api-docs/4.10.0/_keyword_hits_8java_source.html

 /*

  * Autopsy Forensic Browser

  *

  * Copyright 2011-2018 Basis Technology Corp.

  * Contact: carrier <at> sleuthkit <dot> org

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.sleuthkit.autopsy.datamodel;


 import java.beans.PropertyChangeEvent;

 import java.beans.PropertyChangeListener;

 import java.sql.ResultSet;

 import java.sql.SQLException;

 import java.util.ArrayList;

 import java.util.Collections;

 import java.util.EnumSet;

 import java.util.HashSet;

 import java.util.LinkedHashMap;

 import java.util.List;

 import java.util.Map;

 import java.util.Objects;

 import java.util.Observable;

 import java.util.Observer;

 import java.util.Set;

 import java.util.logging.Level;

 import java.util.stream.Collectors;

 import org.apache.commons.lang3.StringUtils;

 import org.openide.nodes.ChildFactory;

 import org.openide.nodes.Children;

 import org.openide.nodes.Node;

 import org.openide.nodes.Sheet;

 import org.openide.util.Lookup;

 import org.openide.util.NbBundle;

 import org.openide.util.lookup.Lookups;

 import org.sleuthkit.autopsy.casemodule.Case;

 import org.sleuthkit.autopsy.casemodule.CasePreferences;

 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;

 import org.sleuthkit.autopsy.core.UserPreferences;

 import org.sleuthkit.autopsy.coreutils.Logger;

 import static org.sleuthkit.autopsy.datamodel.Bundle.*;

 import org.sleuthkit.autopsy.ingest.IngestManager;

 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;

 import org.sleuthkit.datamodel.AbstractFile;

 import org.sleuthkit.datamodel.BlackboardArtifact;

 import org.sleuthkit.datamodel.BlackboardAttribute;

 import org.sleuthkit.datamodel.SleuthkitCase;

 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;

 import org.sleuthkit.datamodel.TskCoreException;


 public class KeywordHits implements AutopsyVisitableItem {


     private static final Logger logger = Logger.getLogger(KeywordHits.class.getName());


     @NbBundle.Messages("KeywordHits.kwHits.text=Keyword Hits")

     private static final String KEYWORD_HITS = KeywordHits_kwHits_text();

     @NbBundle.Messages("KeywordHits.simpleLiteralSearch.text=Single Literal Keyword Search")

     private static final String SIMPLE_LITERAL_SEARCH = KeywordHits_simpleLiteralSearch_text();

     @NbBundle.Messages("KeywordHits.singleRegexSearch.text=Single Regular Expression Search")

     private static final String SIMPLE_REGEX_SEARCH = KeywordHits_singleRegexSearch_text();


     public static final String NAME = BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getLabel();


     private SleuthkitCase skCase;

     private final KeywordResults keywordResults;

     private final long datasourceObjId;


     private static final String DEFAULT_INSTANCE_NAME = "DEFAULT_INSTANCE_NAME";


     private static final String KEYWORD_HIT_ATTRIBUTES_QUERY = "SELECT blackboard_attributes.value_text, "//NON-NLS

             + "blackboard_attributes.value_int32, "//NON-NLS

             + "blackboard_attributes.artifact_id, " //NON-NLS

             + "blackboard_attributes.attribute_type_id "//NON-NLS

             + "FROM blackboard_attributes, blackboard_artifacts "//NON-NLS

             + "WHERE blackboard_attributes.artifact_id = blackboard_artifacts.artifact_id "//NON-NLS

             + " AND blackboard_artifacts.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() //NON-NLS

             + " AND (attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()//NON-NLS

             + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()//NON-NLS

             + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()//NON-NLS

             + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID()//NON-NLS

             + ")"; //NON-NLS


     static private boolean isOnlyDefaultInstance(List<String> instances) {

         return (instances.size() == 1) && (instances.get(0).equals(DEFAULT_INSTANCE_NAME));

     }


     KeywordHits(SleuthkitCase skCase) {

         this(skCase, 0);

     }


     public KeywordHits(SleuthkitCase skCase, long objId) {

         this.skCase = skCase;

         this.datasourceObjId = objId;

         keywordResults = new KeywordResults();

     }


     /*

      * All of these maps and code assume the following: Regexps will have an

      * 'instance' layer that shows the specific words that matched the regexp

      * Exact match and substring will not have the instance layer and instead

      * will have the specific hits below their term.

