Autopsy 4.22.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
TableReportGenerator.java
Go to the documentation of this file.
1/*
2 * Autopsy Forensic Browser
3 *
4 * Copyright 2013-2021 Basis Technology Corp.
5 * Contact: carrier <at> sleuthkit <dot> org
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License");
8 * you may not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS,
15 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19package org.sleuthkit.autopsy.report.infrastructure;
20
21import org.sleuthkit.autopsy.report.modules.html.HTMLReport;
22import com.google.common.collect.ListMultimap;
23import com.google.common.collect.Lists;
24import com.google.common.collect.Multimaps;
25import java.sql.ResultSet;
26import java.sql.SQLException;
27import java.util.ArrayList;
28import java.util.Arrays;
29import java.util.Collection;
30import java.util.Collections;
31import java.util.Comparator;
32import java.util.HashMap;
33import java.util.HashSet;
34import java.util.Iterator;
35import java.util.List;
36import java.util.Map;
37import java.util.Objects;
38import java.util.Set;
39import java.util.TreeSet;
40import java.util.logging.Level;
41import java.util.stream.Collectors;
42import org.openide.util.NbBundle;
43import org.openide.util.NbBundle.Messages;
44import org.sleuthkit.autopsy.casemodule.Case;
45import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
46import org.sleuthkit.autopsy.casemodule.services.TagsManager;
47import org.sleuthkit.autopsy.coreutils.ImageUtils;
48import org.sleuthkit.autopsy.coreutils.Logger;
49import org.sleuthkit.autopsy.report.ReportProgressPanel;
50import static org.sleuthkit.autopsy.casemodule.services.TagsManager.getNotableTagLabel;
51import org.sleuthkit.autopsy.coreutils.TimeZoneUtils;
52import org.sleuthkit.datamodel.AbstractFile;
53import org.sleuthkit.datamodel.Account;
54import org.sleuthkit.datamodel.BlackboardArtifact;
55import org.sleuthkit.datamodel.BlackboardArtifactTag;
56import org.sleuthkit.datamodel.BlackboardAttribute;
57import org.sleuthkit.datamodel.BlackboardAttribute.Type;
58import org.sleuthkit.datamodel.Content;
59import org.sleuthkit.datamodel.ContentTag;
60import org.sleuthkit.datamodel.DataSource;
61import org.sleuthkit.datamodel.SleuthkitCase;
62import org.sleuthkit.datamodel.TagName;
63import org.sleuthkit.datamodel.TskCoreException;
64import org.sleuthkit.datamodel.TskData;
65
66class TableReportGenerator {
67
68 private List<BlackboardArtifact.Type> artifactTypes = new ArrayList<>();
69 private HashSet<String> tagNamesFilter = new HashSet<>();
70
71 private final Set<Content> images = new HashSet<>();
72 private final ReportProgressPanel progressPanel;
73 private final TableReportModule tableReport;
74 private final TableReportSettings settings;
75 private final Map<Integer, List<Column>> columnHeaderMap;
76 private static final Logger logger = Logger.getLogger(TableReportGenerator.class.getName());
77
78 private final List<String> errorList;
79
80 TableReportGenerator(TableReportSettings settings, ReportProgressPanel progressPanel, TableReportModule tableReport) {
81
82 this.progressPanel = progressPanel;
83 this.tableReport = tableReport;
84 this.columnHeaderMap = new HashMap<>();
85 errorList = new ArrayList<>();
86 this.settings = settings;
87 }
88
89 private void getAllExistingTags() throws NoCurrentCaseException, TskCoreException {
90 List<String> tagNames = new ArrayList<>();
91
92 // get all tag names from this case
93 List<TagName> tagNamesInUse = Case.getCurrentCaseThrows().getServices().getTagsManager().getTagNamesInUse();
94
95 String notableString = "";
96 for (TagName tagName : tagNamesInUse) {
97 notableString = tagName.getTagType() == TskData.TagType.BAD ? TagsManager.getNotableTagLabel() : "";
98 tagNames.add(tagName.getDisplayName() + notableString);
99 }
100 tagNamesFilter = new HashSet<>(tagNames);
101 }
102
103 @SuppressWarnings("deprecation")
104 private void getAllExistingArtiactTypes() throws NoCurrentCaseException, TskCoreException {
105 // get all possible artifact types
106 ArrayList<BlackboardArtifact.Type> doNotReport = new ArrayList<>();
107 doNotReport.add(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO));
108 doNotReport.add(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_TOOL_OUTPUT)); // output is too unstructured for table review
109 doNotReport.add(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_ASSOCIATED_OBJECT));
110 doNotReport.add(new BlackboardArtifact.Type(BlackboardArtifact.ARTIFACT_TYPE.TSK_TL_EVENT));
111
112 Case.getCurrentCaseThrows().getSleuthkitCase().getArtifactTypes().forEach(artifactTypes::add);
113 artifactTypes.removeAll(doNotReport);
114 }
115
116 protected void execute() {
117
118 progressPanel.start();
119 progressPanel.updateStatusLabel(NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.readingTagsArtifacts.text"));
120
121 if (settings.useStoredTagsAndArtifactsLists()) {
122 // Get the artifact types selected by the user.
123 artifactTypes = settings.getArtifactSelections();
124
125 // Get the tag names selected by the user and make a tag names filter.
126 tagNamesFilter = new HashSet<>(settings.getTagSelections());
127 } else {
128 try {
129 // If report type is "all tagged results", then read all possible tab names from database.
130 // Otherwise do not load tag names, i.e. run "all results" report
131 if (settings.getSelectedReportOption() == TableReportSettings.TableReportOption.ALL_TAGGED_RESULTS) {
132 getAllExistingTags();
133 }
134
135 // get all possible artifact types
136 getAllExistingArtiactTypes();
137 } catch (NoCurrentCaseException | TskCoreException ex) {
138 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetAllTagsArtifacts"));
139 logger.log(Level.SEVERE, "Failed get all possible tag names and artifact types", ex); //NON-NLS
140 return;
141 }
142 }
143
144 // Start the progress indicators for each active TableReportModule.
145 progressPanel.setIndeterminate(false);
146 progressPanel.setMaximumProgress(this.artifactTypes.size() + 2); // +2 for content and blackboard artifact tags
147
148 // report on the blackboard results
149 if (progressPanel.getStatus() != ReportProgressPanel.ReportStatus.CANCELED) {
150 makeBlackboardArtifactTables();
151 }
152
153 // report on the tagged files and artifacts
154 if (progressPanel.getStatus() != ReportProgressPanel.ReportStatus.CANCELED) {
155 makeContentTagsTables();
156 }
157
158 if (progressPanel.getStatus() != ReportProgressPanel.ReportStatus.CANCELED) {
159 makeBlackboardArtifactTagsTables();
160 }
161
162 if (progressPanel.getStatus() != ReportProgressPanel.ReportStatus.CANCELED) {
163 // report on the tagged images
164 makeThumbnailTable();
165 }
166 }
167
171 private void makeBlackboardArtifactTables() {
172 // Make a comment string describing the tag names filter in effect.
173 String comment = "";
174 if (!tagNamesFilter.isEmpty()) {
175 comment += NbBundle.getMessage(this.getClass(), "ReportGenerator.artifactTable.taggedResults.text");
176 comment += makeCommaSeparatedList(tagNamesFilter);
177 }
178
179 // Add a table to the report for every enabled blackboard artifact type.
180 for (BlackboardArtifact.Type type : artifactTypes) {
181 // Check for cancellaton.
182
183 if (progressPanel.getStatus() == ReportProgressPanel.ReportStatus.CANCELED) {
184 return;
185 }
186
187 progressPanel.updateStatusLabel(
188 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processing",
189 type.getDisplayName()));
190
191 // Keyword hits and hashset hit artifacts get special handling.
192 if (type.getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
193 writeKeywordHits(tableReport, comment, tagNamesFilter);
194 continue;
195 } else if (type.getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()) {
196 writeHashsetHits(tableReport, comment, tagNamesFilter);
197 continue;
198 }
199
200 List<ArtifactData> artifactList = getFilteredArtifacts(type, tagNamesFilter);
201
202 if (artifactList.isEmpty()) {
203 continue;
204 }
205
206 /*
207 * TSK_ACCOUNT artifacts get grouped by their TSK_ACCOUNT_TYPE
208 * attribute, and then handed off to the standard method for writing
209 * tables.
210 */
211 if (type.getTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
212 //Group account artifacts by their account type
213 ListMultimap<String, ArtifactData> groupedArtifacts = Multimaps.index(artifactList,
214 artifactData -> {
215 try {
216 return artifactData.getArtifact().getAttribute(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE)).getValueString();
217 } catch (TskCoreException ex) {
218 logger.log(Level.SEVERE, "Unable to get value of TSK_ACCOUNT_TYPE attribute. Defaulting to \"unknown\"", ex);
219 return "unknown";
220 }
221 });
222 for (String accountTypeStr : groupedArtifacts.keySet()) {
223 /*
224 * If the report is a HTMLReport, the data type name
225 * eventualy makes it to useDataTypeIcon which expects but
226 * does not require a artifact name, so we make a synthetic
227 * compund name by appending a ":" and the account type.
