Autopsy  4.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
InterestingHits.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2015 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.datamodel;
20 
21 import java.beans.PropertyChangeEvent;
22 import java.beans.PropertyChangeListener;
23 import java.sql.ResultSet;
24 import java.sql.SQLException;
25 import java.util.ArrayList;
26 import java.util.Collections;
27 import java.util.HashSet;
28 import java.util.LinkedHashMap;
29 import java.util.List;
30 import java.util.Map;
31 import java.util.Observable;
32 import java.util.Observer;
33 import java.util.Set;
34 import java.util.logging.Level;
35 import org.openide.nodes.ChildFactory;
36 import org.openide.nodes.Children;
37 import org.openide.nodes.Node;
38 import org.openide.nodes.Sheet;
39 import org.openide.util.NbBundle;
40 import org.openide.util.lookup.Lookups;
41 import org.sleuthkit.autopsy.casemodule.Case;
42 import org.sleuthkit.autopsy.coreutils.Logger;
43 import org.sleuthkit.autopsy.ingest.IngestManager;
44 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
45 import org.sleuthkit.datamodel.BlackboardArtifact;
46 import org.sleuthkit.datamodel.BlackboardAttribute;
47 import org.sleuthkit.datamodel.SleuthkitCase;
48 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;
49 import org.sleuthkit.datamodel.TskCoreException;
50 
51 public class InterestingHits implements AutopsyVisitableItem {
52 
53  private static final String INTERESTING_ITEMS = NbBundle
54  .getMessage(InterestingHits.class, "InterestingHits.interestingItems.text");
55  private static final String DISPLAY_NAME = NbBundle.getMessage(InterestingHits.class, "InterestingHits.displayName.text");
56  private static final Logger logger = Logger.getLogger(InterestingHits.class.getName());
57  private SleuthkitCase skCase;
58  private final InterestingResults interestingResults = new InterestingResults();
59 
60  public InterestingHits(SleuthkitCase skCase) {
61  this.skCase = skCase;
62  interestingResults.update();
63  }
64 
65  private class InterestingResults extends Observable {
66 
67  private final Map<String, Set<Long>> interestingItemsMap = new LinkedHashMap<>();
68 
69  public List<String> getSetNames() {
70  List<String> setNames = new ArrayList<>(interestingItemsMap.keySet());
71  Collections.sort(setNames);
72  return setNames;
73  }
74 
75  public Set<Long> getArtifactIds(String setName) {
76  return interestingItemsMap.get(setName);
77  }
78 
79  public void update() {
80  interestingItemsMap.clear();
81  loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT);
82  loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT);
83  setChanged();
84  notifyObservers();
85  }
86 
87  /*
88  * Reads the artifacts of specified type, grouped by Set, and loads into
89  * the interestingItemsMap
90  */
91  @SuppressWarnings("deprecation")
92  private void loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE artType) {
93  if (skCase == null) {
94  return;
95  }
96 
97  int setNameId = BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID();
98  int artId = artType.getTypeID();
99  String query = "SELECT value_text,blackboard_attributes.artifact_id,attribute_type_id " //NON-NLS
100  + "FROM blackboard_attributes,blackboard_artifacts WHERE " //NON-NLS
101  + "attribute_type_id=" + setNameId //NON-NLS
102  + " AND blackboard_attributes.artifact_id=blackboard_artifacts.artifact_id" //NON-NLS
103  + " AND blackboard_artifacts.artifact_type_id=" + artId; //NON-NLS
104 
105  try (CaseDbQuery dbQuery = skCase.executeQuery(query)) {
106  ResultSet resultSet = dbQuery.getResultSet();
107  while (resultSet.next()) {
108  String value = resultSet.getString("value_text"); //NON-NLS
109  long artifactId = resultSet.getLong("artifact_id"); //NON-NLS
110  if (!interestingItemsMap.containsKey(value)) {
111  interestingItemsMap.put(value, new HashSet<>());
112  }
113  interestingItemsMap.get(value).add(artifactId);
114  }
115  } catch (TskCoreException | SQLException ex) {
