api-docs/4.22.1/_keyword_hits_8java_source.html

/*

 * Autopsy Forensic Browser

 *

 * Copyright 2011-2021 Basis Technology Corp.

 * Contact: carrier <at> sleuthkit <dot> org

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package org.sleuthkit.autopsy.datamodel;


import java.beans.PropertyChangeEvent;

import java.beans.PropertyChangeListener;

import java.sql.ResultSet;

import java.sql.SQLException;

import java.util.ArrayList;

import java.util.Collections;

import java.util.Comparator;

import java.util.EnumSet;

import java.util.HashMap;

import java.util.HashSet;

import java.util.LinkedHashMap;

import java.util.List;

import java.util.Map;

import java.util.Observable;

import java.util.Observer;

import java.util.Set;

import java.util.logging.Level;

import org.apache.commons.lang3.StringUtils;

import org.openide.nodes.ChildFactory;

import org.openide.nodes.Children;

import org.openide.nodes.Node;

import org.openide.nodes.Sheet;

import org.openide.util.Lookup;

import org.openide.util.NbBundle;

import org.openide.util.WeakListeners;

import org.openide.util.lookup.Lookups;

import org.sleuthkit.autopsy.casemodule.Case;

import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;

import org.sleuthkit.autopsy.coreutils.Logger;

import org.sleuthkit.autopsy.coreutils.TimeZoneUtils;

import static org.sleuthkit.autopsy.datamodel.Bundle.*;

import org.sleuthkit.autopsy.ingest.IngestManager;

import org.sleuthkit.autopsy.ingest.ModuleDataEvent;

import org.sleuthkit.datamodel.AbstractFile;

import org.sleuthkit.datamodel.BlackboardArtifact;

import org.sleuthkit.datamodel.BlackboardAttribute;

import org.sleuthkit.datamodel.SleuthkitCase;

import org.sleuthkit.datamodel.SleuthkitCase.CaseDbQuery;

import org.sleuthkit.datamodel.TskCoreException;

import static org.sleuthkit.datamodel.BlackboardArtifact.Type.TSK_KEYWORD_HIT;

import org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode;

import org.sleuthkit.datamodel.AnalysisResult;


public class KeywordHits implements AutopsyVisitableItem {


    private static final Logger logger = Logger.getLogger(KeywordHits.class.getName());

    private static final Set<IngestManager.IngestJobEvent> INGEST_JOB_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestJobEvent.COMPLETED, IngestManager.IngestJobEvent.CANCELLED);

    private static final Set<IngestManager.IngestModuleEvent> INGEST_MODULE_EVENTS_OF_INTEREST = EnumSet.of(IngestManager.IngestModuleEvent.DATA_ADDED);

    @NbBundle.Messages("KeywordHits.kwHits.text=Keyword Hits")

    private static final String KEYWORD_HITS = KeywordHits_kwHits_text();

    @NbBundle.Messages("KeywordHits.simpleLiteralSearch.text=Single Literal Keyword Search")

    private static final String SIMPLE_LITERAL_SEARCH = KeywordHits_simpleLiteralSearch_text();

    @NbBundle.Messages("KeywordHits.singleRegexSearch.text=Single Regular Expression Search")

    private static final String SIMPLE_REGEX_SEARCH = KeywordHits_singleRegexSearch_text();


    public static final String NAME = BlackboardArtifact.Type.TSK_KEYWORD_HIT.getTypeName();


    private SleuthkitCase skCase;

    private final KeywordResults keywordResults;

    private final long filteringDSObjId; // 0 if not filtering/grouping by data source


    private static final String DEFAULT_INSTANCE_NAME = "DEFAULT_INSTANCE_NAME";


    private static final String KEYWORD_HIT_ATTRIBUTES_QUERY = "SELECT blackboard_attributes.value_text, "//NON-NLS

            + "blackboard_attributes.value_int32, "//NON-NLS

            + "blackboard_artifacts.artifact_obj_id, " //NON-NLS

            + "blackboard_attributes.attribute_type_id "//NON-NLS

            + "FROM blackboard_attributes, blackboard_artifacts "//NON-NLS

            + "WHERE blackboard_attributes.artifact_id = blackboard_artifacts.artifact_id "//NON-NLS

            + " AND blackboard_artifacts.artifact_type_id = " + BlackboardArtifact.Type.TSK_KEYWORD_HIT.getTypeID() //NON-NLS

            + " AND (attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()//NON-NLS

            + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()//NON-NLS

            + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()//NON-NLS

            + " OR attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID()//NON-NLS

            + ")"; //NON-NLS


    static private boolean isOnlyDefaultInstance(List<String> instances) {

        return (instances.size() == 1) && (instances.get(0).equals(DEFAULT_INSTANCE_NAME));

    }


    KeywordHits(SleuthkitCase skCase) {

        this(skCase, 0);

    }


    public KeywordHits(SleuthkitCase skCase, long objId) {

        this.skCase = skCase;

        this.filteringDSObjId = objId;

        keywordResults = new KeywordResults();

    }


    /*

     * All of these maps and code assume the following: Regexps will have an

     * 'instance' layer that shows the specific words that matched the regexp

     * Exact match and substring will not have the instance layer and instead

     * will have the specific hits below their term.

