Autopsy 4.22.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
EventNode.java
Go to the documentation of this file.
1/*
2 * Autopsy Forensic Browser
3 *
4 * Copyright 2011-2019 Basis Technology Corp.
5 * Contact: carrier <at> sleuthkit <dot> org
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19package org.sleuthkit.autopsy.timeline.explorernodes;
20
21import java.lang.reflect.InvocationTargetException;
22import java.text.MessageFormat;
23import java.util.ArrayList;
24import java.util.Collection;
25import java.util.Collections;
26import java.util.HashSet;
27import java.util.List;
28import java.util.logging.Level;
29import javax.annotation.Nonnull;
30import javax.swing.Action;
31import org.joda.time.DateTime;
32import org.joda.time.DateTimeZone;
33import org.openide.nodes.Children;
34import org.openide.nodes.PropertySupport;
35import org.openide.nodes.Sheet;
36import org.openide.util.NbBundle;
37import org.openide.util.Utilities;
38import org.openide.util.lookup.Lookups;
39import org.sleuthkit.autopsy.actions.AddBlackboardArtifactTagAction;
40import org.sleuthkit.autopsy.actions.DeleteFileBlackboardArtifactTagAction;
41import org.sleuthkit.autopsy.coreutils.ContextMenuExtensionPoint;
42import org.sleuthkit.autopsy.coreutils.Logger;
43import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
44import org.sleuthkit.autopsy.datamodel.DataModelActionsFactory;
45import org.sleuthkit.autopsy.datamodel.DisplayableItemNode;
46import org.sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor;
47import org.sleuthkit.autopsy.datamodel.NodeProperty;
48import org.sleuthkit.autopsy.timeline.EventsModel;
49import org.sleuthkit.autopsy.timeline.TimeLineController;
50import org.sleuthkit.autopsy.timeline.actions.ViewFileInTimelineAction;
51import org.sleuthkit.autopsy.timeline.ui.EventTypeUtils;
52import org.sleuthkit.datamodel.AbstractFile;
53import org.sleuthkit.datamodel.BlackboardArtifact;
54import org.sleuthkit.datamodel.BlackboardAttribute;
55import org.sleuthkit.datamodel.Content;
56import org.sleuthkit.datamodel.SleuthkitCase;
57import org.sleuthkit.datamodel.TskCoreException;
58import org.sleuthkit.datamodel.TimelineEventType;
59import org.sleuthkit.datamodel.TimelineEvent;
60import org.sleuthkit.datamodel.TimelineLevelOfDetail;
61
65public class EventNode extends DisplayableItemNode {
66
67 private static final Logger logger = Logger.getLogger(EventNode.class.getName());
68
69 private final TimelineEvent event;
70
80 EventNode(@Nonnull TimelineEvent event, @Nonnull Content file, @Nonnull BlackboardArtifact artifact) {
81 super(Children.LEAF, Lookups.fixed(event, file, artifact));
82 this.event = event;
83 TimelineEventType evenType = event.getEventType();
84 this.setIconBaseWithExtension(EventTypeUtils.getImagePath(evenType));
85 }
86
93 EventNode(@Nonnull TimelineEvent event, @Nonnull Content file) {
94 super(Children.LEAF, Lookups.fixed(event, file));
95 this.event = event;
96 TimelineEventType evenType = event.getEventType();
97 this.setIconBaseWithExtension(EventTypeUtils.getImagePath(evenType));
98 }
99
100 @Override
101 @NbBundle.Messages({
102 "NodeProperty.displayName.icon=Icon",
103 "NodeProperty.displayName.description=Description",
104 "NodeProperty.displayName.eventType=Event Type",
105 "NodeProperty.displayName.known=Known",
106 "NodeProperty.displayName.dateTime=Date/Time"})
107 protected Sheet createSheet() {
108 Sheet sheet = super.createSheet();
109 Sheet.Set properties = sheet.get(Sheet.PROPERTIES);
110 if (properties == null) {
111 properties = Sheet.createPropertiesSet();
112 sheet.put(properties);
113 }
114
115 properties.put(new NodeProperty<>("icon", Bundle.NodeProperty_displayName_icon(), "icon", true)); // NON-NLS //gets overridden with icon