      */

     private final class KeywordResults extends Observable {


         // Map from listName/Type to Map of keywords/regexp to Map of instance terms to Set of artifact Ids

         // NOTE: the map can be accessed by multiple worker threads and needs to be synchronized

         private final Map<String, Map<String, Map<String, Set<Long>>>> topLevelMap = new LinkedHashMap<>();


         KeywordResults() {

             update();

         }


         List<String> getListNames() {

             synchronized (topLevelMap) {

                 List<String> names = new ArrayList<>(topLevelMap.keySet());

                 // this causes the "Single ..." terms to be in the middle of the results,

                 // which is wierd.  Make a custom comparator or do something else to maek them on top

                 //Collections.sort(names);

                 return names;

             }

         }


         List<String> getKeywords(String listName) {

             List<String> keywords;

             synchronized (topLevelMap) {

                 keywords = new ArrayList<>(topLevelMap.get(listName).keySet());

             }

             Collections.sort(keywords);

             return keywords;

         }


         List<String> getKeywordInstances(String listName, String keyword) {

             List<String> instances;

             synchronized (topLevelMap) {

                 instances = new ArrayList<>(topLevelMap.get(listName).get(keyword).keySet());

             }

             Collections.sort(instances);

             return instances;

         }


         Set<Long> getArtifactIds(String listName, String keyword, String keywordInstance) {

             synchronized (topLevelMap) {

                 return topLevelMap.get(listName).get(keyword).get(keywordInstance);

             }

         }


         void addRegExpToList(Map<String, Map<String, Set<Long>>> listMap, String regExp, String keywordInstance, Long artifactId) {

             Map<String, Set<Long>> instanceMap = listMap.computeIfAbsent(regExp, r -> new LinkedHashMap<>());

             // add this ID to the instances entry, creating one if needed

             instanceMap.computeIfAbsent(keywordInstance, ki -> new HashSet<>()).add(artifactId);

         }


         void addNonRegExpMatchToList(Map<String, Map<String, Set<Long>>> listMap, String keyWord, Long artifactId) {

             Map<String, Set<Long>> instanceMap = listMap.computeIfAbsent(keyWord, k -> new LinkedHashMap<>());


             // Use the default instance name, since we don't need that level in the tree

             instanceMap.computeIfAbsent(DEFAULT_INSTANCE_NAME, DIN -> new HashSet<>()).add(artifactId);

         }


         void populateTreeMaps(Map<Long, Map<Long, String>> artifactIds) {

             synchronized (topLevelMap) {

                 topLevelMap.clear();


                 // map of list name to keword to artifact IDs

                 Map<String, Map<String, Map<String, Set<Long>>>> listsMap = new LinkedHashMap<>();


                 // Map from from literal keyword to instances (which will be empty) to artifact IDs

                 Map<String, Map<String, Set<Long>>> literalMap = new LinkedHashMap<>();


                 // Map from regex keyword artifact to instances to artifact IDs

                 Map<String, Map<String, Set<Long>>> regexMap = new LinkedHashMap<>();


                 // top-level nodes

                 topLevelMap.put(SIMPLE_LITERAL_SEARCH, literalMap);

                 topLevelMap.put(SIMPLE_REGEX_SEARCH, regexMap);


                 for (Map.Entry<Long, Map<Long, String>> art : artifactIds.entrySet()) {

                     long id = art.getKey();

                     Map<Long, String> attributes = art.getValue();


                     // I think we can use attributes.remove(...) here? - why should bwe use remove?

                     String listName = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()));

                     String word = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()));

                     String reg = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID()));

                     String kwType = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()));


                     if (listName != null) {     // part of a list

                         // get or create list entry

                         Map<String, Map<String, Set<Long>>> listMap = listsMap.computeIfAbsent(listName, ln -> new LinkedHashMap<>());


                         if ("1".equals(kwType) || reg == null) {  //literal, substring or exact

                             /*

                              * Substring, treated same as exact match. "1" is

                              * the ordinal value for substring as defined in

                              * KeywordSearch.java. The original term should be

                              * stored in reg

                              */

                             word = (reg != null) ? reg : word; //use original term if it there.

