api-docs/4.22.0/_keyword_hits_8java_source.html

 /*

  * Autopsy Forensic Browser

  *

  * Copyright 2011-2021 Basis Technology Corp.

  * Contact: carrier <at> sleuthkit <dot> org

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.sleuthkit.autopsy.datamodel;


 import java.beans.PropertyChangeEvent;

 import java.beans.PropertyChangeListener;

 import java.sql.ResultSet;

 import java.sql.SQLException;

 import java.util.ArrayList;

 import java.util.Collections;

 import java.util.Comparator;

 import java.util.EnumSet;

 import java.util.HashMap;

 import java.util.HashSet;

 import java.util.LinkedHashMap;

 import java.util.List;

 import java.util.Map;

 import java.util.Observable;

 import java.util.Observer;

 import java.util.Set;

 import java.util.logging.Level;

 import org.apache.commons.lang3.StringUtils;

 import org.openide.nodes.ChildFactory;

 import org.openide.nodes.Children;

 import org.openide.nodes.Node;

 import org.openide.nodes.Sheet;

 import org.openide.util.Lookup;

 import org.openide.util.NbBundle;

 import org.openide.util.WeakListeners;

 import org.openide.util.lookup.Lookups;

 import org.sleuthkit.autopsy.casemodule.Case;

 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;

 import org.sleuthkit.autopsy.coreutils.Logger;

 import org.sleuthkit.autopsy.coreutils.TimeZoneUtils;

 import static org.sleuthkit.autopsy.datamodel.Bundle.*;

 import org.sleuthkit.autopsy.ingest.IngestManager;

 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;

 import org.sleuthkit.datamodel.AbstractFile;

 import org.sleuthkit.datamodel.BlackboardArtifact;

 import org.sleuthkit.datamodel.BlackboardAttribute;

 import org.sleuthkit.datamodel.SleuthkitCase;

 import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;

 import org.sleuthkit.datamodel.TskCoreException;

 import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_KEYWORD_HIT;

 import org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode;

 import org.sleuthkit.datamodel.AnalysisResult;


 public class KeywordHits implements AutopsyVisitableItem {


     private static final Logger logger = Logger.getLogger(KeywordHits.class.getName());

     private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);

     private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestModuleEvent.DATA_ADDED);

     @NbBundle.Messages("KeywordHits.kwHits.text=Keyword Hits")

     private static final String KEYWORD_HITS = KeywordHits_kwHits_text();

     @NbBundle.Messages("KeywordHits.simpleLiteralSearch.text=Single Literal Keyword Search")

     private static final String SIMPLE_LITERAL_SEARCH = KeywordHits_simpleLiteralSearch_text();

     @NbBundle.Messages("KeywordHits.singleRegexSearch.text=Single Regular Expression Search")

     private static final String SIMPLE_REGEX_SEARCH = KeywordHits_singleRegexSearch_text();


     public static final String NAME = BlackboardArtifact.Type.TSK_KEYWORD_HIT.getTypeName();


     private SleuthkitCase skCase;

     private final KeywordResults keywordResults;

     private final long filteringDSObjId; // 0 if not filtering/grouping by data source


     private static final String DEFAULT_INSTANCE_NAME = "DEFAULT_INSTANCE_NAME";


     private static final String KEYWORD_HIT_ATTRIBUTES_QUERY = "SELECT blackboard_attributes.value_text, "//NON-NLS

             + "blackboard_attributes.value_int32, "//NON-NLS

             + "blackboard_artifacts.artifact_obj_id, " //NON-NLS

             + "blackboard_attributes.attribute_type_id "//NON-NLS

             + "FROM blackboard_attributes, blackboard_artifacts "//NON-NLS

             + "WHERE blackboard_attributes.artifact_id = blackboard_artifacts.artifact_id "//NON-NLS

             + " AND blackboard_artifacts.artifact_type_id = " + BlackboardArtifact.Type.TSK_KEYWORD_HIT.getTypeID() //NON-NLS

             + " AND (attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()//NON-NLS

             + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()//NON-NLS

             + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()//NON-NLS

             + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID()//NON-NLS

             + ")"; //NON-NLS


     static private boolean isOnlyDefaultInstance(List<String> instances) {

         return (instances.size() == 1) && (instances.get(0).equals(DEFAULT_INSTANCE_NAME));

     }


     KeywordHits(SleuthkitCase skCase) {

         this(skCase, 0);

     }


     public KeywordHits(SleuthkitCase skCase, long objId) {

         this.skCase = skCase;

         this.filteringDSObjId = objId;

         keywordResults = new KeywordResults();

     }


     /*

      * All of these maps and code assume the following: Regexps will have an

      * 'instance' layer that shows the specific words that matched the regexp

      * Exact match and substring will not have the instance layer and instead

      * will have the specific hits below their term.