116 properties.put(new TimeProperty("time", Bundle.NodeProperty_displayName_dateTime(), "time ", getDateTimeString()));// NON-NLS
117 properties.put(new NodeProperty<>("description", Bundle.NodeProperty_displayName_description(), "description", event.getDescription(TimelineLevelOfDetail.HIGH))); // NON-NLS
118 properties.put(new NodeProperty<>("eventType", Bundle.NodeProperty_displayName_eventType(), "event type", event.getEventType().getDisplayName())); // NON-NLS
119
120 return sheet;
121 }
122
130 private String getDateTimeString() {
131 return new DateTime(event.getEventTimeInMs(), DateTimeZone.UTC).toString(TimeLineController.getZonedFormatter());
132 }
133
134 @Override
135 @NbBundle.Messages({
136 "EventNode.getAction.errorTitle=Error getting actions",
137 "EventNode.getAction.linkedFileMessage=There was a problem getting actions for the selected result. "
138 + " The 'View File in Timeline' action will not be available."})
139 public Action[] getActions(boolean context) {
140 List<Action> actionsList = new ArrayList<>();
141 Collections.addAll(actionsList, super.getActions(context));
142 /*
143 * If this event is derived from an artifact, add actions to view the
144 * source file and a "linked" file, if present.
145 */
146 final BlackboardArtifact artifact = getLookup().lookup(BlackboardArtifact.class);
147 final Content sourceFile = getLookup().lookup(Content.class);
148 if (artifact != null) {
149 try {
150 //find a linked file such as a downloaded file.
151 AbstractFile linkedfile = findLinked(artifact);
152 if (linkedfile != null) {
153 actionsList.add(ViewFileInTimelineAction.createViewFileAction(linkedfile));
154 }
155 } catch (TskCoreException ex) {
156 logger.log(Level.SEVERE, MessageFormat.format("Error getting linked file from blackboard artifact{0}.", artifact.getArtifactID()), ex); //NON-NLS
157 MessageNotifyUtil.Notify.error(Bundle.EventNode_getAction_errorTitle(), Bundle.EventNode_getAction_linkedFileMessage());
158 }
159
160 //add the action to view the content in the timeline, only for abstract files ( ie with times)
161 if (sourceFile instanceof AbstractFile) {
162 actionsList.add(ViewFileInTimelineAction.createViewSourceFileAction((AbstractFile) sourceFile));
163 }
164 }
165
166 //get default actions for the source file
167 List<Action> factoryActions = DataModelActionsFactory.getActions(sourceFile, artifact != null);
168 actionsList.addAll(factoryActions);
169 if (factoryActions.isEmpty()) { // if there were no factory supplied actions, at least add the tagging actions.
170 actionsList.add(AddBlackboardArtifactTagAction.getInstance());
171 if (isExactlyOneArtifactSelected()) {
172 actionsList.add(DeleteFileBlackboardArtifactTagAction.getInstance());
173 }
174 actionsList.addAll(ContextMenuExtensionPoint.getActions());
175 }
176 return actionsList.toArray(new Action[actionsList.size()]);
177 }
178
188 private static AbstractFile findLinked(BlackboardArtifact artifact) throws TskCoreException {
189 BlackboardAttribute pathIDAttribute = artifact.getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID));
190 if (pathIDAttribute != null) {
191 long contentID = pathIDAttribute.getValueLong();
192 if (contentID != -1) {
193 return artifact.getSleuthkitCase().getAbstractFileById(contentID);
194 }
195 }
196 return null;
197 }
198
199 @Override
200 public boolean isLeafTypeNode() {
201 return true;
202 }
203
204 @Override
205 public <T> T accept(DisplayableItemNodeVisitor<T> dinv) {
206 throw new UnsupportedOperationException("Not supported yet."); // NON-NLS
207 }
208
209 @Override
210 public String getItemType() {
211 return getClass().getName();
212 }
213
218 final private class TimeProperty extends PropertySupport.ReadWrite<String> {
219
220 private String value;
221