                             addNonRegExpMatchToList(listMap, word, id);

                         } else {

                             addRegExpToList(listMap, reg, word, id);

                         }

                     } else {//single term

                         if ("1".equals(kwType) || reg == null) {  //literal, substring or exact

                             /*

                              * Substring, treated same as exact match. "1" is

                              * the ordinal value for substring as defined in

                              * KeywordSearch.java. The original term should be

                              * stored in reg

                              */

                             word = (reg != null) ? reg : word; //use original term if it there.

                             addNonRegExpMatchToList(literalMap, word, id);

                         } else {

                             addRegExpToList(regexMap, reg, word, id);

                         }

                     }

                 }

                 topLevelMap.putAll(listsMap);

             }


             setChanged();

             notifyObservers();

         }


         public void update() {

             // maps Artifact ID to map of attribute types to attribute values

             Map<Long, Map<Long, String>> artifactIds = new LinkedHashMap<>();


             if (skCase == null) {

                 return;

             }


             String queryStr = KEYWORD_HIT_ATTRIBUTES_QUERY;

             if (Objects.equals(CasePreferences.getGroupItemsInTreeByDataSource(), true)) {

                 queryStr +=  "  AND blackboard_artifacts.data_source_obj_id = " + datasourceObjId;

             }


             try (CaseDbQuery dbQuery = skCase.executeQuery(queryStr)) {

                 ResultSet resultSet = dbQuery.getResultSet();

                 while (resultSet.next()) {

                     long artifactId = resultSet.getLong("artifact_id"); //NON-NLS

                     long typeId = resultSet.getLong("attribute_type_id"); //NON-NLS

                     String valueStr = resultSet.getString("value_text"); //NON-NLS


                     //get the map of attributes for this artifact

                     Map<Long, String> attributesByTypeMap = artifactIds.computeIfAbsent(artifactId, ai -> new LinkedHashMap<>());

                     if (StringUtils.isNotEmpty(valueStr)) {

                         attributesByTypeMap.put(typeId, valueStr);

                     } else {

                         // Keyword Search Type is an int

                         Long valueLong = resultSet.getLong("value_int32");

                         attributesByTypeMap.put(typeId, valueLong.toString());

                     }

                 }

             } catch (TskCoreException | SQLException ex) {

                 logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS

             }


             populateTreeMaps(artifactIds);

         }

     }


     @Override

     public <T> T accept(AutopsyItemVisitor<T> visitor) {

         return visitor.visit(this);

     }


     // Created by CreateAutopsyNodeVisitor

     public class RootNode extends DisplayableItemNode {


         public RootNode() {

             super(Children.create(new ListFactory(), true), Lookups.singleton(KEYWORD_HITS));

             super.setName(NAME);

             super.setDisplayName(KEYWORD_HITS);

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

         }


         @Override

         public boolean isLeafTypeNode() {

             return false;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }


         @Override

         @NbBundle.Messages({"KeywordHits.createSheet.name.name=Name",

             "KeywordHits.createSheet.name.displayName=Name",

             "KeywordHits.createSheet.name.desc=no description"})

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_name_name(),

                     KeywordHits_createSheet_name_displayName(),

                     KeywordHits_createSheet_name_desc(),

                     getName()));


             return sheet;

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }

     }


     private abstract class DetachableObserverChildFactory<X> extends ChildFactory.Detachable<X> implements Observer {


         @Override

         protected void addNotify() {

             keywordResults.addObserver(this);

         }


         @Override

         protected void removeNotify() {

             keywordResults.deleteObserver(this);

         }


         @Override

         public void update(Observable o, Object arg) {

             refresh(true);

         }

     }


     private class ListFactory extends DetachableObserverChildFactory<String> {


         private final PropertyChangeListener pcl = new PropertyChangeListener() {

             @Override

             public void propertyChange(PropertyChangeEvent evt) {

                 String eventType = evt.getPropertyName();

                 if (eventType.equals(IngestManager.IngestModuleEvent.DATA_ADDED.toString())) {

                     try {

                         Case.getCurrentCaseThrows();

                         ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();

                         if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {

                             keywordResults.update();

                         }

                     } catch (NoCurrentCaseException notUsed) {

                         // Case is closed, do nothing.

