api-docs/4.22.1/_cyber_triage_data_8java_source.html

/*

 * Autopsy Forensic Browser

 *

 * Copyright 2026 Basis Technology Corp.

 * Contact: carrier <at> sleuthkit <dot> org

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package org.sleuthkit.autopsy.datamodel;


import com.google.gson.JsonElement;

import com.google.gson.JsonObject;

import com.google.gson.JsonParseException;

import com.google.gson.JsonParser;

import com.google.gson.JsonPrimitive;

import java.sql.ResultSet;

import java.sql.SQLException;

import java.text.SimpleDateFormat;

import java.util.Date;

import java.util.List;

import java.util.Map;

import java.util.logging.Level;

import org.openide.nodes.ChildFactory;

import org.openide.nodes.Children;

import org.openide.nodes.Node;

import org.openide.nodes.Sheet;

import org.openide.util.lookup.Lookups;

import org.sleuthkit.autopsy.coreutils.Logger;

import org.sleuthkit.autopsy.coreutils.TimeZoneUtils;

import org.sleuthkit.datamodel.SleuthkitCase;

import org.sleuthkit.datamodel.TskCoreException;


public class CyberTriageData implements AutopsyVisitableItem {


    private final SleuthkitCase skCase;


    public CyberTriageData(SleuthkitCase skCase) {

        this.skCase = skCase;

    }


    public SleuthkitCase getSleuthkitCase() {

        return skCase;

    }


    @Override

    public <T> T accept(AutopsyItemVisitor<T> visitor) {

        return visitor.visit(this);

    }


    public static final String CT_JSON_ATTRIBUTE_TYPE_NAME = "CT_JSON_DATA_ATTRIBUTE";


    public static boolean isCyberTriageDatabase(SleuthkitCase skCase) {

        try (SleuthkitCase.CaseDbQuery dbQuery = skCase.executeQuery(

                "SELECT name FROM sqlite_master WHERE type='table' AND name='ct_errors'")) {

            return dbQuery.getResultSet().next();

        } catch (TskCoreException | SQLException ex) {

            return false;

        }

    }


    public static void addCtJsonProperties(Map<String, Object> map, String json) {

        if (json == null || json.isEmpty()) {

            return;

        }

        try {

            JsonObject obj = JsonParser.parseString(json).getAsJsonObject();

            for (Map.Entry<String, JsonElement> entry : obj.entrySet()) {

                JsonElement value = entry.getValue();

                if (value.isJsonNull()) {

                    continue;

                }

                String key = "CT " + entry.getKey();

                if (value.isJsonPrimitive()) {

                    JsonPrimitive primitive = value.getAsJsonPrimitive();

                    if (primitive.isNumber()) {

                        String lowerName = entry.getKey().toLowerCase();

                        if (lowerName.contains("date") || lowerName.contains("time")) {

                            long numVal = primitive.getAsLong();

                            // CT stores some timestamps in milliseconds; values > 10^10

                            // are ms and must be converted to seconds for TimeZoneUtils.

                            long seconds = (numVal > 10_000_000_000L) ? numVal / 1000 : numVal;

                            map.put(key, TimeZoneUtils.getFormattedTime(seconds));

                        } else {

                            map.put(key, primitive.getAsNumber());

                        }

                    } else if (primitive.isBoolean()) {

                        map.put(key, primitive.getAsBoolean());

                    } else {

                        map.put(key, primitive.getAsString());

                    }

                } else {

                    // Nested object or array — store as string

                    map.put(key, value.toString());

                }

            }

        } catch (JsonParseException | IllegalStateException ex) {

            Logger.getLogger(CyberTriageData.class.getName())

                    .log(Level.WARNING, "Failed to parse CT_JSON_DATA_ATTRIBUTE value", ex);

        }

    }


    // -------------------------------------------------------------------------

    // Root node

    // -------------------------------------------------------------------------


    public static class RootNode extends DisplayableItemNode {


        private static final String DISPLAY_NAME = "Addl. Cyber Triage Data";

        private static final String ICON_PATH = "org/sleuthkit/autopsy/images/extracted_content.png";


        public RootNode(SleuthkitCase skCase) {

            super(Children.create(new RootChildFactory(skCase), true),

                    Lookups.singleton(DISPLAY_NAME));

            setName(DISPLAY_NAME);

            setDisplayName(DISPLAY_NAME);

            setIconBaseWithExtension(ICON_PATH);

        }


        @Override


        public boolean isLeafTypeNode() {

            return false;

        }


        @Override

        public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

            return visitor.visit(this);

        }


        @Override


        public String getItemType() {

            return getClass().getName();

        }


    }


    private static class RootChildFactory extends ChildFactory<String> {


        private final SleuthkitCase skCase;


        RootChildFactory(SleuthkitCase skCase) {

            this.skCase = skCase;

        }


        @Override


        protected boolean createKeys(List<String> list) {

            list.add("ERRORS");

            return true;

        }


        @Override


        protected Node createNodeForKey(String key) {

            if ("ERRORS".equals(key)) {

                return new ErrorsNode(skCase);

