Autopsy 3.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
SolrSearchService.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2015 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.keywordsearch;
20 
21 import java.io.IOException;
22 import java.util.HashMap;
27 import org.apache.solr.common.util.ContentStreamBase.StringStream;
28 import org.openide.util.lookup.ServiceProvider;
34 
39 @ServiceProvider(service = KeywordSearchService.class)
40 public class SolrSearchService implements KeywordSearchService {
41  @Override
42  public void indexArtifact(BlackboardArtifact artifact) throws TskCoreException {
43  if (artifact == null)
44  return;
45 
46  // We only support artifact indexing for Autopsy versions that use
47  // the negative range for artifact ids.
48  long artifactId = artifact.getArtifactID();
49 
50  if (artifactId > 0)
51  return;
52 
53  Case currentCase = Case.getCurrentCase();
54  if (currentCase == null)
55  return;
56 
57  SleuthkitCase sleuthkitCase = currentCase.getSleuthkitCase();
58  if (sleuthkitCase == null)
59  return;
60 
61  Content dataSource;
62  AbstractFile abstractFile = sleuthkitCase.getAbstractFileById(artifact.getObjectID());
63  if (abstractFile != null)
64  dataSource = abstractFile.getDataSource();
65  else
66  dataSource = sleuthkitCase.getContentById(artifact.getObjectID());
67 
68  if (dataSource == null)
69  return;
70 
71  // Concatenate the string values of all attributes into a single
72  // "content" string to be indexed.
73  StringBuilder artifactContents = new StringBuilder();
74 
75  for (BlackboardAttribute attribute : artifact.getAttributes()) {
76  artifactContents.append(attribute.getAttributeTypeDisplayName());
77  artifactContents.append(" : ");
78 
79  // This is ugly since it will need to updated any time a new
80  // TSK_DATETIME_* attribute is added. A slightly less ugly
81  // alternative would be to assume that all date time attributes
82  // will have a name of the form "TSK_DATETIME*" and check
83  // attribute.getAttributeTypeName().startsWith("TSK_DATETIME*".
84  // The major problem with that approach is that it would require
85  // a round trip to the database to get the type name string.
86  // We have also discussed modifying BlackboardAttribute.getDisplayString()
87  // to magically format datetime attributes but that is complicated by
88  // the fact that BlackboardAttribute exists in Sleuthkit data model
89  // while the utility to determine the timezone to use is in ContentUtils
90  // in the Autopsy datamodel.
91  if (attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID()
92  || attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED.getTypeID()
93  || attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED.getTypeID()
94  || attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_MODIFIED.getTypeID()
95  || attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_RCVD.getTypeID()
96  || attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_SENT.getTypeID()
97  || attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START.getTypeID()
98  || attribute.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END.getTypeID()) {
99  artifactContents.append(ContentUtils.getStringTime(attribute.getValueLong(), abstractFile));
100  }
101  else
102  artifactContents.append(attribute.getDisplayString());
103  artifactContents.append(System.lineSeparator());
104  }
105 
106  if (artifactContents.length() == 0)
107  return;
108 
109  // To play by the rules of the existing text markup implementations,
110  // we need to (a) index the artifact contents in a "chunk" and
111  // (b) create a separate index entry for the base artifact.
112  // We distinguish artifact content from file content by applying a
113  // mask to the artifact id to make its value > 0x8000000000000000 (i.e. negative).
114 
115  // First, create an index entry for the base artifact.
116  HashMap<String, String> solrFields = new HashMap<>();
117  String documentId = Long.toString(artifactId);
118 
119  solrFields.put(Server.Schema.ID.toString(), documentId);
120 
121  // Set the IMAGE_ID field.
122  solrFields.put(Server.Schema.IMAGE_ID.toString(), Long.toString(dataSource.getId()));
123 
124  try {
125  Ingester.getDefault().ingest(new StringStream(""), solrFields, 0);
126  }
127  catch (Ingester.IngesterException ex) {
128  }
129 
130  // Next create the index entry for the document content.
131  // The content gets added to a single chunk. We may need to add chunking
132  // support later.
133  long chunkId = 1;
134 
135  documentId += "_" + Long.toString(chunkId);
136  solrFields.replace(Server.Schema.ID.toString(), documentId);
137 
138  StringStream contentStream = new StringStream(artifactContents.toString());
139 
140  try {
141  Ingester.getDefault().ingest(contentStream, solrFields, contentStream.getSize());
142  }
143  catch (Ingester.IngesterException ex) {
144  }
145  }
146 
147  @Override
148  public void close() throws IOException {
149  }
150 }
static String getStringTime(long epochSeconds, TimeZone tzone)
AbstractFile getAbstractFileById(long id)

Copyright © 2012-2015 Basis Technology. Generated on: Mon Oct 19 2015
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.