                     }

                 } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())

                         || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())) {

                     try {

                         Case.getCurrentCaseThrows();

                         keywordResults.update();

                     } catch (NoCurrentCaseException notUsed) {

                         // Case is closed, do nothing.

                     }

                 } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())

                         && evt.getNewValue() == null) {

                     /*

                      * Case was closed. Remove listeners so that we don't get

                      * called with a stale case handle

                      */

                     removeNotify();

                     skCase = null;

                 }


             }

         };


         @Override

         protected void addNotify() {

             IngestManager.getInstance().addIngestJobEventListener(pcl);

             IngestManager.getInstance().addIngestModuleEventListener(pcl);

             Case.addEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), pcl);

             keywordResults.update();

             super.addNotify();

         }


         @Override

         protected void removeNotify() {

             IngestManager.getInstance().removeIngestJobEventListener(pcl);

             IngestManager.getInstance().removeIngestModuleEventListener(pcl);

             Case.removeEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), pcl);

             super.removeNotify();

         }


         @Override

         protected boolean createKeys(List<String> list) {

             list.addAll(keywordResults.getListNames());

             return true;

         }


         @Override

         protected Node createNodeForKey(String key) {

             return new ListNode(key);

         }

     }


     private abstract class KWHitsNodeBase extends DisplayableItemNode implements Observer {


         private KWHitsNodeBase(Children children, Lookup lookup) {

             super(children, lookup);

         }


         private KWHitsNodeBase(Children children) {

             super(children);

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }


         @Override

         public void update(Observable o, Object arg) {

             updateDisplayName();

         }


         final void updateDisplayName() {

             super.setDisplayName(getName() + " (" + countTotalDescendants() + ")");

         }


         abstract int countTotalDescendants();

     }


     class ListNode extends KWHitsNodeBase {


         private final String listName;


         private ListNode(String listName) {

             super(Children.create(new TermFactory(listName), true), Lookups.singleton(listName));

             super.setName(listName);

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             this.listName = listName;

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         @Override

         public int countTotalDescendants() {

             int totalDescendants = 0;


             for (String word : keywordResults.getKeywords(listName)) {

                 for (String instance : keywordResults.getKeywordInstances(listName, word)) {

                     Set<Long> ids = keywordResults.getArtifactIds(listName, word, instance);

                     totalDescendants += ids.size();

                 }

             }

             return totalDescendants;

         }


         @Override

         @NbBundle.Messages({"KeywordHits.createSheet.listName.name=List Name",

             "KeywordHits.createSheet.listName.displayName=List Name",

             "KeywordHits.createSheet.listName.desc=no description",

             "KeywordHits.createSheet.numChildren.name=Number of Children",

             "KeywordHits.createSheet.numChildren.displayName=Number of Children",

             "KeywordHits.createSheet.numChildren.desc=no description"})

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_listName_name(),

                     KeywordHits_createSheet_listName_displayName(),

                     KeywordHits_createSheet_listName_desc(),

                     listName));


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_numChildren_name(),

                     KeywordHits_createSheet_numChildren_displayName(),

                     KeywordHits_createSheet_numChildren_desc(),

                     keywordResults.getKeywords(listName).size()));


             return sheet;

         }


         @Override

         public boolean isLeafTypeNode() {

             return false;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }

     }


     private class TermFactory extends DetachableObserverChildFactory<String> {


         private final String setName;


         private TermFactory(String setName) {

             super();

             this.setName = setName;

         }


         @Override

         protected boolean createKeys(List<String> list) {

             list.addAll(keywordResults.getKeywords(setName));

             return true;

         }


         @Override

         protected Node createNodeForKey(String key) {

             return new TermNode(setName, key);

         }

     }


     class TermNode extends KWHitsNodeBase {


         private final String setName;

         private final String keyword;


         private TermNode(String setName, String keyword) {

             super(Children.create(new RegExpInstancesFactory(setName, keyword), true), Lookups.singleton(keyword));

             super.setName(keyword);

             this.setName = setName;

             this.keyword = keyword;

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         @Override

         int countTotalDescendants() {

             return keywordResults.getKeywordInstances(setName, keyword).stream()

                     .mapToInt(instance -> keywordResults.getArtifactIds(setName, keyword, instance).size())

                     .sum();

         }


         @Override

         public boolean isLeafTypeNode() {

             // is this an exact/substring match (i.e. did we use the DEFAULT name)?

