DataSourceInfoUtilities.java

Go to the documentation of this file.

/*
 * Autopsy Forensic Browser
 *
 * Copyright 2019 - 2021 Basis Technology Corp.
 * Contact: carrier <at> sleuthkit <dot> org
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.sleuthkit.autopsy.datasourcesummary.datamodel;
 
import java.sql.ResultSet;
import java.sql.SQLException;
import java.text.DecimalFormat;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Date;
import java.util.List;
import java.util.SortedMap;
import java.util.TreeMap;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.apache.commons.lang.StringUtils;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.BlackboardAttribute.Type;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.TskData.TSK_DB_FILES_TYPE_ENUM;
import org.sleuthkit.datamodel.TskData.TSK_FS_META_FLAG_ENUM;
import org.sleuthkit.datamodel.TskData.TSK_FS_META_TYPE_ENUM;

public final class DataSourceInfoUtilities {
 
    public static final String COMMA_FORMAT_STR = "#,###";
    public static final DecimalFormat COMMA_FORMATTER = new DecimalFormat(COMMA_FORMAT_STR);

    static Long getCountOfTskFiles(SleuthkitCase skCase, DataSource currentDataSource, String additionalWhere)
            throws TskCoreException, SQLException {
        if (currentDataSource != null) {
            return skCase.countFilesWhere(
                    "data_source_obj_id=" + currentDataSource.getId()
                    + (StringUtils.isBlank(additionalWhere) ? "" : (" AND " + additionalWhere)));
        }
        return null;
    }

    static Long getCountOfRegularFiles(SleuthkitCase skCase, DataSource currentDataSource, String additionalWhere)
            throws TskCoreException, SQLException {
        String whereClause = "meta_type=" + TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG.getValue();
 
        if (StringUtils.isNotBlank(additionalWhere)) {
            whereClause += " AND " + additionalWhere;
        }
 
        return getCountOfTskFiles(skCase, currentDataSource, whereClause);
    }

    public static Long getCountOfRegNonSlackFiles(SleuthkitCase skCase, DataSource currentDataSource, String additionalWhere)
            throws TskCoreException, SQLException {
        String whereClause = "meta_type=" + TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG.getValue()
                + " AND type<>" + TSK_DB_FILES_TYPE_ENUM.SLACK.getFileType();
 
        if (StringUtils.isNotBlank(additionalWhere)) {
            whereClause += " AND " + additionalWhere;
        }
 
        return getCountOfTskFiles(skCase, currentDataSource, whereClause);
    }

    public interface ResultSetHandler<T> {
 
        T process(ResultSet resultset) throws SQLException;
    }

    static <T> T getBaseQueryResult(SleuthkitCase skCase, String query, ResultSetHandler<T> processor)
            throws TskCoreException, SQLException {
        try (SleuthkitCase.CaseDbQuery dbQuery = skCase.executeQuery(query)) {
            ResultSet resultSet = dbQuery.getResultSet();
            return processor.process(resultSet);
        }
    }

    public static String getMetaFlagsContainsStatement(TSK_FS_META_FLAG_ENUM flag) {
        return "meta_flags & " + flag.getValue() + " > 0";
    }

    public enum SortOrder {
        DESCENDING,
        ASCENDING
    }

    public static List<BlackboardArtifact> getArtifacts(SleuthkitCase skCase, BlackboardArtifact.Type artifactType, DataSource dataSource, BlackboardAttribute.Type attributeType, SortOrder sortOrder) throws TskCoreException {
        return getArtifacts(skCase, artifactType, dataSource, attributeType, sortOrder, 0);
    }

    public static List<BlackboardArtifact> getArtifacts(SleuthkitCase skCase, BlackboardArtifact.Type artifactType, DataSource dataSource, BlackboardAttribute.Type attributeType, SortOrder sortOrder, int maxCount) throws TskCoreException {
        if (maxCount < 0) {
            throw new IllegalArgumentException("Invalid maxCount passed to getArtifacts, value must be equal to or greater than 0");
        }
 
        return createListFromMap(getArtifactMap(skCase, artifactType, dataSource, attributeType, sortOrder), maxCount);
    }

    private DataSourceInfoUtilities() {
    }

    static private SortedMap<BlackboardAttribute, List<BlackboardArtifact>> getArtifactMap(SleuthkitCase skCase, BlackboardArtifact.Type artifactType, DataSource dataSource, BlackboardAttribute.Type attributeType, SortOrder sortOrder) throws TskCoreException {
        SortedMap<BlackboardAttribute, List<BlackboardArtifact>> sortedMap = new TreeMap<>(new AttributeComparator(sortOrder));
        List<BlackboardArtifact> artifactList = skCase.getBlackboard().getArtifacts(artifactType.getTypeID(), dataSource.getId());
 
        for (BlackboardArtifact artifact : artifactList) {
            BlackboardAttribute attribute = artifact.getAttribute(attributeType);
            if (attribute == null) {
                continue;
            }
 