      */

     private final class KeywordResults extends Observable {


         // Map from listName/Type to Map of keywords/regexp to Map of instance terms to Set of artifact Ids

         // NOTE: the map can be accessed by multiple worker threads and needs to be synchronized

         private final Map<String, Map<String, Map<String, Set<Long>>>> topLevelMap = new LinkedHashMap<>();


         KeywordResults() {

             update();

         }


         List<String> getListNames() {

             synchronized (topLevelMap) {

                 List<String> names = new ArrayList<>(topLevelMap.keySet());


                 // sort the list names, but ensure that the special lists

                 // stay at the top.

                 Collections.sort(names, new Comparator<String>() {


                     @Override

                     public int compare(String o1, String o2) {

                         // ideally, they would not be hard coded, but this module

                         // doesn't know about Keyword Search NBM

                         if (o1.startsWith("Single Literal Keyword Search")) {

                             return -1;

                         } else if (o2.startsWith("Single Literal Keyword Search")) {

                             return 1;

                         } else if (o1.startsWith("Single Regular Expression Search")) {

                             return -1;

                         } else if (o2.startsWith("Single Regular Expression Search")) {

                             return 1;

                         }

                         return o1.compareTo(o2);

                     }

                 });


                 return names;

             }

         }


         List<String> getKeywords(String listName) {

             List<String> keywords;

             synchronized (topLevelMap) {

                 keywords = new ArrayList<>(topLevelMap.get(listName).keySet());

             }

             Collections.sort(keywords);

             return keywords;

         }


         List<String> getKeywordInstances(String listName, String keyword) {

             List<String> instances;

             synchronized (topLevelMap) {

                 instances = new ArrayList<>(topLevelMap.get(listName).get(keyword).keySet());

             }

             Collections.sort(instances);

             return instances;

         }


         Set<Long> getArtifactIds(String listName, String keyword, String keywordInstance) {

             synchronized (topLevelMap) {

                 return topLevelMap.get(listName).get(keyword).get(keywordInstance);

             }

         }


         void addRegExpToList(Map<String, Map<String, Set<Long>>> listMap, String regExp, String keywordInstance, Long artifactId) {

             Map<String, Set<Long>> instanceMap = listMap.computeIfAbsent(regExp, r -> new LinkedHashMap<>());

             // add this ID to the instances entry, creating one if needed

             instanceMap.computeIfAbsent(keywordInstance, ki -> new HashSet<>()).add(artifactId);

         }


         void addNonRegExpMatchToList(Map<String, Map<String, Set<Long>>> listMap, String keyWord, Long artifactId) {

             Map<String, Set<Long>> instanceMap = listMap.computeIfAbsent(keyWord, k -> new LinkedHashMap<>());


             // Use the default instance name, since we don't need that level in the tree

             instanceMap.computeIfAbsent(DEFAULT_INSTANCE_NAME, DIN -> new HashSet<>()).add(artifactId);

         }


         void populateTreeMaps(Map<Long, Map<Long, String>> artifactIds) {

             synchronized (topLevelMap) {

                 topLevelMap.clear();


                 // map of list name to keword to artifact IDs

                 Map<String, Map<String, Map<String, Set<Long>>>> listsMap = new LinkedHashMap<>();


                 // Map from from literal keyword to instances (which will be empty) to artifact IDs

                 Map<String, Map<String, Set<Long>>> literalMap = new LinkedHashMap<>();


                 // Map from regex keyword artifact to instances to artifact IDs

                 Map<String, Map<String, Set<Long>>> regexMap = new LinkedHashMap<>();


                 // top-level nodes

                 topLevelMap.put(SIMPLE_LITERAL_SEARCH, literalMap);

                 topLevelMap.put(SIMPLE_REGEX_SEARCH, regexMap);


                 for (Map.Entry<Long, Map<Long, String>> art : artifactIds.entrySet()) {

                     long id = art.getKey();

                     Map<Long, String> attributes = art.getValue();


                     // I think we can use attributes.remove(...) here? - why should bwe use remove?

                     String listName = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()));

                     String word = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()));

                     String reg = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID()));

                     String kwType = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()));


                     if (listName != null) {     // part of a list

                         // get or create list entry

                         Map<String, Map<String, Set<Long>>> listMap = listsMap.computeIfAbsent(listName, ln -> new LinkedHashMap<>());


                         if ("1".equals(kwType) || reg == null) {  //literal, substring or exact

                             /*

                              * Substring, treated same as exact match. "1" is

                              * the ordinal value for substring as defined in

                              * KeywordSearch.java. The original term should be

                              * stored in reg

                              */

                             word = (reg != null) ? reg : word; //use original term if it there.

                             addNonRegExpMatchToList(listMap, word, id);

                         } else {

                             addRegExpToList(listMap, reg, word, id);

                         }

                     } else {//single term

                         if ("1".equals(kwType) || reg == null) {  //literal, substring or exact

                             /*

                              * Substring, treated same as exact match. "1" is

                              * the ordinal value for substring as defined in

                              * KeywordSearch.java. The original term should be

                              * stored in reg

                              */

                             word = (reg != null) ? reg : word; //use original term if it there.