             return isOnlyDefaultInstance(keywordResults.getKeywordInstances(setName, keyword));

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }


         @Override

         @NbBundle.Messages({"KeywordHits.createSheet.filesWithHits.name=Files with Hits",

             "KeywordHits.createSheet.filesWithHits.displayName=Files with Hits",

             "KeywordHits.createSheet.filesWithHits.desc=no description"})

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }

             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_listName_name(),

                     KeywordHits_createSheet_listName_displayName(),

                     KeywordHits_createSheet_listName_desc(),

                     getDisplayName()));


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_filesWithHits_name(),

                     KeywordHits_createSheet_filesWithHits_displayName(),

                     KeywordHits_createSheet_filesWithHits_desc(),

                     countTotalDescendants()));


             return sheet;

         }

     }


     private class RegExpInstanceKey {


         private final boolean isRegExp;

         private String strKey;

         private Long longKey;


         RegExpInstanceKey(String key) {

             isRegExp = true;

             strKey = key;

         }


         RegExpInstanceKey(Long key) {

             isRegExp = false;

             longKey = key;

         }


         boolean isRegExp() {

             return isRegExp;

         }


         Long getIdKey() {

             return longKey;

         }


         String getRegExpKey() {

             return strKey;

         }

     }


     private class RegExpInstancesFactory extends DetachableObserverChildFactory<RegExpInstanceKey> {


         private final String keyword;

         private final String setName;


         private RegExpInstancesFactory(String setName, String keyword) {

             super();

             this.setName = setName;

             this.keyword = keyword;

         }


         @Override

         protected boolean createKeys(List<RegExpInstanceKey> list) {

             List<String> instances = keywordResults.getKeywordInstances(setName, keyword);

             // The keys are different depending on what we are displaying.

             // regexp get another layer to show instances.

             // Exact/substring matches don't.

             if (isOnlyDefaultInstance(instances)) {

                 list.addAll(keywordResults.getArtifactIds(setName, keyword, DEFAULT_INSTANCE_NAME).stream()

                         .map(RegExpInstanceKey::new)

                         .collect(Collectors.toList()));

             } else {

                 list.addAll(instances.stream()

                         .map(RegExpInstanceKey::new)

                         .collect(Collectors.toList()));

             }

             return true;

         }


         @Override

         protected Node createNodeForKey(RegExpInstanceKey key) {

             if (key.isRegExp()) {

                 return new RegExpInstanceNode(setName, keyword, key.getRegExpKey());

             } else {

                 // if it isn't a regexp, then skip the 'instance' layer of the tree

                 return createBlackboardArtifactNode(key.getIdKey());

             }

         }


     }


     class RegExpInstanceNode extends KWHitsNodeBase {


         private final String setName;

         private final String keyword;

         private final String instance;


         private RegExpInstanceNode(String setName, String keyword, String instance) {

             super(Children.create(new HitsFactory(setName, keyword, instance), true), Lookups.singleton(instance));

             super.setName(instance);  //the instance represents the name of the keyword hit at this point as the keyword is the regex

             this.setName = setName;

             this.keyword = keyword;

             this.instance = instance;

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         @Override

         int countTotalDescendants() {

             return keywordResults.getArtifactIds(setName, keyword, instance).size();

         }


         @Override

         public boolean isLeafTypeNode() {

             return true;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }


         @Override

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_listName_name(),

                     KeywordHits_createSheet_listName_displayName(),

                     KeywordHits_createSheet_listName_desc(),

                     getDisplayName()));


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_filesWithHits_name(),

                     KeywordHits_createSheet_filesWithHits_displayName(),

                     KeywordHits_createSheet_filesWithHits_desc(),

                     keywordResults.getArtifactIds(setName, keyword, instance).size()));


             return sheet;

         }


     }


     @NbBundle.Messages({"KeywordHits.createNodeForKey.modTime.name=ModifiedTime",

         "KeywordHits.createNodeForKey.modTime.displayName=Modified Time",

         "KeywordHits.createNodeForKey.modTime.desc=Modified Time",

         "KeywordHits.createNodeForKey.accessTime.name=AccessTime",

         "KeywordHits.createNodeForKey.accessTime.displayName=Access Time",

         "KeywordHits.createNodeForKey.accessTime.desc=Access Time",

         "KeywordHits.createNodeForKey.chgTime.name=ChangeTime",

         "KeywordHits.createNodeForKey.chgTime.displayName=Change Time",

         "KeywordHits.createNodeForKey.chgTime.desc=Change Time"})

     private BlackboardArtifactNode createBlackboardArtifactNode(Long artifactId) {

         if (skCase == null) {

             return null;

         }


         try {

             BlackboardArtifact art = skCase.getBlackboardArtifact(artifactId);

             BlackboardArtifactNode n = new BlackboardArtifactNode(art);

             // The associated file should be available through the Lookup that

             // gets created when the BlackboardArtifactNode is constructed.

