralRepositoryService.progressMsg.waitingForListeners=Finishing adding data to central repository database.... CentralRepositoryService.serviceName=Central Repository Service diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepositoryService.java b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepositoryService.java index 649e9e5130..e2f20524e3 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepositoryService.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/datamodel/CentralRepositoryService.java @@ -1,7 +1,7 @@ /* * Central Repository * - * Copyright 2018-2020 Basis Technology Corp. + * Copyright 2018-2021 Basis Technology Corp. * Contact: carrier sleuthkit org * * Licensed under the Apache License, Version 2.0 (the "License"); @@ -35,7 +35,7 @@ import org.sleuthkit.datamodel.TskCoreException; public class CentralRepositoryService implements AutopsyService { private CaseEventListener caseEventListener = new CaseEventListener(); - + @Override @NbBundle.Messages({ "CentralRepositoryService.serviceName=Central Repository Service" @@ -45,7 +45,8 @@ public class CentralRepositoryService implements AutopsyService { } @NbBundle.Messages({ - "CentralRepositoryService.progressMsg.updatingSchema=Checking for schema updates..." + "CentralRepositoryService.progressMsg.updatingSchema=Checking for schema updates...", + "CentralRepositoryService.progressMsg.startingListener=Starting events listener..." }) @Override public void openCaseResources(CaseContext context) throws AutopsyServiceException { @@ -56,17 +57,20 @@ public class CentralRepositoryService implements AutopsyService { ProgressIndicator progress = context.getProgressIndicator(); progress.progress(Bundle.CentralRepositoryService_progressMsg_updatingSchema()); updateSchema(); - if (context.cancelRequested()) { return; } dataUpgradeForVersion1dot2(context.getCase()); - + if (context.cancelRequested()) { + return; + } + + progress.progress(Bundle.CentralRepositoryService_progressMsg_startingListener()); caseEventListener = new CaseEventListener(); - caseEventListener.installListeners(); + caseEventListener.startUp(); } - + @NbBundle.Messages({ "CentralRepositoryService.progressMsg.waitingForListeners=Finishing adding data to central repository database...." }) @@ -74,18 +78,16 @@ public class CentralRepositoryService implements AutopsyService { public void closeCaseResources(CaseContext context) throws AutopsyServiceException { ProgressIndicator progress = context.getProgressIndicator(); progress.progress(Bundle.CentralRepositoryService_progressMsg_waitingForListeners()); - if (caseEventListener != null) { - caseEventListener.uninstallListeners(); caseEventListener.shutdown(); } - } /** - * Updates the central repository schema to the latest version. + * Updates the central repository database schema to the latest version. * - * @throws AutopsyServiceException + * @throws AutopsyServiceException The exception is thrown if there is an + * error updating the database schema. */ private void updateSchema() throws AutopsyServiceException { try { @@ -97,10 +99,11 @@ public class CentralRepositoryService implements AutopsyService { /** * Adds missing data source object IDs from data sources in this case to the - * corresponding records in the central repository. This is a data update to - * go with the v1.2 schema update. + * corresponding records in the central repository database. This is a data + * update to go with the v1.2 schema update. * - * @throws AutopsyServiceException + * @throws AutopsyServiceException The exception is thrown if there is an + * error updating the database. */ private void dataUpgradeForVersion1dot2(Case currentCase) throws AutopsyServiceException { try { diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED index d71782c0ee..3b1dde1896 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/Bundle.properties-MERGED @@ -8,11 +8,4 @@ CentralRepositoryNotificationDialog.bulletThree=Create personas that group accou CentralRepositoryNotificationDialog.bulletTwo=Identify where an item was previously seen CentralRepositoryNotificationDialog.finalRemarks=To limit what is stored, use the Central Repository options panel. CentralRepositoryNotificationDialog.header=Autopsy stores data about each case in its Central