api-docs/4.22.1/_recent_files_summary_8java_source.html

/*

 * Autopsy Forensic Browser

 *

 * Copyright 2021 Basis Technology Corp.

 * Contact: carrier <at> sleuthkit <dot> org

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *     http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

package org.sleuthkit.autopsy.datasourcesummary.datamodel;


import java.nio.file.Paths;

import java.text.DateFormat;

import java.text.SimpleDateFormat;

import java.util.ArrayList;

import java.util.Collections;

import java.util.List;

import java.util.Locale;

import java.util.Map;

import java.util.Objects;

import java.util.stream.Collectors;

import org.apache.commons.lang.StringUtils;

import org.sleuthkit.autopsy.datasourcesummary.datamodel.SleuthkitCaseProvider.SleuthkitCaseProviderException;

import org.sleuthkit.datamodel.AbstractFile;

import org.sleuthkit.datamodel.BlackboardArtifact;

import org.sleuthkit.datamodel.BlackboardAttribute;

import org.sleuthkit.datamodel.Content;

import org.sleuthkit.datamodel.DataSource;

import org.sleuthkit.datamodel.SleuthkitCase;

import org.sleuthkit.datamodel.TskCoreException;

import org.sleuthkit.datamodel.BlackboardArtifact.ARTIFACT_TYPE;


public class RecentFilesSummary {


    private final static BlackboardAttribute.Type DATETIME_ACCESSED_ATT = new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED);

    private final static BlackboardAttribute.Type DOMAIN_ATT = new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN);

    private final static BlackboardAttribute.Type PATH_ATT = new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH);

    private final static BlackboardAttribute.Type ASSOCATED_ATT = new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT);

    private final static BlackboardAttribute.Type EMAIL_FROM_ATT = new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_FROM);

    private final static BlackboardAttribute.Type MSG_DATEIME_SENT_ATT = new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_SENT);

    private final static BlackboardArtifact.Type ASSOCATED_OBJ_ART = new BlackboardArtifact.Type(ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT);


    private static final DateFormat DATETIME_FORMAT = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss", Locale.getDefault());


    private final SleuthkitCaseProvider provider;


    public RecentFilesSummary() {

        this(SleuthkitCaseProvider.DEFAULT);

    }


    public RecentFilesSummary(SleuthkitCaseProvider provider) {

        if (provider == null) {

            throw new IllegalArgumentException("Unable to construct RecentFileSummary object. SleuthkitCaseProvider cannot be null");

        }


        this.provider = provider;

    }


    private static <T extends RecentFileDetails> List<T> getSortedLimited(List<T> fileDetails, int limit) {

        Map<String, T> fileDetailsMap = fileDetails.stream()

                .filter(details -> details != null)

                .collect(Collectors.toMap(

                        d -> d.getPath().toUpperCase(),

                        d -> d,

                        (d1, d2) -> Long.compare(d1.getDateAsLong(), d2.getDateAsLong()) > 0 ? d1 : d2));


        return fileDetailsMap.values().stream()

                .sorted((a, b) -> -Long.compare(a.getDateAsLong(), b.getDateAsLong()))

                .limit(limit)

                .collect(Collectors.toList());

    }


    private static RecentFileDetails getRecentlyOpenedDocument(BlackboardArtifact artifact) {

        String path = DataSourceInfoUtilities.getStringOrNull(artifact, PATH_ATT);

        Long lastOpened = DataSourceInfoUtilities.getLongOrNull(artifact, DATETIME_ACCESSED_ATT);


        if (StringUtils.isBlank(path) || lastOpened == null || lastOpened == 0) {

            return null;

        } else {

            return new RecentFileDetails(artifact, path, lastOpened);

        }

    }


    public List<RecentFileDetails> getRecentlyOpenedDocuments(DataSource dataSource, int maxCount) throws SleuthkitCaseProviderException, TskCoreException {

        if (dataSource == null) {

            return Collections.emptyList();