             AbstractFile file = n.getLookup().lookup(AbstractFile.class);

             if (file == null) {

                 try {

                     file = skCase.getAbstractFileById(art.getObjectID());

                 } catch (TskCoreException ex) {

                     logger.log(Level.SEVERE, "TskCoreException while constructing BlackboardArtifact Node from KeywordHitsKeywordChildren", ex); //NON-NLS

                     return n;

                 }

             }

             /*

              * It is possible to get a keyword hit on artifacts generated for

              * the underlying image in which case MAC times are not

              * available/applicable/useful.

              */

             if (file == null) {

                 return n;

             }


             n.addNodeProperty(new NodeProperty<>(

                     KeywordHits_createNodeForKey_modTime_name(),

                     KeywordHits_createNodeForKey_modTime_displayName(),

                     KeywordHits_createNodeForKey_modTime_desc(),

                     ContentUtils.getStringTime(file.getMtime(), file)));

             n.addNodeProperty(new NodeProperty<>(

                     KeywordHits_createNodeForKey_accessTime_name(),

                     KeywordHits_createNodeForKey_accessTime_displayName(),

                     KeywordHits_createNodeForKey_accessTime_desc(),

                     ContentUtils.getStringTime(file.getAtime(), file)));

             n.addNodeProperty(new NodeProperty<>(

                     KeywordHits_createNodeForKey_chgTime_name(),

                     KeywordHits_createNodeForKey_chgTime_displayName(),

                     KeywordHits_createNodeForKey_chgTime_desc(),

                     ContentUtils.getStringTime(file.getCtime(), file)));

             return n;

         } catch (TskCoreException ex) {

             logger.log(Level.WARNING, "TSK Exception occurred", ex); //NON-NLS

         }

         return null;

     }


     private class HitsFactory extends DetachableObserverChildFactory<Long> {


         private final String keyword;

         private final String setName;

         private final String instance;


         private HitsFactory(String setName, String keyword, String instance) {

             super();

             this.setName = setName;

             this.keyword = keyword;

             this.instance = instance;

         }


         @Override

         protected boolean createKeys(List<Long> list) {

             list.addAll(keywordResults.getArtifactIds(setName, keyword, instance));

             return true;

         }


         @Override

         protected Node createNodeForKey(Long artifactId) {

             return createBlackboardArtifactNode(artifactId);

         }

     }

 }

org.sleuthkit

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.pcl
final PropertyChangeListener pcl
Definition: KeywordHits.java:430

org.sleuthkit.autopsy.datamodel.KeywordHits
Definition: KeywordHits.java:64

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.addNotify
void addNotify()
Definition: KeywordHits.java:410

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.removeNotify
void removeNotify()
Definition: KeywordHits.java:415

org.sleuthkit.autopsy.datamodel.KeywordHits.isOnlyDefaultInstance
static boolean isOnlyDefaultInstance(List< String > instances)
Definition: KeywordHits.java:105

org.sleuthkit.autopsy.datamodel.KeywordHits.KEYWORD_HITS
static final String KEYWORD_HITS
Definition: KeywordHits.java:69

org.sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType
BlackboardArtifact.Type getBlackboardArtifactType()
Definition: ModuleDataEvent.java:104

org.sleuthkit.autopsy.ingest.IngestManager.removeIngestModuleEventListener
void removeIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:518

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.createSheet
Sheet createSheet()
Definition: KeywordHits.java:384

org.sleuthkit.autopsy.casemodule.CasePreferences
Definition: CasePreferences.java:37

org.sleuthkit.autopsy.casemodule.Case
Definition: Case.java:127

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.KWHitsNodeBase
KWHitsNodeBase(Children children, Lookup lookup)
Definition: KeywordHits.java:514