                             addNonRegExpMatchToList(literalMap, word, id);

                         } else {

                             addRegExpToList(regexMap, reg, word, id);

                         }

                     }

                 }

                 topLevelMap.putAll(listsMap);

             }


             setChanged();

             notifyObservers();

         }


         public void update() {

             // maps Artifact ID to map of attribute types to attribute values

             Map<Long, Map<Long, String>> artifactIds = new LinkedHashMap<>();


             if (skCase == null) {

                 return;

             }


             String queryStr = KEYWORD_HIT_ATTRIBUTES_QUERY;

             if (filteringDSObjId > 0) {

                 queryStr += "  AND blackboard_artifacts.data_source_obj_id = " + filteringDSObjId;

             }


             try (CaseDbQuery dbQuery = skCase.executeQuery(queryStr)) {

                 ResultSet resultSet = dbQuery.getResultSet();

                 while (resultSet.next()) {

                     long artifactObjId = resultSet.getLong("artifact_obj_id"); //NON-NLS

                     long typeId = resultSet.getLong("attribute_type_id"); //NON-NLS

                     String valueStr = resultSet.getString("value_text"); //NON-NLS


                     //get the map of attributes for this artifact

                     Map<Long, String> attributesByTypeMap = artifactIds.computeIfAbsent(artifactObjId, ai -> new LinkedHashMap<>());

                     if (StringUtils.isNotEmpty(valueStr)) {

                         attributesByTypeMap.put(typeId, valueStr);

                     } else {

                         // Keyword Search Type is an int

                         Long valueLong = resultSet.getLong("value_int32");

                         attributesByTypeMap.put(typeId, valueLong.toString());

                     }

                 }

             } catch (TskCoreException | SQLException ex) {

                 logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS

             }


             populateTreeMaps(artifactIds);

         }

     }


     @Override

     public <T> T accept(AutopsyItemVisitor<T> visitor) {

         return visitor.visit(this);

     }


     // Created by CreateAutopsyNodeVisitor

     public class RootNode extends UpdatableCountTypeNode {


         public RootNode() {

             super(Children.create(new ListFactory(), true),

                     Lookups.singleton(KEYWORD_HITS),

                     KEYWORD_HITS,

                     filteringDSObjId,

                     TSK_KEYWORD_HIT);


             super.setName(NAME);

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

         }


         @Override

         public boolean isLeafTypeNode() {

             return false;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }


         @Override

         @NbBundle.Messages({"KeywordHits.createSheet.name.name=Name",

             "KeywordHits.createSheet.name.displayName=Name",

             "KeywordHits.createSheet.name.desc=no description"})

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_name_name(),

                     KeywordHits_createSheet_name_displayName(),

                     KeywordHits_createSheet_name_desc(),

                     getName()));


             return sheet;

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }

     }


     private abstract class DetachableObserverChildFactory<X> extends ChildFactory.Detachable<X> implements Observer {


         @Override

         protected void addNotify() {

             keywordResults.addObserver(this);

         }


         @Override

         protected void finalize() throws Throwable {

             super.finalize();

             keywordResults.deleteObserver(this);

         }


         @Override

         public void update(Observable o, Object arg) {

             refresh(true);

         }

     }


     private class ListFactory extends DetachableObserverChildFactory<String> {


         private final PropertyChangeListener pcl = new PropertyChangeListener() {

             @Override

             public void propertyChange(PropertyChangeEvent evt) {

                 String eventType = evt.getPropertyName();

                 if (eventType.equals(IngestManager.IngestModuleEvent.DATA_ADDED.toString())) {

                     try {

                         Case.getCurrentCaseThrows();

                         ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();

                         if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.Type.TSK_KEYWORD_HIT.getTypeID()) {

                             keywordResults.update();

                         }

                     } catch (NoCurrentCaseException notUsed) {

                         // Case is closed, do nothing.

                     }

                 } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())

                         || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())) {

                     try {

                         Case.getCurrentCaseThrows();

                         keywordResults.update();

                     } catch (NoCurrentCaseException notUsed) {

                         // Case is closed, do nothing.