228 */
229 String accountDisplayname = accountTypeStr;
230 if (accountTypeStr != null) {
231 try {
232 Account.Type acctType = Case.getCurrentCaseThrows().getSleuthkitCase().getCommunicationsManager().getAccountType(accountTypeStr);
233 if (acctType != null) {
234 accountDisplayname = acctType.getDisplayName();
235 }
236 } catch (TskCoreException | NoCurrentCaseException ex) {
237 logger.log(Level.SEVERE, "Unable to get display name for account type " + accountTypeStr, ex);
238 }
239 }
240
241 final String compundDataTypeName = BlackboardArtifact.ARTIFACT_TYPE.TSK_ACCOUNT.getDisplayName() + ": " + accountDisplayname;
242 writeTableForDataType(new ArrayList<>(groupedArtifacts.get(accountTypeStr)), type, compundDataTypeName, comment);
243 }
244 } else {
245 //all other artifact types are sent to writeTableForDataType directly
246 writeTableForDataType(artifactList, type, type.getDisplayName(), comment);
247 }
248 }
249 }
250
261 private void writeTableForDataType(List<ArtifactData> artifactList, BlackboardArtifact.Type type, String tableName, String comment) {
262 /*
263 * Make a sorted set of all of the attribute types that are on any of
264 * the given artifacts.
265 */
266 Set<BlackboardAttribute.Type> attrTypeSet = new TreeSet<>(Comparator.comparing(BlackboardAttribute.Type::getDisplayName));
267 for (ArtifactData data : artifactList) {
268 List<BlackboardAttribute> attributes = data.getAttributes();
269 for (BlackboardAttribute attribute : attributes) {
270 attrTypeSet.add(attribute.getAttributeType());
271 }
272 }
273 /*
274 * Get the columns appropriate for the artifact type. This is used to
275 * get the data that will be in the cells below based on type, and
276 * display the column headers.
277 */
278 List<Column> columns = getArtifactTableColumns(type.getTypeID(), attrTypeSet);
279 if (columns.isEmpty()) {
280 return;
281 }
282 columnHeaderMap.put(type.getTypeID(), columns);
283
284 /*
285 * The artifact list is sorted now, as getting the row data is dependent
286 * on having the columns, which is necessary for sorting.
287 */
288 Collections.sort(artifactList);
289
290 tableReport.startDataType(tableName, comment);
291 tableReport.startTable(Lists.transform(columns, Column::getColumnHeader));
292
293 for (ArtifactData artifactData : artifactList) {
294 // Get the row data for this artifact, and has the
295 // module add it.
296 List<String> rowData = artifactData.getRow();
297 if (rowData.isEmpty()) {
298 return;
299 }
300
301 tableReport.addRow(rowData);
302 }
303 // Finish up this data type
304 progressPanel.increment();
305 tableReport.endTable();
306 tableReport.endDataType();
307 }
308
312 @Messages({"ReportGenerator.tagTable.header.userName=User Name"})
313 @SuppressWarnings("deprecation")
314 private void makeContentTagsTables() {
315
316 // Get the content tags.
317 List<ContentTag> tags;
318 try {
319 tags = Case.getCurrentCaseThrows().getServices().getTagsManager().getAllContentTags();
320 } catch (TskCoreException | NoCurrentCaseException ex) {
321 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetContentTags"));
322 logger.log(Level.SEVERE, "failed to get content tags", ex); //NON-NLS
323 return;
324 }
325
326 // Tell the modules reporting on content tags is beginning.
327 // @@@ This casting is a tricky little workaround to allow the HTML report module to slip in a content hyperlink.
328 // @@@ Alos Using the obsolete ARTIFACT_TYPE.TSK_TAG_FILE is also an expedient hack.
329 progressPanel.updateStatusLabel(
330 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processing",
331 BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE.getDisplayName()));
332 ArrayList<String> columnHeaders = new ArrayList<>(Arrays.asList(
333 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.tag"),
334 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.file"),
335 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.comment"),
336 NbBundle.getMessage(this.getClass(), "ReportGenerator.tagTable.header.userName"),
337 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.timeModified"),
338 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.timeChanged"),
339 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.timeAccessed"),
340 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.timeCreated"),
341 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.size"),
342 NbBundle.getMessage(this.getClass(), "ReportGenerator.htmlOutput.header.hash")));
343
344 StringBuilder comment = new StringBuilder();
345 if (!tagNamesFilter.isEmpty()) {
346 comment.append(
347 NbBundle.getMessage(this.getClass(), "ReportGenerator.makeContTagTab.taggedFiles.msg"));
348 comment.append(makeCommaSeparatedList(tagNamesFilter));
349 }
350 if (tableReport instanceof HTMLReport) {
351 HTMLReport htmlReportModule = (HTMLReport) tableReport;
352 htmlReportModule.startDataType(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE.getDisplayName(), comment.toString());
353 htmlReportModule.startContentTagsTable(columnHeaders);
354 } else {
355 tableReport.startDataType(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_FILE.getDisplayName(), comment.toString());
356 tableReport.startTable(columnHeaders);
357 }
358
359 // Give the modules the rows for the content tags.
360 for (ContentTag tag : tags) {
361 try {
362 if (shouldFilterFromReport(tag.getContent())) {
363 continue;
364 }
365 } catch (TskCoreException ex) {
366 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetContentTags"));
367 logger.log(Level.SEVERE, "Failed to access content data from the case database.", ex); //NON-NLS
368 return;
369 }
370
371 // skip tags that we are not reporting on
372 String notableString = tag.getName().getTagType() == TskData.TagType.BAD ? TagsManager.getNotableTagLabel() : "";
373 if (passesTagNamesFilter(tag.getName().getDisplayName() + notableString) == false) {
374 continue;
375 }
376
377 String fileName;
378 try {
379 fileName = tag.getContent().getUniquePath();
380 } catch (TskCoreException ex) {
381 fileName = tag.getContent().getName();
382 }
383
384 ArrayList<String> rowData = new ArrayList<>(Arrays.asList(tag.getName().getDisplayName() + notableString, fileName, tag.getComment(), tag.getUserName()));
385 Content content = tag.getContent();
386 if (content instanceof AbstractFile) {
387 AbstractFile file = (AbstractFile) content;
388
389 // Add metadata about the file to HTML output
390 rowData.add(file.getMtimeAsDate());
391 rowData.add(file.getCtimeAsDate());
392 rowData.add(file.getAtimeAsDate());
393 rowData.add(file.getCrtimeAsDate());
394 rowData.add(Long.toString(file.getSize()));
395 rowData.add(file.getMd5Hash());
396 }
397 // @@@ This casting is a tricky little workaround to allow the HTML report module to slip in a content hyperlink.
398 if (tableReport instanceof HTMLReport) {
399 HTMLReport htmlReportModule = (HTMLReport) tableReport;
400 htmlReportModule.addRowWithTaggedContentHyperlink(rowData, tag);
401 } else {
402 tableReport.addRow(rowData);
403 }
404
405 // see if it is for an image so that we later report on it
406 checkIfTagHasImage(tag);
407 }
408
409 // The the modules content tags reporting is ended.
410 progressPanel.increment();
411 tableReport.endTable();
412 tableReport.endDataType();
413 }
414
418 @SuppressWarnings("deprecation")
419 @Messages({
420 "ReportGenerator.errList.failedGetBBArtifactTags=Failed to get result tags."
421 })
422 private void makeBlackboardArtifactTagsTables() {
423
424 List<BlackboardArtifactTag> tags;
425 try {
426 tags = Case.getCurrentCaseThrows().getServices().getTagsManager().getAllBlackboardArtifactTags();
427 } catch (TskCoreException | NoCurrentCaseException ex) {
428 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetBBArtifactTags"));
429 logger.log(Level.SEVERE, "failed to get blackboard artifact tags", ex); //NON-NLS
430 return;
431 }
432
433 // Tell the modules reporting on blackboard artifact tags data type is beginning.
434 // @@@ Using the obsolete ARTIFACT_TYPE.TSK_TAG_ARTIFACT is an expedient hack.
435 progressPanel.updateStatusLabel(
436 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processing",
437 BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getDisplayName()));
438 StringBuilder comment = new StringBuilder();
439 if (!tagNamesFilter.isEmpty()) {
440 comment.append(
441 NbBundle.getMessage(this.getClass(), "ReportGenerator.makeBbArtTagTab.taggedRes.msg"));
442 comment.append(makeCommaSeparatedList(tagNamesFilter));
443 }
444 tableReport.startDataType(BlackboardArtifact.ARTIFACT_TYPE.TSK_TAG_ARTIFACT.getDisplayName(), comment.toString());
445 tableReport.startTable(new ArrayList<>(Arrays.asList(
446 NbBundle.getMessage(this.getClass(), "ReportGenerator.tagTable.header.resultType"),
447 NbBundle.getMessage(this.getClass(), "ReportGenerator.tagTable.header.tag"),
448 NbBundle.getMessage(this.getClass(), "ReportGenerator.tagTable.header.comment"),
449 NbBundle.getMessage(this.getClass(), "ReportGenerator.tagTable.header.srcFile"),
450 NbBundle.getMessage(this.getClass(), "ReportGenerator.tagTable.header.userName"))));
451
452 // Give the modules the rows for the content tags.