        }


        throwOnNonPositiveCount(maxCount);


        List<RecentFileDetails> details = provider.get().getBlackboard()

                .getArtifacts(ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID(), dataSource.getId()).stream()

                .map(art -> getRecentlyOpenedDocument(art))

                .filter(d -> d != null)

                .collect(Collectors.toList());


        return getSortedLimited(details, maxCount);

    }


    private static RecentDownloadDetails getRecentDownload(BlackboardArtifact artifact) {

        Long accessedTime = DataSourceInfoUtilities.getLongOrNull(artifact, DATETIME_ACCESSED_ATT);

        String domain = DataSourceInfoUtilities.getStringOrNull(artifact, DOMAIN_ATT);

        String path = DataSourceInfoUtilities.getStringOrNull(artifact, PATH_ATT);


        if (StringUtils.isBlank(path) || accessedTime == null || accessedTime == 0) {

            return null;

        } else {

            return new RecentDownloadDetails(artifact, path, accessedTime, domain);

        }

    }


    private static void throwOnNonPositiveCount(int count) {

        if (count < 1) {

            throw new IllegalArgumentException("Invalid count: value must be greater than 0.");

        }

    }


    public List<RecentDownloadDetails> getRecentDownloads(DataSource dataSource, int maxCount) throws TskCoreException, SleuthkitCaseProviderException {

        if (dataSource == null) {

            return Collections.emptyList();

        }


        throwOnNonPositiveCount(maxCount);


        List<RecentDownloadDetails> details = provider.get().getBlackboard()

                .getArtifacts(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID(), dataSource.getId()).stream()

                .map(art -> getRecentDownload(art))

                .filter(d -> d != null)

                .collect(Collectors.toList());


        return getSortedLimited(details, maxCount);

    }


    public List<RecentAttachmentDetails> getRecentAttachments(DataSource dataSource, int maxCount) throws SleuthkitCaseProviderException, TskCoreException {

        if (dataSource == null) {

            return Collections.emptyList();

        }


        throwOnNonPositiveCount(maxCount);


        SleuthkitCase skCase = provider.get();


        List<BlackboardArtifact> associatedArtifacts = skCase.getBlackboard()

                .getArtifacts(ASSOCATED_OBJ_ART.getTypeID(), dataSource.getId());


        List<RecentAttachmentDetails> details = new ArrayList<>();

        for (BlackboardArtifact artifact : associatedArtifacts) {

            RecentAttachmentDetails thisDetails = getRecentAttachment(artifact, skCase);


            if (thisDetails != null) {

                details.add(thisDetails);

            }

        }


        return getSortedLimited(details, maxCount);

    }


    private static RecentAttachmentDetails getRecentAttachment(BlackboardArtifact artifact, SleuthkitCase skCase) throws TskCoreException {

        // get associated artifact or return no result

        BlackboardAttribute attribute = artifact.getAttribute(ASSOCATED_ATT);

        if (attribute == null) {

            return null;

        }


        // get associated message artifact if exists or return no result

        BlackboardArtifact messageArtifact = skCase.getBlackboardArtifact(attribute.getValueLong());

        if (messageArtifact == null || !isMessageArtifact(messageArtifact)) {

            return null;

        }


        // get abstract file if exists or return no result

        Content content = artifact.getParent();

        if (!(content instanceof AbstractFile)) {

            return null;

        }


        AbstractFile abstractFile = (AbstractFile) content;


        // get the path, sender, and date

        String path = Paths.get(abstractFile.getParentPath(), abstractFile.getName()).toString();

        String sender = DataSourceInfoUtilities.getStringOrNull(messageArtifact, EMAIL_FROM_ATT);

        Long date = DataSourceInfoUtilities.getLongOrNull(messageArtifact, MSG_DATEIME_SENT_ATT);


        if (date == null || date == 0 || StringUtils.isBlank(path)) {

            return null;