                     }

                 } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())

                         && evt.getNewValue() == null) {

                     /*

                      * Case was closed. Remove listeners so that we don't get

                      * called with a stale case handle

                      */

                     removeNotify();

                     skCase = null;

                 }


             }

         };


         private final PropertyChangeListener weakPcl = WeakListeners.propertyChange(pcl, null);


         @Override

         protected void addNotify() {

             IngestManager.getInstance().addIngestJobEventListener(INGEST_JOB_EVENTS_OF_INTEREST, weakPcl);

             IngestManager.getInstance().addIngestModuleEventListener(INGEST_MODULE_EVENTS_OF_INTEREST, weakPcl);

             Case.addEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), weakPcl);

             keywordResults.update();

             super.addNotify();

         }


         @Override

         protected void finalize() throws Throwable{

             IngestManager.getInstance().removeIngestJobEventListener(weakPcl);

             IngestManager.getInstance().removeIngestModuleEventListener(weakPcl);

             Case.removeEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), weakPcl);

             super.finalize();

         }


         @Override

         protected boolean createKeys(List<String> list) {

             list.addAll(keywordResults.getListNames());

             return true;

         }


         @Override

         protected Node createNodeForKey(String key) {

             return new ListNode(key);

         }

     }


     private abstract class KWHitsNodeBase extends DisplayableItemNode implements Observer {


         private String displayName;


         private KWHitsNodeBase(Children children, Lookup lookup, String displayName) {

             super(children, lookup);

             this.displayName = displayName;

         }


         private KWHitsNodeBase(Children children) {

             super(children);

         }


         @Override

         public String getItemType() {

             return getClass().getName();

         }


         @Override

         public void update(Observable o, Object arg) {

             updateDisplayName();

         }


         final void updateDisplayName() {

             super.setDisplayName(displayName + " (" + countTotalDescendants() + ")");

         }


         abstract int countTotalDescendants();

     }


     class ListNode extends KWHitsNodeBase {


         private final String listName;


         private ListNode(String listName) {

             super(Children.create(new TermFactory(listName), true), Lookups.singleton(listName), listName);

             super.setName(listName);

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             this.listName = listName;

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         @Override

         public int countTotalDescendants() {

             int totalDescendants = 0;


             for (String word : keywordResults.getKeywords(listName)) {

                 for (String instance : keywordResults.getKeywordInstances(listName, word)) {

                     Set<Long> ids = keywordResults.getArtifactIds(listName, word, instance);

                     totalDescendants += ids.size();

                 }

             }

             return totalDescendants;

         }


         @Override

         @NbBundle.Messages({"KeywordHits.createSheet.listName.name=List Name",

             "KeywordHits.createSheet.listName.displayName=List Name",

             "KeywordHits.createSheet.listName.desc=no description",

             "KeywordHits.createSheet.numChildren.name=Number of Children",

             "KeywordHits.createSheet.numChildren.displayName=Number of Children",

             "KeywordHits.createSheet.numChildren.desc=no description"})

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_listName_name(),

                     KeywordHits_createSheet_listName_displayName(),

                     KeywordHits_createSheet_listName_desc(),

                     listName));


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_numChildren_name(),

                     KeywordHits_createSheet_numChildren_displayName(),

                     KeywordHits_createSheet_numChildren_desc(),

                     keywordResults.getKeywords(listName).size()));


             return sheet;

         }


         @Override

         public boolean isLeafTypeNode() {

             return false;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }

     }


     private class TermFactory extends DetachableObserverChildFactory<String> {


         private final String setName;


         private TermFactory(String setName) {

             super();

             this.setName = setName;

         }


         @Override

         protected boolean createKeys(List<String> list) {

             list.addAll(keywordResults.getKeywords(setName));

             return true;

         }


         @Override

         protected Node createNodeForKey(String key) {

             return new TermNode(setName, key);

         }

     }


     ChildFactory<?> createChildFactory(String setName, String keyword) {

         if (isOnlyDefaultInstance(keywordResults.getKeywordInstances(setName, keyword))) {

             return new HitsFactory(setName, keyword, DEFAULT_INSTANCE_NAME);

         } else {

             return new RegExpInstancesFactory(setName, keyword);

         }

     }


     class TermNode extends KWHitsNodeBase {


         private final String setName;

         private final String keyword;


         private TermNode(String setName, String keyword) {

             super(Children.create(createChildFactory(setName, keyword), true), Lookups.singleton(keyword), keyword);


             super.setName(setName + "_" + keyword);

             this.setName = setName;

             this.keyword = keyword;

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         @Override

         int countTotalDescendants() {

             return keywordResults.getKeywordInstances(setName, keyword).stream()

                     .mapToInt(instance -> keywordResults.getArtifactIds(setName, keyword, instance).size())

                     .sum();

         }


         @Override

         public boolean isLeafTypeNode() {

             // is this an exact/substring match (i.e. did we use the DEFAULT name)?

             return isOnlyDefaultInstance(keywordResults.getKeywordInstances(setName, keyword));

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }


         @Override

         @NbBundle.Messages({"KeywordHits.createSheet.filesWithHits.name=Files with Hits",

             "KeywordHits.createSheet.filesWithHits.displayName=Files with Hits",

             "KeywordHits.createSheet.filesWithHits.desc=no description"})

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }

             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_listName_name(),

                     KeywordHits_createSheet_listName_displayName(),

                     KeywordHits_createSheet_listName_desc(),

                     getDisplayName()));