     */


    private final class KeywordResults extends Observable {


        // Map from listName/Type to Map of keywords/regexp to Map of instance terms to Set of artifact Ids

        // NOTE: the map can be accessed by multiple worker threads and needs to be synchronized

        private final Map<String, Map<String, Map<String, Set<Long>>>> topLevelMap = new LinkedHashMap<>();


        KeywordResults() {

            update();

        }


        List<String> getListNames() {

            synchronized (topLevelMap) {

                List<String> names = new ArrayList<>(topLevelMap.keySet());


                // sort the list names, but ensure that the special lists

                // stay at the top.

                Collections.sort(names, new Comparator<String>() {


                    @Override

                    public int compare(String o1, String o2) {

                        // ideally, they would not be hard coded, but this module

                        // doesn't know about Keyword Search NBM

                        if (o1.startsWith("Single Literal Keyword Search")) {

                            return -1;

                        } else if (o2.startsWith("Single Literal Keyword Search")) {

                            return 1;

                        } else if (o1.startsWith("Single Regular Expression Search")) {

                            return -1;

                        } else if (o2.startsWith("Single Regular Expression Search")) {

                            return 1;

                        }

                        return o1.compareTo(o2);

                    }

                });


                return names;

            }

        }


        List<String> getKeywords(String listName) {

            List<String> keywords;

            synchronized (topLevelMap) {

                keywords = new ArrayList<>(topLevelMap.get(listName).keySet());

            }

            Collections.sort(keywords);

            return keywords;

        }


        List<String> getKeywordInstances(String listName, String keyword) {

            List<String> instances;

            synchronized (topLevelMap) {

                instances = new ArrayList<>(topLevelMap.get(listName).get(keyword).keySet());

            }

            Collections.sort(instances);

            return instances;

        }


        Set<Long> getArtifactIds(String listName, String keyword, String keywordInstance) {

            synchronized (topLevelMap) {

                return topLevelMap.get(listName).get(keyword).get(keywordInstance);

            }

        }


        void addRegExpToList(Map<String, Map<String, Set<Long>>> listMap, String regExp, String keywordInstance, Long artifactId) {

            Map<String, Set<Long>> instanceMap = listMap.computeIfAbsent(regExp, r -> new LinkedHashMap<>());

            // add this ID to the instances entry, creating one if needed

            instanceMap.computeIfAbsent(keywordInstance, ki -> new HashSet<>()).add(artifactId);

        }


        void addNonRegExpMatchToList(Map<String, Map<String, Set<Long>>> listMap, String keyWord, Long artifactId) {

            Map<String, Set<Long>> instanceMap = listMap.computeIfAbsent(keyWord, k -> new LinkedHashMap<>());


            // Use the default instance name, since we don't need that level in the tree

            instanceMap.computeIfAbsent(DEFAULT_INSTANCE_NAME, DIN -> new HashSet<>()).add(artifactId);

        }


        void populateTreeMaps(Map<Long, Map<Long, String>> artifactIds) {

            synchronized (topLevelMap) {

                topLevelMap.clear();


                // map of list name to keword to artifact IDs

                Map<String, Map<String, Map<String, Set<Long>>>> listsMap = new LinkedHashMap<>();


                // Map from from literal keyword to instances (which will be empty) to artifact IDs

                Map<String, Map<String, Set<Long>>> literalMap = new LinkedHashMap<>();


                // Map from regex keyword artifact to instances to artifact IDs

                Map<String, Map<String, Set<Long>>> regexMap = new LinkedHashMap<>();


                // top-level nodes

                topLevelMap.put(SIMPLE_LITERAL_SEARCH, literalMap);

                topLevelMap.put(SIMPLE_REGEX_SEARCH, regexMap);


                for (Map.Entry<Long, Map<Long, String>> art : artifactIds.entrySet()) {

                    long id = art.getKey();

                    Map<Long, String> attributes = art.getValue();


                    // I think we can use attributes.remove(...) here? - why should bwe use remove?

                    String listName = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID()));

                    String word = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID()));

                    String reg = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_REGEXP.getTypeID()));

                    String kwType = attributes.get(Long.valueOf(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_TYPE.getTypeID()));


                    if (listName != null) {     // part of a list

                        // get or create list entry

                        Map<String, Map<String, Set<Long>>> listMap = listsMap.computeIfAbsent(listName, ln -> new LinkedHashMap<>());


                        if ("1".equals(kwType) || reg == null) {  //literal, substring or exact

                            /*

                             * Substring, treated same as exact match. "1" is

                             * the ordinal value for substring as defined in

                             * KeywordSearch.java. The original term should be

                             * stored in reg

                             */

                            word = (reg != null) ? reg : word; //use original term if it there.

                            addNonRegExpMatchToList(listMap, word, id);

                        } else {

                            addRegExpToList(listMap, reg, word, id);

                        }

                    } else {//single term

                        if ("1".equals(kwType) || reg == null) {  //literal, substring or exact

                            /*

                             * Substring, treated same as exact match. "1" is

                             * the ordinal value for substring as defined in

                             * KeywordSearch.java. The original term should be

                             * stored in reg

                             */

                            word = (reg != null) ? reg : word; //use original term if it there.

