Autopsy  4.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
org.sleuthkit.autopsy.timeline.db.EventsRepository Class Reference


enum  DBPopulationMode
class  DBPopulationWorker

Public Member Functions

 EventsRepository (Case autoCase, ReadOnlyObjectProperty< ZoomParams > currentStateProperty)
synchronized Set< Long > addTag (long objID, Long artifactID, Tag tag, EventDB.EventTransaction trans)
boolean areFiltersEquivalent (RootFilter f1, RootFilter f2)
synchronized int countAllEvents ()
synchronized Map< EventType, Long > countEvents (ZoomParams params)
synchronized Set< Long > deleteTag (long objID, Long artifactID, long tagID, boolean tagged)
Case getAutoCase ()
Interval getBoundingEventsInterval (Interval timeRange, RootFilter filter)
synchronized ObservableMap< Long, String > getDatasourcesMap ()
TimeLineEvent getEventById (Long eventID)
Set< Long > getEventIDs (Interval timeRange, RootFilter filter)
synchronized Set< TimeLineEvent > getEventsById (Collection< Long > eventIDs)
FilteredEventsModel getEventsModel ()
synchronized List< EventStripe > getEventStripes (ZoomParams params)
synchronized ObservableMap< Long, String > getHashSetMap ()
Long getMaxTime ()
Long getMinTime ()
Interval getSpanningInterval (Collection< Long > eventIDs)
Map< String, Long > getTagCountsByTagName (Set< Long > eventIDsWithTags)
ObservableList< TagName > getTagNames ()
boolean hasNewColumns ()
boolean isRebuilding ()
CancellationProgressTask< Void > rebuildRepository (Consumer< Worker.State > onStateChange)
CancellationProgressTask< Void > rebuildTags (Consumer< Worker.State > onStateChange)
void syncTagsFilter (TagsFilter tagsFilter)

Private Member Functions

void invalidateCaches ()
synchronized void invalidateCaches (Set< Long > updatedEventIDs)
synchronized void populateFilterData (SleuthkitCase skCase)
CancellationProgressTask< Void > rebuildRepository (final DBPopulationMode mode, Consumer< Worker.State > onStateChange)

Private Attributes

final Case autoCase
final ObservableMap< Long, String > datasourcesMap = FXCollections.observableHashMap()
DBPopulationWorker dbWorker
final LoadingCache< ZoomParams, Map< EventType, Long > > eventCountsCache
final EventDB eventDB
final LoadingCache< ZoomParams, List< EventStripe > > eventStripeCache
final ObservableMap< Long, String > hashSetMap = FXCollections.observableHashMap()
final LoadingCache< Long, TimeLineEvent > idToEventCache
final LoadingCache< Object, Long > maxCache
final LoadingCache< Object, Long > minCache
final FilteredEventsModel modelInstance
final ObservableList< TagName > tagNames = FXCollections.observableArrayList()
final Executor workerExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("eventrepository-worker-%d").build())

Static Private Attributes

static final Logger LOGGER = Logger.getLogger(EventsRepository.class.getName())

Detailed Description

Provides a higher-level public API (over EventDB) to access events. In theory this insulates the rest of the timeline module from the details of the db implementation. Since there are no other implementations of the database or clients of this class, and no Java Interface defined yet, in practice this just delegates everything to the eventDB. Some results are also cached by this layer.

Concurrency Policy:

Since almost everything just delegates to the EventDB, which is internally synchronized, we only have to worry about rebuildRepository() which we synchronize on our intrinsic lock.

Constructor & Destructor Documentation

org.sleuthkit.autopsy.timeline.db.EventsRepository.EventsRepository ( Case  autoCase,
ReadOnlyObjectProperty< ZoomParams >  currentStateProperty )

Member Function Documentation

synchronized Set<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.addTag ( long  objID,
Long  artifactID,
Tag  tag,
EventDB.EventTransaction  trans )

boolean org.sleuthkit.autopsy.timeline.db.EventsRepository.areFiltersEquivalent ( RootFilter  f1,
RootFilter  f2 )

synchronized int org.sleuthkit.autopsy.timeline.db.EventsRepository.countAllEvents ( )

synchronized Map<EventType, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.countEvents ( ZoomParams  params)
synchronized Set<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.deleteTag ( long  objID,
Long  artifactID,
long  tagID,
boolean  tagged )
Case org.sleuthkit.autopsy.timeline.db.EventsRepository.getAutoCase ( )
Interval org.sleuthkit.autopsy.timeline.db.EventsRepository.getBoundingEventsInterval ( Interval  timeRange,
RootFilter  filter )
synchronized ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.getDatasourcesMap ( )
TimeLineEvent org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventById ( Long  eventID)
Set<Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventIDs ( Interval  timeRange,
RootFilter  filter )
synchronized Set<TimeLineEvent> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventsById ( Collection< Long >  eventIDs)
FilteredEventsModel org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventsModel ( )
Returns
a FilteredEvents object with this repository as the underlying source of events

synchronized List<EventStripe> org.sleuthkit.autopsy.timeline.db.EventsRepository.getEventStripes ( ZoomParams  params)
synchronized ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.getHashSetMap ( )
Long org.sleuthkit.autopsy.timeline.db.EventsRepository.getMaxTime ( )
Returns
max time (in seconds from unix epoch)