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_filesWithHits_name(),

                     KeywordHits_createSheet_filesWithHits_displayName(),

                     KeywordHits_createSheet_filesWithHits_desc(),

                     countTotalDescendants()));


             return sheet;

         }

     }


     private class RegExpInstancesFactory extends DetachableObserverChildFactory<String> {


         private final String keyword;

         private final String setName;


         private RegExpInstancesFactory(String setName, String keyword) {

             super();

             this.setName = setName;

             this.keyword = keyword;

         }


         @Override

         protected boolean createKeys(List<String> list) {

             list.addAll(keywordResults.getKeywordInstances(setName, keyword));

             return true;

         }


         @Override

         protected Node createNodeForKey(String key) {

             return new RegExpInstanceNode(setName, keyword, key);

         }

     }


     class RegExpInstanceNode extends KWHitsNodeBase {


         private final String setName;

         private final String keyword;

         private final String instance;


         private RegExpInstanceNode(String setName, String keyword, String instance) {

             super(Children.create(new HitsFactory(setName, keyword, instance), true), Lookups.singleton(instance), instance);


             super.setName(setName + "_" + keyword + "_" + instance);

             this.setName = setName;

             this.keyword = keyword;

             this.instance = instance;

             this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

             updateDisplayName();

             keywordResults.addObserver(this);

         }


         @Override

         int countTotalDescendants() {

             return keywordResults.getArtifactIds(setName, keyword, instance).size();

         }


         @Override

         public boolean isLeafTypeNode() {

             return true;

         }


         @Override

         public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

             return visitor.visit(this);

         }


         @Override

         protected Sheet createSheet() {

             Sheet sheet = super.createSheet();

             Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

             if (sheetSet == null) {

                 sheetSet = Sheet.createPropertiesSet();

                 sheet.put(sheetSet);

             }


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_listName_name(),

                     KeywordHits_createSheet_listName_displayName(),

                     KeywordHits_createSheet_listName_desc(),

                     getDisplayName()));


             sheetSet.put(new NodeProperty<>(

                     KeywordHits_createSheet_filesWithHits_name(),

                     KeywordHits_createSheet_filesWithHits_displayName(),

                     KeywordHits_createSheet_filesWithHits_desc(),

                     keywordResults.getArtifactIds(setName, keyword, instance).size()));


             return sheet;

         }


     }


     @NbBundle.Messages({"KeywordHits.createNodeForKey.modTime.name=ModifiedTime",

         "KeywordHits.createNodeForKey.modTime.displayName=Modified Time",

         "KeywordHits.createNodeForKey.modTime.desc=Modified Time",

         "KeywordHits.createNodeForKey.accessTime.name=AccessTime",

         "KeywordHits.createNodeForKey.accessTime.displayName=Access Time",

         "KeywordHits.createNodeForKey.accessTime.desc=Access Time",

         "KeywordHits.createNodeForKey.chgTime.name=ChangeTime",

         "KeywordHits.createNodeForKey.chgTime.displayName=Change Time",

         "KeywordHits.createNodeForKey.chgTime.desc=Change Time"})

     private BlackboardArtifactNode createBlackboardArtifactNode(AnalysisResult art) {

         if (skCase == null) {

             return null;

         }


         BlackboardArtifactNode n = new BlackboardArtifactNode(art); //NON-NLS


         // The associated file should be available through the Lookup that

         // gets created when the BlackboardArtifactNode is constructed.

         AbstractFile file = n.getLookup().lookup(AbstractFile.class);

         if (file == null) {

             try {

                 file = skCase.getAbstractFileById(art.getObjectID());

             } catch (TskCoreException ex) {

                 logger.log(Level.SEVERE, "TskCoreException while constructing BlackboardArtifact Node from KeywordHitsKeywordChildren", ex); //NON-NLS

                 return n;

             }

         }

         /*

          * It is possible to get a keyword hit on artifacts generated for the

          * underlying image in which case MAC times are not

          * available/applicable/useful.

          */

         if (file == null) {

             return n;

         }

         n.addNodeProperty(new NodeProperty<>(

                 KeywordHits_createNodeForKey_modTime_name(),

                 KeywordHits_createNodeForKey_modTime_displayName(),

                 KeywordHits_createNodeForKey_modTime_desc(),

                 TimeZoneUtils.getFormattedTime(file.getMtime())));

         n.addNodeProperty(new NodeProperty<>(

                 KeywordHits_createNodeForKey_accessTime_name(),

                 KeywordHits_createNodeForKey_accessTime_displayName(),

                 KeywordHits_createNodeForKey_accessTime_desc(),

                 TimeZoneUtils.getFormattedTime(file.getAtime())));

         n.addNodeProperty(new NodeProperty<>(

                 KeywordHits_createNodeForKey_chgTime_name(),

                 KeywordHits_createNodeForKey_chgTime_displayName(),

                 KeywordHits_createNodeForKey_chgTime_desc(),

                 TimeZoneUtils.getFormattedTime(file.getCtime())));

         return n;

