Merge pull request #7134 from APriestman/7816_osAccountCR

7816 Fix logic around adding OS accounts to the CR / making previously see…
Richard Cordovano 2021-07-14 13:11:09 -04:00 committed by GitHub
commit f3e25d8ccc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -676,8 +676,9 @@ public final class CaseEventListener implements PropertyChangeListener {
@Override @Override
public void run() { public void run() {
//Nothing to do here if the central repo is not enabled or the ingest is running and the setting to flag previously seen devices and users is not set to true //Nothing to do here if the central repo is not enabled or if ingest is running but is set to not save data/make artifacts
if (!CentralRepository.isEnabled() || (IngestManager.getInstance().isIngestRunning() && !IngestEventsListener.isFlagSeenDevices())) { if (!CentralRepository.isEnabled()
|| (IngestManager.getInstance().isIngestRunning() && !(IngestEventsListener.isFlagSeenDevices() || IngestEventsListener.shouldCreateCrProperties()))) {
return; return;
} }
@ -705,30 +706,36 @@ public final class CaseEventListener implements PropertyChangeListener {
TskData.FileKnown.KNOWN, TskData.FileKnown.KNOWN,
osAccount.getId()); osAccount.getId());
dbManager.addArtifactInstance(correlationAttributeInstance); // Save to the database if requested
if(IngestEventsListener.shouldCreateCrProperties()) {
dbManager.addArtifactInstance(correlationAttributeInstance);
}
List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue()); // Look up and create artifacts for previously seen accounts if requested
for (CorrelationAttributeInstance instance : previousOccurences) { if (IngestEventsListener.isFlagSeenDevices()) {
if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) { List<CorrelationAttributeInstance> previousOccurences = dbManager.getArtifactInstancesByTypeValue(CentralRepository.getInstance().getCorrelationTypeById(CorrelationAttributeInstance.OSACCOUNT_TYPE_ID), correlationAttributeInstance.getCorrelationValue());
SleuthkitCase tskCase = osAccount.getSleuthkitCase(); for (CorrelationAttributeInstance instance : previousOccurences) {
Blackboard blackboard = tskCase.getBlackboard(); if (!instance.getCorrelationCase().getCaseUUID().equals(correlationAttributeInstance.getCorrelationCase().getCaseUUID())) {
SleuthkitCase tskCase = osAccount.getSleuthkitCase();
Blackboard blackboard = tskCase.getBlackboard();
Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList( Collection<BlackboardAttribute> attributesForNewArtifact = Arrays.asList(
new BlackboardAttribute( new BlackboardAttribute(
TSK_SET_NAME, MODULE_NAME, TSK_SET_NAME, MODULE_NAME,
Bundle.CaseEventsListener_prevExists_text()), Bundle.CaseEventsListener_prevExists_text()),
new BlackboardAttribute( new BlackboardAttribute(
TSK_COMMENT, MODULE_NAME, TSK_COMMENT, MODULE_NAME,
Bundle.CaseEventsListener_prevCaseComment_text())); Bundle.CaseEventsListener_prevCaseComment_text()));
BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult( BlackboardArtifact newAnalysisResult = osAccount.newAnalysisResult(
BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE, BlackboardArtifact.Type.TSK_INTERESTING_ARTIFACT_HIT, Score.SCORE_LIKELY_NOTABLE,
null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult(); null, Bundle.CaseEventsListener_prevExists_text(), null, attributesForNewArtifact, osAccountInstance.getDataSource().getId()).getAnalysisResult();
try { try {
// index the artifact for keyword search // index the artifact for keyword search
blackboard.postArtifact(newAnalysisResult, MODULE_NAME); blackboard.postArtifact(newAnalysisResult, MODULE_NAME);
break; break;
} catch (Blackboard.BlackboardException ex) { } catch (Blackboard.BlackboardException ex) {
LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS LOGGER.log(Level.SEVERE, "Unable to index blackboard artifact " + newAnalysisResult.getArtifactID(), ex); //NON-NLS
}
} }
} }
} }
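Review bot: The rewritten early return in the first hunk still keys on `IngestManager.getInstance().isIngestRunning()`, but the second hunk now gates both the save (`shouldCreateCrProperties()`) and the previously-seen lookup (`isFlagSeenDevices()`) on those same two settings regardless of ingest state, so when ingest is idle and both settings are off, run() presumably still builds the correlation attribute instance and then does nothing with it. If that idle-time work is unwanted, the guard can drop the ingest term: `if (!CentralRepository.isEnabled() || !(IngestEventsListener.isFlagSeenDevices() || IngestEventsListener.shouldCreateCrProperties())) {`; if instead the settings are meant to apply only while ingest runs, the two new `if` blocks in the second hunk should carry the same `isIngestRunning()` qualifier so the two places agree. Minor style point: `if(IngestEventsListener.shouldCreateCrProperties()) {` omits the space after `if` that every other condition in this method uses. The body of run() begins before the second hunk and its trailing context appears to continue past the visible lines.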