        } else {

            return new RecentAttachmentDetails(messageArtifact, path, date, sender);

        }

    }


    private static boolean isMessageArtifact(BlackboardArtifact nodeArtifact) {

        final int artifactTypeID = nodeArtifact.getArtifactTypeID();

        return artifactTypeID == ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID()

                || artifactTypeID == ARTIFACT_TYPE.TSK_MESSAGE.getTypeID();


    }


    public static class RecentFileDetails {


        private final String path;

        private final long date;

        private final BlackboardArtifact artifact;


        RecentFileDetails(BlackboardArtifact artifact, String path, long date) {

            this.artifact = artifact;

            this.path = path;

            this.date = date;

        }


        public String getDateAsString() {

            return DATETIME_FORMAT.format(date * 1000);

        }


        public Long getDateAsLong() {

            return date;

        }


        public String getPath() {

            return path;

        }


        public BlackboardArtifact getArtifact() {

            return artifact;

        }


    }


    public static class RecentDownloadDetails extends RecentFileDetails {


        private final String webDomain;


        RecentDownloadDetails(BlackboardArtifact artifact, String path, long date, String webDomain) {

            super(artifact, path, date);

            this.webDomain = webDomain;

        }


        public String getWebDomain() {

            return webDomain;

        }


    }


    public static class RecentAttachmentDetails extends RecentFileDetails {


        private final String sender;


        RecentAttachmentDetails(BlackboardArtifact artifact, String path, long date, String sender) {

            super(artifact, path, date);

            this.sender = sender;

        }


        public String getSender() {

            return sender;

        }


        @Override


        public boolean equals(Object obj) {

            if (!(obj instanceof RecentAttachmentDetails)) {

                return false;

            }

            RecentAttachmentDetails compareObj = (RecentAttachmentDetails) obj;


            return compareObj.getSender().equals(this.sender)

                    && compareObj.getPath().equals(this.getPath())

                    && compareObj.getDateAsLong().equals(this.getDateAsLong());

        }


        @Override


        public int hashCode() {

            int hash = 5;

            hash = 73 * hash + Objects.hashCode(this.sender);

            return hash;

        }


    }


}


org.sleuthkit.autopsy.datasourcesummary.datamodel.DataSourceInfoUtilities
Definition DataSourceInfoUtilities.java:45

org.sleuthkit.autopsy.datasourcesummary.datamodel.DataSourceInfoUtilities.getStringOrNull
static String getStringOrNull(BlackboardArtifact artifact, Type attributeType)
Definition DataSourceInfoUtilities.java:387

org.sleuthkit.autopsy.datasourcesummary.datamodel.DataSourceInfoUtilities.getLongOrNull
static Long getLongOrNull(BlackboardArtifact artifact, Type attributeType)
Definition DataSourceInfoUtilities.java:401

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentAttachmentDetails
Definition RecentFilesSummary.java:394

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentAttachmentDetails.hashCode
int hashCode()
Definition RecentFilesSummary.java:436

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentAttachmentDetails.getSender
String getSender()
Definition RecentFilesSummary.java:419

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentAttachmentDetails.sender
final String sender
Definition RecentFilesSummary.java:396

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentAttachmentDetails.equals
boolean equals(Object obj)
Definition RecentFilesSummary.java:424

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentDownloadDetails
Definition RecentFilesSummary.java:363

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentDownloadDetails.getWebDomain
String getWebDomain()
Definition RecentFilesSummary.java:386

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentDownloadDetails.webDomain
final String webDomain
Definition RecentFilesSummary.java:365

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails
Definition RecentFilesSummary.java:305

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails.date
final long date
Definition RecentFilesSummary.java:308

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails.getDateAsString
String getDateAsString()
Definition RecentFilesSummary.java:330

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails.path
final String path
Definition RecentFilesSummary.java:307

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails.artifact
final BlackboardArtifact artifact
Definition RecentFilesSummary.java:309