Repository. -IngestEventsListener.ingestmodule.name=Central Repository -IngestEventsListener.prevCaseComment.text=Previous Case: -# {0} - typeName -# {1} - count -IngestEventsListener.prevCount.text=Number of previous {0}: {1} -IngestEventsListener.prevExists.text=Previously Seen Devices (Central Repository) -IngestEventsListener.prevTaggedSet.text=Previously Tagged As Notable (Central Repository) Installer.centralRepoUpgradeFailed.title=Central repository disabled diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java index 53fb9454af..92cfcde595 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/eventlisteners/CaseEventListener.java @@ -30,6 +30,7 @@ import java.util.Optional; import java.util.Set; import java.util.concurrent.ExecutorService; import java.util.concurrent.Executors; +import java.util.concurrent.atomic.AtomicBoolean; import java.util.logging.Level; import java.util.stream.Collectors; import org.apache.commons.lang.StringUtils; @@ -64,7 +65,6 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException; import org.sleuthkit.datamodel.Tag; import org.sleuthkit.autopsy.events.AutopsyEvent; -import org.sleuthkit.autopsy.ingest.IngestManager; import org.sleuthkit.datamodel.AnalysisResult; import org.sleuthkit.datamodel.Blackboard; import org.sleuthkit.datamodel.BlackboardAttribute; @@ -79,16 +79,14 @@ import org.sleuthkit.datamodel.Score; import org.sleuthkit.datamodel.SleuthkitCase; /** - * Listen for case events and update entries in the Central Repository database - * accordingly + * An Autopsy events listener for case events relevant to the central + * repository. */ @Messages({"caseeventlistener.evidencetag=Evidence"}) public final class CaseEventListener implements PropertyChangeListener { private static final Logger LOGGER = Logger.getLogger(CaseEventListener.class.getName()); - private final ExecutorService jobProcessingExecutor; - private static final String CASE_EVENT_THREAD_NAME = "Case-Event-Listener-%d"; - + private static final String CASE_EVENT_THREAD_NAME = "CR-Case-Event-Listener-%d"; private static final Set CASE_EVENTS_OF_INTEREST = EnumSet.of( Case.Events.CONTENT_TAG_ADDED, Case.Events.CONTENT_TAG_DELETED, Case.Events.BLACKBOARD_ARTIFACT_TAG_DELETED, Case.Events.BLACKBOARD_ARTIFACT_TAG_ADDED, @@ -98,12 +96,72 @@ public final class CaseEventListener implements PropertyChangeListener { Case.Events.CURRENT_CASE, Case.Events.DATA_SOURCE_NAME_CHANGED, Case.Events.OS_ACCT_INSTANCES_ADDED); + private static final int MAX_PREV_CASES_FOR_NOTABLE_SCORE = 10; + private static final int MAX_PREV_CASES_FOR_PREV_SEEN = 20; + private static final AtomicBoolean createOSAcctCorrAttrs = new AtomicBoolean(); + private static final AtomicBoolean flagPreviouslySeenOSAccts = new AtomicBoolean(); + private final ExecutorService jobProcessingExecutor; + /** + * Set whether or not central repository case event listeners should create + * correlation attributes for new OS Accounts. + * + * @param flag True or false. + */ + public static void setCreateOsAcctCorrAttrs(boolean flag) { + createOSAcctCorrAttrs.set(flag); + } + + /** + * Gets whether or not central repository case event listeners should create + * correlation attributes for new OS Accounts. + * + * @return flag True or false. + */ + public static boolean createOsAcctCorrAttrs() { + return createOSAcctCorrAttrs.get(); + } + + /** + * Sets whether or not central repository case event listeners should create + * previously seen analyis results for OS accounts. + * + * @param flag True or false. + */ + public static void setFlagPrevSeenOsAccts(boolean flag) { + flagPreviouslySeenOSAccts.set(flag); + } + + /** + * Gets whether or not central repository case event listeners should create + * previously seen analyis results for OS accounts. + * + * @return flag True or false. + */ + public static boolean flagPrevSeenOsAccts() { + return flagPreviouslySeenOSAccts.get(); + } + + /** + * Contructs an Autopsy events listener for case events relevant to the + * central repository. + */ public CaseEventListener() { jobProcessingExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat(CASE_EVENT_THREAD_NAME).build()); } + /** + * Starts up the listener. + */ + public void startUp() { + Case.addEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this); + } + + /** + * Shuts