AnnotationUtils.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2021 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.contentviewers.annotations;
 
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.stream.Collectors;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.jsoup.Jsoup;
import org.jsoup.nodes.Document;
import org.jsoup.nodes.Element;
import org.openide.nodes.Node;
import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepoException;
import org.sleuthkit.autopsy.centralrepository.datamodel.CentralRepository;
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeInstance;
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeNormalizationException;
import org.sleuthkit.autopsy.centralrepository.datamodel.CorrelationAttributeUtil;
import org.sleuthkit.autopsy.contentviewers.layout.ContentViewerHtmlStyles;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.datamodel.BlackboardArtifactItem;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.AnalysisResult;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardArtifactTag;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.ContentTag;
import org.sleuthkit.datamodel.DataArtifact;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.Tag;
import org.sleuthkit.datamodel.TskCoreException;

public class AnnotationUtils {
 
    @NbBundle.Messages({
        "AnnotationUtils.title=Annotations",
        "AnnotationUtils.toolTip=Displays tags and comments associated with the selected content.",
        "AnnotationUtils.centralRepositoryEntry.title=Central Repository Comments",
        "AnnotationUtils.centralRepositoryEntryDataLabel.case=Case:",
        "AnnotationUtils.centralRepositoryEntryDataLabel.type=Type:",
        "AnnotationUtils.centralRepositoryEntryDataLabel.comment=Comment:",
        "AnnotationUtils.centralRepositoryEntryDataLabel.path=Path:",
        "AnnotationUtils.tagEntry.title=Tags",
        "AnnotationUtils.tagEntryDataLabel.tag=Tag:",
        "AnnotationUtils.tagEntryDataLabel.tagUser=Examiner:",
        "AnnotationUtils.tagEntryDataLabel.comment=Comment:",
        "AnnotationUtils.fileHitEntry.artifactCommentTitle=Artifact Comment",
        "AnnotationUtils.fileHitEntry.hashSetHitTitle=Hash Set Hit Comments",
        "AnnotationUtils.fileHitEntry.interestingFileHitTitle=Interesting File Hit Comments",
        "AnnotationUtils.fileHitEntry.interestingItemTitle=Interesting Item Comments",
        "AnnotationUtils.fileHitEntry.setName=Set Name:",
        "AnnotationUtils.fileHitEntry.comment=Comment:",
        "AnnotationUtils.sourceFile.title=Source File",
        "AnnotationUtils.onEmpty=No annotations were found for this particular item."
    })
 
    private static final Logger logger = Logger.getLogger(AnnotationUtils.class.getName());
 
    private static final String EMPTY_HTML = "<html><head></head><body></body></html>";
 
    // describing table values for a tag
    private static final List<ItemEntry<Tag>> TAG_ENTRIES = Arrays.asList(
            new ItemEntry<>(Bundle.AnnotationUtils_tagEntryDataLabel_tag(),
                    (tag) -> (tag.getName() != null) ? tag.getName().getDisplayName() : null),
            new ItemEntry<>(Bundle.AnnotationUtils_tagEntryDataLabel_tagUser(), (tag) -> tag.getUserName()),
            new ItemEntry<>(Bundle.AnnotationUtils_tagEntryDataLabel_comment(), (tag) -> tag.getComment())
    );
 
    private static final SectionConfig<Tag> TAG_CONFIG
            = new SectionConfig<>(Bundle.AnnotationUtils_tagEntry_title(), TAG_ENTRIES);
 
    // Item set attributes and table configurations
    private static final List<ItemEntry<BlackboardArtifact>> ITEMSET_HIT_ENTRIES = Arrays.asList(
            new ItemEntry<>(Bundle.AnnotationUtils_fileHitEntry_setName(),
                    (bba) -> tryGetAttribute(bba, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME)),
            new ItemEntry<>(Bundle.AnnotationUtils_fileHitEntry_comment(),
                    (bba) -> tryGetAttribute(bba, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT))
    );
 
    private static final SectionConfig<BlackboardArtifact> INTERESTING_FILE_CONFIG
            = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_interestingFileHitTitle(), ITEMSET_HIT_ENTRIES);
 