116  logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS
117  }
118  }
119  }
120 
121  @Override
122  public <T> T accept(AutopsyItemVisitor<T> v) {
123  return v.visit(this);
124  }
125 
129  public class RootNode extends DisplayableItemNode {
130 
131  public RootNode() {
132  super(Children.create(new SetNameFactory(), true), Lookups.singleton(DISPLAY_NAME));
133  super.setName(INTERESTING_ITEMS);
134  super.setDisplayName(DISPLAY_NAME);
135  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
136  }
137 
138  @Override
139  public boolean isLeafTypeNode() {
140  return false;
141  }
142 
143  @Override
144  public <T> T accept(DisplayableItemNodeVisitor<T> v) {
145  return v.visit(this);
146  }
147 
148  @Override
149  protected Sheet createSheet() {
150  Sheet s = super.createSheet();
151  Sheet.Set ss = s.get(Sheet.PROPERTIES);
152  if (ss == null) {
153  ss = Sheet.createPropertiesSet();
154  s.put(ss);
155  }
156 
157  ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
158  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.displayName"),
159  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
160  getName()));
161 
162  return s;
163  }
164 
165  /*
166  * TODO (AUT-1849): Correct or remove peristent column reordering code
167  *
168  * Added to support this feature.
169  */
170 // @Override
171 // public String getItemType() {
172 // return "InterestingHitsRoot"; //NON-NLS
173 // }
174  }
175 
176  private class SetNameFactory extends ChildFactory.Detachable<String> implements Observer {
177 
178  /*
179  * This should probably be in the top-level class, but the factory has
180  * nice methods for its startup and shutdown, so it seemed like a
181  * cleaner place to register the property change listener.
182  */
183  private final PropertyChangeListener pcl = new PropertyChangeListener() {
184  @Override
185  public void propertyChange(PropertyChangeEvent evt) {
186  String eventType = evt.getPropertyName();
187  if (eventType.equals(IngestManager.IngestModuleEvent.DATA_ADDED.toString())) {
194  try {
195  Case.getCurrentCase();
202  ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();
203  if (null != eventData && (eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID()
204  || eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID())) {
205  interestingResults.update();
206  }
207  } catch (IllegalStateException notUsed) {
211  }
212  } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())
213  || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())) {
220  try {
221  Case.getCurrentCase();
222  interestingResults.update();
223  } catch (IllegalStateException notUsed) {
227  }
228  } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())) {
229  // case was closed. Remove listeners so that we don't get called with a stale case handle
230  if (evt.getNewValue() == null) {
231  removeNotify();
232  skCase = null;
233  }
234  }
235  }
236  };
237 
238  @Override
239  protected void addNotify() {
240  IngestManager.getInstance().addIngestJobEventListener(pcl);
241  IngestManager.getInstance().addIngestModuleEventListener(pcl);
242  Case.addPropertyChangeListener(pcl);
243  interestingResults.update();
244  interestingResults.addObserver(this);
245  }
246 
247  @Override
248  protected void removeNotify() {
249  IngestManager.getInstance().removeIngestJobEventListener(pcl);
250  IngestManager.getInstance().removeIngestModuleEventListener(pcl);
251  Case.removePropertyChangeListener(pcl);
252  interestingResults.deleteObserver(this);
253  }
254 
255  @Override
256  protected boolean createKeys(List<String> list) {
257  list.addAll(interestingResults.getSetNames());
258  return true;
259  }
260 
261  @Override
262  protected Node createNodeForKey(String key) {
263  return new SetNameNode(key);
264  }
265 
266  @Override
267  public void update(Observable o, Object arg) {
268  refresh(true);
269  }
270  }
271 
272  public class SetNameNode extends DisplayableItemNode implements Observer {
273 
274  private final String setName;
275 