            List<BlackboardArtifact> mapArtifactList = sortedMap.get(attribute);
            if (mapArtifactList == null) {
                mapArtifactList = new ArrayList<>();
                sortedMap.put(attribute, mapArtifactList);
            }
 
            mapArtifactList.add(artifact);
        }
 
        return sortedMap;
    }

    static private List<BlackboardArtifact> createListFromMap(SortedMap<BlackboardAttribute, List<BlackboardArtifact>> sortedMap, int maxCount) {
        List<BlackboardArtifact> artifactList = new ArrayList<>();
 
        for (List<BlackboardArtifact> mapArtifactList : sortedMap.values()) {
 
            if (maxCount == 0 || (artifactList.size() + mapArtifactList.size()) <= maxCount) {
                artifactList.addAll(mapArtifactList);
                continue;
            }
 
            if (maxCount == artifactList.size()) {
                break;
            }
 
            for (BlackboardArtifact artifact : mapArtifactList) {
                if (artifactList.size() < maxCount) {
                    artifactList.add(artifact);
                } else {
                    break;
                }
            }
        }
        return artifactList;
    }

    private static class AttributeComparator implements Comparator<BlackboardAttribute> {
 
        private final SortOrder direction;
 
        AttributeComparator(SortOrder direction) {
            this.direction = direction;
        }
 
        @Override
        public int compare(BlackboardAttribute attribute1, BlackboardAttribute attribute2) {
            if (!attribute1.getAttributeType().equals(attribute2.getAttributeType())) {
                throw new IllegalArgumentException("Unable to compare attributes of different types");
            }
 
            int result = compare(attribute1.getAttributeType(), attribute1, attribute2);
 
            if (direction == SortOrder.DESCENDING) {
                result *= -1;
            }
 
            return result;
        }

        private int compare(BlackboardAttribute.Type type, BlackboardAttribute attribute1, BlackboardAttribute attribute2) {
            switch (type.getValueType()) {
                case STRING:
                    return attribute1.getValueString().compareToIgnoreCase(attribute2.getValueString());
                case INTEGER:
                    return Integer.compare(attribute1.getValueInt(), attribute2.getValueInt());
                case LONG:
                case DATETIME:
                    return Long.compare(attribute1.getValueLong(), attribute2.getValueLong());
                case DOUBLE:
                    return Double.compare(attribute1.getValueDouble(), attribute2.getValueDouble());
                case BYTE:
                case JSON:
                default:
                    throw new IllegalArgumentException("Unable to compare attributes of type " + attribute1.getAttributeType().getTypeName());
            }
        }
    }

    private static BlackboardAttribute getAttributeOrNull(BlackboardArtifact artifact, Type attributeType) {
        try {
            return artifact.getAttribute(attributeType);
        } catch (TskCoreException ex) {
            return null;
        }
    }

    public static String getStringOrNull(BlackboardArtifact artifact, Type attributeType) {
        BlackboardAttribute attr = getAttributeOrNull(artifact, attributeType);
        return (attr == null) ? null : attr.getValueString();
    }

    public static Long getLongOrNull(BlackboardArtifact artifact, Type attributeType) {
        BlackboardAttribute attr = getAttributeOrNull(artifact, attributeType);
        return (attr == null) ? null : attr.getValueLong();
    }

    public static Integer getIntOrNull(BlackboardArtifact artifact, Type attributeType) {
        BlackboardAttribute attr = getAttributeOrNull(artifact, attributeType);
        return (attr == null) ? null : attr.getValueInt();
    }

    public static Date getDateOrNull(BlackboardArtifact artifact, Type attributeType) {
        Long longVal = getLongOrNull(artifact, attributeType);
        return (longVal == null || longVal == 0) ? null : new Date(longVal * 1000);
    }

    public static long getLongOrZero(Long longVal) {
        return longVal == null ? 0 : longVal;
    }

    public static String getStringOrZero(Long longVal) {
        return longVal == null ? "0" : COMMA_FORMATTER.format(longVal);
    }
}