222 @Override
223 public boolean canWrite() {
224 return false;
225 }
226
227 TimeProperty(String name, String displayName, String shortDescription, String value) {
228 super(name, String.class, displayName, shortDescription);
229 setValue("suppressCustomEditor", Boolean.TRUE); // remove the "..." (editing) button NON-NLS
230 this.value = value;
231 TimeLineController.timeZoneProperty().addListener(timeZone -> {
232 try {
233 setValue(getDateTimeString());
234 } catch (IllegalAccessException | IllegalArgumentException | InvocationTargetException ex) {
235 logger.log(Level.SEVERE, "Unexpected error setting date/time property on EventNode explorer node", ex); //NON-NLS
236 }
237 });
238
239 }
240
241 @Override
242 public String getValue() throws IllegalAccessException, InvocationTargetException {
243 return value;
244 }
245
246 @Override
247 public void setValue(String newValue) throws IllegalAccessException, IllegalArgumentException, InvocationTargetException {
248 String oldValue = getValue();
249 value = newValue;
250 firePropertyChange("time", oldValue, newValue); // NON-NLS
251 }
252 }
253
264 public static EventNode createEventNode(final Long eventID, EventsModel eventsModel) throws TskCoreException {
265
266 SleuthkitCase sleuthkitCase = eventsModel.getSleuthkitCase();
267
268 /*
269 * Look up the event by id and creata an EventNode with the appropriate
270 * data in the lookup.
271 */
272 final TimelineEvent eventById = eventsModel.getEventById(eventID);
273 Content file = sleuthkitCase.getContentById(eventById.getContentObjID());
274
275 if (eventById.getArtifactID().isPresent()) {
276 BlackboardArtifact blackboardArtifact = sleuthkitCase.getBlackboardArtifact(eventById.getArtifactID().get());
277 return new EventNode(eventById, file, blackboardArtifact);
278 } else {
279 return new EventNode(eventById, file);
280 }
281 }
282
283 private static boolean isExactlyOneArtifactSelected() {
284 final Collection<BlackboardArtifact> selectedArtifactsList
285 = new HashSet<>(Utilities.actionsGlobalContext().lookupAll(BlackboardArtifact.class));
286 return selectedArtifactsList.size() == 1;
287 }
288}
org.sleuthkit.autopsy.actions.AddBlackboardArtifactTagAction.getInstance
static synchronized AddBlackboardArtifactTagAction getInstance()
Definition AddBlackboardArtifactTagAction.java:57
org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition Logger.java:124
org.sleuthkit.autopsy.datamodel.DataModelActionsFactory.getActions
static List< Action > getActions(File file, boolean isArtifactSource)
Definition DataModelActionsFactory.java:84
org.sleuthkit.autopsy.timeline.TimeLineController.timeZoneProperty
static ReadOnlyObjectProperty< TimeZone > timeZoneProperty()
Definition TimeLineController.java:141
org.sleuthkit.autopsy.timeline.actions.ViewFileInTimelineAction.createViewSourceFileAction
static ViewFileInTimelineAction createViewSourceFileAction(AbstractFile file)
Definition ViewFileInTimelineAction.java:75
org.sleuthkit.autopsy.timeline.actions.ViewFileInTimelineAction.createViewFileAction
static ViewFileInTimelineAction createViewFileAction(AbstractFile file)
Definition ViewFileInTimelineAction.java:70
org.sleuthkit.autopsy.timeline.explorernodes.EventNode.createEventNode
static EventNode createEventNode(final Long eventID, EventsModel eventsModel)
Definition EventNode.java:264
org.sleuthkit.autopsy.timeline.explorernodes.EventNode.findLinked
static AbstractFile findLinked(BlackboardArtifact artifact)
Definition EventNode.java:188
org.sleuthkit.autopsy.timeline.ui.EventTypeUtils.getImagePath
static String getImagePath(TimelineEventType type)
Definition EventTypeUtils.java:41

Copyright © 2012-2024 Sleuth Kit Labs. Generated on:
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.