down the listener. + */ public void shutdown() { + Case.removeEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this); ThreadUtils.shutDownTaskExecutor(jobProcessingExecutor); } @@ -113,92 +171,75 @@ public final class CaseEventListener implements PropertyChangeListener { return; } - CentralRepository dbManager; - try { - dbManager = CentralRepository.getInstance(); - } catch (CentralRepoException ex) { - LOGGER.log(Level.SEVERE, "Failed to get instance of db manager.", ex); + if (!CentralRepository.isEnabled()) { return; } - // If any changes are made to which event types are handled the change - // must also be made to CASE_EVENTS_OF_INTEREST. + CentralRepository centralRepo; + try { + centralRepo = CentralRepository.getInstance(); + } catch (CentralRepoException ex) { + LOGGER.log(Level.SEVERE, "Failed to access central repository", ex); + return; + } + + /* + * IMPORTANT: If any changes are made to which event types are handled, + * the change must also be made to the contents of the + * CASE_EVENTS_OF_INTEREST set. + */ switch (Case.Events.valueOf(evt.getPropertyName())) { case CONTENT_TAG_ADDED: - case CONTENT_TAG_DELETED: { - jobProcessingExecutor.submit(new ContentTagTask(dbManager, evt)); - } - break; - + case CONTENT_TAG_DELETED: + jobProcessingExecutor.submit(new ContentTagTask(centralRepo, evt)); + break; case BLACKBOARD_ARTIFACT_TAG_DELETED: - case BLACKBOARD_ARTIFACT_TAG_ADDED: { - jobProcessingExecutor.submit(new BlackboardTagTask(dbManager, evt)); - } - break; - - case DATA_SOURCE_ADDED: { - jobProcessingExecutor.submit(new DataSourceAddedTask(dbManager, evt)); - } - break; - case TAG_DEFINITION_CHANGED: { + case BLACKBOARD_ARTIFACT_TAG_ADDED: + jobProcessingExecutor.submit(new ArtifactTagTask(centralRepo, evt)); + break; + case DATA_SOURCE_ADDED: + jobProcessingExecutor.submit(new DataSourceAddedTask(centralRepo, evt)); + break; + case TAG_DEFINITION_CHANGED: jobProcessingExecutor.submit(new TagDefinitionChangeTask(evt)); - } - break; - case CURRENT_CASE: { - jobProcessingExecutor.submit(new CurrentCaseTask(dbManager, evt)); - } - break; - case DATA_SOURCE_NAME_CHANGED: { - jobProcessingExecutor.submit(new DataSourceNameChangedTask(dbManager, evt)); - } - break; + break; + case CURRENT_CASE: + jobProcessingExecutor.submit(new CurrentCaseTask(centralRepo, evt)); + break; + case DATA_SOURCE_NAME_CHANGED: + jobProcessingExecutor.submit(new DataSourceNameChangedTask(centralRepo, evt)); + break; case OS_ACCT_INSTANCES_ADDED: { - if (((AutopsyEvent) evt).getSourceType() == AutopsyEvent.SourceType.LOCAL) { - jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(dbManager, evt)); - } + jobProcessingExecutor.submit(new OsAccountInstancesAddedTask(centralRepo, evt)); } break; } } - /* - * Add all of our Case Event Listeners to the case. + /** + * Determines whether or not a tag has notable status. + * + * @param tag The tag. + * + * @return True or false. */ - public void installListeners() { - Case.addEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this); - } - - /* - * Remove all of our Case Event Listeners from the case. - */ - public void uninstallListeners() { - Case.removeEventTypeSubscriber(CASE_EVENTS_OF_INTEREST, this); + private static boolean isNotableTag(Tag tag) { + return (tag != null && isNotableTagDefinition(tag.getName())); } /** - * Returns true if the tag has a notable status. + * Determines whether or not a tag definition has notable status. * - * @param t The tag to use in determination. + * @param tagDef The tag definition. * - * @return Whether or not it is a notable tag. + * @return True or false. */ - private static boolean isNotableTag(Tag t) { - return (t != null && isNotableTagName(t.getName())); + private static boolean isNotableTagDefinition(TagName tagDef) { + return (tagDef != null && TagsManager.getNotableTagDisplayNames().contains(tagDef.getDisplayName())); } /** - * Returns true if the tag name has a notable status. - * - * @param t The tag name to use in determination. - * - * @return Whether or not it is a notable tag name. - */ - private static boolean isNotableTagName(TagName t) { - return (t != null && TagsManager.getNotableTagDisplayNames().contains(t.getDisplayName())); - } - - /** - * Searches a list of tags for a tag with a notable