                            addNonRegExpMatchToList(literalMap, word, id);

                        } else {

                            addRegExpToList(regexMap, reg, word, id);

                        }

                    }

                }

                topLevelMap.putAll(listsMap);

            }


            setChanged();

            notifyObservers();

        }


        public void update() {

            // maps Artifact ID to map of attribute types to attribute values

            Map<Long, Map<Long, String>> artifactIds = new LinkedHashMap<>();


            if (skCase == null) {

                return;

            }


            String queryStr = KEYWORD_HIT_ATTRIBUTES_QUERY;

            if (filteringDSObjId > 0) {

                queryStr += "  AND blackboard_artifacts.data_source_obj_id = " + filteringDSObjId;

            }


            try (CaseDbQuery dbQuery = skCase.executeQuery(queryStr)) {

                ResultSet resultSet = dbQuery.getResultSet();

                while (resultSet.next()) {

                    long artifactObjId = resultSet.getLong("artifact_obj_id"); //NON-NLS

                    long typeId = resultSet.getLong("attribute_type_id"); //NON-NLS

                    String valueStr = resultSet.getString("value_text"); //NON-NLS


                    //get the map of attributes for this artifact

                    Map<Long, String> attributesByTypeMap = artifactIds.computeIfAbsent(artifactObjId, ai -> new LinkedHashMap<>());

                    if (StringUtils.isNotEmpty(valueStr)) {

                        attributesByTypeMap.put(typeId, valueStr);

                    } else {

                        // Keyword Search Type is an int

                        Long valueLong = resultSet.getLong("value_int32");

                        attributesByTypeMap.put(typeId, valueLong.toString());

                    }

                }

            } catch (TskCoreException | SQLException ex) {

                logger.log(Level.WARNING, "SQL Exception occurred: ", ex); //NON-NLS

            }


            populateTreeMaps(artifactIds);

        }


    }


    @Override

    public <T> T accept(AutopsyItemVisitor<T> visitor) {

        return visitor.visit(this);

    }


    // Created by CreateAutopsyNodeVisitor


    public class RootNode extends UpdatableCountTypeNode {


        public RootNode() {

            super(Children.create(new ListFactory(), true),

                    Lookups.singleton(KEYWORD_HITS),

                    KEYWORD_HITS,

                    filteringDSObjId,

                    TSK_KEYWORD_HIT);


            super.setName(NAME);

            this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

        }


        @Override


        public boolean isLeafTypeNode() {

            return false;

        }


        @Override

        public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

            return visitor.visit(this);

        }


        @Override

        @NbBundle.Messages({"KeywordHits.createSheet.name.name=Name",

            "KeywordHits.createSheet.name.displayName=Name",

            "KeywordHits.createSheet.name.desc=no description"})


        protected Sheet createSheet() {

            Sheet sheet = super.createSheet();

            Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

            if (sheetSet == null) {

                sheetSet = Sheet.createPropertiesSet();

                sheet.put(sheetSet);

            }


            sheetSet.put(new NodeProperty<>(

                    KeywordHits_createSheet_name_name(),

                    KeywordHits_createSheet_name_displayName(),

                    KeywordHits_createSheet_name_desc(),

                    getName()));


            return sheet;

        }


        @Override


        public String getItemType() {

            return getClass().getName();

        }


    }


    private abstract class DetachableObserverChildFactory<X> extends ChildFactory.Detachable<X> implements Observer {


        @Override


        protected void addNotify() {

            keywordResults.addObserver(this);

        }


        @Override


        protected void finalize() throws Throwable {

            super.finalize();

            keywordResults.deleteObserver(this);

        }


        @Override


        public void update(Observable o, Object arg) {

            refresh(true);

        }


    }


    private class ListFactory extends DetachableObserverChildFactory<String> {


        private final PropertyChangeListener pcl = new PropertyChangeListener() {

            @Override

            public void propertyChange(PropertyChangeEvent evt) {

                String eventType = evt.getPropertyName();

                if (eventType.equals(IngestManager.IngestModuleEvent.DATA_ADDED.toString())) {

                    try {

                        Case.getCurrentCaseThrows();

                        ModuleDataEvent eventData = (ModuleDataEvent) evt.getOldValue();

                        if (null != eventData && eventData.getBlackboardArtifactType().getTypeID() == BlackboardArtifact.Type.TSK_KEYWORD_HIT.getTypeID()) {

                            keywordResults.update();

                        }

                    } catch (NoCurrentCaseException notUsed) {

                        // Case is closed, do nothing.

                    }

                } else if (eventType.equals(IngestManager.IngestJobEvent.COMPLETED.toString())

                        || eventType.equals(IngestManager.IngestJobEvent.CANCELLED.toString())) {

                    try {

                        Case.getCurrentCaseThrows();

                        keywordResults.update();

                    } catch (NoCurrentCaseException notUsed) {

                        // Case is closed, do nothing.

