Autopsy
4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.

Classes
class EventTransaction

Public Member Functions
void finalize () throws Throwable
Interval getSpanningInterval (Collection< Long > eventIDs)

Static Public Member Functions
static EventDB getEventDB (Case autoCase)

Private Member Functions
EventDB (Case autoCase) throws SQLException, Exception
void closeStatements () throws SQLException
void configureDB () throws SQLException
SingleEvent constructTimeLineEvent (ResultSet rs) throws SQLException
Map< EventType, Long > countEventsByType (Long startTime, Long endTime, RootFilter filter, EventTypeZoomLevel zoomLevel)
void createIndex (final String tableName, final List< String > columnList)
EventCluster eventClusterHelper (ResultSet rs, boolean useSubTypes, DescriptionLoD descriptionLOD, TagsFilter filter) throws SQLException
boolean hasDataSourceIDColumn ()
boolean hasDBColumn (@Nonnull final String dbColumn)
boolean hasHashHitColumn ()
boolean hasTaggedColumn ()
void initializeTagsTable ()
void insertTag (Tag tag, long eventID) throws SQLException
Set< Long > markEventsTagged (long objectID, @Nullable Long artifactID, boolean tagged) throws SQLException
PreparedStatement prepareStatement (String queryString) throws SQLException

Static Private Member Functions
static List< EventStripe > mergeClustersToStripes (Period timeUnitLength, List< EventCluster > preMergedEvents)
static String typeColumnHelper (final boolean useSubTypes)

Private Attributes
volatile Connection con
PreparedStatement countAllEventsStmt
final Lock DBLock = new ReentrantReadWriteLock(true).writeLock()
final String dbPath
PreparedStatement deleteTagStmt
PreparedStatement dropDBInfoTableStmt
PreparedStatement dropEventsTableStmt
PreparedStatement dropHashSetHitsTableStmt
PreparedStatement dropHashSetsTableStmt
PreparedStatement dropTagsTableStmt
PreparedStatement getDataSourceIDsStmt
PreparedStatement getEventByIDStmt
PreparedStatement getHashSetNamesStmt
PreparedStatement getMaxTimeStmt
PreparedStatement getMinTimeStmt
PreparedStatement insertHashHitStmt
PreparedStatement insertHashSetStmt
PreparedStatement insertRowStmt
PreparedStatement insertTagStmt
final Set< PreparedStatement > preparedStatements = new HashSet<>()
PreparedStatement selectEventIDsBYObjectAndArtifactIDStmt
PreparedStatement selectHashSetStmt
PreparedStatement selectNonArtifactEventIDsByObjectIDStmt

Static Private Attributes
static final org.sleuthkit.autopsy.coreutils.Logger LOGGER = Logger.getLogger(EventDB.class.getName())

Detailed Description
Provides access to the Timeline SQLite database.
This class borrows a lot of ideas and techniques from SleuthkitCase. Creating an abstract base class for SQLite databases, or using a higher-level persistence API, may make sense in the future.
Definition at line 88 of file EventDB.java.

org.sleuthkit.autopsy.timeline.db.EventDB.EventDB ( Case autoCase ) throws SQLException, Exception
private
Definition at line 150 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.getEventDB().

void org.sleuthkit.autopsy.timeline.db.EventDB.closeStatements ( ) throws SQLException
private
Definition at line 1040 of file EventDB.java.

void org.sleuthkit.autopsy.timeline.db.EventDB.configureDB ( ) throws SQLException
private
Definition at line 1046 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

SingleEvent org.sleuthkit.autopsy.timeline.db.EventDB.constructTimeLineEvent ( ResultSet rs ) throws SQLException
private
Definition at line 1075 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes.

Map< EventType, Long > org.sleuthkit.autopsy.timeline.db.EventDB.countEventsByType ( Long startTime, Long endTime, RootFilter filter, EventTypeZoomLevel zoomLevel )
private
Count all the events that match the given options and return a map from event type to count.
Parameters
startTime: events before this time are excluded (seconds since the Unix epoch)
endTime: events at or after this time are excluded (seconds since the Unix epoch), so the counted range is half-open: [startTime, endTime)
filter: only events that pass this filter are counted
zoomLevel: only events of this type or one of its subtypes are counted, and the counts are binned by each subtype of the given event type
Definition at line 1105 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes, org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER, org.sleuthkit.autopsy.timeline.zooming.EventTypeZoomLevel.SUB_TYPE, and org.sleuthkit.autopsy.timeline.db.EventDB.typeColumnHelper().
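The following Python sqlite3 script is an added example written for this page, not Autopsy's Java code. It shows the contract documented above: a half-open [startTime, endTime) range bound as query parameters, an optional tag filter standing in for RootFilter, and the type column chosen from a fixed map in the way typeColumnHelper() does rather than from caller-supplied text. Only the base_type and sub_type column names come from this page; the events table name, its other columns and the sample rows are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample rows (assumption: not Autopsy's real schema or data).
# (event_id, time in seconds since the Unix epoch, base_type, sub_type, tagged)
SAMPLE_EVENTS = [
    (1, 100, "FILE_SYSTEM", "FILE_MODIFIED", 0),
    (2, 150, "FILE_SYSTEM", "FILE_ACCESSED", 1),
    (3, 200, "WEB_ACTIVITY", "WEB_DOWNLOADS", 0),
    (4, 200, "FILE_SYSTEM", "FILE_MODIFIED", 0),
    (5, 250, "MISC_TYPES", "EXIF", 1),
]

# The type column is an SQL identifier and cannot be bound with "?", so it is
# selected from this closed map (the role typeColumnHelper plays on the page),
# never taken from caller-supplied text.
TYPE_COLUMN = {True: "sub_type", False: "base_type"}


def open_events_db():
    """Create an in-memory events table (assumed layout) and load the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE events (event_id INTEGER PRIMARY KEY, time INTEGER NOT NULL, "
        "base_type TEXT NOT NULL, sub_type TEXT NOT NULL, tagged INTEGER NOT NULL DEFAULT 0)"
    )
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    con.commit()
    return con


def count_events_by_type(con, start_time, end_time, use_sub_types, tagged_only=False):
    """Return {type: count} for events with start_time <= time < end_time.

    use_sub_types=True bins by sub_type, otherwise by base_type. tagged_only is a
    stand-in for the page's filter argument: when set, only tagged events count.
    """
    type_col = TYPE_COLUMN[use_sub_types]  # KeyError for anything but True/False
    sql = f"SELECT {type_col}, COUNT(*) FROM events WHERE time >= ? AND time < ?"
    params = [start_time, end_time]  # range bounds are bound parameters, never interpolated
    if tagged_only:
        sql += " AND tagged = 1"
    sql += f" GROUP BY {type_col}"
    return dict(con.execute(sql, params).fetchall())


if __name__ == "__main__":
    db = open_events_db()
    # Events at exactly end_time are excluded, so events 3 and 4 (time 200) are not counted here.
    print(count_events_by_type(db, 100, 200, use_sub_types=False))
    print(count_events_by_type(db, 100, 201, use_sub_types=True))
    print(count_events_by_type(db, 0, 1000, use_sub_types=False, tagged_only=True))
```

Because an SQL identifier cannot be bound with a placeholder, the only safe way to vary the GROUP BY column is to restrict it to a closed set; the dict lookup raises KeyError for anything else, so a string smuggled in through that argument never reaches the query text.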

void org.sleuthkit.autopsy.timeline.db.EventDB.createIndex ( final String tableName, final List< String > columnList )
private
Parameters
tableName: the table to create the index on
columnList: the columns the index covers
Definition at line 758 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

EventCluster org.sleuthkit.autopsy.timeline.db.EventDB.eventClusterHelper ( ResultSet rs, boolean useSubTypes, DescriptionLoD descriptionLOD, TagsFilter filter ) throws SQLException
private
Map a single row in a ResultSet to an EventCluster.
Parameters
rs: the result set whose current row should be mapped
useSubTypes: use the sub_type column if true, else use the base_type column
descriptionLOD: the description level of detail for this event
filter
Exceptions
SQLException
Definition at line 1224 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.eventtype.EventType.allTypes, and org.sleuthkit.autopsy.timeline.TimeLineController.getJodaTimeZone().

void org.sleuthkit.autopsy.timeline.db.EventDB.finalize ( ) throws Throwable
Definition at line 157 of file EventDB.java.

static EventDB org.sleuthkit.autopsy.timeline.db.EventDB.getEventDB ( Case autoCase )
static public
Public factory method. Creates and opens a connection to the events database for the given case. If no database exists at that path yet, one is created.
Parameters
autoCase: the Autopsy Case this events database is for
Definition at line 110 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.EventDB(), and org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.
Referenced by org.sleuthkit.autopsy.timeline.db.EventsRepository.EventsRepository().

Interval org.sleuthkit.autopsy.timeline.db.EventDB.getSpanningInterval ( Collection< Long > eventIDs )
Definition at line 177 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.
Referenced by org.sleuthkit.autopsy.timeline.db.EventsRepository.getSpanningInterval().

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasDataSourceIDColumn ( )
private
Definition at line 790 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn().

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn ( @Nonnull final String dbColumn )
private
Parameters
dbColumn: the name of the column to look for
Definition at line 775 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.hasDataSourceIDColumn(), org.sleuthkit.autopsy.timeline.db.EventDB.hasHashHitColumn(), and org.sleuthkit.autopsy.timeline.db.EventDB.hasTaggedColumn().

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasHashHitColumn ( )
private
Definition at line 798 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn().

boolean org.sleuthkit.autopsy.timeline.db.EventDB.hasTaggedColumn ( )
private
Definition at line 794 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn().

void org.sleuthkit.autopsy.timeline.db.EventDB.initializeTagsTable ( )
private
Create the tags table if it doesn't already exist. This is broken out as a separate method so it can be used by reInitializeTags().
Definition at line 739 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER.

void org.sleuthkit.autopsy.timeline.db.EventDB.insertTag ( Tag tag, long eventID ) throws SQLException
private
Insert this tag into the db.
NOTE: does not lock the db; must be called from inside a DBLock.lock/unlock pair.
Parameters
tag: the tag to insert
eventID: the event id that this tag is applied to
Exceptions
SQLException: if there was a problem executing the insert
Definition at line 941 of file EventDB.java.

Set< Long > org.sleuthkit.autopsy.timeline.db.EventDB.markEventsTagged ( long objectID, @Nullable Long artifactID, boolean tagged ) throws SQLException
private
Mark any events with the given object and artifact ids as tagged, and record the tag itself.
NOTE: does not lock the db; must be called from inside a DBLock.lock/unlock pair.
Parameters
objectID: the obj_id that this tag applies to; for artifact tags, the id of the content that the artifact is derived from
artifactID: the artifact_id that this tag applies to, or null if this is a content tag
tagged: true to mark the matching events tagged, false to mark them as untagged
Exceptions
SQLException: if there is an error marking the events as (un)tagged
Definition at line 1004 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.db.EventDB.selectEventIDsBYObjectAndArtifactIDStmt, and org.sleuthkit.autopsy.timeline.db.EventDB.selectNonArtifactEventIDsByObjectIDStmt.
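Added Python example for the locking note above and for the two-query shape of markEventsTagged() (artifact tags match obj_id and artifact_id; content tags match obj_id with a NULL artifact_id, which an "artifact_id = ?" comparison would never find). It is not Autopsy's code. A threading.Lock stands in for DBLock, the events and tags table layouts and the sample rows are assumptions, and checking for a column via PRAGMA table_info is this example's choice, since the page does not say how hasDBColumn() is implemented.

```python
import sqlite3
import threading

# Stand-in for the page's DBLock: one lock serialising all writers (assumption).
DB_LOCK = threading.Lock()

# Constructed sample events (assumption, not Autopsy data).
# (event_id, obj_id, artifact_id or None for plain content events, tagged)
SAMPLE_EVENTS = [
    (1, 10, None, 0),   # two events derived directly from content object 10
    (2, 10, None, 0),
    (3, 10, 77, 0),     # an artifact event: artifact 77 was derived from object 10
    (4, 11, None, 0),   # an unrelated content object
]


def open_events_db():
    """In-memory events and tags tables with an assumed layout, plus the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE events (event_id INTEGER PRIMARY KEY, obj_id INTEGER NOT NULL, "
        "artifact_id INTEGER, tagged INTEGER NOT NULL DEFAULT 0)"
    )
    con.execute(
        "CREATE TABLE tags (tag_id INTEGER NOT NULL, event_id INTEGER NOT NULL, "
        "tag_name TEXT NOT NULL, PRIMARY KEY (tag_id, event_id))"
    )
    con.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", SAMPLE_EVENTS)
    con.commit()
    return con


def has_db_column(con, table, column):
    """True if `table` has a column named `column`; older databases may lack one
    (the reason the page has hasTaggedColumn() and hasHashHitColumn())."""
    # PRAGMA arguments cannot be bound, so `table` must come from code, never from input.
    return any(row[1] == column for row in con.execute(f"PRAGMA table_info({table})"))


def mark_events_tagged(con, object_id, artifact_id, tagged):
    """Flag every event for (object_id, artifact_id) and return their IDs.

    The caller must hold DB_LOCK, mirroring the page's NOTE on markEventsTagged().
    """
    assert DB_LOCK.locked(), "must be called inside a DB_LOCK acquire/release pair"
    if artifact_id is None:
        cur = con.execute("SELECT event_id FROM events WHERE obj_id = ? AND artifact_id IS NULL",
                          (object_id,))
    else:
        cur = con.execute("SELECT event_id FROM events WHERE obj_id = ? AND artifact_id = ?",
                          (object_id, artifact_id))
    event_ids = {row[0] for row in cur}
    con.executemany("UPDATE events SET tagged = ? WHERE event_id = ?",
                    [(1 if tagged else 0, eid) for eid in event_ids])
    return event_ids


def insert_tag(con, tag_id, tag_name, event_id):
    """Record the tag for one event. The caller must hold DB_LOCK."""
    assert DB_LOCK.locked(), "must be called inside a DB_LOCK acquire/release pair"
    con.execute("INSERT INTO tags (tag_id, event_id, tag_name) VALUES (?, ?, ?)",
                (tag_id, event_id, tag_name))


def add_tag(con, tag_id, tag_name, object_id, artifact_id=None):
    """Public entry point: take the lock once, mark and record in a single transaction."""
    with DB_LOCK:
        try:
            event_ids = mark_events_tagged(con, object_id, artifact_id, True)
            for eid in event_ids:
                insert_tag(con, tag_id, tag_name, eid)
            con.commit()
        except sqlite3.Error:
            con.rollback()
            raise
    return event_ids


def tagged_event_ids(con):
    """IDs of all events currently flagged as tagged."""
    return {row[0] for row in con.execute("SELECT event_id FROM events WHERE tagged = 1")}
```

The assert on DB_LOCK.locked() turns the page's prose invariant ("must be called from inside a DBLock.lock/unlock pair") into something a test can catch; in the Java original nothing enforces it, so a caller that forgets the lock silently interleaves with other writers.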

static List< EventStripe > org.sleuthkit.autopsy.timeline.db.EventDB.mergeClustersToStripes ( Period timeUnitLength, List< EventCluster > preMergedEvents )
static private
Merge the events in the given list if they are within the same period. The general algorithm is as follows:
1) sort them into a map from (type, description) -> List<aggevent>
2) for each key in the map, merge the events and accumulate them in a list to return
Parameters
timeUnitLength
preMergedEvents
Definition at line 1250 of file EventDB.java.
References org.sleuthkit.autopsy.timeline.datamodel.EventCluster.getSpan(), org.sleuthkit.autopsy.timeline.datamodel.EventStripe.getStartMillis(), org.sleuthkit.autopsy.timeline.datamodel.EventStripe.merge(), and org.sleuthkit.autopsy.timeline.datamodel.EventCluster.merge().
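Added Python rendering of the two-step algorithm above; it is not Autopsy's code. Clusters are bucketed by (type, description) and each bucket is then merged along the time axis. EventCluster and EventStripe here are minimal stand-ins for the page's classes, the rule for "within the same period" (a cluster joins the current stripe when it starts no more than one time unit after that stripe ends) is an assumption, and the sample clusters are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class EventCluster:
    """Stand-in (assumption) for Autopsy's EventCluster: events sharing one type
    and description whose times fall inside [start_ms, end_ms]."""
    event_type: str
    description: str
    start_ms: int
    end_ms: int
    event_ids: frozenset


@dataclass
class EventStripe:
    """Stand-in for EventStripe: clusters of the same (type, description)
    merged along the time axis."""
    event_type: str
    description: str
    start_ms: int
    end_ms: int
    clusters: list = field(default_factory=list)

    @property
    def event_ids(self):
        return frozenset().union(*(c.event_ids for c in self.clusters))


def merge_clusters_to_stripes(time_unit_ms, pre_merged):
    """Step 1: bucket clusters by (type, description).
    Step 2: per bucket, walk clusters in start order and fold each into the current
    stripe when it begins within one time unit of that stripe's end (assumed rule);
    otherwise start a new stripe."""
    by_key = defaultdict(list)
    for cluster in pre_merged:
        by_key[(cluster.event_type, cluster.description)].append(cluster)

    stripes = []
    for (event_type, description), group in by_key.items():
        current = None
        for cluster in sorted(group, key=lambda c: c.start_ms):
            if current is not None and cluster.start_ms - current.end_ms <= time_unit_ms:
                current.end_ms = max(current.end_ms, cluster.end_ms)
                current.clusters.append(cluster)
            else:
                current = EventStripe(event_type, description,
                                      cluster.start_ms, cluster.end_ms, [cluster])
                stripes.append(current)
    # Chronological order regardless of which bucket a stripe came from.
    stripes.sort(key=lambda s: (s.start_ms, s.event_type, s.description))
    return stripes


# Constructed sample clusters (assumption). Times are milliseconds; one hour = 3_600_000.
HOUR = 3_600_000
SAMPLE_CLUSTERS = [
    EventCluster("FILE_MODIFIED", "C:/Users/alice/Downloads", 0, HOUR, frozenset({1, 2})),
    EventCluster("FILE_MODIFIED", "C:/Users/alice/Downloads", 2 * HOUR, 3 * HOUR, frozenset({3})),
    EventCluster("FILE_MODIFIED", "C:/Users/alice/Downloads", 10 * HOUR, 11 * HOUR, frozenset({4})),
    EventCluster("WEB_DOWNLOADS", "example.com", HOUR, 2 * HOUR, frozenset({5})),
]

if __name__ == "__main__":
    for stripe in merge_clusters_to_stripes(HOUR, SAMPLE_CLUSTERS):
        print(stripe.event_type, stripe.description, stripe.start_ms // HOUR,
              stripe.end_ms // HOUR, sorted(stripe.event_ids))
```

Widening time_unit_ms is what a coarser zoom level does: with a one-hour unit the three FILE_MODIFIED clusters above yield two stripes, with a one-day unit they collapse into one, and with a zero-length unit nothing merges.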

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.prepareStatement ( String queryString ) throws SQLException
private
Definition at line 1305 of file EventDB.java.

static String org.sleuthkit.autopsy.timeline.db.EventDB.typeColumnHelper ( final boolean useSubTypes )
static private
Definition at line 1301 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.countEventsByType().

volatile Connection org.sleuthkit.autopsy.timeline.db.EventDB.con
private
Definition at line 122 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.countAllEventsStmt
private
Definition at line 137 of file EventDB.java.

final Lock org.sleuthkit.autopsy.timeline.db.EventDB.DBLock = new ReentrantReadWriteLock(true).writeLock()
private
Definition at line 148 of file EventDB.java.

final String org.sleuthkit.autopsy.timeline.db.EventDB.dbPath
private
Definition at line 124 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.deleteTagStmt
private
Definition at line 135 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropDBInfoTableStmt
private
Definition at line 142 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropEventsTableStmt
private
Definition at line 138 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropHashSetHitsTableStmt
private
Definition at line 139 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropHashSetsTableStmt
private
Definition at line 140 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.dropTagsTableStmt
private
Definition at line 141 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getDataSourceIDsStmt
private
Definition at line 129 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getEventByIDStmt
private
Definition at line 126 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getHashSetNamesStmt
private
Definition at line 130 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getMaxTimeStmt
private
Definition at line 127 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.getMinTimeStmt
private
Definition at line 128 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertHashHitStmt
private
Definition at line 133 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertHashSetStmt
private
Definition at line 132 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertRowStmt
private
Definition at line 131 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.insertTagStmt
private
Definition at line 134 of file EventDB.java.

static final org.sleuthkit.autopsy.coreutils.Logger org.sleuthkit.autopsy.timeline.db.EventDB.LOGGER = Logger.getLogger(EventDB.class.getName())
static private
Definition at line 90 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.close(), org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.commit(), org.sleuthkit.autopsy.timeline.db.EventDB.configureDB(), org.sleuthkit.autopsy.timeline.db.EventDB.countEventsByType(), org.sleuthkit.autopsy.timeline.db.EventDB.createIndex(), org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.EventTransaction(), org.sleuthkit.autopsy.timeline.db.EventDB.getEventDB(), org.sleuthkit.autopsy.timeline.db.EventDB.getSpanningInterval(), org.sleuthkit.autopsy.timeline.db.EventDB.hasDBColumn(), org.sleuthkit.autopsy.timeline.db.EventDB.initializeTagsTable(), and org.sleuthkit.autopsy.timeline.db.EventDB.EventTransaction.rollback().

final Set< PreparedStatement > org.sleuthkit.autopsy.timeline.db.EventDB.preparedStatements = new HashSet<>()
private
Definition at line 146 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.selectEventIDsBYObjectAndArtifactIDStmt
private
Definition at line 144 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.markEventsTagged().

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.selectHashSetStmt
private
Definition at line 136 of file EventDB.java.

PreparedStatement org.sleuthkit.autopsy.timeline.db.EventDB.selectNonArtifactEventIDsByObjectIDStmt
private
Definition at line 143 of file EventDB.java.
Referenced by org.sleuthkit.autopsy.timeline.db.EventDB.markEventsTagged().

Copyright © 2012-2016 Basis Technology. Generated on: Tue Oct 25 2016
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.