276  public SetNameNode(String setName) {//, Set<Long> children) {
277  super(Children.create(new HitFactory(setName), true), Lookups.singleton(setName));
278  this.setName = setName;
279  super.setName(setName);
280  updateDisplayName();
281  this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/interesting_item.png"); //NON-NLS
282  interestingResults.addObserver(this);
283  }
284 
285  private void updateDisplayName() {
286  super.setDisplayName(setName + " (" + interestingResults.getArtifactIds(setName).size() + ")");
287  }
288 
289  @Override
290  public boolean isLeafTypeNode() {
291  return true;
292  }
293 
294  @Override
295  protected Sheet createSheet() {
296  Sheet s = super.createSheet();
297  Sheet.Set ss = s.get(Sheet.PROPERTIES);
298  if (ss == null) {
299  ss = Sheet.createPropertiesSet();
300  s.put(ss);
301  }
302 
303  ss.put(new NodeProperty<>(NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
304  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.name"),
305  NbBundle.getMessage(this.getClass(), "InterestingHits.createSheet.name.desc"),
306  getName()));
307 
308  return s;
309  }
310 
311  @Override
312  public <T> T accept(DisplayableItemNodeVisitor<T> v) {
313  return v.visit(this);
314  }
315 
316  @Override
317  public void update(Observable o, Object arg) {
318  updateDisplayName();
319  }
320 
321  /*
322  * TODO (AUT-1849): Correct or remove peristent column reordering code
323  *
324  * Added to support this feature.
325  */
326 // @Override
327 // public String getItemType() {
328 // return "InterestingHitsSetName"; //NON-NLS
329 // }
330  }
331 
332  private class HitFactory extends ChildFactory<Long> implements Observer {
333 
334  private final String setName;
335 
336  private HitFactory(String setName) {
337  super();
338  this.setName = setName;
339  interestingResults.addObserver(this);
340  }
341 
342  @Override
343  protected boolean createKeys(List<Long> list) {
344  for (long l : interestingResults.getArtifactIds(setName)) {
345  list.add(l);
346  }
347  return true;
348  }
349 
350  @Override
351  protected Node createNodeForKey(Long l) {
352  if (skCase == null) {
353  return null;
354  }
355  try {
356  return new BlackboardArtifactNode(skCase.getBlackboardArtifact(l));
357  } catch (TskCoreException ex) {
358  logger.log(Level.SEVERE, "Error creating new Blackboard Artifact node", ex); //NON-NLS
359  return null;
360  }
361  }
362 
363  @Override
364  public void update(Observable o, Object arg) {
365  refresh(true);
366  }
367  }
368 }
org.sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType
BlackboardArtifact.Type getBlackboardArtifactType()
Definition: ModuleDataEvent.java:104
org.sleuthkit.autopsy.ingest.IngestManager.removeIngestModuleEventListener
void removeIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:688
org.sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition: IngestManager.java:234
org.sleuthkit.autopsy.datamodel.InterestingHits.InterestingResults.loadArtifacts
void loadArtifacts(BlackboardArtifact.ARTIFACT_TYPE artType)
Definition: InterestingHits.java:92
org.sleuthkit.autopsy.ingest.IngestManager.removeIngestJobEventListener
void removeIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:670
org.sleuthkit.autopsy.ingest.IngestManager.addIngestJobEventListener
void addIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:661
org.sleuthkit.autopsy.casemodule.Case.removePropertyChangeListener
static synchronized void removePropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:1305
org.sleuthkit.autopsy.ingest.IngestManager.addIngestModuleEventListener
void addIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:679
org.sleuthkit.autopsy.casemodule.Case.addPropertyChangeListener
static synchronized void addPropertyChangeListener(PropertyChangeListener listener)
Definition: Case.java:1292
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:166

Copyright © 2012-2015 Basis Technology. Generated on: Wed Apr 6 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.