                    }

                } else if (eventType.equals(Case.Events.CURRENT_CASE.toString())

                        && evt.getNewValue() == null) {

                    /*

                     * Case was closed. Remove listeners so that we don't get

                     * called with a stale case handle

                     */

                    removeNotify();

                    skCase = null;

                }


            }

        };


        private final PropertyChangeListener weakPcl = WeakListeners.propertyChange(pcl, null);


        @Override


        protected void addNotify() {

            IngestManager.getInstance().addIngestJobEventListener(INGEST_JOB_EVENTS_OF_INTEREST, weakPcl);

            IngestManager.getInstance().addIngestModuleEventListener(INGEST_MODULE_EVENTS_OF_INTEREST, weakPcl);

            Case.addEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), weakPcl);

            keywordResults.update();

            super.addNotify();

        }


        @Override


        protected void finalize() throws Throwable{

            IngestManager.getInstance().removeIngestJobEventListener(weakPcl);

            IngestManager.getInstance().removeIngestModuleEventListener(weakPcl);

            Case.removeEventTypeSubscriber(EnumSet.of(Case.Events.CURRENT_CASE), weakPcl);

            super.finalize();

        }


        @Override


        protected boolean createKeys(List<String> list) {

            list.addAll(keywordResults.getListNames());

            return true;

        }


        @Override


        protected Node createNodeForKey(String key) {

            return new ListNode(key);

        }


    }


    private abstract class KWHitsNodeBase extends DisplayableItemNode implements Observer {


        private String displayName;


        private KWHitsNodeBase(Children children, Lookup lookup, String displayName) {

            super(children, lookup);

            this.displayName = displayName;

        }


        private KWHitsNodeBase(Children children) {

            super(children);

        }


        @Override


        public String getItemType() {

            return getClass().getName();

        }


        @Override


        public void update(Observable o, Object arg) {

            updateDisplayName();

        }


        final void updateDisplayName() {

            super.setDisplayName(displayName + " (" + countTotalDescendants() + ")");

        }


        abstract int countTotalDescendants();

    }


    class ListNode extends KWHitsNodeBase {


        private final String listName;


        private ListNode(String listName) {

            super(Children.create(new TermFactory(listName), true), Lookups.singleton(listName), listName);

            super.setName(listName);

            this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

            this.listName = listName;

            updateDisplayName();

            keywordResults.addObserver(this);

        }


        @Override

        public int countTotalDescendants() {

            int totalDescendants = 0;


            for (String word : keywordResults.getKeywords(listName)) {

                for (String instance : keywordResults.getKeywordInstances(listName, word)) {

                    Set<Long> ids = keywordResults.getArtifactIds(listName, word, instance);

                    totalDescendants += ids.size();

                }

            }

            return totalDescendants;

        }


        @Override

        @NbBundle.Messages({"KeywordHits.createSheet.listName.name=List Name",

            "KeywordHits.createSheet.listName.displayName=List Name",

            "KeywordHits.createSheet.listName.desc=no description",

            "KeywordHits.createSheet.numChildren.name=Number of Children",

            "KeywordHits.createSheet.numChildren.displayName=Number of Children",

            "KeywordHits.createSheet.numChildren.desc=no description"})

        protected Sheet createSheet() {

            Sheet sheet = super.createSheet();

            Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

            if (sheetSet == null) {

                sheetSet = Sheet.createPropertiesSet();

                sheet.put(sheetSet);

            }


            sheetSet.put(new NodeProperty<>(

                    KeywordHits_createSheet_listName_name(),

                    KeywordHits_createSheet_listName_displayName(),

                    KeywordHits_createSheet_listName_desc(),

                    listName));


            sheetSet.put(new NodeProperty<>(

                    KeywordHits_createSheet_numChildren_name(),

                    KeywordHits_createSheet_numChildren_displayName(),

                    KeywordHits_createSheet_numChildren_desc(),

                    keywordResults.getKeywords(listName).size()));


            return sheet;

        }


        @Override

        public boolean isLeafTypeNode() {

            return false;

        }


        @Override

        public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

            return visitor.visit(this);

        }

    }


    private class TermFactory extends DetachableObserverChildFactory<String> {


        private final String setName;


        private TermFactory(String setName) {

            super();

            this.setName = setName;

        }


        @Override


        protected boolean createKeys(List<String> list) {

            list.addAll(keywordResults.getKeywords(setName));

            return true;

        }


        @Override


        protected Node createNodeForKey(String key) {

            return new TermNode(setName, key);

        }


    }


    ChildFactory<?> createChildFactory(String setName, String keyword) {

        if (isOnlyDefaultInstance(keywordResults.getKeywordInstances(setName, keyword))) {

            return new HitsFactory(setName, keyword, DEFAULT_INSTANCE_NAME);

        } else {

            return new RegExpInstancesFactory(setName, keyword);

        }

    }


    class TermNode extends KWHitsNodeBase {


        private final String setName;

        private final String keyword;


        private TermNode(String setName, String keyword) {

            super(Children.create(createChildFactory(setName, keyword), true), Lookups.singleton(keyword), keyword);


            super.setName(setName + "_" + keyword);

            this.setName = setName;

            this.keyword = keyword;

            this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

            updateDisplayName();

            keywordResults.addObserver(this);

