ContainerSummary.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2020-2021 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.datasourcesummary.datamodel;
 
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.sleuthkit.autopsy.datasourcesummary.datamodel.SleuthkitCaseProvider.SleuthkitCaseProviderException;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData;

public class ContainerSummary {
 
    private final SleuthkitCaseProvider provider;

    public ContainerSummary() {
        this(SleuthkitCaseProvider.DEFAULT);
    }

    public ContainerSummary(SleuthkitCaseProvider provider) {
        this.provider = provider;
    }

    public Long getSizeOfUnallocatedFiles(DataSource currentDataSource)
            throws SleuthkitCaseProvider.SleuthkitCaseProviderException, TskCoreException, SQLException {
        if (currentDataSource == null) {
            return null;
        }
 
        final String valueParam = "value";
        final String countParam = "count";
        String query = "SELECT SUM(size) AS " + valueParam + ", COUNT(*) AS " + countParam
                + " FROM tsk_files"
                + " WHERE " + DataSourceInfoUtilities.getMetaFlagsContainsStatement(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)
                + " AND type<>" + TskData.TSK_DB_FILES_TYPE_ENUM.SLACK.getFileType()
                + " AND type<>" + TskData.TSK_DB_FILES_TYPE_ENUM.VIRTUAL_DIR.getFileType()
                + " AND dir_type<>" + TskData.TSK_FS_NAME_TYPE_ENUM.VIRT_DIR.getValue()
                + " AND name<>''"
                + " AND data_source_obj_id=" + currentDataSource.getId();
 
        DataSourceInfoUtilities.ResultSetHandler<Long> handler = (resultSet) -> {
            if (resultSet.next()) {
                // ensure that there is an unallocated count result that is attached to this data source
                long resultCount = resultSet.getLong(valueParam);
                return (resultCount > 0) ? resultSet.getLong(valueParam) : null;
            } else {
                return null;
            }
        };
 
        return DataSourceInfoUtilities.getBaseQueryResult(provider.get(), query, handler);
    }

    public String getOperatingSystems(DataSource dataSource)
            throws SleuthkitCaseProvider.SleuthkitCaseProviderException, TskCoreException, SQLException {
 
        if (dataSource == null) {
            return null;
        }
 
        return getConcattedAttrValue(dataSource.getId(),
                BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO.getTypeID(),
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID());
    }

    public String getDataSourceType(DataSource dataSource)
            throws SleuthkitCaseProvider.SleuthkitCaseProviderException, TskCoreException, SQLException {
 
        if (dataSource == null) {
            return null;
        }
 
        return getConcattedAttrValue(dataSource.getId(),
                BlackboardArtifact.ARTIFACT_TYPE.TSK_DATA_SOURCE_USAGE.getTypeID(),
                BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION.getTypeID());
    }

    private String getConcattedStringsResult(String query, String valueParam, String separator)
            throws SleuthkitCaseProvider.SleuthkitCaseProviderException, TskCoreException, SQLException {
 
        DataSourceInfoUtilities.ResultSetHandler<String> handler = (resultSet) -> {
            String toRet = "";
            boolean first = true;
            while (resultSet.next()) {
                if (first) {
                    first = false;
                } else {
                    toRet += separator;
                }
                toRet += resultSet.getString(valueParam);
            }
 
            return toRet;
        };
 
        return DataSourceInfoUtilities.getBaseQueryResult(provider.get(), query, handler);
    }

    private String getConcattedAttrValue(long dataSourceId, int artifactTypeId, int attributeTypeId)
            throws SleuthkitCaseProvider.SleuthkitCaseProviderException, TskCoreException, SQLException {
 
        final String valueParam = "concatted_attribute_value";
        String query = "SELECT attr.value_text AS " + valueParam
                + " FROM blackboard_artifacts bba "
                + " INNER JOIN blackboard_attributes attr ON bba.artifact_id = attr.artifact_id "
                + " WHERE bba.data_source_obj_id = " + dataSourceId
                + " AND bba.artifact_type_id = " + artifactTypeId
                + " AND attr.attribute_type_id = " + attributeTypeId;
 
