Merge pull request #6583 from APriestman/7169_pcPathId

Copy content in TSK_PATH_ID to portable case and update attribute.
2025-07-12 16:06:15 +00:00 · 2021-01-04 12:11:31 -05:00 · 2021-01-04 12:11:31 -05:00 · ff58091366
commit ff58091366
parent 33dc19b4f1 38d86697bc
1 changed files with 35 additions and 11 deletions
--- a/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java
+++ b/Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java
@ -42,7 +42,6 @@ import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@ -80,7 +79,6 @@ import org.sleuthkit.datamodel.SleuthkitCase.CaseDbTransaction;
 import org.sleuthkit.datamodel.TagName;
 import org.sleuthkit.datamodel.TaggingManager.ContentTagChange;
 import org.sleuthkit.datamodel.TskCoreException;
-import org.sleuthkit.datamodel.TskDataException;
 import org.sleuthkit.datamodel.TskData;
 import org.sleuthkit.datamodel.Volume;
 import org.sleuthkit.datamodel.VolumeSystem;
@ -105,6 +103,11 @@ public class PortableCaseReportModule implements ReportModule {
    private static final List<FileTypeCategory> FILE_TYPE_CATEGORIES = Arrays.asList(FileTypeCategory.AUDIO, FileTypeCategory.DOCUMENTS,
            FileTypeCategory.EXECUTABLE, FileTypeCategory.IMAGE, FileTypeCategory.VIDEO);
    
+    // These are attribute types that have special handling and should not be copied
+    // into the new artifact directly.
+    private static final List<Integer> SPECIALLY_HANDLED_ATTRS = Arrays.asList(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID(),
+            BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ATTACHMENTS.getTypeID(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID());
+
    private Case currentCase = null;
    private SleuthkitCase portableSkCase = null;
    private String caseName = "";
@ -893,6 +896,9 @@ public class PortableCaseReportModule implements ReportModule {
            // Copy any attachments
            copyAttachments(newArtifact, tag.getArtifact(), portableSkCase.getAbstractFileById(newContentId));
            
+            // Copy any files associated with this artifact through the TSK_PATH_ID attribute
+            copyPathID(newArtifact, tag.getArtifact());
+
            // Tag the artfiact
            if (!oldTagNameToNewTagName.containsKey(tag.getName())) {
                throw new TskCoreException("TagName map is missing entry for ID " + tag.getName().getId() + " with display name " + tag.getName().getDisplayName()); // NON-NLS
@ -937,13 +943,8 @@ public class PortableCaseReportModule implements ReportModule {
        // Copy over each attribute, making sure the type is in the new case.
        for (BlackboardAttribute oldAttr : oldAttrs) {

-            // The associated artifact has already been handled
-            if (oldAttr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT.getTypeID()) {
-                continue;
-            }
-            
-            // Attachments will be handled later
-            if (oldAttr.getAttributeType().getTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ATTACHMENTS.getTypeID()) {
+            // Skip attributes that are handled elsewhere
+            if (SPECIALLY_HANDLED_ATTRS.contains(oldAttr.getAttributeType().getTypeID())) {
                continue;
            }

@ -1157,10 +1158,33 @@ public class PortableCaseReportModule implements ReportModule {
        return oldIdToNewContent.get(content.getId()).getId();
    }

+    /**
+     * Copy path ID attribute to new case along with the referenced file.
+     * 
+     * @param newArtifact The new artifact in the portable case. Should not have a TSK_PATH_ID attribute.
+     * @param oldArtifact The old artifact.
+     * 
+     * @throws TskCoreException 
+     */    
+    private void copyPathID(BlackboardArtifact newArtifact, BlackboardArtifact oldArtifact) throws TskCoreException {
+        // Get the path ID attribute
+        BlackboardAttribute oldPathIdAttr = oldArtifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID));
+        if (oldPathIdAttr != null) {
+            // Copy the file and remake the attribute if the path ID is valid
+            long oldContentId = oldPathIdAttr.getValueLong();
+            if (oldContentId > 0) {
+                Content oldContent = currentCase.getSleuthkitCase().getContentById(oldContentId);
+                long newContentId = copyContent(oldContent);
+                newArtifact.addAttribute(new BlackboardAttribute(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID,
+                        String.join(",", oldPathIdAttr.getSources()), newContentId));
+            }
+        }
+    }
+        
    /**
     * Copy attachments to the portable case.
     * 
-     * @param newArtifact The new artifact in the portable case. Should be complete apart from the TSK_ATTACHMENTS attribute.
+     * @param newArtifact The new artifact in the portable case. Should not have a TSK_ATTACHMENTS attribute.
     * @param oldArtifact The old artifact.
     * @param newFile     The new file in the portable case associated with the artifact.
     *