        }


        @Override

        int countTotalDescendants() {

            return keywordResults.getKeywordInstances(setName, keyword).stream()

                    .mapToInt(instance -> keywordResults.getArtifactIds(setName, keyword, instance).size())

                    .sum();

        }


        @Override

        public boolean isLeafTypeNode() {

            // is this an exact/substring match (i.e. did we use the DEFAULT name)?

            return isOnlyDefaultInstance(keywordResults.getKeywordInstances(setName, keyword));

        }


        @Override

        public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

            return visitor.visit(this);

        }


        @Override

        @NbBundle.Messages({"KeywordHits.createSheet.filesWithHits.name=Files with Hits",

            "KeywordHits.createSheet.filesWithHits.displayName=Files with Hits",

            "KeywordHits.createSheet.filesWithHits.desc=no description"})

        protected Sheet createSheet() {

            Sheet sheet = super.createSheet();

            Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

            if (sheetSet == null) {

                sheetSet = Sheet.createPropertiesSet();

                sheet.put(sheetSet);

            }

            sheetSet.put(new NodeProperty<>(

                    KeywordHits_createSheet_listName_name(),

                    KeywordHits_createSheet_listName_displayName(),

                    KeywordHits_createSheet_listName_desc(),

                    getDisplayName()));


            sheetSet.put(new NodeProperty<>(

                    KeywordHits_createSheet_filesWithHits_name(),

                    KeywordHits_createSheet_filesWithHits_displayName(),

                    KeywordHits_createSheet_filesWithHits_desc(),

                    countTotalDescendants()));


            return sheet;

        }

    }


    private class RegExpInstancesFactory extends DetachableObserverChildFactory<String> {


        private final String keyword;

        private final String setName;


        private RegExpInstancesFactory(String setName, String keyword) {

            super();

            this.setName = setName;

            this.keyword = keyword;

        }


        @Override


        protected boolean createKeys(List<String> list) {

            list.addAll(keywordResults.getKeywordInstances(setName, keyword));

            return true;

        }


        @Override


        protected Node createNodeForKey(String key) {

            return new RegExpInstanceNode(setName, keyword, key);

        }


    }


    class RegExpInstanceNode extends KWHitsNodeBase {


        private final String setName;

        private final String keyword;

        private final String instance;


        private RegExpInstanceNode(String setName, String keyword, String instance) {

            super(Children.create(new HitsFactory(setName, keyword, instance), true), Lookups.singleton(instance), instance);


            super.setName(setName + "_" + keyword + "_" + instance);

            this.setName = setName;

            this.keyword = keyword;

            this.instance = instance;

            this.setIconBaseWithExtension("org/sleuthkit/autopsy/images/keyword_hits.png"); //NON-NLS

            updateDisplayName();

            keywordResults.addObserver(this);

        }


        @Override

        int countTotalDescendants() {

            return keywordResults.getArtifactIds(setName, keyword, instance).size();

        }


        @Override

        public boolean isLeafTypeNode() {

            return true;

        }


        @Override

        public <T> T accept(DisplayableItemNodeVisitor<T> visitor) {

            return visitor.visit(this);

        }


        @Override

        protected Sheet createSheet() {

            Sheet sheet = super.createSheet();

            Sheet.Set sheetSet = sheet.get(Sheet.PROPERTIES);

            if (sheetSet == null) {

                sheetSet = Sheet.createPropertiesSet();

                sheet.put(sheetSet);

            }


            sheetSet.put(new NodeProperty<>(

                    KeywordHits_createSheet_listName_name(),

                    KeywordHits_createSheet_listName_displayName(),

                    KeywordHits_createSheet_listName_desc(),

                    getDisplayName()));


            sheetSet.put(new NodeProperty<>(

                    KeywordHits_createSheet_filesWithHits_name(),

                    KeywordHits_createSheet_filesWithHits_displayName(),

                    KeywordHits_createSheet_filesWithHits_desc(),

                    keywordResults.getArtifactIds(setName, keyword, instance).size()));


            return sheet;

        }


    }


    @NbBundle.Messages({"KeywordHits.createNodeForKey.modTime.name=ModifiedTime",

        "KeywordHits.createNodeForKey.modTime.displayName=Modified Time",

        "KeywordHits.createNodeForKey.modTime.desc=Modified Time",

        "KeywordHits.createNodeForKey.accessTime.name=AccessTime",

        "KeywordHits.createNodeForKey.accessTime.displayName=Access Time",

        "KeywordHits.createNodeForKey.accessTime.desc=Access Time",

        "KeywordHits.createNodeForKey.chgTime.name=ChangeTime",

        "KeywordHits.createNodeForKey.chgTime.displayName=Change Time",

        "KeywordHits.createNodeForKey.chgTime.desc=Change Time"})


    private BlackboardArtifactNode createBlackboardArtifactNode(AnalysisResult art) {

        if (skCase == null) {

            return null;

        }


        BlackboardArtifactNode n = new BlackboardArtifactNode(art); //NON-NLS


        // The associated file should be available through the Lookup that

        // gets created when the BlackboardArtifactNode is constructed.