453 for (BlackboardArtifactTag tag : tags) {
454 try {
455 if (shouldFilterFromReport(tag.getContent())) {
456 continue;
457 }
458 } catch (TskCoreException ex) {
459 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetBBArtifactTags"));
460 logger.log(Level.SEVERE, "Failed to access content data from the case database.", ex); //NON-NLS
461 return;
462 }
463
464 String notableString = tag.getName().getTagType() == TskData.TagType.BAD ? TagsManager.getNotableTagLabel() : "";
465 if (passesTagNamesFilter(tag.getName().getDisplayName() + notableString) == false) {
466 continue;
467 }
468
469 List<String> row;
470 row = new ArrayList<>(Arrays.asList(tag.getArtifact().getArtifactTypeName(), tag.getName().getDisplayName() + notableString,
471 tag.getComment(), tag.getContent().getName(), tag.getUserName()));
472 tableReport.addRow(row);
473
474 // check if the tag is an image that we should later make a thumbnail for
475 checkIfTagHasImage(tag);
476 }
477
478 // The the modules blackboard artifact tags reporting is ended.
479 progressPanel.increment();
480 tableReport.endTable();
481 tableReport.endDataType();
482 }
483
491 private boolean passesTagNamesFilter(String tagName) {
492 return tagNamesFilter.isEmpty() || tagNamesFilter.contains(tagName);
493 }
494
498 private void makeThumbnailTable() {
499 progressPanel.updateStatusLabel(
500 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.createdThumb.text"));
501
502 if (tableReport instanceof HTMLReport) {
503 HTMLReport htmlModule = (HTMLReport) tableReport;
504 htmlModule.startDataType(
505 NbBundle.getMessage(this.getClass(), "ReportGenerator.thumbnailTable.name"),
506 NbBundle.getMessage(this.getClass(), "ReportGenerator.thumbnailTable.desc"));
507 List<String> emptyHeaders = new ArrayList<>();
508 for (int i = 0; i < HTMLReport.THUMBNAIL_COLUMNS; i++) {
509 emptyHeaders.add("");
510 }
511 htmlModule.startTable(emptyHeaders);
512
513 htmlModule.addThumbnailRows(images);
514
515 htmlModule.endTable();
516 htmlModule.endDataType();
517 }
518
519 }
520
527 private void checkIfTagHasImage(BlackboardArtifactTag artifactTag) {
528 AbstractFile file;
529 try {
530 file = Case.getCurrentCaseThrows().getSleuthkitCase().getAbstractFileById(artifactTag.getArtifact().getObjectID());
531 } catch (TskCoreException | NoCurrentCaseException ex) {
532 errorList.add(
533 NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.errGetContentFromBBArtifact"));
534 logger.log(Level.WARNING, "Error while getting content from a blackboard artifact to report on.", ex); //NON-NLS
535 return;
536 }
537
538 if (file != null) {
539 checkIfFileIsImage(file);
540 }
541 }
542
550 private void checkIfTagHasImage(ContentTag contentTag) {
551 Content c = contentTag.getContent();
552 if (c instanceof AbstractFile == false) {
553 return;
554 }
555 checkIfFileIsImage((AbstractFile) c);
556 }
557
563 private void checkIfFileIsImage(AbstractFile file) {
564
565 if (file.isDir()
566 || file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS
567 || file.getType() == TskData.TSK_DB_FILES_TYPE_ENUM.UNUSED_BLOCKS) {
568 return;
569 }
570
571 if (ImageUtils.thumbnailSupported(file)) {
572 images.add(file);
573 }
574 }
575
584 private String makeCommaSeparatedList(Collection<String> items) {
585 String list = "";
586 for (Iterator<String> iterator = items.iterator(); iterator.hasNext();) {
587 list += iterator.next() + (iterator.hasNext() ? ", " : "");
588 }
589 return list;
590 }
591
597 @SuppressWarnings("deprecation")
598 @NbBundle.Messages({"ReportGenerator.errList.noOpenCase=No open case available."})
599 private void writeKeywordHits(TableReportModule tableModule, String comment, HashSet<String> tagNamesFilter) {
600
601 // Query for keyword lists-only so that we can tell modules what lists
602 // will exist for their index.
603 // @@@ There is a bug in here. We should use the tags in the below code
604 // so that we only report the lists that we will later provide with real
605 // hits. If no keyord hits are tagged, then we make the page for nothing.
606 String orderByClause;
607 Case openCase;
608 try {
609 openCase = Case.getCurrentCaseThrows();
610 } catch (NoCurrentCaseException ex) {
611 errorList.add(Bundle.ReportGenerator_errList_noOpenCase());
612 logger.log(Level.SEVERE, "Exception while getting open case: ", ex); //NON-NLS
613 return;
614 }
615
616 // Get a list of all selected tag IDs
617 String tagIDList = "";
618 if (!tagNamesFilter.isEmpty()) {
619 try {
620 Map<String, TagName> tagNamesMap = Case.getCurrentCaseThrows().getServices().getTagsManager().getDisplayNamesToTagNamesMap();
621 for (String tagDisplayName : tagNamesFilter) {
622 if (tagNamesMap.containsKey(tagDisplayName)) {
623 if (!tagIDList.isEmpty()) {
624 tagIDList += ",";
625 }
626 tagIDList += tagNamesMap.get(tagDisplayName).getId();
627 } else {
628 // If the tag name ends with "(Notable)", try stripping that off
629 if (tagDisplayName.endsWith(getNotableTagLabel())) {
630 String editedDisplayName = tagDisplayName.substring(0, tagDisplayName.length() - getNotableTagLabel().length());
631 if (tagNamesMap.containsKey(editedDisplayName)) {
632 if (!tagIDList.isEmpty()) {
633 tagIDList += ",";
634 }
635 tagIDList += tagNamesMap.get(editedDisplayName).getId();
636 }
637 }
638 }
639 }
640 } catch (NoCurrentCaseException | TskCoreException ex) {
641 logger.log(Level.SEVERE, "Exception while getting tag info - proceeding without tag filter: ", ex); //NON-NLS
642 tagIDList = "";
643 }
644 }
645
646 // Check if there are any ad-hoc results
647 String adHocCountQuery = "SELECT COUNT(*) FROM "
648 + //NON-NLS
649 "(SELECT art.artifact_id FROM blackboard_artifacts AS art, blackboard_attributes AS att1 ";//NON-NLS
650 if (!tagIDList.isEmpty()) {
651 adHocCountQuery += ", blackboard_artifact_tags as tag "; //NON-NLS
652 }
653 adHocCountQuery += "WHERE (att1.artifact_id = art.artifact_id) AND (art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") "; // NON-NLS
654 if (!tagIDList.isEmpty()) {
655 adHocCountQuery += " AND (art.artifact_id = tag.artifact_id) AND (tag.tag_name_id IN (" + tagIDList + ")) "; //NON-NLS
656 }
657 adHocCountQuery += "EXCEPT "
658 + // NON-NLS
659 "SELECT art.artifact_id FROM blackboard_artifacts AS art, blackboard_attributes AS att1 WHERE (att1.artifact_id = art.artifact_id) AND (art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") AND (att1.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ")) AS adHocHits"; //NON-NLS
660
661 int adHocCount = 0;
662 try (SleuthkitCase.CaseDbQuery dbQuery = openCase.getSleuthkitCase().executeQuery(adHocCountQuery)) {
663 ResultSet adHocCountResultSet = dbQuery.getResultSet();
664 if (adHocCountResultSet.next()) {
665 adHocCount = adHocCountResultSet.getInt(1); //NON-NLS
666 } else {
667 throw new TskCoreException("Error counting ad hoc keywords");
668 }
669 } catch (TskCoreException | SQLException ex) {
670 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryKWLists"));
671 logger.log(Level.SEVERE, "Failed to count ad hoc searches with query " + adHocCountQuery, ex); //NON-NLS
672 return;
673 }
674
675 // Create the query to get the keyword list names
676 if (openCase.getCaseType() == Case.CaseType.MULTI_USER_CASE) {
677 orderByClause = "ORDER BY convert_to(list, 'SQL_ASCII') ASC NULLS FIRST"; //NON-NLS
678 } else {
679 orderByClause = "ORDER BY list ASC"; //NON-NLS
680 }
681 String keywordListQuery
682 = "SELECT att.value_text AS list "
683 + //NON-NLS
684 "FROM blackboard_attributes AS att, blackboard_artifacts AS art "; // NON-NLS
685 if (!tagIDList.isEmpty()) {
686 keywordListQuery += ", blackboard_artifact_tags as tag "; //NON-NLS
687 }
688 keywordListQuery += "WHERE att.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " "
689 + //NON-NLS
690 "AND art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + " "
691 + //NON-NLS
692 "AND att.artifact_id = art.artifact_id ";