     }


     private class HitsFactory extends BaseChildFactory<AnalysisResult> implements Observer {


         private final String keyword;

         private final String setName;

         private final String instance;

         private final Map<Long, AnalysisResult> artifactHits = new HashMap<>();


         private HitsFactory(String setName, String keyword, String instance) {

             super(setName + "_" + keyword + (DEFAULT_INSTANCE_NAME.equals(instance) ? "" : "_" + instance));

             this.setName = setName;

             this.keyword = keyword;

             this.instance = instance;

         }


         @Override

         protected List<AnalysisResult> makeKeys() {

             if (skCase != null) {

                 keywordResults.getArtifactIds(setName, keyword, instance).forEach((id) -> {

                     try {

                         if (!artifactHits.containsKey(id)) {

                             AnalysisResult art = skCase.getBlackboard().getAnalysisResultById(id);

                             //Cache attributes while we are off the EDT.

                             //See JIRA-5969

                             art.getAttributes();

                             artifactHits.put(id, art);

                         }

                     } catch (TskCoreException ex) {

                         logger.log(Level.SEVERE, "TSK Exception occurred", ex); //NON-NLS

                     }

                 });


                 return new ArrayList<>(artifactHits.values());

             }

             return Collections.emptyList();

         }


         @Override

         protected Node createNodeForKey(AnalysisResult art) {

             return createBlackboardArtifactNode(art);

         }


         @Override

         protected void onAdd() {

             keywordResults.addObserver(this);

         }


         @Override

         protected void onRemove() {

             keywordResults.deleteObserver(this);

         }


         @Override

         public void update(Observable o, Object arg) {

             refresh(true);

         }

     }

 }

org::sleuthkit

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.pcl
final PropertyChangeListener pcl
Definition: KeywordHits.java:457

org::sleuthkit.autopsy.datamodel.KeywordHits
Definition: KeywordHits.java:67

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.finalize
void finalize()
Definition: KeywordHits.java:522

org::sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.addNotify
void addNotify()
Definition: KeywordHits.java:436

org::sleuthkit::datamodel::BlackboardArtifact::Type::getTypeName
String getTypeName()

org::sleuthkit.autopsy.datamodel.KeywordHits.isOnlyDefaultInstance
static boolean isOnlyDefaultInstance(List< String > instances)
Definition: KeywordHits.java:108

org::sleuthkit.autopsy.datamodel.KeywordHits.KEYWORD_HITS
static final String KEYWORD_HITS
Definition: KeywordHits.java:73

org::sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType
BlackboardArtifact.Type getBlackboardArtifactType()
Definition: ModuleDataEvent.java:104

org::sleuthkit.autopsy.ingest.IngestManager.removeIngestModuleEventListener
void removeIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:784

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.createSheet
Sheet createSheet()
Definition: KeywordHits.java:410

org::sleuthkit.autopsy.casemodule.Case
Definition: Case.java:168

org::sleuthkit::datamodel::Blackboard::getAnalysisResultById
AnalysisResult getAnalysisResultById(long artifactObjId)

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createNodeForKey
Node createNodeForKey(String key)
Definition: KeywordHits.java:661

org::sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode.filteringDSObjId
final long filteringDSObjId
Definition: Artifacts.java:453

org::sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition: IngestManager.java:161

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:972

org::sleuthkit.autopsy.datamodel.KeywordHits.keywordResults
final KeywordResults keywordResults
Definition: KeywordHits.java:82

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.createNodeForKey
Node createNodeForKey(AnalysisResult art)
Definition: KeywordHits.java:957

org::sleuthkit::datamodel::BlackboardAttribute

org::sleuthkit::datamodel::SleuthkitCase::getBlackboard
Blackboard getBlackboard()

org::sleuthkit::datamodel::BlackboardArtifact::Type::TSK_KEYWORD_HIT
static final Type TSK_KEYWORD_HIT

org::sleuthkit::datamodel::BlackboardArtifact::getObjectID
long getObjectID()

org::sleuthkit.autopsy.datamodel.BaseChildFactory
Definition: BaseChildFactory.java:45

org::sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase
Definition: KeywordHits.java:541

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode
Definition: KeywordHits.java:383

org::sleuthkit.autopsy.datamodel.KeywordHits.skCase
SleuthkitCase skCase
Definition: KeywordHits.java:81

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.getItemType
String getItemType()
Definition: KeywordHits.java:428

org

org::sleuthkit.autopsy.coreutils.TimeZoneUtils.getFormattedTime
static String getFormattedTime(long epochTime)
Definition: TimeZoneUtils.java:145

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.onRemove
void onRemove()
Definition: KeywordHits.java:967