Long org.sleuthkit.autopsy.timeline.db.EventsRepository.getMinTime ( )
Returns
min time (in seconds from unix epoch)

Interval org.sleuthkit.autopsy.timeline.db.EventsRepository.getSpanningInterval ( Collection< Long >  eventIDs)
Map<String, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.getTagCountsByTagName ( Set< Long >  eventIDsWithTags)

Get a count of the tag names applied to the given event IDs, as a map from tag name display name to count of tag applications.

Parameters
eventIDsWithTags: the event ids to get the tag counts map for

Returns
a map from tagname displayname to count of applications

ObservableList<TagName> org.sleuthkit.autopsy.timeline.db.EventsRepository.getTagNames ( )
boolean org.sleuthkit.autopsy.timeline.db.EventsRepository.hasNewColumns ( )

void org.sleuthkit.autopsy.timeline.db.EventsRepository.invalidateCaches ( )
synchronized void org.sleuthkit.autopsy.timeline.db.EventsRepository.invalidateCaches ( Set< Long >  updatedEventIDs)
boolean org.sleuthkit.autopsy.timeline.db.EventsRepository.isRebuilding ( )

synchronized void org.sleuthkit.autopsy.timeline.db.EventsRepository.populateFilterData ( SleuthkitCase  skCase)

use the given SleuthkitCase to update the data used to determine the available filters.


CancellationProgressTask<Void> org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildRepository ( Consumer< Worker.State >  onStateChange)

rebuild the entire repo.

Parameters
onStateChange: called when the background task changes state. Clients can use this to handle failure, or cleanup operations for example.

Returns
the task that will rebuild the repo in a background thread. The task has already been started.

CancellationProgressTask<Void> org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildRepository ( final DBPopulationMode  mode,
Consumer< Worker.State >  onStateChange )

rebuild the repo.

Parameters
mode: the rebuild mode to use.
onStateChange: called when the background task changes state. Clients can use this to handle failure, or cleanup operations for example.

Returns
the task that will rebuild the repo in a background thread. The task has already been started.

CancellationProgressTask<Void> org.sleuthkit.autopsy.timeline.db.EventsRepository.rebuildTags ( Consumer< Worker.State >  onStateChange)

drop and rebuild the tags in the repo.

Parameters
onStateChange: called when the background task changes state. Clients can use this to handle failure, or cleanup operations for example.

Returns
the task that will rebuild the repo in a background thread. The task has already been started.

void org.sleuthkit.autopsy.timeline.db.EventsRepository.syncTagsFilter ( TagsFilter  tagsFilter)

"sync" the given tags filter with the tagnames in use: Disable filters for tags that are not in use in the case, and add new filters for tags that don't have them. New filters are selected by default.

Parameters
tagsFilter: the tags filter to modify so it is consistent with the tags in use in the case

Member Data Documentation

final Case org.sleuthkit.autopsy.timeline.db.EventsRepository.autoCase
final ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.datasourcesMap = FXCollections.observableHashMap()
DBPopulationWorker org.sleuthkit.autopsy.timeline.db.EventsRepository.dbWorker
final LoadingCache<ZoomParams, Map<EventType, Long> > org.sleuthkit.autopsy.timeline.db.EventsRepository.eventCountsCache

final EventDB org.sleuthkit.autopsy.timeline.db.EventsRepository.eventDB

final LoadingCache<ZoomParams, List<EventStripe> > org.sleuthkit.autopsy.timeline.db.EventsRepository.eventStripeCache

final ObservableMap<Long, String> org.sleuthkit.autopsy.timeline.db.EventsRepository.hashSetMap = FXCollections.observableHashMap()
final LoadingCache<Long, TimeLineEvent> org.sleuthkit.autopsy.timeline.db.EventsRepository.idToEventCache

final Logger org.sleuthkit.autopsy.timeline.db.EventsRepository.LOGGER = Logger.getLogger(EventsRepository.class.getName())

final LoadingCache<Object, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.maxCache

final LoadingCache<Object, Long> org.sleuthkit.autopsy.timeline.db.EventsRepository.minCache

final FilteredEventsModel org.sleuthkit.autopsy.timeline.db.EventsRepository.modelInstance
final ObservableList<TagName> org.sleuthkit.autopsy.timeline.db.EventsRepository.tagNames = FXCollections.observableArrayList()
final Executor org.sleuthkit.autopsy.timeline.db.EventsRepository.workerExecutor = Executors.newSingleThreadExecutor(new ThreadFactoryBuilder().setNameFormat("eventrepository-worker-%d").build())