693 if (!tagIDList.isEmpty()) {
694 keywordListQuery += "AND (art.artifact_id = tag.artifact_id) "
695 + //NON-NLS
696 "AND (tag.tag_name_id IN (" + tagIDList + ")) "; //NON-NLS
697 }
698 if (adHocCount > 0) {
699 keywordListQuery += " UNION SELECT \'\' AS list ";
700 }
701 keywordListQuery = "SELECT * FROM ( " + keywordListQuery + " ) kwListNames ";
702 keywordListQuery += "GROUP BY list " + orderByClause; //NON-NLS
703
704 // Make the table of contents links for each list type
705 try (SleuthkitCase.CaseDbQuery dbQuery = openCase.getSleuthkitCase().executeQuery(keywordListQuery)) {
706 ResultSet listsRs = dbQuery.getResultSet();
707 List<String> lists = new ArrayList<>();
708 while (listsRs.next()) {
709 String list = listsRs.getString("list"); //NON-NLS
710 if (list.isEmpty()) {
711 list = NbBundle.getMessage(this.getClass(), "ReportGenerator.writeKwHits.userSrchs");
712 }
713 lists.add(list);
714 }
715
716 // Make keyword data type and give them set index
717 tableModule.startDataType(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName(), comment);
718 tableModule.addSetIndex(lists);
719 progressPanel.updateStatusLabel(
720 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processing",
721 BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName()));
722 } catch (TskCoreException | SQLException ex) {
723 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryKWLists"));
724 logger.log(Level.SEVERE, "Failed to query keyword lists with query " + keywordListQuery, ex); //NON-NLS
725 return;
726 }
727
728 // Query for keywords, grouped by list
729 if (openCase.getCaseType() == Case.CaseType.MULTI_USER_CASE) {
730 orderByClause = "ORDER BY convert_to(list, 'SQL_ASCII') ASC NULLS FIRST, " //NON-NLS
731 + "convert_to(keyword, 'SQL_ASCII') ASC NULLS FIRST, " //NON-NLS
732 + "convert_to(parent_path, 'SQL_ASCII') ASC NULLS FIRST, " //NON-NLS
733 + "convert_to(name, 'SQL_ASCII') ASC NULLS FIRST, " //NON-NLS
734 + "convert_to(preview, 'SQL_ASCII') ASC NULLS FIRST"; //NON-NLS
735 } else {
736 orderByClause = "ORDER BY list ASC, keyword ASC, parent_path ASC, name ASC, preview ASC"; //NON-NLS
737 }
738
739 // Query for keywords that are part of a list
740 String keywordListsQuery
741 = "SELECT art.artifact_id AS artifact_id, art.obj_id AS obj_id, att1.value_text AS keyword, att2.value_text AS preview, att3.value_text AS list, f.name AS name, f.parent_path AS parent_path "
742 + //NON-NLS
743 "FROM blackboard_artifacts AS art, blackboard_attributes AS att1, blackboard_attributes AS att2, blackboard_attributes AS att3, tsk_files AS f "
744 + //NON-NLS
745 "WHERE (att1.artifact_id = art.artifact_id) "
746 + //NON-NLS
747 "AND (att2.artifact_id = art.artifact_id) "
748 + //NON-NLS
749 "AND (att3.artifact_id = art.artifact_id) "
750 + //NON-NLS
751 "AND (f.obj_id = art.obj_id) "
752 + //NON-NLS
753 "AND (att1.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID() + ") "
754 + //NON-NLS
755 "AND (att2.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID() + ") "
756 + //NON-NLS
757 "AND (att3.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ") "
758 + //NON-NLS
759 "AND (art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") ";
760
761 // Query for keywords that are not part of a list
762 String keywordAdHocQuery
763 = "SELECT art.artifact_id AS artifact_id, art.obj_id AS obj_id, att1.value_text AS keyword, att2.value_text AS preview, \'\' AS list, f.name AS name, f.parent_path AS parent_path "
764 + // NON-NLS
765 "FROM blackboard_artifacts AS art, blackboard_attributes AS att1, blackboard_attributes AS att2, tsk_files AS f "
766 + // NON-NLS
767 "WHERE "
768 + // NON-NLS
769 " (art.artifact_id IN (SELECT art.artifact_id FROM blackboard_artifacts AS art, blackboard_attributes AS att1 WHERE (att1.artifact_id = art.artifact_id) AND (art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") "
770 + // NON-NLS
771 "EXCEPT "
772 + // NON-NLS
773 "SELECT art.artifact_id FROM blackboard_artifacts AS art, blackboard_attributes AS att1 WHERE (att1.artifact_id = art.artifact_id) AND (art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") AND (att1.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + "))) "
774 + //NON-NLS
775 "AND (att1.artifact_id = art.artifact_id) "
776 + //NON-NLS
777 "AND (att2.artifact_id = art.artifact_id) "
778 + //NON-NLS
779 "AND (f.obj_id = art.obj_id) "
780 + //NON-NLS
781 "AND (att1.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD.getTypeID() + ") "
782 + // NON-NLS
783 "AND (att2.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_PREVIEW.getTypeID() + ") "
784 + // NON-NLS
785 "AND (art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() + ") "; // NON-NLS
786
787 String keywordsQuery = "SELECT * FROM ( " + keywordListsQuery + " UNION " + keywordAdHocQuery + " ) kwHits " + orderByClause;
788
789 try (SleuthkitCase.CaseDbQuery dbQuery = openCase.getSleuthkitCase().executeQuery(keywordsQuery)) {
790 ResultSet resultSet = dbQuery.getResultSet();
791
792 String currentKeyword = "";
793 String currentList = "";
794 while (resultSet.next()) {
795 // Check to see if all the TableReportModules have been canceled
796 if (progressPanel.getStatus() == ReportProgressPanel.ReportStatus.CANCELED) {
797 break;
798 }
799
800 // Get any tags that associated with this artifact and apply the tag filter.
801 HashSet<String> uniqueTagNames = getUniqueTagNames(resultSet.getLong("artifact_id")); //NON-NLS
802 if (failsTagFilter(uniqueTagNames, tagNamesFilter)) {
803 continue;
804 }
805 String tagsList = makeCommaSeparatedList(uniqueTagNames);
806
807 Long objId = resultSet.getLong("obj_id"); //NON-NLS
808 String keyword = resultSet.getString("keyword"); //NON-NLS
809 String preview = resultSet.getString("preview"); //NON-NLS
810 String list = resultSet.getString("list"); //NON-NLS
811 String uniquePath = "";
812
813 try {
814 AbstractFile f = openCase.getSleuthkitCase().getAbstractFileById(objId);
815 if (f != null) {
816 uniquePath = openCase.getSleuthkitCase().getAbstractFileById(objId).getUniquePath();
817 if (shouldFilterFromReport(f)) {
818 continue;
819 }
820 }
821 } catch (TskCoreException ex) {
822 errorList.add(
823 NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetAbstractFileByID"));
824 logger.log(Level.WARNING, "Failed to get Abstract File by ID.", ex); //NON-NLS
825 }
826
827 // If the lists aren't the same, we've started a new list
828 if ((!list.equals(currentList) && !list.isEmpty()) || (list.isEmpty() && !currentList.equals(
829 NbBundle.getMessage(this.getClass(), "ReportGenerator.writeKwHits.userSrchs")))) {
830 if (!currentList.isEmpty()) {
831 tableModule.endTable();
832 tableModule.endSet();
833 }
834 currentList = list.isEmpty() ? NbBundle
835 .getMessage(this.getClass(), "ReportGenerator.writeKwHits.userSrchs") : list;
836 currentKeyword = ""; // reset the current keyword because it's a new list
837 tableModule.startSet(currentList);
838 progressPanel.updateStatusLabel(
839 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processingList",
840 BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName(), currentList));
841 }
842 if (!keyword.equals(currentKeyword)) {
843 // End the previous table if one exists.
844 if (!currentKeyword.equals("")) {
845 tableModule.endTable();
846 }
847
848 // Prepare for a new table.
849 currentKeyword = keyword;
850 tableModule.addSetElement(currentKeyword);
851 List<String> columnHeaderNames = new ArrayList<>();
852 columnHeaderNames.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.preview"));
853 columnHeaderNames.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile"));
854 columnHeaderNames.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tags"));
855 tableModule.startTable(columnHeaderNames);
856 }
857
858 tableModule.addRow(Arrays.asList(new String[]{preview, uniquePath, tagsList}));
859 }
860
861 // End the previous table if one exists.