        String separator = ", ";
        return getConcattedStringsResult(query, valueParam, separator);
    }

    public static class ImageDetails {
 
        private final Long unallocatedSize;
        private final long size;
        private final long sectorSize;
 
        private final String timeZone;
        private final String imageType;
 
        private final List<String> paths;
        private final String md5Hash;
        private final String sha1Hash;
        private final String sha256Hash;

        ImageDetails(Long unallocatedSize, long size, long sectorSize,
                String timeZone, String imageType, List<String> paths, String md5Hash,
                String sha1Hash, String sha256Hash) {
            this.unallocatedSize = unallocatedSize;
            this.size = size;
            this.sectorSize = sectorSize;
            this.timeZone = timeZone;
            this.imageType = imageType;
            this.paths = paths == null ? Collections.emptyList() : new ArrayList<>(paths);
            this.md5Hash = md5Hash;
            this.sha1Hash = sha1Hash;
            this.sha256Hash = sha256Hash;
        }

        public Long getUnallocatedSize() {
            return unallocatedSize;
        }

        public long getSize() {
            return size;
        }

        public long getSectorSize() {
            return sectorSize;
        }

        public String getTimeZone() {
            return timeZone;
        }

        public String getImageType() {
            return imageType;
        }

        public List<String> getPaths() {
            return Collections.unmodifiableList(paths);
        }

        public String getMd5Hash() {
            return md5Hash;
        }

        public String getSha1Hash() {
            return sha1Hash;
        }

        public String getSha256Hash() {
            return sha256Hash;
        }
    }

    public static class ContainerDetails {
 
        private final String displayName;
        private final String originalName;
        private final String deviceIdValue;
        private final String acquisitionDetails;
        private final ImageDetails imageDetails;

        ContainerDetails(String displayName, String originalName, String deviceIdValue,
                String acquisitionDetails, ImageDetails imageDetails) {
            this.displayName = displayName;
            this.originalName = originalName;
            this.deviceIdValue = deviceIdValue;
            this.acquisitionDetails = acquisitionDetails;
            this.imageDetails = imageDetails;
        }

        public String getDisplayName() {
            return displayName;
        }

        public String getOriginalName() {
            return originalName;
        }

        public String getDeviceId() {
            return deviceIdValue;
        }

        public String getAcquisitionDetails() {
            return acquisitionDetails;
        }

        public ImageDetails getImageDetails() {
            return imageDetails;
        }
    }

    public ContainerDetails getContainerDetails(DataSource ds) throws TskCoreException, SQLException, SleuthkitCaseProvider.SleuthkitCaseProviderException {
        if (ds == null) {
            return null;
        }
 
        return new ContainerDetails(
                ds.getName(),
                ds.getName(),
                ds.getDeviceId(),
                ds.getAcquisitionDetails(),
                ds instanceof Image ? getImageDetails((Image) ds) : null
        );
    }

    public ImageDetails getImageDetails(Image image) throws TskCoreException, SQLException, SleuthkitCaseProvider.SleuthkitCaseProviderException {
        if (image == null) {
            return null;
        }
 
        Long unallocSize = getSizeOfUnallocatedFiles(image);
        String imageType = image.getType().getName();
        long size = image.getSize();
        long sectorSize = image.getSsize();
        String timeZone = image.getTimeZone();
        List<String> paths = image.getPaths() == null ? Collections.emptyList() : Arrays.asList(image.getPaths());
        String md5 = image.getMd5();
        String sha1 = image.getSha1();
        String sha256 = image.getSha256();
 
        return new ImageDetails(unallocSize, size, sectorSize, timeZone, imageType, paths, md5, sha1, sha256);
    }
}