status. + * Searches a list of tags for a tag with notable status. * * @param tags The tags to search. * @@ -208,7 +249,6 @@ public final class CaseEventListener implements PropertyChangeListener { if (tags == null) { return false; } - return tags.stream() .filter(CaseEventListener::isNotableTag) .findFirst() @@ -216,28 +256,32 @@ public final class CaseEventListener implements PropertyChangeListener { } /** - * Sets the known status of a blackboard artifact in the central repository. + * Sets the notable (known) status of a central repository correlation + * attribute corresponding to an artifact. * - * @param dbManager The central repo database. - * @param bbArtifact The blackboard artifact to set known status. - * @param knownStatus The new known status. + * @param centralRepo The central repository. + * @param artifact The artifact. + * @param knownStatus The new notable status. */ - private static void setArtifactKnownStatus(CentralRepository dbManager, BlackboardArtifact bbArtifact, TskData.FileKnown knownStatus) { - List convertedArtifacts = new ArrayList<>(); - if (bbArtifact instanceof DataArtifact) { - convertedArtifacts.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((DataArtifact) bbArtifact)); - } else if (bbArtifact instanceof AnalysisResult) { - convertedArtifacts.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((AnalysisResult) bbArtifact)); + private static void setArtifactKnownStatus(CentralRepository centralRepo, BlackboardArtifact artifact, TskData.FileKnown knownStatus) { + List corrAttrInstances = new ArrayList<>(); + if (artifact instanceof DataArtifact) { + corrAttrInstances.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((DataArtifact) artifact)); + } else if (artifact instanceof AnalysisResult) { + corrAttrInstances.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((AnalysisResult) artifact)); } - for (CorrelationAttributeInstance eamArtifact : convertedArtifacts) { + for (CorrelationAttributeInstance corrAttrInstance : corrAttrInstances) { try { - dbManager.setAttributeInstanceKnownStatus(eamArtifact, knownStatus); + centralRepo.setAttributeInstanceKnownStatus(corrAttrInstance, knownStatus); } catch (CentralRepoException ex) { - LOGGER.log(Level.SEVERE, "Error connecting to Central Repository database while setting artifact known status.", ex); //NON-NLS + LOGGER.log(Level.SEVERE, String.format("Error setting correlation attribute instance known status", corrAttrInstance), ex); //NON-NLS } } } + /** + * A task RJCTODO + */ private final class ContentTagTask implements Runnable { private final CentralRepository dbManager; @@ -359,12 +403,15 @@ public final class CaseEventListener implements PropertyChangeListener { } } - private final class BlackboardTagTask implements Runnable { + /** + * A task RJCTODO + */ + private final class ArtifactTagTask implements Runnable { private final CentralRepository dbManager; private final PropertyChangeEvent event; - private BlackboardTagTask(CentralRepository db, PropertyChangeEvent evt) { + private ArtifactTagTask(CentralRepository db, PropertyChangeEvent evt) { dbManager = db; event = evt; } @@ -478,6 +525,9 @@ public final class CaseEventListener implements PropertyChangeListener { } + /** + * A task RJCTODO + */ private final class TagDefinitionChangeTask implements Runnable { private final PropertyChangeEvent event; @@ -589,6 +639,9 @@ public final class CaseEventListener implements PropertyChangeListener { } //TAG_STATUS_CHANGED } + /** + * A task RJCTODO + */ private final class DataSourceAddedTask implements Runnable { private final CentralRepository dbManager; @@ -626,6 +679,9 @@ public final class CaseEventListener implements PropertyChangeListener { } // DATA_SOURCE_ADDED } + /** + * A task RJCTODO + */ private final class CurrentCaseTask implements Runnable { private final CentralRepository dbManager; @@ -662,13 +718,15 @@ public final class CaseEventListener implements PropertyChangeListener { } // CURRENT_CASE } - @NbBundle.Messages({"CaseEventsListener.module.name=Central Repository", - "CaseEventsListener.prevCaseComment.text=Users seen in previous cases", - "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"}) /** + * A task RJCTODO + * * Add OsAccount Instance to CR and find interesting items based on the * OsAccount */ + @NbBundle.Messages({"CaseEventsListener.module.name=Central Repository", + "CaseEventsListener.prevCaseComment.text=Users seen in previous cases", + "CaseEventsListener.prevExists.text=Previously Seen Users (Central Repository)"}) private final class OsAccountInstancesAddedTask implements Runnable { private final CentralRepository dbManager; @@ -682,12 +740,9 @@ public final class CaseEventListener implements PropertyChangeListener { @Override public void run() { - //Nothing to do here if the central repo is not enabled or if ingest is running but is set to not save data/make artifacts - if (!CentralRepository.isEnabled() - || (IngestManager.getInstance().isIngestRunning() && !(IngestEventsListener.isFlagSeenDevices() || IngestEventsListener.shouldCreateCrProperties()))) { + if (!createOsAcctCorrAttrs() && !flagPrevSeenOsAccts()) { return; } - final OsAcctInstancesAddedEvent osAcctInstancesAddedEvent = (OsAcctInstancesAddedEvent) event; List addedOsAccountNew = osAcctInstancesAddedEvent.getOsAccountInstances(); for (OsAccountInstance osAccountInstance : addedOsAccountNew) { @@ -700,16 +755,13 @@ public final class CaseEventListener implements PropertyChangeListener { Optional accountAddr = osAccount.getAddr(); try { - // Save to the database if requested - if (IngestEventsListener.shouldCreateCrProperties()) { + if (createOsAcctCorrAttrs()) { for (CorrelationAttributeInstance correlationAttributeInstance : correlationAttributeInstances) { dbManager.addArtifactInstance(correlationAttributeInstance); } } - // Look up and create artifacts for previously seen accounts if requested - if (IngestEventsListener.isFlagSeenDevices()) { - + if (flagPrevSeenOsAccts()) { CorrelationAttributeInstance instanceWithTypeValue = null; for (CorrelationAttributeInstance instance : correlationAttributeInstances) { if (instance.getCorrelationType().getId() == CorrelationAttributeInstance.OSACCOUNT_TYPE_ID) { @@ -732,9 +784,10 @@ public final class CaseEventListener implements PropertyChangeListener { // calculate score Score score; int numCases = caseDisplayNames.size(); - if (numCases <= IngestEventsListener.MAX_NUM_PREVIOUS_CASES_FOR_LIKELY_NOTABLE_SCORE) { + // RJCTODO: Centralize constants (consider) + if (numCases <= MAX_PREV_CASES_FOR_NOTABLE_SCORE) { score = Score.SCORE_LIKELY_NOTABLE; - } else if (numCases > IngestEventsListener.MAX_NUM_PREVIOUS_CASES_FOR_LIKELY_NOTABLE_SCORE && numCases <= IngestEventsListener.MAX_NUM_PREVIOUS_CASES_FOR_PREV_SEEN_ARTIFACT_CREATION) { + } else if (numCases > MAX_PREV_CASES_FOR_NOTABLE_SCORE && numCases <= MAX_PREV_CASES_FOR_PREV_SEEN) { score = Score.SCORE_NONE; } else { // don't make an Analysis Result, the artifact is too common. @@ -769,7 +822,6 @@ public final class CaseEventListener implements PropertyChangeListener { } } } - } catch (CorrelationAttributeNormalizationException ex) { LOGGER.log(Level.SEVERE, "Exception with Correlation Attribute Normalization.", ex); //NON-NLS } catch (CentralRepoException ex) { @@ -782,6 +834,9 @@ public final class CaseEventListener implements PropertyChangeListener { } } + /** + * RJCTODO + */ private final class DataSourceNameChangedTask implements Runnable { private final CentralRepository dbManager; @@ -815,6 +870,7 @@ public final class CaseEventListener implements PropertyChangeListener { LOGGER.log(Level.SEVERE, "No open case", ex); } } - } // DATA_SOURCE_NAME_CHANGED + } } + } diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties-MERGED b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties-MERGED index d15eb90cb2..179469aae4 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties-MERGED +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/Bundle.properties-MERGED @@ -9,6 +9,13 @@ CentralRepoIngestModule_notable_message_header=A file in this data source CentralRepoIngestModule_postToBB_knownBadMsg=Notable: {0} CentralRepoIngestModuleFactory.ingestmodule.desc=Saves properties to the central repository for later correlation CentralRepoIngestModuleFactory.ingestmodule.name=Central Repository +# {0} - list of cases +CrDataArtifactIngestModule_notableJustification=Previously marked as notable in cases {0} +CrDataArtifactIngestModule_notableSetName=Previously Tagged As Notable (Central Repository) +# {0} - list of cases +CrDataArtifactIngestModule_prevSeenJustification=Previously seen in cases {0} +CrDataArtifactIngestModule_prevSeenSetName=Previously Seen (Central Repository) +CrDataArtifactIngestModule_prevUnseenJustification=Previously seen in zero cases IngestSettingsPanel.ingestSettingsLabel.text=Ingest Settings IngestSettingsPanel.flagTaggedNotableItemsCheckbox.text=Flag items previously tagged as notable IngestSettingsPanel.flagPreviouslySeenDevicesCheckbox.text=Flag devices and users previously seen in other cases diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoDataArtifactIngestModule.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoDataArtifactIngestModule.java index cd3aad8298..f90a74dd83 100755 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoDataArtifactIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoDataArtifactIngestModule.java @@ -38,6 +38,7 @@ import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNor import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationCase; import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationDataSource; +import org.sleuthkit.autopsy.centralrepository.eventlisteners.CaseEventListener; import org.sleuthkit.autopsy.coreutils.Logger; import org.sleuthkit.autopsy.ingest.DataArtifactIngestModule; import org.sleuthkit.autopsy.ingest.IngestJobContext; @@ -112,6 +113,15 @@ public class CentralRepoDataArtifactIngestModule implements DataArtifactIngestMo } catch (CentralRepoException ex) { throw new IngestModuleException("Error accessing central repository", ex); } + /* + * Pass the relevant ingest job settings on to the case events listener + * for the central repository. Note that the listener's dependency on + * these settings currently means that it can only react to new OS + * account instances events when an ingest job with this module enabled + * is running. + */ + CaseEventListener.setCreateOsAcctCorrAttrs(saveCorrelationAttrs); + CaseEventListener.setFlagPrevSeenOsAccts(flagSeenDevices); } @Override @@ -307,7 +317,7 @@ public class CentralRepoDataArtifactIngestModule implements DataArtifactIngestMo new BlackboardAttribute( TSK_CORRELATION_VALUE, MODULE_NAME, corrAttrValue)); - makeAndPostAnalysisResult(artifact, BlackboardArtifact.Type.TSK_PREVIOUSLY_UNSEEN, attributesForNewArtifact, "", Score.SCORE_LIKELY_NOTABLE, Bundle.CrDataArtifactIngestModule_prevUnseenJustification); + makeAndPostAnalysisResult(artifact, BlackboardArtifact.Type.TSK_PREVIOUSLY_UNSEEN, attributesForNewArtifact, "", Score.SCORE_LIKELY_NOTABLE, Bundle.CrDataArtifactIngestModule_prevUnseenJustification()); } /** @@ -350,6 +360,15 @@ public class CentralRepoDataArtifactIngestModule implements DataArtifactIngestMo * job has hash values that match those in the case database. */ syncDataSourceHashes(); + /* + * Clear the relevant ingest job settings that were passed on to the + * case events listener for the central repository. Note that the + * listener's dependency on these settings currently means that it can + * only react to new OS account instances events when an ingest job with + * this module enabled is running. + */ + CaseEventListener.setCreateOsAcctCorrAttrs(saveCorrelationAttrs); + CaseEventListener.setFlagPrevSeenOsAccts(flagSeenDevices); } /** diff --git a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoFileIngestModule.java b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoFileIngestModule.java index 7bac3a73a6..bdcb0afece 100644 --- a/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoFileIngestModule.java +++ b/Core/src/org/sleuthkit/autopsy/centralrepository/ingestmodule/CentralRepoFileIngestModule.java @@ -190,8 +190,6 @@ final class CentralRepoFileIngestModule implements FileIngestModule { @Override public void shutDown() { - IngestEventsListener.decrementCorrelationEngineModuleCount(); - if ((CentralRepository.isEnabled() == false) || (eamCase == null) || (eamDataSource == null)) { return; } @@ -227,8 +225,6 @@ final class CentralRepoFileIngestModule implements FileIngestModule { public void startUp(IngestJobContext context) throws IngestModuleException { this.context = context; - IngestEventsListener.incrementCorrelationEngineModuleCount(); - if (CentralRepository.isEnabled() == false) { /* * Not throwing the customary exception for now. This is a