    private static final SectionConfig<BlackboardArtifact> INTERESTING_ITEM_CONFIG
            = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_interestingItemTitle(), ITEMSET_HIT_ENTRIES);
 
    private static final SectionConfig<BlackboardArtifact> HASHSET_CONFIG
            = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_hashSetHitTitle(), ITEMSET_HIT_ENTRIES);
 
    private static final SectionConfig<BlackboardArtifact> ARTIFACT_COMMENT_CONFIG
            = new SectionConfig<>(Bundle.AnnotationUtils_fileHitEntry_artifactCommentTitle(), ITEMSET_HIT_ENTRIES);
 
    // central repository attributes and table configuration
    private static final List<ItemEntry<CorrelationAttributeInstance>> CR_COMMENTS_ENTRIES = Arrays.asList(
            new ItemEntry<>(Bundle.AnnotationUtils_centralRepositoryEntryDataLabel_case(),
                    cai -> (cai.getCorrelationCase() != null) ? cai.getCorrelationCase().getDisplayName() : null),
            new ItemEntry<>(Bundle.AnnotationUtils_centralRepositoryEntryDataLabel_comment(), cai -> cai.getComment()),
            new ItemEntry<>(Bundle.AnnotationUtils_centralRepositoryEntryDataLabel_path(), cai -> cai.getFilePath())
    );
 
    private static final SectionConfig<CorrelationAttributeInstance> CR_COMMENTS_CONFIG
            = new SectionConfig<>(Bundle.AnnotationUtils_centralRepositoryEntry_title(), CR_COMMENTS_ENTRIES);
 
    /*
     * Private constructor for this utility class.
     */
    private AnnotationUtils() {
 
    }

    static DisplayTskItems getDisplayContent(Node node) {
        BlackboardArtifactItem<?> artItem = node.getLookup().lookup(BlackboardArtifactItem.class);
        BlackboardArtifact artifact = artItem == null ? null : artItem.getTskContent();
 
        Content content = artItem != null
                ? artItem.getSourceContent()
                : node.getLookup().lookup(AbstractFile.class);
 
        return new DisplayTskItems(artifact, content);
    }

    public static boolean isSupported(Node node) {
        return getDisplayContent(node).getContent() != null;
    }

    public static Document buildDocument(Node node) {
        Document html = Jsoup.parse(EMPTY_HTML);
        Element body = html.getElementsByTag("body").first();
 
        DisplayTskItems displayItems = getDisplayContent(node);
        BlackboardArtifact artifact = displayItems.getArtifact();
        Content srcContent = displayItems.getContent();
 
        boolean somethingWasRendered = false;
        if (artifact != null) {
            somethingWasRendered = renderArtifact(body, artifact, srcContent);
        } else {
            somethingWasRendered = renderContent(body, srcContent, false);
        }
 
        if (!somethingWasRendered) {
            return null;
        }
 
        return html;
    }

    @SuppressWarnings("deprecation")
    private static boolean renderArtifact(Element parent, BlackboardArtifact bba, Content sourceContent) {
        boolean contentRendered = appendEntries(parent, TAG_CONFIG, getTags(bba), false, true);
 
        if (CentralRepository.isEnabled()) {
            List<CorrelationAttributeInstance> centralRepoComments = getCentralRepositoryData(bba);
            boolean crRendered = appendEntries(parent, CR_COMMENTS_CONFIG, centralRepoComments, false, !contentRendered);
            contentRendered = contentRendered || crRendered;
        }
 
        // if artifact is a hashset hit or interesting file and has a non-blank comment
        if ((BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() == bba.getArtifactTypeID()
                || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() == bba.getArtifactTypeID() 
                || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == bba.getArtifactTypeID() 
                || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() == bba.getArtifactTypeID())
                && (hasTskComment(bba))) {
 
            boolean filesetRendered = appendEntries(parent, ARTIFACT_COMMENT_CONFIG, Arrays.asList(bba), false, !contentRendered);
            contentRendered = contentRendered || filesetRendered;
        }
 