        AbstractFile file = n.getLookup().lookup(AbstractFile.class);

        if (file == null) {

            try {

                file = skCase.getAbstractFileById(art.getObjectID());

            } catch (TskCoreException ex) {

                logger.log(Level.SEVERE, "TskCoreException while constructing BlackboardArtifact Node from KeywordHitsKeywordChildren", ex); //NON-NLS

                return n;

            }

        }

        /*

         * It is possible to get a keyword hit on artifacts generated for the

         * underlying image in which case MAC times are not

         * available/applicable/useful.

         */

        if (file == null) {

            return n;

        }

        n.addNodeProperty(new NodeProperty<>(

                KeywordHits_createNodeForKey_modTime_name(),

                KeywordHits_createNodeForKey_modTime_displayName(),

                KeywordHits_createNodeForKey_modTime_desc(),

                TimeZoneUtils.getFormattedTime(file.getMtime())));

        n.addNodeProperty(new NodeProperty<>(

                KeywordHits_createNodeForKey_accessTime_name(),

                KeywordHits_createNodeForKey_accessTime_displayName(),

                KeywordHits_createNodeForKey_accessTime_desc(),

                TimeZoneUtils.getFormattedTime(file.getAtime())));

        n.addNodeProperty(new NodeProperty<>(

                KeywordHits_createNodeForKey_chgTime_name(),

                KeywordHits_createNodeForKey_chgTime_displayName(),

                KeywordHits_createNodeForKey_chgTime_desc(),

                TimeZoneUtils.getFormattedTime(file.getCtime())));

        return n;

    }


    private class HitsFactory extends BaseChildFactory<AnalysisResult> implements Observer {


        private final String keyword;

        private final String setName;

        private final String instance;

        private final Map<Long, AnalysisResult> artifactHits = new HashMap<>();


        private HitsFactory(String setName, String keyword, String instance) {

            super(setName + "_" + keyword + (DEFAULT_INSTANCE_NAME.equals(instance) ? "" : "_" + instance));

            this.setName = setName;

            this.keyword = keyword;

            this.instance = instance;

        }


        @Override


        protected List<AnalysisResult> makeKeys() {

            if (skCase != null) {

                keywordResults.getArtifactIds(setName, keyword, instance).forEach((id) -> {

                    try {

                        if (!artifactHits.containsKey(id)) {

                            AnalysisResult art = skCase.getBlackboard().getAnalysisResultById(id);

                            //Cache attributes while we are off the EDT.

                            //See JIRA-5969

                            art.getAttributes();

                            artifactHits.put(id, art);

                        }

                    } catch (TskCoreException ex) {

                        logger.log(Level.SEVERE, "TSK Exception occurred", ex); //NON-NLS

                    }

                });


                return new ArrayList<>(artifactHits.values());

            }

            return Collections.emptyList();

        }


        @Override


        protected Node createNodeForKey(AnalysisResult art) {

            return createBlackboardArtifactNode(art);

        }


        @Override


        protected void onAdd() {

            keywordResults.addObserver(this);

        }


        @Override


        protected void onRemove() {

            keywordResults.deleteObserver(this);

        }


        @Override


        public void update(Observable o, Object arg) {

            refresh(true);

        }


    }


}


org.sleuthkit.autopsy.casemodule.Case
Definition Case.java:168

org.sleuthkit.autopsy.casemodule.Case.removeEventTypeSubscriber
static void removeEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition Case.java:757

org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows
static Case getCurrentCaseThrows()
Definition Case.java:910

org.sleuthkit.autopsy.casemodule.Case.addEventTypeSubscriber
static void addEventTypeSubscriber(Set< Events > eventTypes, PropertyChangeListener subscriber)
Definition Case.java:712

org.sleuthkit.autopsy.casemodule.NoCurrentCaseException
Definition NoCurrentCaseException.java:26

org.sleuthkit.autopsy.coreutils.Logger
Definition Logger.java:36

org.sleuthkit.autopsy.coreutils.Logger.getLogger
synchronized static Logger getLogger(String name)
Definition Logger.java:124

org.sleuthkit.autopsy.coreutils.TimeZoneUtils
Definition TimeZoneUtils.java:36

org.sleuthkit.autopsy.coreutils.TimeZoneUtils.getFormattedTime
static String getFormattedTime(long epochTime)
Definition TimeZoneUtils.java:145

org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode.UpdatableCountTypeNode
UpdatableCountTypeNode(Children children, Lookup lookup, String baseName, long filteringDSObjId, BlackboardArtifact.Type... types)
Definition Artifacts.java:469

org.sleuthkit.autopsy.datamodel.Artifacts.UpdatableCountTypeNode.filteringDSObjId
final long filteringDSObjId
Definition Artifacts.java:453

org.sleuthkit.autopsy.datamodel.BaseChildFactory< AnalysisResult >::logger
static final Logger logger
Definition BaseChildFactory.java:47

org.sleuthkit.autopsy.datamodel.BaseChildFactory< AnalysisResult >::BaseChildFactory
BaseChildFactory(String nodeName)
Definition BaseChildFactory.java:104

org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode
Definition BlackboardArtifactNode.java:126

org.sleuthkit.autopsy.datamodel.BlackboardArtifactNode.addNodeProperty
void addNodeProperty(NodeProperty<?> property)
Definition BlackboardArtifactNode.java:1292

org.sleuthkit.autopsy.datamodel.DisplayableItemNode.isLeafTypeNode
abstract boolean isLeafTypeNode()

org.sleuthkit.autopsy.datamodel.DisplayableItemNode.DisplayableItemNode
DisplayableItemNode(Children children)
Definition DisplayableItemNode.java:78