            }

            return null;

        }


    }


    // -------------------------------------------------------------------------

    // Errors node

    // -------------------------------------------------------------------------


    public static class ErrorsNode extends DisplayableItemNode {


        private static final String DISPLAY_NAME = "Errors";

        private static final String ICON_PATH = "org/sleuthkit/autopsy/images/error-icon-16.png";


        public ErrorsNode(SleuthkitCase skCase) {

            super(Children.create(new ErrorsChildFactory(skCase), true),

                    Lookups.singleton(DISPLAY_NAME));

            setName(DISPLAY_NAME);

            setDisplayName(DISPLAY_NAME);

            setIconBaseWithExtension(ICON_PATH);

        }


        @Override


        public boolean isLeafTypeNode() {

            return false;

        }


        @Override

        public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

            return visitor.visit(this);

        }


        @Override


        public String getItemType() {

            return getClass().getName();

        }


    }


    // -------------------------------------------------------------------------

    // Error data and leaf nodes

    // -------------------------------------------------------------------------


    public static class CtError {


        public final long id;

        public final String title;

        public final String description;

        public final String stackTrace;

        public final long timestamp;

        public final String severity;


        CtError(long id, String title, String description,

                String stackTrace, long timestamp, String severity) {

            this.id = id;

            this.title = title;

            this.description = description;

            this.stackTrace = stackTrace;

            this.timestamp = timestamp;

            this.severity = severity;

        }

    }


    private static class ErrorsChildFactory extends ChildFactory<CtError> {


        private static final Logger logger = Logger.getLogger(ErrorsChildFactory.class.getName());

        private final SleuthkitCase skCase;


        ErrorsChildFactory(SleuthkitCase skCase) {

            this.skCase = skCase;

        }


        @Override


        protected boolean createKeys(List<CtError> list) {

            String query = "SELECT id, title, description, stack_trace, time_stamp, severity "

                    + "FROM ct_errors ORDER BY time_stamp DESC";

            try (SleuthkitCase.CaseDbQuery dbQuery = skCase.executeQuery(query)) {

                ResultSet rs = dbQuery.getResultSet();

                while (rs.next()) {

                    list.add(new CtError(

                            rs.getLong("id"),

                            rs.getString("title"),

                            rs.getString("description"),

                            rs.getString("stack_trace"),

                            rs.getLong("time_stamp"),

                            rs.getString("severity")));

                }

            } catch (TskCoreException | SQLException ex) {

                logger.log(Level.WARNING, "Failed to query ct_errors table", ex);

            }

            return true;

        }


        @Override


        protected Node createNodeForKey(CtError error) {

            return new ErrorNode(error);

        }


    }


    public static class ErrorNode extends DisplayableItemNode {


        private static final String ICON_PATH = "org/sleuthkit/autopsy/images/warning-icon-16.png";

        private static final SimpleDateFormat DATE_FORMAT

                = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");


        private final CtError error;


        ErrorNode(CtError error) {

            super(Children.LEAF, Lookups.singleton(error));

            this.error = error;

            setName(Long.toString(error.id));

            setDisplayName(error.title);

            setIconBaseWithExtension(ICON_PATH);

        }


        @Override


        public boolean isLeafTypeNode() {

            return true;

        }


        @Override

        public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

            return visitor.visit(this);

        }


        @Override


        public String getItemType() {

            return getClass().getName();

        }


        @Override


        protected Sheet createSheet() {

            Sheet sheet = super.createSheet();

            Sheet.Set props = sheet.get(Sheet.PROPERTIES);

            if (props == null) {

                props = Sheet.createPropertiesSet();

                sheet.put(props);

            }

            props.put(new NodeProperty<>("Severity", "Severity", "Severity of the error",

                    error.severity != null ? error.severity : ""));

            props.put(new NodeProperty<>("Title", "Title", "Error title",

                    error.title != null ? error.title : ""));

            props.put(new NodeProperty<>("Description", "Description", "Error description",

                    error.description != null ? error.description : ""));

            props.put(new NodeProperty<>("Timestamp", "Timestamp", "When the error occurred",

                    DATE_FORMAT.format(new Date(error.timestamp * 1000))));

            props.put(new NodeProperty<>("StackTrace", "Stack Trace", "Error stack trace",

                    error.stackTrace != null ? error.stackTrace : ""));

            return sheet;

        }


    }


}


org.sleuthkit.autopsy.coreutils.Logger
Definition Logger.java:36

org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition Logger.java:124

org.sleuthkit.autopsy.coreutils.TimeZoneUtils
Definition TimeZoneUtils.java:36

org.sleuthkit.autopsy.coreutils.TimeZoneUtils.getFormattedTime
static String getFormattedTime(long epochTime)
Definition TimeZoneUtils.java:145

org.sleuthkit.autopsy.datamodel.CyberTriageData.CtError
Definition CyberTriageData.java:241

org.sleuthkit.autopsy.datamodel.CyberTriageData.CtError.stackTrace
final String stackTrace
Definition CyberTriageData.java:246

org.sleuthkit.autopsy.datamodel.CyberTriageData.CtError.timestamp
final long timestamp
Definition CyberTriageData.java:247

org.sleuthkit.autopsy.datamodel.CyberTriageData.CtError.title
final String title
Definition CyberTriageData.java:244

org.sleuthkit.autopsy.datamodel.CyberTriageData.CtError.severity
final String severity
Definition CyberTriageData.java:248

org.sleuthkit.autopsy.datamodel.CyberTriageData.CtError.id
final long id
Definition CyberTriageData.java:243

org.sleuthkit.autopsy.datamodel.CyberTriageData.CtError.description
final String description
Definition CyberTriageData.java:245