        Element sourceFileSection = appendSection(parent, Bundle.AnnotationUtils_sourceFile_title());
        sourceFileSection.attr("class", ContentViewerHtmlStyles.getSpacedSectionClassName());
 
        Element sourceFileContainer = sourceFileSection.appendElement("div");
        sourceFileContainer.attr("class", ContentViewerHtmlStyles.getIndentedClassName());
 
        boolean sourceFileRendered = renderContent(sourceFileContainer, sourceContent, true);
 
        if (!sourceFileRendered) {
            sourceFileSection.remove();
        }
 
        return contentRendered || sourceFileRendered;
    }

    @SuppressWarnings("deprecation")
    private static boolean renderContent(Element parent, Content sourceContent, boolean isSubheader) {
        boolean contentRendered = appendEntries(parent, TAG_CONFIG, getTags(sourceContent), isSubheader, true);
 
        if (sourceContent instanceof AbstractFile) {
            AbstractFile sourceFile = (AbstractFile) sourceContent;
 
            if (CentralRepository.isEnabled()) {
                List<CorrelationAttributeInstance> centralRepoComments = getCentralRepositoryData(sourceFile);
                boolean crRendered = appendEntries(parent, CR_COMMENTS_CONFIG, centralRepoComments, isSubheader,
                        !contentRendered);
                contentRendered = contentRendered || crRendered;
            }
 
            boolean hashsetRendered = appendEntries(parent, HASHSET_CONFIG,
                    getFileSetHits(sourceFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT),
                    isSubheader,
                    !contentRendered);
 
            boolean interestingFileRendered = appendEntries(parent, INTERESTING_FILE_CONFIG,
                    getFileSetHits(sourceFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT),
                    isSubheader,
                    !contentRendered);
 
            boolean interestingItemRendered = appendEntries(parent, INTERESTING_ITEM_CONFIG,
                    getFileSetHits(sourceFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM),
                    isSubheader,
                    !contentRendered);
 
            contentRendered = contentRendered || hashsetRendered || interestingFileRendered || interestingItemRendered;
        }
        return contentRendered;
    }

    private static List<ContentTag> getTags(Content sourceContent) {
        try {
            SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
            return tskCase.getContentTagsByContent(sourceContent);
        } catch (NoCurrentCaseException ex) {
            logger.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Exception while getting tags from the case database.", ex); //NON-NLS
        }
        return new ArrayList<>();
    }

    private static List<BlackboardArtifactTag> getTags(BlackboardArtifact bba) {
        try {
            SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
            return tskCase.getBlackboardArtifactTagsByArtifact(bba);
        } catch (NoCurrentCaseException ex) {
            logger.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Exception while getting tags from the case database.", ex); //NON-NLS
        }
        return new ArrayList<>();
    }

    private static List<BlackboardArtifact> getFileSetHits(AbstractFile sourceFile, BlackboardArtifact.ARTIFACT_TYPE type) {
        try {
            SleuthkitCase tskCase = Case.getCurrentCaseThrows().getSleuthkitCase();
            return tskCase.getBlackboardArtifacts(type, sourceFile.getId()).stream()
                    .filter((bba) -> hasTskComment(bba) || hasTskSet(bba))
                    .collect(Collectors.toList());
        } catch (NoCurrentCaseException ex) {
            logger.log(Level.SEVERE, "Exception while getting open case.", ex); // NON-NLS
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, "Exception while getting file set hits from the case database.", ex); //NON-NLS
        }
        return new ArrayList<>();
    }

    private static boolean hasTskComment(BlackboardArtifact artifact) {
        return StringUtils.isNotBlank(tryGetAttribute(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT));
    }
    
    private static boolean hasTskSet(BlackboardArtifact artifact) {
        return StringUtils.isNotBlank(tryGetAttribute(artifact, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
    }

    private static String tryGetAttribute(BlackboardArtifact artifact, BlackboardAttribute.ATTRIBUTE_TYPE attributeType) {
        if (artifact == null) {
            return null;
        }
 