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_KEYWORD
TSK_KEYWORD

org::sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_REGEX_SEARCH
static final String SIMPLE_REGEX_SEARCH
Definition: KeywordHits.java:77

org::sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.finalize
void finalize()
Definition: KeywordHits.java:441

org::sleuthkit::datamodel::AbstractFile::getAtime
long getAtime()

org::sleuthkit.autopsy.casemodule
Definition: AddImageAction.java:19

org::sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent
Definition: IngestManager.java:1298

org::sleuthkit.autopsy.datamodel
Definition: AbstractAbstractFileNode.java:19

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory
Definition: KeywordHits.java:455

org::sleuthkit::datamodel::BlackboardArtifact::Type::getTypeID
int getTypeID()

org::sleuthkit.autopsy.ingest.ModuleDataEvent
Definition: ModuleDataEvent.java:49

org::sleuthkit::datamodel::AbstractFile::getCtime
long getCtime()

org::sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.COMPLETED
COMPLETED
Definition: IngestManager.java:1311

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory
Definition: KeywordHits.java:759

org::sleuthkit::datamodel::BlackboardArtifact

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.TermFactory
TermFactory(String setName)
Definition: KeywordHits.java:649

org::sleuthkit::datamodel::BlackboardArtifact::Type

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.topLevelMap
final Map< String, Map< String, Map< String, Set< Long > > > > topLevelMap
Definition: KeywordHits.java:144

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.setName
final String setName
Definition: KeywordHits.java:762

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.addNotify
void addNotify()
Definition: KeywordHits.java:513

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.artifactHits
final Map< Long, AnalysisResult > artifactHits
Definition: KeywordHits.java:919

org::sleuthkit.autopsy.coreutils
Definition: AppSQLiteDB.java:19

org::sleuthkit.autopsy.datamodel.KeywordHits.createBlackboardArtifactNode
BlackboardArtifactNode createBlackboardArtifactNode(AnalysisResult art)
Definition: KeywordHits.java:867

org::sleuthkit.autopsy.coreutils.Logger
Definition: Logger.java:36

org::sleuthkit.autopsy.datamodel.KeywordHits.INGEST_JOB_EVENTS_OF_INTEREST
static final Set< IngestManager.IngestJobEvent > INGEST_JOB_EVENTS_OF_INTEREST
Definition: KeywordHits.java:70

org::sleuthkit::datamodel::SleuthkitCase::getAbstractFileById
AbstractFile getAbstractFileById(long id)

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createKeys
boolean createKeys(List< String > list)
Definition: KeywordHits.java:530

org::sleuthkit.autopsy.ingest.IngestManager.removeIngestJobEventListener
void removeIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:741

org::sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.KWHitsNodeBase
KWHitsNodeBase(Children children)
Definition: KeywordHits.java:550

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createKeys
boolean createKeys(List< String > list)
Definition: KeywordHits.java:771

org::sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addNodeProperty
void addNodeProperty(NodeProperty<?> property)
Definition: BlackboardArtifactNode.java:1275

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createKeys
boolean createKeys(List< String > list)
Definition: KeywordHits.java:655

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory
Definition: KeywordHits.java:645

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.setName
final String setName
Definition: KeywordHits.java:917

org::sleuthkit.autopsy.casemodule.Case.Events
Definition: Case.java:303

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.onAdd
void onAdd()
Definition: KeywordHits.java:962

org::sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:447

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_SET_NAME
TSK_SET_NAME

org::sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor
Definition: DisplayableItemNodeVisitor.java:42

org::sleuthkit.autopsy.datamodel.Artifacts
Definition: Artifacts.java:72

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.RegExpInstancesFactory
RegExpInstancesFactory(String setName, String keyword)
Definition: KeywordHits.java:764

org::sleuthkit.autopsy.ingest
Definition: AnalysisResultIngestModule.java:19

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_KEYWORD_REGEXP
TSK_KEYWORD_REGEXP

org::sleuthkit.autopsy.ingest.IngestManager.addIngestJobEventListener
void addIngestJobEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:719

org::sleuthkit.autopsy.datamodel.KeywordHits.DEFAULT_INSTANCE_NAME
static final String DEFAULT_INSTANCE_NAME
Definition: KeywordHits.java:90

org::sleuthkit::datamodel::TskCoreException

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.RootNode
RootNode()
Definition: KeywordHits.java:385

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.keyword
final String keyword
Definition: KeywordHits.java:916

org::sleuthkit.autopsy.ingest.IngestManager
Definition: IngestManager.java:122

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.keyword
final String keyword
Definition: KeywordHits.java:761

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createNodeForKey
Node createNodeForKey(String key)
Definition: KeywordHits.java:536

org::sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent.DATA_ADDED
DATA_ADDED
Definition: IngestManager.java:1349

org::sleuthkit.autopsy.coreutils.TimeZoneUtils
Definition: TimeZoneUtils.java:36

org::sleuthkit.autopsy.datamodel.AutopsyItemVisitor.visit
T visit(DataSources i)

org::sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.weakPcl
final PropertyChangeListener weakPcl
Definition: KeywordHits.java:510

org::sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode
Definition: Artifacts.java:448