862 if (!currentKeyword.isEmpty()) {
863 tableModule.endTable();
864 }
865
866 // Finish the current data type
867 progressPanel.increment();
868 tableModule.endDataType();
869 } catch (TskCoreException | SQLException ex) {
870 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryKWs"));
871 logger.log(Level.SEVERE, "Failed to query keywords with query " + keywordsQuery, ex); //NON-NLS
872 }
873 }
874
880 @SuppressWarnings("deprecation")
881 private void writeHashsetHits(TableReportModule tableModule, String comment, HashSet<String> tagNamesFilter) {
882 String orderByClause;
883 Case openCase;
884 try {
885 openCase = Case.getCurrentCaseThrows();
886 } catch (NoCurrentCaseException ex) {
887 errorList.add(Bundle.ReportGenerator_errList_noOpenCase());
888 logger.log(Level.SEVERE, "Exception while getting open case: ", ex); //NON-NLS
889 return;
890 }
891 if (openCase.getCaseType() == Case.CaseType.MULTI_USER_CASE) {
892 orderByClause = "ORDER BY convert_to(att.value_text, 'SQL_ASCII') ASC NULLS FIRST"; //NON-NLS
893 } else {
894 orderByClause = "ORDER BY att.value_text ASC"; //NON-NLS
895 }
896 String hashsetsQuery
897 = "SELECT att.value_text AS list "
898 + //NON-NLS
899 "FROM blackboard_attributes AS att, blackboard_artifacts AS art "
900 + //NON-NLS
901 "WHERE att.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + " "
902 + //NON-NLS
903 "AND art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() + " "
904 + //NON-NLS
905 "AND att.artifact_id = art.artifact_id "
906 + //NON-NLS
907 "GROUP BY list " + orderByClause; //NON-NLS
908
909 try (SleuthkitCase.CaseDbQuery dbQuery = openCase.getSleuthkitCase().executeQuery(hashsetsQuery)) {
910 // Query for hashsets
911 ResultSet listsRs = dbQuery.getResultSet();
912 List<String> lists = new ArrayList<>();
913 while (listsRs.next()) {
914 lists.add(listsRs.getString("list")); //NON-NLS
915 }
916
917 tableModule.startDataType(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName(), comment);
918 tableModule.addSetIndex(lists);
919 progressPanel.updateStatusLabel(
920 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processing",
921 BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName()));
922 } catch (TskCoreException | SQLException ex) {
923 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryHashsetLists"));
924 logger.log(Level.SEVERE, "Failed to query hashset lists: ", ex); //NON-NLS
925 return;
926 }
927
928 if (openCase.getCaseType() == Case.CaseType.MULTI_USER_CASE) {
929 orderByClause = "ORDER BY convert_to(att.value_text, 'SQL_ASCII') ASC NULLS FIRST, " //NON-NLS
930 + "convert_to(f.parent_path, 'SQL_ASCII') ASC NULLS FIRST, " //NON-NLS
931 + "convert_to(f.name, 'SQL_ASCII') ASC NULLS FIRST, " //NON-NLS
932 + "size ASC NULLS FIRST"; //NON-NLS
933 } else {
934 orderByClause = "ORDER BY att.value_text ASC, f.parent_path ASC, f.name ASC, size ASC"; //NON-NLS
935 }
936 String hashsetHitsQuery
937 = "SELECT art.artifact_id, art.obj_id, att.value_text AS setname, f.name AS name, f.size AS size, f.parent_path AS parent_path "
938 + //NON-NLS
939 "FROM blackboard_artifacts AS art, blackboard_attributes AS att, tsk_files AS f "
940 + //NON-NLS
941 "WHERE (att.artifact_id = art.artifact_id) "
942 + //NON-NLS
943 "AND (f.obj_id = art.obj_id) "
944 + //NON-NLS
945 "AND (att.attribute_type_id = " + BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME.getTypeID() + ") "
946 + //NON-NLS
947 "AND (art.artifact_type_id = " + BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() + ") "
948 + //NON-NLS
949 orderByClause; //NON-NLS
950
951 try (SleuthkitCase.CaseDbQuery dbQuery = openCase.getSleuthkitCase().executeQuery(hashsetHitsQuery)) {
952 // Query for hashset hits
953 ResultSet resultSet = dbQuery.getResultSet();
954 String currentSet = "";
955 while (resultSet.next()) {
956 // Check to see if all the TableReportModules have been canceled
957 if (progressPanel.getStatus() == ReportProgressPanel.ReportStatus.CANCELED) {
958 break;
959 }
960
961 // Get any tags that associated with this artifact and apply the tag filter.
962 HashSet<String> uniqueTagNames = getUniqueTagNames(resultSet.getLong("artifact_id")); //NON-NLS
963 if (failsTagFilter(uniqueTagNames, tagNamesFilter)) {
964 continue;
965 }
966 String tagsList = makeCommaSeparatedList(uniqueTagNames);
967
968 Long objId = resultSet.getLong("obj_id"); //NON-NLS
969 String set = resultSet.getString("setname"); //NON-NLS
970 String size = resultSet.getString("size"); //NON-NLS
971 String uniquePath = "";
972
973 try {
974 AbstractFile f = openCase.getSleuthkitCase().getAbstractFileById(objId);
975 if (f != null) {
976 uniquePath = openCase.getSleuthkitCase().getAbstractFileById(objId).getUniquePath();
977 if (shouldFilterFromReport(f)) {
978 continue;
979 }
980 }
981 } catch (TskCoreException ex) {
982 errorList.add(
983 NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetAbstractFileFromID"));
984 logger.log(Level.WARNING, "Failed to get Abstract File from ID.", ex); //NON-NLS
985 return;
986 }
987
988 // If the sets aren't the same, we've started a new set
989 if (!set.equals(currentSet)) {
990 if (!currentSet.isEmpty()) {
991 tableModule.endTable();
992 tableModule.endSet();
993 }
994 currentSet = set;
995 tableModule.startSet(currentSet);
996 List<String> columnHeaderNames = new ArrayList<>();
997 columnHeaderNames.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.file"));
998 columnHeaderNames.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.size"));
999 columnHeaderNames.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tags"));
1000 tableModule.startTable(columnHeaderNames);
1001 progressPanel.updateStatusLabel(
1002 NbBundle.getMessage(this.getClass(), "ReportGenerator.progress.processingList",
1003 BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName(), currentSet));
1004 }
1005
1006 // Add a row for this hit to every module
1007 tableModule.addRow(Arrays.asList(new String[]{uniquePath, size, tagsList}));
1008 }
1009
1010 // Finish the current data type
1011 progressPanel.increment();
1012 tableModule.endDataType();
1013 } catch (TskCoreException | SQLException ex) {
1014 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedQueryHashsetHits"));
1015 logger.log(Level.SEVERE, "Failed to query hashsets hits: ", ex); //NON-NLS
1016 }
1017 }
1018
1022 List<String> getErrorList() {
1023 return errorList;
1024 }
1025
1030 private class ArtifactData implements Comparable<ArtifactData> {
1031
1032 private BlackboardArtifact artifact;
1033 private List<BlackboardAttribute> attributes;
1034 private HashSet<String> tags;
1035 private List<String> rowData = null;
1036 private Content content;
1037
1038 ArtifactData(BlackboardArtifact artifact, List<BlackboardAttribute> attrs, HashSet<String> tags) {
1039 this.artifact = artifact;
1040 this.attributes = attrs;
1041 this.tags = tags;
1042 try {
1043 this.content = Case.getCurrentCaseThrows().getSleuthkitCase().getContentById(artifact.getObjectID());
1044 } catch (TskCoreException | NoCurrentCaseException ex) {
1045 logger.log(Level.SEVERE, "Could not get content from database", ex);
1046 }
1047 }
1048
1049 public BlackboardArtifact getArtifact() {
1050 return artifact;
1051 }
1052
1053 public List<BlackboardAttribute> getAttributes() {
1054 return attributes;
1055 }
1056
1057 public HashSet<String> getTags() {
1058 return tags;
1059 }
1060
1061 public long getArtifactID() {
1062 return artifact.getArtifactID();
1063 }
1064
1065 public long getObjectID() {
1066 return artifact.getObjectID();
1067 }
1068
1072 public Content getContent() {
1073 return content;
1074 }
1075
1085 @Override
1086 public int compareTo(ArtifactData otherArtifactData) {
1087 List<String> thisRow = getRow();
1088 List<String> otherRow = otherArtifactData.getRow();
1089 for (int i = 0; i < thisRow.size(); i++) {
1090 int compare = thisRow.get(i).compareTo(otherRow.get(i));
1091 if (compare != 0) {
1092 return compare;
1093 }
1094 }
1095 return ((Long) this.getArtifactID()).compareTo(otherArtifactData.getArtifactID());
1096 }
1097
1105 public List<String> getRow() {
1106 if (rowData == null) {
1107 try {
1108 rowData = getOrderedRowDataAsStrings();
1109 // If else is done so that row data is not set before
1110 // columns are added to the hash map.
1111 if (rowData.size() > 0) {
1112 // replace null values if attribute was not defined
1113 for (int i = 0; i < rowData.size(); i++) {
1114 if (rowData.get(i) == null) {
1115 rowData.set(i, "");
1116 }
1117 }
1118 } else {
1119 rowData = null;
1120 return new ArrayList<>();
1121 }
1122 } catch (TskCoreException ex) {
1123 errorList.add(
1124 NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.coreExceptionWhileGenRptRow"));
1125 logger.log(Level.WARNING, "Core exception while generating row data for artifact report.", ex); //NON-NLS
1126 rowData = Collections.<String>emptyList();
1127 }
1128 }
1129 return rowData;
1130 }
1131
1144 @SuppressWarnings("deprecation")
1145 private List<String> getOrderedRowDataAsStrings() throws TskCoreException {
1146
1147 List<String> orderedRowData = new ArrayList<>();
1148 if (BlackboardArtifact.ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED.getTypeID() == getArtifact().getArtifactTypeID()) {
1149 if (content != null && content instanceof AbstractFile) {
1150 AbstractFile file = (AbstractFile) content;
1151 orderedRowData.add(file.getName());
1152 orderedRowData.add(file.getNameExtension());
1153 String mimeType = file.getMIMEType();
1154 if (mimeType == null) {
1155 orderedRowData.add("");
1156 } else {
1157 orderedRowData.add(mimeType);
1158 }
1159 orderedRowData.add(file.getUniquePath());
1160 } else {
1161 // Make empty rows to make sure the formatting is correct
1162 orderedRowData.add(null);
1163 orderedRowData.add(null);
1164 orderedRowData.add(null);
1165 orderedRowData.add(null);
1166 }
1167 orderedRowData.add(makeCommaSeparatedList(getTags()));
1168
1169 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() == getArtifact().getArtifactTypeID()
1170 || BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() == getArtifact().getArtifactTypeID()) {
1171 String[] attributeDataArray = new String[7];
1172 // Array is used so that order of the attributes is maintained.