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory
Definition KeywordHits.java:433

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.finalize
void finalize()
Definition KeywordHits.java:441

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.update
void update(Observable o, Object arg)
Definition KeywordHits.java:447

org.sleuthkit.autopsy.datamodel.KeywordHits.DetachableObserverChildFactory.addNotify
void addNotify()
Definition KeywordHits.java:436

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.artifactHits
final Map< Long, AnalysisResult > artifactHits
Definition KeywordHits.java:919

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.onAdd
void onAdd()
Definition KeywordHits.java:962

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.createNodeForKey
Node createNodeForKey(AnalysisResult art)
Definition KeywordHits.java:957

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.onRemove
void onRemove()
Definition KeywordHits.java:967

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.keyword
final String keyword
Definition KeywordHits.java:916

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.update
void update(Observable o, Object arg)
Definition KeywordHits.java:972

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.instance
final String instance
Definition KeywordHits.java:918

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.setName
final String setName
Definition KeywordHits.java:917

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.makeKeys
List< AnalysisResult > makeKeys()
Definition KeywordHits.java:935

org.sleuthkit.autopsy.datamodel.KeywordHits.HitsFactory.HitsFactory
HitsFactory(String setName, String keyword, String instance)
Definition KeywordHits.java:921

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.update
void update(Observable o, Object arg)
Definition KeywordHits.java:560

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.getItemType
String getItemType()
Definition KeywordHits.java:555

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.KWHitsNodeBase
KWHitsNodeBase(Children children)
Definition KeywordHits.java:550

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.displayName
String displayName
Definition KeywordHits.java:543

org.sleuthkit.autopsy.datamodel.KeywordHits.KWHitsNodeBase.KWHitsNodeBase
KWHitsNodeBase(Children children, Lookup lookup, String displayName)
Definition KeywordHits.java:545

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults
Definition KeywordHits.java:140

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.topLevelMap
final Map< String, Map< String, Map< String, Set< Long > > > > topLevelMap
Definition KeywordHits.java:144

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordResults.update
void update()
Definition KeywordHits.java:339

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory
Definition KeywordHits.java:455

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createNodeForKey
Node createNodeForKey(String key)
Definition KeywordHits.java:536

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.createKeys
boolean createKeys(List< String > list)
Definition KeywordHits.java:530

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.pcl
final PropertyChangeListener pcl
Definition KeywordHits.java:457

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.finalize
void finalize()
Definition KeywordHits.java:522

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.addNotify
void addNotify()
Definition KeywordHits.java:513

org.sleuthkit.autopsy.datamodel.KeywordHits.ListFactory.weakPcl
final PropertyChangeListener weakPcl
Definition KeywordHits.java:510

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.setName
final String setName
Definition KeywordHits.java:762

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createNodeForKey
Node createNodeForKey(String key)
Definition KeywordHits.java:777

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.keyword
final String keyword
Definition KeywordHits.java:761

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.RegExpInstancesFactory
RegExpInstancesFactory(String setName, String keyword)
Definition KeywordHits.java:764

org.sleuthkit.autopsy.datamodel.KeywordHits.RegExpInstancesFactory.createKeys
boolean createKeys(List< String > list)
Definition KeywordHits.java:771

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.isLeafTypeNode
boolean isLeafTypeNode()
Definition KeywordHits.java:397

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.RootNode
RootNode()
Definition KeywordHits.java:385

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.getItemType
String getItemType()
Definition KeywordHits.java:428

org.sleuthkit.autopsy.datamodel.KeywordHits.RootNode.createSheet
Sheet createSheet()
Definition KeywordHits.java:410

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createNodeForKey
Node createNodeForKey(String key)
Definition KeywordHits.java:661

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.setName
final String setName
Definition KeywordHits.java:647