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails.getPath
String getPath()
Definition RecentFilesSummary.java:348

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails.getDateAsLong
Long getDateAsLong()
Definition RecentFilesSummary.java:339

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFileDetails.getArtifact
BlackboardArtifact getArtifact()
Definition RecentFilesSummary.java:355

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.EMAIL_FROM_ATT
static final BlackboardAttribute.Type EMAIL_FROM_ATT
Definition RecentFilesSummary.java:51

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.getRecentAttachments
List< RecentAttachmentDetails > getRecentAttachments(DataSource dataSource, int maxCount)
Definition RecentFilesSummary.java:221

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.ASSOCATED_ATT
static final BlackboardAttribute.Type ASSOCATED_ATT
Definition RecentFilesSummary.java:50

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.DOMAIN_ATT
static final BlackboardAttribute.Type DOMAIN_ATT
Definition RecentFilesSummary.java:48

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.getRecentAttachment
static RecentAttachmentDetails getRecentAttachment(BlackboardArtifact artifact, SleuthkitCase skCase)
Definition RecentFilesSummary.java:254

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.provider
final SleuthkitCaseProvider provider
Definition RecentFilesSummary.java:57

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.DATETIME_ACCESSED_ATT
static final BlackboardAttribute.Type DATETIME_ACCESSED_ATT
Definition RecentFilesSummary.java:47

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.isMessageArtifact
static boolean isMessageArtifact(BlackboardArtifact nodeArtifact)
Definition RecentFilesSummary.java:295

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.getSortedLimited
static< T extends RecentFileDetails > List< T > getSortedLimited(List< T > fileDetails, int limit)
Definition RecentFilesSummary.java:87

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.getRecentlyOpenedDocuments
List< RecentFileDetails > getRecentlyOpenedDocuments(DataSource dataSource, int maxCount)
Definition RecentFilesSummary.java:133

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFilesSummary
RecentFilesSummary()
Definition RecentFilesSummary.java:62

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.getRecentDownloads
List< RecentDownloadDetails > getRecentDownloads(DataSource dataSource, int maxCount)
Definition RecentFilesSummary.java:193

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.RecentFilesSummary
RecentFilesSummary(SleuthkitCaseProvider provider)
Definition RecentFilesSummary.java:71

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.getRecentlyOpenedDocument
static RecentFileDetails getRecentlyOpenedDocument(BlackboardArtifact artifact)
Definition RecentFilesSummary.java:108

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.getRecentDownload
static RecentDownloadDetails getRecentDownload(BlackboardArtifact artifact)
Definition RecentFilesSummary.java:156

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.DATETIME_FORMAT
static final DateFormat DATETIME_FORMAT
Definition RecentFilesSummary.java:55

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.PATH_ATT
static final BlackboardAttribute.Type PATH_ATT
Definition RecentFilesSummary.java:49

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.MSG_DATEIME_SENT_ATT
static final BlackboardAttribute.Type MSG_DATEIME_SENT_ATT
Definition RecentFilesSummary.java:52

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.throwOnNonPositiveCount
static void throwOnNonPositiveCount(int count)
Definition RecentFilesSummary.java:173

org.sleuthkit.autopsy.datasourcesummary.datamodel.RecentFilesSummary.ASSOCATED_OBJ_ART
static final BlackboardArtifact.Type ASSOCATED_OBJ_ART
Definition RecentFilesSummary.java:53

org.sleuthkit.autopsy.datasourcesummary.datamodel.SleuthkitCaseProvider.SleuthkitCaseProviderException
Definition SleuthkitCaseProvider.java:38

org.sleuthkit.autopsy.datasourcesummary.datamodel.SleuthkitCaseProvider
Definition SleuthkitCaseProvider.java:32

org.sleuthkit.autopsy.datasourcesummary.datamodel.SleuthkitCaseProvider.DEFAULT
SleuthkitCaseProvider DEFAULT
Definition SleuthkitCaseProvider.java:66