1173 for (BlackboardAttribute attr : attributes) {
1174 if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME))) {
1175 attributeDataArray[0] = attr.getDisplayString();
1176 } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY))) {
1177 attributeDataArray[1] = attr.getDisplayString();
1178 } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT))) {
1179 attributeDataArray[3] = attr.getDisplayString();
1180 } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION))) {
1181 attributeDataArray[4] = attr.getDisplayString();
1182 } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT))) {
1183 attributeDataArray[5] = attr.getDisplayString();
1184 } else if (attr.getAttributeType().equals(new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME))) {
1185 attributeDataArray[6] = attr.getDisplayString();
1186 }
1187 }
1188
1189 attributeDataArray[2] = content.getUniquePath();
1190 orderedRowData.addAll(Arrays.asList(attributeDataArray));
1191
1192 HashSet<String> allTags = getTags();
1193 try {
1194 List<ContentTag> contentTags = Case.getCurrentCaseThrows().getServices().getTagsManager().getContentTagsByContent(content);
1195 for (ContentTag ct : contentTags) {
1196 String notableString = ct.getName().getTagType() == TskData.TagType.BAD ? TagsManager.getNotableTagLabel() : "";
1197 allTags.add(ct.getName().getDisplayName() + notableString);
1198 }
1199 } catch (TskCoreException | NoCurrentCaseException ex) {
1200 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetContentTags"));
1201 logger.log(Level.SEVERE, "Failed to get content tags", ex); //NON-NLS
1202 }
1203 orderedRowData.add(makeCommaSeparatedList(allTags));
1204
1205 } else if (columnHeaderMap.containsKey(this.artifact.getArtifactTypeID())) {
1206
1207 for (Column currColumn : columnHeaderMap.get(this.artifact.getArtifactTypeID())) {
1208 String cellData = currColumn.getCellData(this);
1209 orderedRowData.add(cellData);
1210 }
1211 }
1212
1213 return orderedRowData;
1214 }
1215
1216 }
1217
1227 private List<ArtifactData> getFilteredArtifacts(BlackboardArtifact.Type type, HashSet<String> tagNamesFilter) {
1228 List<ArtifactData> artifacts = new ArrayList<>();
1229 try {
1230 List<Long> dsIds = settings.getSelectedDataSources() != null
1231 ? settings.getSelectedDataSources()
1232 : Case.getCurrentCaseThrows().getSleuthkitCase().getDataSources().stream().map(DataSource::getId).collect(Collectors.toList());
1233
1234 for (BlackboardArtifact artifact : Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard().getArtifacts(Collections.singletonList(type), dsIds)) {
1235 if (shouldFilterFromReport(artifact)) {
1236 continue;
1237 }
1238
1239 List<BlackboardArtifactTag> tags = Case.getCurrentCaseThrows().getServices().getTagsManager().getBlackboardArtifactTagsByArtifact(artifact);
1240 HashSet<String> uniqueTagNames = new HashSet<>();
1241 for (BlackboardArtifactTag tag : tags) {
1242 String notableString = tag.getName().getTagType() == TskData.TagType.BAD ? TagsManager.getNotableTagLabel() : "";
1243 uniqueTagNames.add(tag.getName().getDisplayName() + notableString);
1244 }
1245 if (failsTagFilter(uniqueTagNames, tagNamesFilter)) {
1246 continue;
1247 }
1248 try {
1249 artifacts.add(new ArtifactData(artifact, Case.getCurrentCaseThrows().getSleuthkitCase().getBlackboard().getBlackboardAttributes(artifact), uniqueTagNames));
1250 } catch (TskCoreException ex) {
1251 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetBBAttribs"));
1252 logger.log(Level.SEVERE, "Failed to get Blackboard Attributes when generating report.", ex); //NON-NLS
1253 }
1254 }
1255 } catch (TskCoreException | NoCurrentCaseException ex) {
1256 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetBBArtifacts"));
1257 logger.log(Level.SEVERE, "Failed to get Blackboard Artifacts when generating report.", ex); //NON-NLS
1258 }
1259 return artifacts;
1260 }
1261
1262 private Boolean failsTagFilter(HashSet<String> tagNames, HashSet<String> tagsNamesFilter) {
1263 if (null == tagsNamesFilter || tagsNamesFilter.isEmpty()) {
1264 return false;
1265 }
1266
1267 HashSet<String> filteredTagNames = new HashSet<>(tagNames);
1268 filteredTagNames.retainAll(tagsNamesFilter);
1269 return filteredTagNames.isEmpty();
1270 }
1271
1282 @Messages({"ReportGenerator.artTableColHdr.comment=Comment"})
1283 @SuppressWarnings("deprecation")
1284 private List<Column> getArtifactTableColumns(int artifactTypeId, Set<BlackboardAttribute.Type> attributeTypeSet) {
1285 ArrayList<Column> columns = new ArrayList<>();
1286
1287 // Long switch statement to retain ordering of attribute types that are
1288 // attached to pre-defined artifact types.
1289 if (BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID() == artifactTypeId) {
1290 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.url"),
1291 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL)));
1292
1293 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.title"),
1294 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE)));
1295
1296 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateCreated"),
1297 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED)));
1298
1299 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1300 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1301
1302 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID() == artifactTypeId) {
1303 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.url"),
1304 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL)));
1305
1306 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1307 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1308
1309 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"),
1310 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1311
1312 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.value"),
1313 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_VALUE)));
1314
1315 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1316 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1317
1318 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID() == artifactTypeId) {
1319 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.url"),
1320 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL)));
1321
1322 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateAccessed"),
1323 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED)));
1324
1325 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.referrer"),
1326 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REFERRER)));
1327
1328 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.title"),
1329 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TITLE)));
1330
1331 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1332 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1333
1334 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.urlDomainDecoded"),
1335 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL_DECODED)));
1336
1337 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID() == artifactTypeId) {
1338 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dest"),
1339 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)));
1340
1341 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.sourceUrl"),
1342 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL)));
1343
1344 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateAccessed"),
1345 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED)));
1346
1347 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1348 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1349
1350 attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID));
1351 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID() == artifactTypeId) {
1352 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.path"),
1353 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)));
1354
1355 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1356 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED)));
1357
1358 attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID));
1359 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID() == artifactTypeId) {
1360 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.progName"),
1361 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1362
1363 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.instDateTime"),
1364 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1365
1366 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID() == artifactTypeId) {
1367 columns.add(new HeaderOnlyColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.preview")));
1368
1369 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() == artifactTypeId) {
1370 columns.add(new SourceFileColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.file")));
1371
1372 columns.add(new HeaderOnlyColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.size")));
1373
1374 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID() == artifactTypeId) {
1375 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.devMake"),
1376 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MAKE)));
1377
1378 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.devModel"),
1379 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MODEL)));
1380
1381 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.deviceId"),
1382 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID)));
1383
1384 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1385 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1386
1387 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY.getTypeID() == artifactTypeId) {
1388 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.text"),
1389 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT)));
1390
1391 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.domain"),
1392 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DOMAIN)));
1393
1394 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateAccessed"),
1395 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_ACCESSED)));
1396
1397 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.progName"),
1398 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1399
1400 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA_EXIF.getTypeID() == artifactTypeId) {
1401 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTaken"),
1402 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_CREATED)));
1403
1404 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.devManufacturer"),
1405 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MAKE)));
1406
1407 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.devModel"),
1408 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_MODEL)));
1409
1410 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitude"),
1411 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE)));
1412
1413 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitude"),
1414 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE)));
1415
1416 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.altitude"),
1417 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_ALTITUDE)));
1418
1419 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT.getTypeID() == artifactTypeId) {
1420 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.personName"),
1421 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1422
1423 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.phoneNumber"),
1424 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)));
1425
1426 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.phoneNumHome"),
1427 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_HOME)));
1428
1429 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.phoneNumOffice"),
1430 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_OFFICE)));
1431
1432 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.phoneNumMobile"),
1433 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_MOBILE)));
1434
1435 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.email"),
1436 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL)));
1437
1438 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE.getTypeID() == artifactTypeId) {
1439 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.msgType"),
1440 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE)));
1441
1442 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.direction"),
1443 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION)));
1444
1445 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.readStatus"),
1446 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_READ_STATUS)));
1447
1448 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1449 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1450
1451 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.fromPhoneNum"),
1452 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)));
1453
1454 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.fromEmail"),
1455 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_FROM)));
1456
1457 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.toPhoneNum"),
1458 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)));
1459
1460 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.toEmail"),
1461 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_TO)));
1462
1463 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.subject"),
1464 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT)));
1465
1466 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.text"),
1467 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT)));
1468
1469 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG.getTypeID() == artifactTypeId) {
1470 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.personName"),
1471 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1472
1473 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.fromPhoneNum"),
1474 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM)));
1475
1476 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.toPhoneNum"),
1477 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_TO)));
1478
1479 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1480 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START)));
1481
1482 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.direction"),
1483 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION)));
1484
1485 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_CALENDAR_ENTRY.getTypeID() == artifactTypeId) {
1486 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.calendarEntryType"),
1487 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CALENDAR_ENTRY_TYPE)));
1488
1489 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.description"),
1490 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)));
1491
1492 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.startDateTime"),
1493 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START)));
1494
1495 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.endDateTime"),
1496 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_END)));
1497
1498 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.location"),
1499 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION)));
1500
1501 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_SPEED_DIAL_ENTRY.getTypeID() == artifactTypeId) {
1502 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.shortCut"),
1503 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SHORTCUT)));
1504