        BlackboardAttribute attr = null;
        try {
            attr = artifact.getAttribute(new BlackboardAttribute.Type(attributeType));
        } catch (TskCoreException ex) {
            logger.log(Level.WARNING, String.format("Unable to fetch attribute of type %s for artifact %s", attributeType, artifact), ex);
        }
 
        if (attr == null) {
            return null;
        }
 
        return attr.getValueString();
    }

    private static List<CorrelationAttributeInstance> getCentralRepositoryData(BlackboardArtifact artifact) {
        if (artifact == null) {
            return new ArrayList<>();
        }
        List<CorrelationAttributeInstance> instances = new ArrayList<>();
        if (artifact instanceof DataArtifact) {
            instances.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((DataArtifact) artifact));
        } else if (artifact instanceof AnalysisResult) {
            instances.addAll(CorrelationAttributeUtil.makeCorrAttrsForSearch((AnalysisResult) artifact));
        }
 
        List<Pair<CorrelationAttributeInstance.Type, String>> lookupKeys = instances.stream()
                .map(cai -> Pair.of(cai.getCorrelationType(), cai.getCorrelationValue()))
                .collect(Collectors.toList());
 
        return getCorrelationAttributeComments(lookupKeys);
    }

    private static List<CorrelationAttributeInstance> getCentralRepositoryData(AbstractFile sourceFile) {
        if (sourceFile == null || StringUtils.isEmpty(sourceFile.getMd5Hash())) {
            return new ArrayList<>();
        }
 
        List<CorrelationAttributeInstance.Type> artifactTypes = null;
        try {
            artifactTypes = CentralRepository.getInstance().getDefinedCorrelationTypes();
        } catch (CentralRepoException ex) {
            logger.log(Level.SEVERE, "Error connecting to the Central Repository database.", ex); // NON-NLS
        }
 
        if (artifactTypes == null || artifactTypes.isEmpty()) {
            return new ArrayList<>();
        }
 
        String md5 = sourceFile.getMd5Hash();
 
        // get key lookups for a file attribute types and the md5 hash
        List<Pair<CorrelationAttributeInstance.Type, String>> lookupKeys = artifactTypes.stream()
                .filter((attributeType) -> attributeType.getId() == CorrelationAttributeInstance.FILES_TYPE_ID)
                .map((attributeType) -> Pair.of(attributeType, md5))
                .collect(Collectors.toList());
 
        return getCorrelationAttributeComments(lookupKeys);
    }

    private static List<CorrelationAttributeInstance> getCorrelationAttributeComments(List<Pair<CorrelationAttributeInstance.Type, String>> lookupKeys) {
        List<CorrelationAttributeInstance> instancesToRet = new ArrayList<>();
 
        try {
            // use lookup instances to find the actual correlation attributes for the items selected
            for (Pair<CorrelationAttributeInstance.Type, String> typeVal : lookupKeys) {
                instancesToRet.addAll(CentralRepository.getInstance()
                        .getArtifactInstancesByTypeValue(typeVal.getKey(), typeVal.getValue())
                        .stream()
                        // for each one found, if it has a comment, return
                        .filter((cai) -> StringUtils.isNotBlank(cai.getComment()))
                        .collect(Collectors.toList()));
            }
 
        } catch (CentralRepoException ex) {
            logger.log(Level.SEVERE, "Error connecting to the Central Repository database.", ex); // NON-NLS
        } catch (CorrelationAttributeNormalizationException ex) {
            logger.log(Level.WARNING, "Error normalizing instance from Central Repository database.", ex); // NON-NLS
        }
 
        return instancesToRet;
    }

    private static <T> boolean appendEntries(Element parent, AnnotationUtils.SectionConfig<T> config, List<? extends T> items,
            boolean isSubsection, boolean isFirstSection) {
        if (items == null || items.isEmpty()) {
            return false;
        }
 
        Element sectionDiv = (isSubsection) ? appendSubsection(parent, config.getTitle()) : appendSection(parent, config.getTitle());
        if (!isFirstSection) {
            sectionDiv.attr("class", ContentViewerHtmlStyles.getSpacedSectionClassName());
        }
 