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorNode
Definition CyberTriageData.java:303

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorNode.ICON_PATH
static final String ICON_PATH
Definition CyberTriageData.java:305

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorNode.error
final CtError error
Definition CyberTriageData.java:309

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorNode.getItemType
String getItemType()
Definition CyberTriageData.java:330

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorNode.DATE_FORMAT
static final SimpleDateFormat DATE_FORMAT
Definition CyberTriageData.java:307

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorNode.createSheet
Sheet createSheet()
Definition CyberTriageData.java:335

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition CyberTriageData.java:320

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsChildFactory
Definition CyberTriageData.java:264

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsChildFactory.skCase
final SleuthkitCase skCase
Definition CyberTriageData.java:267

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsChildFactory.createNodeForKey
Node createNodeForKey(CtError error)
Definition CyberTriageData.java:295

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsChildFactory.createKeys
boolean createKeys(List< CtError > list)
Definition CyberTriageData.java:274

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsChildFactory.logger
static final Logger logger
Definition CyberTriageData.java:266

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsNode
Definition CyberTriageData.java:205

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition CyberTriageData.java:219

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsNode.ErrorsNode
ErrorsNode(SleuthkitCase skCase)
Definition CyberTriageData.java:210

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsNode.DISPLAY_NAME
static final String DISPLAY_NAME
Definition CyberTriageData.java:207

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsNode.getItemType
String getItemType()
Definition CyberTriageData.java:229

org.sleuthkit.autopsy.datamodel.CyberTriageData.ErrorsNode.ICON_PATH
static final String ICON_PATH
Definition CyberTriageData.java:208

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootChildFactory
Definition CyberTriageData.java:175

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootChildFactory.createNodeForKey
Node createNodeForKey(String key)
Definition CyberTriageData.java:190

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootChildFactory.skCase
final SleuthkitCase skCase
Definition CyberTriageData.java:177

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootChildFactory.createKeys
boolean createKeys(List< String > list)
Definition CyberTriageData.java:184

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootNode.getItemType
String getItemType()
Definition CyberTriageData.java:166

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootNode.ICON_PATH
static final String ICON_PATH
Definition CyberTriageData.java:145

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootNode.RootNode
RootNode(SleuthkitCase skCase)
Definition CyberTriageData.java:147

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition CyberTriageData.java:156

org.sleuthkit.autopsy.datamodel.CyberTriageData.RootNode.DISPLAY_NAME
static final String DISPLAY_NAME
Definition CyberTriageData.java:144

org.sleuthkit.autopsy.datamodel.CyberTriageData.isCyberTriageDatabase
static boolean isCyberTriageDatabase(SleuthkitCase skCase)
Definition CyberTriageData.java:75

org.sleuthkit.autopsy.datamodel.CyberTriageData.CyberTriageData
CyberTriageData(SleuthkitCase skCase)
Definition CyberTriageData.java:52

org.sleuthkit.autopsy.datamodel.CyberTriageData.skCase
final SleuthkitCase skCase
Definition CyberTriageData.java:50

org.sleuthkit.autopsy.datamodel.CyberTriageData.getSleuthkitCase
SleuthkitCase getSleuthkitCase()
Definition CyberTriageData.java:56

org.sleuthkit.autopsy.datamodel.CyberTriageData.addCtJsonProperties
static void addCtJsonProperties(Map< String, Object > map, String json)
Definition CyberTriageData.java:94

org.sleuthkit.autopsy.datamodel.CyberTriageData.CT_JSON_ATTRIBUTE_TYPE_NAME
static final String CT_JSON_ATTRIBUTE_TYPE_NAME
Definition CyberTriageData.java:69

org.sleuthkit.autopsy.datamodel.DisplayableItemNode.DisplayableItemNode
DisplayableItemNode(Children children)
Definition DisplayableItemNode.java:78

org.sleuthkit.autopsy.datamodel.NodeProperty
Definition NodeProperty.java:28

org.sleuthkit.autopsy.datamodel.AutopsyItemVisitor
Definition AutopsyItemVisitor.java:28

org.sleuthkit.autopsy.datamodel.AutopsyItemVisitor.visit
T visit(DataSources i)

org.sleuthkit.autopsy.datamodel.AutopsyVisitableItem
Definition AutopsyVisitableItem.java:26

org.sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor
Definition DisplayableItemNodeVisitor.java:42

org.sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor.visit
T visit(DataSourceFilesNode in)