1505 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.personName"),
1506 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME_PERSON)));
1507
1508 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.phoneNumber"),
1509 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER)));
1510
1511 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID() == artifactTypeId) {
1512 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.deviceName"),
1513 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_NAME)));
1514
1515 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.deviceAddress"),
1516 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DEVICE_ID)));
1517
1518 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1519 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1520
1521 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT.getTypeID() == artifactTypeId) {
1522 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitude"),
1523 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE)));
1524
1525 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitude"),
1526 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE)));
1527
1528 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1529 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1530
1531 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_BOOKMARK.getTypeID() == artifactTypeId) {
1532 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitude"),
1533 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE)));
1534
1535 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitude"),
1536 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE)));
1537
1538 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.altitude"),
1539 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_ALTITUDE)));
1540
1541 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"),
1542 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1543
1544 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.locationAddress"),
1545 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION)));
1546
1547 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1548 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1549
1550 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_LAST_KNOWN_LOCATION.getTypeID() == artifactTypeId) {
1551 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitude"),
1552 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE)));
1553
1554 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitude"),
1555 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE)));
1556
1557 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.altitude"),
1558 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_ALTITUDE)));
1559
1560 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"),
1561 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1562
1563 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.locationAddress"),
1564 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION)));
1565
1566 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1567 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1568
1569 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_SEARCH.getTypeID() == artifactTypeId) {
1570 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitude"),
1571 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE)));
1572
1573 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitude"),
1574 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE)));
1575
1576 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.altitude"),
1577 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_ALTITUDE)));
1578
1579 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"),
1580 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1581
1582 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.locationAddress"),
1583 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION)));
1584
1585 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1586 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1587
1588 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_SERVICE_ACCOUNT.getTypeID() == artifactTypeId) {
1589 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.category"),
1590 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY)));
1591
1592 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.userId"),
1593 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_ID)));
1594
1595 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.password"),
1596 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PASSWORD)));
1597
1598 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.personName"),
1599 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1600
1601 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.appName"),
1602 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1603
1604 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.url"),
1605 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL)));
1606
1607 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.appPath"),
1608 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)));
1609
1610 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.description"),
1611 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)));
1612
1613 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.replytoAddress"),
1614 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_REPLYTO)));
1615
1616 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.mailServer"),
1617 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SERVER_NAME)));
1618
1619 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID() == artifactTypeId
1620 || BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED.getTypeID() == artifactTypeId) {
1621 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"),
1622 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1623
1624 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_EXT_MISMATCH_DETECTED.getTypeID() == artifactTypeId) {
1625 columns.add(new HeaderOnlyColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.file")));
1626
1627 columns.add(new HeaderOnlyColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.extension.text")));
1628
1629 columns.add(new HeaderOnlyColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.mimeType.text")));
1630
1631 columns.add(new HeaderOnlyColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.path")));
1632
1633 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO.getTypeID() == artifactTypeId) {
1634 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.processorArchitecture.text"),
1635 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROCESSOR_ARCHITECTURE)));
1636
1637 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.osName.text"),
1638 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1639
1640 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.osInstallDate.text"),
1641 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1642
1643 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG.getTypeID() == artifactTypeId) {
1644 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailTo"),
1645 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_TO)));
1646
1647 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailFrom"),
1648 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_FROM)));
1649
1650 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSubject"),
1651 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT)));
1652
1653 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskDateTimeSent"),
1654 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_SENT)));
1655
1656 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskDateTimeRcvd"),
1657 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_RCVD)));
1658
1659 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskPath"),
1660 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)));
1661
1662 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailCc"),
1663 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_CC)));
1664
1665 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskEmailBcc"),
1666 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL_BCC)));
1667
1668 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskMsgId"),
1669 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MSG_ID)));
1670
1671 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_FILE_HIT.getTypeID() == artifactTypeId) {
1672 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSetName"),
1673 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME)));
1674
1675 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskInterestingFilesCategory"),
1676 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY)));
1677
1678 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskPath"),
1679 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)));
1680
1681 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.comment"),
1682 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT)));
1683
1684 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.description"),
1685 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)));
1686
1687 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_ROUTE.getTypeID() == artifactTypeId) {
1688 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskGpsRouteCategory"),
1689 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY)));
1690
1691 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1692 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1693
1694 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitudeEnd"),
1695 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_END)));
1696
1697 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitudeEnd"),
1698 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_END)));
1699
1700 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.latitudeStart"),
1701 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LATITUDE_START)));
1702
1703 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.longitudeStart"),
1704 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_GEO_LONGITUDE_START)));
1705
1706 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.name"),
1707 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME)));
1708
1709 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.location"),
1710 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCATION)));
1711
1712 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1713 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1714
1715 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ARTIFACT_HIT.getTypeID() == artifactTypeId) {
1716 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSetName"),
1717 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME)));
1718
1719 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.associatedArtifact"),
1720 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT)));
1721
1722 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1723 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1724
1725 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_INTERESTING_ITEM.getTypeID() == artifactTypeId) {
1726 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskSetName"),
1727 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME)));
1728
1729 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.associatedArtifact"),
1730 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT)));
1731
1732 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1733 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1734
1735 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskInterestingFilesCategory"),
1736 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_CATEGORY)));
1737
1738 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tskPath"),
1739 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH)));
1740
1741 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.comment"),
1742 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COMMENT)));
1743
1744 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.description"),
1745 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DESCRIPTION)));
1746
1747 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_PROG_RUN.getTypeID() == artifactTypeId) {
1748 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.program"),
1749 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PROG_NAME)));
1750
1751 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.associatedArtifact"),
1752 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT)));
1753
1754 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.dateTime"),
1755 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME)));
1756
1757 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.count"),
1758 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_COUNT)));
1759
1760 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_ACCOUNT.getTypeID() == artifactTypeId) {
1761 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.userName"),
1762 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_NAME)));
1763
1764 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.userId"),
1765 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_USER_ID)));
1766
1767 } else if (BlackboardArtifact.ARTIFACT_TYPE.TSK_REMOTE_DRIVE.getTypeID() == artifactTypeId) {
1768 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.localPath"),
1769 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_LOCAL_PATH)));
1770
1771 columns.add(new AttributeColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.remotePath"),
1772 new BlackboardAttribute.Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_REMOTE_PATH)));
1773 } else if (artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_ACCOUNT.getTypeID()) {
1774 columns.add(new StatusColumn());
1775 attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ACCOUNT_TYPE));
1776 attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ASSOCIATED_ARTIFACT));
1777 attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SET_NAME));
1778 attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_KEYWORD_SEARCH_DOCUMENT_ID));
1779 } else if (artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_CACHE.getTypeID()) {
1780 attributeTypeSet.remove(new Type(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID));
1781 } else {
1782 // This is the case that it is a custom type. The reason an else is
1783 // necessary is to make sure that the source file column is added
1784 for (BlackboardAttribute.Type type : attributeTypeSet) {
1785 columns.add(new AttributeColumn(type.getDisplayName(), type));
1786 }
1787 columns.add(new SourceFileColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")));
1788 columns.add(new TaggedResultsColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tags")));
1789
1790 // Short circuits to guarantee that the attribute types aren't added
1791 // twice.
1792 return columns;
1793 }
1794 // If it is an attribute column, it removes the attribute type of that
1795 // column from the set, so types are not reported more than once.
1796 for (Column column : columns) {
1797 attributeTypeSet = column.removeTypeFromSet(attributeTypeSet);
1798 }
1799 // Now uses the remaining types in the set to construct columns
1800 for (BlackboardAttribute.Type type : attributeTypeSet) {
1801 columns.add(new AttributeColumn(type.getDisplayName(), type));
1802 }
1803 // Source file column is added here for ordering purposes.