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createNodeForKey
Node createNodeForKey(RegExpInstanceKey key)
Definition: KeywordHits.java:765

org.sleuthkit.autopsy.datamodel.ContentUtils.getStringTime
static String getStringTime(long epochSeconds, TimeZone tzone)
Definition: ContentUtils.java:88

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createNodeForKey
Node createNodeForKey(String key)
Definition: KeywordHits.java:629

org.sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition: IngestManager.java:146

org.sleuthkit.autopsy.datamodel.KeywordHits.keywordResults
final KeywordResults keywordResults
Definition: KeywordHits.java:78

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.removeNotify
void removeNotify()
Definition: KeywordHits.java:493

org.sleuthkit.autopsy.core
Definition: AutopsyOptionProcessor.java:19

org.sleuthkit.autopsy.datamodel.AbstractContentNode.setName
void setName(String name)
Definition: AbstractContentNode.java:85

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceKey.longKey
Long longKey
Definition: KeywordHits.java:706

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase
Definition: KeywordHits.java:512

org.sleuthkit.autopsy.datamodel.ContentUtils
Definition: ContentUtils.java:55

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode
Definition: KeywordHits.java:361

org.sleuthkit.autopsy.datamodel.KeywordHits.skCase
SleuthkitCase skCase
Definition: KeywordHits.java:77

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.getItemType
String getItemType()
Definition: KeywordHits.java:402

org

org.sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_REGEX_SEARCH
static final String SIMPLE_REGEX_SEARCH
Definition: KeywordHits.java:73

org.sleuthkit.autopsy.casemodule
Definition: AddImageAction.java:19

org.sleuthkit.autopsy.core.UserPreferences
Definition: UserPreferences.java:39

org.sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent
Definition: IngestManager.java:1051

org.sleuthkit.autopsy.datamodel
Definition: AbstractAbstractFileNode.java:19

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory
Definition: KeywordHits.java:428

org.sleuthkit.autopsy.ingest.ModuleDataEvent
Definition: ModuleDataEvent.java:49

org.sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.COMPLETED
COMPLETED
Definition: IngestManager.java:1064

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory
Definition: KeywordHits.java:735

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.TermFactory
TermFactory(String setName)
Definition: KeywordHits.java:617

org.sleuthkit.autopsy.datamodel.KeywordHits.createBlackboardArtifactNode
BlackboardArtifactNode createBlackboardArtifactNode(Long artifactId)
Definition: KeywordHits.java:853

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.topLevelMap
final Map< String, Map< String, Map< String, Set< Long > > > > topLevelMap
Definition: KeywordHits.java:141

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.setName
final String setName
Definition: KeywordHits.java:738

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.addNotify
void addNotify()
Definition: KeywordHits.java:484

org.sleuthkit.autopsy.coreutils
Definition: AutopsyExceptionHandler.java:19

org.sleuthkit.autopsy.coreutils.Logger
Definition: Logger.java:36

org.sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor.visit
T visit(DataSourcesNode in)

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceKey
Definition: KeywordHits.java:702

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createKeys
boolean createKeys(List< String > list)
Definition: KeywordHits.java:501

org.sleuthkit.autopsy.ingest.IngestManager.removeIngestJobEventListener
void removeIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:500

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.KWHitsNodeBase
KWHitsNodeBase(Children children)
Definition: KeywordHits.java:518

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createKeys
boolean createKeys(List< String > list)
Definition: KeywordHits.java:623

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory
Definition: KeywordHits.java:613

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.setName
final String setName
Definition: KeywordHits.java:909

org.sleuthkit.autopsy.casemodule.Case.Events
Definition: Case.java:254

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:420

org.sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor
Definition: DisplayableItemNodeVisitor.java:40

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createKeys
boolean createKeys(List< RegExpInstanceKey > list)
Definition: KeywordHits.java:747

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.RegExpInstancesFactory
RegExpInstancesFactory(String setName, String keyword)
Definition: KeywordHits.java:740

org.sleuthkit.autopsy.ingest
Definition: BlockingIngestTaskQueue.java:19

org.sleuthkit.autopsy.ingest.IngestManager.addIngestJobEventListener
void addIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:491

org.sleuthkit.autopsy.datamodel.KeywordHits.DEFAULT_INSTANCE_NAME
static final String DEFAULT_INSTANCE_NAME
Definition: KeywordHits.java:86