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults
Definition: KeywordHits.java:140

org::sleuthkit::datamodel::SleuthkitCase::CaseDbQuery

org::sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.getItemType
String getItemType()
Definition: KeywordHits.java:555

org::sleuthkit::datamodel::SleuthkitCase

org::sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor.visit
T visit(DataSourceFilesNode in)

org::sleuthkit.autopsy.casemodule.Case.Events.CURRENT_CASE
CURRENT_CASE
Definition: Case.java:384

org::sleuthkit.autopsy.datamodel.NodeProperty
Definition: NodeProperty.java:28

org::sleuthkit.autopsy.datamodel.KeywordHits.logger
static final Logger logger
Definition: KeywordHits.java:69

org::sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.displayName
String displayName
Definition: KeywordHits.java:543

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.instance
final String instance
Definition: KeywordHits.java:918

org::sleuthkit::datamodel::BlackboardArtifact::getAttributes
List< BlackboardAttribute > getAttributes()

org::sleuthkit::datamodel::AbstractFile

org::sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory
Definition: KeywordHits.java:433

org::sleuthkit::datamodel::AbstractFile::getMtime
long getMtime()

org::sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createNodeForKey
Node createNodeForKey(String key)
Definition: KeywordHits.java:777

org::sleuthkit.autopsy.datamodel.KeywordHits.KEYWORD_HIT_ATTRIBUTES_QUERY
static final String KEYWORD_HIT_ATTRIBUTES_QUERY
Definition: KeywordHits.java:95

org::sleuthkit.autopsy.ingest.IngestManager.addIngestModuleEventListener
void addIngestModuleEventListener(final PropertyChangeListener listener)
Definition: IngestManager.java:762

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordHits
KeywordHits(SleuthkitCase skCase, long objId)
Definition: KeywordHits.java:128

org::sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.update
void update()
Definition: KeywordHits.java:339

org::sleuthkit::datamodel

org::sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition: Logger.java:124

org::sleuthkit.autopsy.datamodel.KeywordHits.INGEST_MODULE_EVENTS_OF_INTEREST
static final Set< IngestManager.IngestModuleEvent > INGEST_MODULE_EVENTS_OF_INTEREST
Definition: KeywordHits.java:71

org::sleuthkit.autopsy.datamodel.KeywordHits.RootNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition: KeywordHits.java:397

org::sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows
static Case getCurrentCaseThrows()
Definition: Case.java:910

org::sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.CANCELLED
CANCELLED
Definition: IngestManager.java:1317

org::sleuthkit.autopsy.casemodule.Case.addEventTypeSubscriber
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:712

org::sleuthkit.autopsy

org::sleuthkit.autopsy.datamodel.AutopsyItemVisitor
Definition: AutopsyItemVisitor.java:28

org::sleuthkit.autopsy.datamodel.AutopsyVisitableItem
Definition: AutopsyVisitableItem.java:26

org::sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.update
void update(Observable o, Object arg)
Definition: KeywordHits.java:560

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE

org::sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent
Definition: IngestManager.java:1341

org::sleuthkit.autopsy.datamodel.KeywordHits.filteringDSObjId
final long filteringDSObjId
Definition: KeywordHits.java:83

org::sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.setName
final String setName
Definition: KeywordHits.java:647

org::sleuthkit::datamodel::BlackboardAttribute::ATTRIBUTE_TYPE::TSK_KEYWORD_SEARCH_TYPE
TSK_KEYWORD_SEARCH_TYPE

org::sleuthkit.autopsy.casemodule.NoCurrentCaseException
Definition: NoCurrentCaseException.java:26

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.HitsFactory
HitsFactory(String setName, String keyword, String instance)
Definition: KeywordHits.java:921

org::sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.KWHitsNodeBase
KWHitsNodeBase(Children children, Lookup lookup, String displayName)
Definition: KeywordHits.java:545

org::sleuthkit.autopsy.datamodel.BlackboardArtifactNode
Definition: BlackboardArtifactNode.java:126

org::sleuthkit.autopsy.datamodel.KeywordHits.NAME
static final String NAME
Definition: KeywordHits.java:79

org::sleuthkit.autopsy.casemodule.Case.removeEventTypeSubscriber
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition: Case.java:757

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory
Definition: KeywordHits.java:914

org::sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_LITERAL_SEARCH
static final String SIMPLE_LITERAL_SEARCH
Definition: KeywordHits.java:75

org::sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.makeKeys
List< AnalysisResult > makeKeys()
Definition: KeywordHits.java:935

org::sleuthkit::datamodel::AnalysisResult

org::sleuthkit.autopsy.datamodel.DisplayableItemNode
Definition: DisplayableItemNode.java:38

org::sleuthkit::datamodel::SleuthkitCase::executeQuery
CaseDbQuery executeQuery(String query)