1804 if (artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getTypeID()
1805 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getTypeID()
1806 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getTypeID()
1807 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getTypeID()
1808 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getTypeID()
1809 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getTypeID()
1810 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()
1811 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_SEARCH_QUERY.getTypeID()
1812 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_METADATA_EXIF.getTypeID()
1813 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT.getTypeID()
1814 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE.getTypeID()
1815 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_CALLLOG.getTypeID()
1816 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_CALENDAR_ENTRY.getTypeID()
1817 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_SPEED_DIAL_ENTRY.getTypeID()
1818 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_BLUETOOTH_PAIRING.getTypeID()
1819 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_TRACKPOINT.getTypeID()
1820 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_BOOKMARK.getTypeID()
1821 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_LAST_KNOWN_LOCATION.getTypeID()
1822 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_SEARCH.getTypeID()
1823 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_GPS_AREA.getTypeID()
1824 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_SERVICE_ACCOUNT.getTypeID()
1825 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED.getTypeID()
1826 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_SUSPECTED.getTypeID()
1827 || artifactTypeId == BlackboardArtifact.ARTIFACT_TYPE.TSK_OS_INFO.getTypeID()) {
1828 columns.add(new SourceFileColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.srcFile")));
1829 }
1830 columns.add(new TaggedResultsColumn(NbBundle.getMessage(this.getClass(), "ReportGenerator.artTableColHdr.tags")));
1831
1832 return columns;
1833 }
1834
1842 private String getFileUniquePath(Content content) {
1843 try {
1844 if (content != null) {
1845 return content.getUniquePath();
1846 } else {
1847 return "";
1848 }
1849 } catch (TskCoreException ex) {
1850 errorList.add(NbBundle.getMessage(this.getClass(), "ReportGenerator.errList.failedGetAbstractFileByID"));
1851 logger.log(Level.WARNING, "Failed to get Abstract File by ID.", ex); //NON-NLS
1852 }
1853 return "";
1854
1855 }
1856
1860 private boolean shouldFilterFromReport(Content content) throws TskCoreException {
1861 if (this.settings.getSelectedDataSources() == null) {
1862 return false;
1863 }
1864
1865 if (content.getDataSource() == null) {
1866 return false;
1867 }
1868
1869 long dataSourceId = content.getDataSource().getId();
1870 return !this.settings.getSelectedDataSources().contains(dataSourceId);
1871 }
1872
1882 @SuppressWarnings("deprecation")
1883 private HashSet<String> getUniqueTagNames(long artifactId) throws TskCoreException {
1884 HashSet<String> uniqueTagNames = new HashSet<>();
1885
1886 String query = "SELECT display_name, artifact_id, knownStatus FROM tag_names AS tn, blackboard_artifact_tags AS bat "
1887 + //NON-NLS
1888 "WHERE tn.tag_name_id = bat.tag_name_id AND bat.artifact_id = " + artifactId; //NON-NLS
1889
1890 try (SleuthkitCase.CaseDbQuery dbQuery = Case.getCurrentCaseThrows().getSleuthkitCase().executeQuery(query)) {
1891 ResultSet tagNameRows = dbQuery.getResultSet();
1892 while (tagNameRows.next()) {
1893 String notableString = tagNameRows.getInt("knownStatus") == TskData.FileKnown.BAD.ordinal() ? getNotableTagLabel() : "";
1894 uniqueTagNames.add(tagNameRows.getString("display_name") + notableString); //NON-NLS
1895 }
1896 } catch (TskCoreException | SQLException | NoCurrentCaseException ex) {
1897 throw new TskCoreException("Error getting tag names for artifact: ", ex);
1898 }
1899
1900 return uniqueTagNames;
1901
1902 }
1903
1904 private interface Column {
1905
1906 String getColumnHeader();
1907
1908 String getCellData(ArtifactData artData);
1909
1910 Set<BlackboardAttribute.Type> removeTypeFromSet(Set<BlackboardAttribute.Type> types);
1911 }
1912
1913 private class StatusColumn implements Column {
1914
1915 @NbBundle.Messages("TableReportGenerator.StatusColumn.Header=Review Status")
1916 @Override
1917 public String getColumnHeader() {
1918 return Bundle.TableReportGenerator_StatusColumn_Header();
1919 }
1920
1921 @Override
1922 public String getCellData(ArtifactData artData) {
1923 return artData.getArtifact().getReviewStatus().getDisplayName();
1924 }
1925
1926 @Override
1927 public Set<BlackboardAttribute.Type> removeTypeFromSet(Set<BlackboardAttribute.Type> types) {
1928 // This column doesn't have a type, so nothing to remove
1929 return types;
1930 }
1931
1932 }
1933
1934 private class AttributeColumn implements Column {
1935
1936 private final String columnHeader;
1937 private final BlackboardAttribute.Type attributeType;
1938
1945 AttributeColumn(String columnHeader, BlackboardAttribute.Type attributeType) {
1946 this.columnHeader = Objects.requireNonNull(columnHeader);
1947 this.attributeType = attributeType;
1948 }
1949
1950 @Override
1951 public String getColumnHeader() {
1952 return this.columnHeader;
1953 }
1954
1955 @Override
1956 public String getCellData(ArtifactData artData) {
1957 List<BlackboardAttribute> attributes = artData.getAttributes();
1958 for (BlackboardAttribute attribute : attributes) {
1959 if (attribute.getAttributeType().equals(this.attributeType)) {
1960 if (attribute.getAttributeType().getValueType() != BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME) {
1961 return attribute.getDisplayString();
1962 } else {
1963 return TimeZoneUtils.getFormattedTime(attribute.getValueLong());
1964 }
1965 }
1966 }
1967 return "";
1968 }
1969
1970 @Override
1971 public Set<BlackboardAttribute.Type> removeTypeFromSet(Set<BlackboardAttribute.Type> types) {
1972 types.remove(this.attributeType);
1973 return types;
1974 }
1975 }
1976
1977 private class SourceFileColumn implements Column {
1978
1979 private final String columnHeader;
1980
1981 SourceFileColumn(String columnHeader) {
1982 this.columnHeader = columnHeader;
1983 }
1984
1985 @Override
1986 public String getColumnHeader() {
1987 return this.columnHeader;
1988 }
1989
1990 @Override
1991 public String getCellData(ArtifactData artData) {
1992 return getFileUniquePath(artData.getContent());
1993 }
1994
1995 @Override
1996 public Set<BlackboardAttribute.Type> removeTypeFromSet(Set<BlackboardAttribute.Type> types) {
1997 // This column doesn't have a type, so nothing to remove
1998 return types;
1999 }
2000 }
2001
2002 private class TaggedResultsColumn implements Column {
2003
2004 private final String columnHeader;
2005
2006 TaggedResultsColumn(String columnHeader) {
2007 this.columnHeader = columnHeader;
2008 }
2009
2010 @Override
2011 public String getColumnHeader() {
2012 return this.columnHeader;
2013 }
2014
2015 @Override
2016 public String getCellData(ArtifactData artData) {
2017 return makeCommaSeparatedList(artData.getTags());
2018 }
2019
2020 @Override
2021 public Set<BlackboardAttribute.Type> removeTypeFromSet(Set<BlackboardAttribute.Type> types) {
2022 // This column doesn't have a type, so nothing to remove
2023 return types;
2024 }
2025 }
2026
2027 private class HeaderOnlyColumn implements Column {
2028
2029 private final String columnHeader;
2030
2031 HeaderOnlyColumn(String columnHeader) {
2032 this.columnHeader = columnHeader;
2033 }
2034
2035 @Override
2036 public String getColumnHeader() {
2037 return columnHeader;
2038 }
2039
2040 @Override
2041 public String getCellData(ArtifactData artData) {
2042 throw new UnsupportedOperationException("Cannot get cell data of unspecified column");
2043 }
2044
2045 @Override
2046 public Set<BlackboardAttribute.Type> removeTypeFromSet(Set<BlackboardAttribute.Type> types) {
2047 // This column doesn't have a type, so nothing to remove
2048 return types;
2049 }
2050 }
2051}
org.sleuthkit.autopsy.casemodule.services.TagsManager.getContentTagsByContent
List< ContentTag > getContentTagsByContent(Content content)
Definition TagsManager.java:839
org.sleuthkit.autopsy.coreutils.TimeZoneUtils.getFormattedTime
static String getFormattedTime(long epochTime)
Definition TimeZoneUtils.java:145
org.sleuthkit.autopsy.report.infrastructure.TableReportGenerator.AttributeColumn.removeTypeFromSet
Set< BlackboardAttribute.Type > removeTypeFromSet(Set< BlackboardAttribute.Type > types)
Definition TableReportGenerator.java:1971
org.sleuthkit.autopsy.report.infrastructure.TableReportGenerator.HeaderOnlyColumn.removeTypeFromSet
Set< BlackboardAttribute.Type > removeTypeFromSet(Set< BlackboardAttribute.Type > types)
Definition TableReportGenerator.java:2046
org.sleuthkit.autopsy.report.infrastructure.TableReportGenerator.SourceFileColumn.removeTypeFromSet
Set< BlackboardAttribute.Type > removeTypeFromSet(Set< BlackboardAttribute.Type > types)
Definition TableReportGenerator.java:1996
org.sleuthkit.autopsy.report.infrastructure.TableReportGenerator.StatusColumn.removeTypeFromSet
Set< BlackboardAttribute.Type > removeTypeFromSet(Set< BlackboardAttribute.Type > types)
Definition TableReportGenerator.java:1927
org.sleuthkit.autopsy.report.infrastructure.TableReportGenerator.TaggedResultsColumn.removeTypeFromSet
Set< BlackboardAttribute.Type > removeTypeFromSet(Set< BlackboardAttribute.Type > types)
Definition TableReportGenerator.java:2021
org.sleuthkit.autopsy.report.infrastructure.TableReportGenerator.Column.removeTypeFromSet
Set< BlackboardAttribute.Type > removeTypeFromSet(Set< BlackboardAttribute.Type > types)

Copyright © 2012-2024 Sleuth Kit Labs. Generated on:
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.