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.TermFactory
TermFactory(String setName)
Definition KeywordHits.java:649

org.sleuthkit.autopsy.datamodel.KeywordHits.TermFactory.createKeys
boolean createKeys(List< String > list)
Definition KeywordHits.java:655

org.sleuthkit.autopsy.datamodel.KeywordHits
Definition KeywordHits.java:67

org.sleuthkit.autopsy.datamodel.KeywordHits.DEFAULT_INSTANCE_NAME
static final String DEFAULT_INSTANCE_NAME
Definition KeywordHits.java:90

org.sleuthkit.autopsy.datamodel.KeywordHits.createBlackboardArtifactNode
BlackboardArtifactNode createBlackboardArtifactNode(AnalysisResult art)
Definition KeywordHits.java:867

org.sleuthkit.autopsy.datamodel.KeywordHits.KEYWORD_HIT_ATTRIBUTES_QUERY
static final String KEYWORD_HIT_ATTRIBUTES_QUERY
Definition KeywordHits.java:95

org.sleuthkit.autopsy.datamodel.KeywordHits.KEYWORD_HITS
static final String KEYWORD_HITS
Definition KeywordHits.java:73

org.sleuthkit.autopsy.datamodel.KeywordHits.INGEST_JOB_EVENTS_OF_INTEREST
static final Set< IngestManager.IngestJobEvent > INGEST_JOB_EVENTS_OF_INTEREST
Definition KeywordHits.java:70

org.sleuthkit.autopsy.datamodel.KeywordHits.isOnlyDefaultInstance
static boolean isOnlyDefaultInstance(List< String > instances)
Definition KeywordHits.java:108

org.sleuthkit.autopsy.datamodel.KeywordHits.NAME
static final String NAME
Definition KeywordHits.java:79

org.sleuthkit.autopsy.datamodel.KeywordHits.INGEST_MODULE_EVENTS_OF_INTEREST
static final Set< IngestManager.IngestModuleEvent > INGEST_MODULE_EVENTS_OF_INTEREST
Definition KeywordHits.java:71

org.sleuthkit.autopsy.datamodel.KeywordHits.skCase
SleuthkitCase skCase
Definition KeywordHits.java:81

org.sleuthkit.autopsy.datamodel.KeywordHits.KeywordHits
KeywordHits(SleuthkitCase skCase, long objId)
Definition KeywordHits.java:128

org.sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_REGEX_SEARCH
static final String SIMPLE_REGEX_SEARCH
Definition KeywordHits.java:77

org.sleuthkit.autopsy.datamodel.KeywordHits.filteringDSObjId
final long filteringDSObjId
Definition KeywordHits.java:83

org.sleuthkit.autopsy.datamodel.KeywordHits.keywordResults
final KeywordResults keywordResults
Definition KeywordHits.java:82

org.sleuthkit.autopsy.datamodel.KeywordHits.SIMPLE_LITERAL_SEARCH
static final String SIMPLE_LITERAL_SEARCH
Definition KeywordHits.java:75

org.sleuthkit.autopsy.datamodel.KeywordHits.logger
static final Logger logger
Definition KeywordHits.java:69

org.sleuthkit.autopsy.datamodel.NodeProperty
Definition NodeProperty.java:28

org.sleuthkit.autopsy.ingest.IngestManager
Definition IngestManager.java:122

org.sleuthkit.autopsy.ingest.IngestManager.getInstance
static synchronized IngestManager getInstance()
Definition IngestManager.java:161

org.sleuthkit.autopsy.ingest.IngestManager.removeIngestModuleEventListener
void removeIngestModuleEventListener(final PropertyChangeListener listener)
Definition IngestManager.java:784

org.sleuthkit.autopsy.ingest.IngestManager.removeIngestJobEventListener
void removeIngestJobEventListener(final PropertyChangeListener listener)
Definition IngestManager.java:741

org.sleuthkit.autopsy.ingest.IngestManager.addIngestModuleEventListener
void addIngestModuleEventListener(final PropertyChangeListener listener)
Definition IngestManager.java:762

org.sleuthkit.autopsy.ingest.IngestManager.addIngestJobEventListener
void addIngestJobEventListener(final PropertyChangeListener listener)
Definition IngestManager.java:719

org.sleuthkit.autopsy.ingest.ModuleDataEvent
Definition ModuleDataEvent.java:49

org.sleuthkit.autopsy.ingest.ModuleDataEvent.getBlackboardArtifactType
BlackboardArtifact.Type getBlackboardArtifactType()
Definition ModuleDataEvent.java:104

org.sleuthkit.autopsy.casemodule.Case.Events
Definition Case.java:303

org.sleuthkit.autopsy.casemodule.Case.Events.CURRENT_CASE
CURRENT_CASE
Definition Case.java:384

org.sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent
Definition IngestManager.java:1298

org.sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.CANCELLED
CANCELLED
Definition IngestManager.java:1317

org.sleuthkit.autopsy.ingest.IngestManager.IngestJobEvent.COMPLETED
COMPLETED
Definition IngestManager.java:1311

org.sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent
Definition IngestManager.java:1341

org.sleuthkit.autopsy.ingest.IngestManager.IngestModuleEvent.DATA_ADDED
DATA_ADDED
Definition IngestManager.java:1349

org.sleuthkit.autopsy.datamodel.AutopsyItemVisitor
Definition AutopsyItemVisitor.java:28

org.sleuthkit.autopsy.datamodel.AutopsyItemVisitor.visit
T visit(DataSources i)

org.sleuthkit.autopsy.datamodel.AutopsyVisitableItem
Definition AutopsyVisitableItem.java:26

org.sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor
Definition DisplayableItemNodeVisitor.java:42

org.sleuthkit.autopsy.datamodel.DisplayableItemNodeVisitor.visit
T visit(DataSourceFilesNode in)