        Element sectionContainer = sectionDiv.appendElement("div");
 
        if (!isSubsection) {
            sectionContainer.attr("class", ContentViewerHtmlStyles.getIndentedClassName());
        }
 
        appendVerticalEntryTables(sectionContainer, items, config.getAttributes());
        return true;
    }

    private static <T> Element appendVerticalEntryTables(Element parent, List<? extends T> items, List<ItemEntry<T>> rowHeaders) {
        boolean isFirst = true;
        for (T item : items) {
            if (item == null) {
                continue;
            }
 
            List<List<String>> tableData = rowHeaders.stream()
                    .map(row -> Arrays.asList(row.getItemName(), row.retrieveValue(item)))
                    .collect(Collectors.toList());
 
            Element childTable = appendTable(parent, 2, tableData, null);
 
            if (isFirst) {
                isFirst = false;
            } else {
                childTable.attr("class", ContentViewerHtmlStyles.getSpacedSectionClassName());
            }
        }
 
        return parent;
    }

    private static Element appendTable(Element parent, int columnNumber, List<List<String>> content, List<String> columnHeaders) {
        Element table = parent.appendElement("table")
                .attr("valign", "top")
                .attr("align", "left");
 
        if (columnHeaders != null && !columnHeaders.isEmpty()) {
            Element header = table.appendElement("thead");
            appendRow(header, columnHeaders, columnNumber, true);
        }
        Element tableBody = table.appendElement("tbody");
 
        content.forEach((rowData) -> appendRow(tableBody, rowData, columnNumber, false));
        return table;
    }

    private static Element appendRow(Element rowParent, List<String> data, int columnNumber, boolean isHeader) {
        String cellType = isHeader ? "th" : "td";
        Element row = rowParent.appendElement("tr");
        for (int i = 0; i < columnNumber; i++) {
            Element cell = row.appendElement(cellType);
 
            if (i == 0) {
                cell.attr("class", ContentViewerHtmlStyles.getKeyColumnClassName());
            }
 
            if (data != null && i < data.size()) {
                cell.appendElement("span")
                        .attr("class", ContentViewerHtmlStyles.getTextClassName())
                        .text(StringUtils.isEmpty(data.get(i)) ? "" : data.get(i));
            }
        }
        return row;
    }

    private static Element appendSection(Element parent, String headerText) {
        Element sectionDiv = parent.appendElement("div");
        Element header = sectionDiv.appendElement("h1");
        header.text(headerText);
        header.attr("class", ContentViewerHtmlStyles.getHeaderClassName());
        return sectionDiv;
    }

    private static Element appendSubsection(Element parent, String headerText) {
        Element subsectionDiv = parent.appendElement("div");
        Element header = subsectionDiv.appendElement("h2");
        header.text(headerText);
        header.attr("class", ContentViewerHtmlStyles.getHeaderClassName());
        return subsectionDiv;
    }

    static class ItemEntry<T> {
 
        private final String itemName;
        private final Function<T, String> valueRetriever;
 
        ItemEntry(String itemName, Function<T, String> valueRetriever) {
            this.itemName = itemName;
            this.valueRetriever = valueRetriever;
        }
 
        String getItemName() {
            return itemName;
        }
 
        Function<T, String> getValueRetriever() {
            return valueRetriever;
        }
 
        String retrieveValue(T object) {
            return valueRetriever.apply(object);
        }
    }

    static class SectionConfig<T> {
 
        private final String title;
        private final List<ItemEntry<T>> attributes;
 
        SectionConfig(String title, List<ItemEntry<T>> attributes) {
            this.title = title;
            this.attributes = attributes;
        }

        String getTitle() {
            return title;
        }

        List<ItemEntry<T>> getAttributes() {
            return attributes;
        }
    }

    static class DisplayTskItems {
 
        private final BlackboardArtifact artifact;
        private final Content content;

        DisplayTskItems(BlackboardArtifact artifact, Content content) {
            this.artifact = artifact;
            this.content = content;
        }

        BlackboardArtifact getArtifact() {
            return artifact;
        }

        Content getContent() {
            return content;
        }
    }
}