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.RootNode
RootNode()
Definition: KeywordHits.java:363

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.keyword
final String keyword
Definition: KeywordHits.java:908

org.sleuthkit.autopsy.ingest.IngestManager
Definition: IngestManager.java:111

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.keyword
final String keyword
Definition: KeywordHits.java:737

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.createNodeForKey
Node createNodeForKey(Long artifactId)
Definition: KeywordHits.java:926

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createNodeForKey
Node createNodeForKey(String key)
Definition: KeywordHits.java:507

org.sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent.DATA_ADDED
DATA_ADDED
Definition: IngestManager.java:1102

org.sleuthkit.autopsy.datamodel.AutopsyItemVisitor.visit
T visit(DataSources i)

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults
Definition: KeywordHits.java:137

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceKey.isRegExp
final boolean isRegExp
Definition: KeywordHits.java:704

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.getItemType
String getItemType()
Definition: KeywordHits.java:523

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.createKeys
boolean createKeys(List< Long > list)
Definition: KeywordHits.java:920

org.sleuthkit.autopsy.casemodule.CasePreferences.getGroupItemsInTreeByDataSource
static Boolean getGroupItemsInTreeByDataSource()
Definition: CasePreferences.java:76

org.sleuthkit.autopsy.casemodule.Case.Events.CURRENT_CASE
CURRENT_CASE
Definition: Case.java:335

org.sleuthkit.autopsy.datamodel.NodeProperty
Definition: NodeProperty.java:28

org.sleuthkit.autopsy.datamodel.KeywordHits.logger
static final Logger logger
Definition: KeywordHits.java:66

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.instance
final String instance
Definition: KeywordHits.java:910

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory
Definition: KeywordHits.java:407

org.sleuthkit.autopsy.datamodel.KeywordHits.KEYWORD_HIT_ATTRIBUTES_QUERY
static final String KEYWORD_HIT_ATTRIBUTES_QUERY
Definition: KeywordHits.java:92

org.sleuthkit.autopsy.ingest.IngestManager.addIngestModuleEventListener
void addIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:509

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordHits
KeywordHits(SleuthkitCase skCase, long objId)
Definition: KeywordHits.java:125

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.update
void update()
Definition: KeywordHits.java:317

org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition: KeywordHits.java:371

org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows
static Case getCurrentCaseThrows()
Definition: Case.java:638

org.sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.CANCELLED
CANCELLED
Definition: IngestManager.java:1070

org.sleuthkit.autopsy.casemodule.Case.addEventTypeSubscriber
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:437

org.sleuthkit.autopsy

org.sleuthkit.autopsy.datamodel.AutopsyItemVisitor
Definition: AutopsyItemVisitor.java:28

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstanceKey.strKey
String strKey
Definition: KeywordHits.java:705

org.sleuthkit.autopsy.datamodel.AutopsyVisitableItem
Definition: AutopsyVisitableItem.java:26

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:528

org.sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent
Definition: IngestManager.java:1094

org.sleuthkit.autopsy.datamodel.KeywordHits.datasourceObjId
final long datasourceObjId
Definition: KeywordHits.java:79

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.setName
final String setName
Definition: KeywordHits.java:615

org.sleuthkit.autopsy.casemodule.NoCurrentCaseException
Definition: NoCurrentCaseException.java:26

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.HitsFactory
HitsFactory(String setName, String keyword, String instance)
Definition: KeywordHits.java:912

org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode
Definition: BlackboardArtifactNode.java:80

org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addNodeProperty
void addNodeProperty(NodeProperty<?> np)
Definition: BlackboardArtifactNode.java:730

org.sleuthkit.autopsy.datamodel.KeywordHits.NAME
static final String NAME
Definition: KeywordHits.java:75

org.sleuthkit.autopsy.casemodule.Case.removeEventTypeSubscriber
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:482

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory
Definition: KeywordHits.java:906

org.sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_LITERAL_SEARCH
static final String SIMPLE_LITERAL_SEARCH
Definition: KeywordHits.java:71

org.sleuthkit.autopsy.datamodel.DisplayableItemNode
Definition: DisplayableItemNode.java:37