More indexing of blackboard artifacts

2025-07-15 09:17:42 +00:00 · 2015-11-09 16:47:43 -05:00 · 2015-11-09 16:47:43 -05:00 · fc6d01db90
commit fc6d01db90
parent a884525cda
2 changed files with 33 additions and 4 deletions
--- a/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/interestingitems/FilesIdentifierIngestModule.java
@ -24,7 +24,11 @@ import java.util.List;
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.logging.Level;
+import org.openide.util.NbBundle;
+import org.sleuthkit.autopsy.casemodule.Case;
+import org.sleuthkit.autopsy.casemodule.services.Blackboard;
 import org.sleuthkit.autopsy.coreutils.Logger;
+import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
 import org.sleuthkit.autopsy.ingest.FileIngestModule;
 import org.sleuthkit.autopsy.ingest.IngestJobContext;
 import org.sleuthkit.autopsy.ingest.IngestModuleReferenceCounter;
@ -47,6 +51,7 @@ final class FilesIdentifierIngestModule implements FileIngestModule {
    private static final Map<Long, List<FilesSet>> interestingFileSetsByJob = new ConcurrentHashMap<>();
    private final FilesIdentifierIngestJobSettings settings;
    private IngestJobContext context;
+    private Blackboard blackboard;

    /**
     * Construct an interesting files identifier ingest module for an ingest
@ -87,6 +92,8 @@ final class FilesIdentifierIngestModule implements FileIngestModule {
     */
    @Override
    public ProcessResult process(AbstractFile file) {
+        blackboard = Case.getCurrentCase().getServices().getBlackboard();
+        
        // See if the file belongs to any defined interesting files set.
        List<FilesSet> filesSets = FilesIdentifierIngestModule.interestingFileSetsByJob.get(this.context.getJobId());
        for (FilesSet filesSet : filesSets) {
@ -111,6 +118,15 @@ final class FilesIdentifierIngestModule implements FileIngestModule {
                    BlackboardAttribute ruleNameAttribute = new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), moduleName, ruleSatisfied);
                    artifact.addAttribute(ruleNameAttribute);
                    
+                    try {
+                        // index the artifact for keyword search
+                        blackboard.indexArtifact(artifact);
+                    } catch (Blackboard.BlackboardException ex) {
+                        logger.log(Level.SEVERE, NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.error.msg", artifact.getDisplayName()), ex); //NON-NLS
+                        MessageNotifyUtil.Notify.error(
+                                NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.exception.msg"), artifact.getDisplayName());
+                    }
+                    
                    IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(moduleName, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT, Collections.singletonList(artifact)));

                } catch (TskCoreException ex) {
--- a/Core/src/org/sleuthkit/autopsy/modules/stix/StixArtifactData.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/stix/StixArtifactData.java
@ -18,9 +18,12 @@
 */
 package org.sleuthkit.autopsy.modules.stix;

-import java.util.ArrayList;
-import java.util.Collection;
+import java.util.logging.Level;
+import org.openide.util.NbBundle;
 import org.sleuthkit.autopsy.casemodule.Case;
+import org.sleuthkit.autopsy.casemodule.services.Blackboard;
+import org.sleuthkit.autopsy.coreutils.Logger;
+import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
 import org.sleuthkit.datamodel.AbstractFile;
 import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.BlackboardAttribute;
@ -35,6 +38,7 @@ class StixArtifactData {
    private AbstractFile file;
    private final String observableId;
    private final String objType;
+    private static final Logger logger = Logger.getLogger(StixArtifactData.class.getName());

    public StixArtifactData(AbstractFile a_file, String a_observableId, String a_objType) {
        file = a_file;
@ -55,7 +59,7 @@ class StixArtifactData {
    }

    public void createArtifact(String a_title) throws TskCoreException {
-        Collection<BlackboardAttribute> attrs = new ArrayList<BlackboardAttribute>();
+        Blackboard blackboard = Case.getCurrentCase().getServices().getBlackboard();

        String setName;
        if (a_title != null) {
@ -68,6 +72,15 @@ class StixArtifactData {
        bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID(), "Stix", setName)); //NON-NLS
        bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE.getTypeID(), "Stix", observableId)); //NON-NLS
        bba.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY.getTypeID(), "Stix", objType)); //NON-NLS
+        
+        try {
+            // index the artifact for keyword search
+            blackboard.indexArtifact(bba);
+        } catch (Blackboard.BlackboardException ex) {
+            logger.log(Level.SEVERE, NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.error.msg", bba.getDisplayName()), ex); //NON-NLS
+            MessageNotifyUtil.Notify.error(
+                    NbBundle.getMessage(Blackboard.class, "Blackboard.unableToIndexArtifact.exception.msg"), bba.getDisplayName());
+        }
    }

    public void print() {